
Cisco Systems

Cisco Secure Access Control System

RSA SecurID Ready Implementation Guide

Last Modified: March 27, 2008

Partner Information

Product Information

Partner Name: Cisco Systems, Inc.
Web Site: www.cisco.com
Product Name: Cisco Secure Access Control System (ACS) Appliance
Version & Platform: V4.1.1 (build 23)
Product Description: Cisco Secure Access Control Server (ACS) for Windows provides a centralized identity networking solution and simplified user management experience across all Cisco devices and security management applications. Cisco Secure ACS helps to ensure enforcement of assigned policies by allowing network administrators to control:

Cisco Secure ACS is a main pillar of Cisco trust and identity networking security solutions. It extends access security by combining authentication, user and administrator access, and policy control from a centralized identity networking framework, allowing greater flexibility and mobility, increased security, and user productivity gains. With Cisco Secure ACS, you can manage and administer user access for Cisco IOS® routers, VPNs, firewalls, dialup and DSL connections, cable access solutions, storage, content, voice over IP (VoIP), Cisco wireless solutions, and Cisco Catalyst® switches using IEEE 802.1x access control.

Product Category: RADIUS Servers

Solution Summary

Partner Integration Overview

Authentication Methods Supported: RADIUS
List Library Version Used: N/A
RSA Authentication Manager Name Locking: N/A
RSA Authentication Manager Replica Support: N/A
Secondary RADIUS Server Support: Yes(1)
Location of Node Secret on Agent: N/A
RSA Authentication Agent Host Type: Net OS
RSA SecurID User Specification: Designated Users, All Users, RSA SecurID as Default
RSA SecurID Protection of Administrative Users: No
RSA Software Token API Integration: No
Use of Cached Domain Credentials: No


Product Requirements

Partner Product Requirements: Cisco Secure ACS Appliance

Application: Microsoft Internet Explorer 6.0
Additional Patches: Service Pack 2; Sun Java Plug-in 1.4.2-04 or Microsoft Java Virtual Machine

Application: Netscape Communicator 7.1
Additional Patches: Sun Java Plug-in 1.4.2-04

Note: Both Java and JavaScript must be enabled in browsers used to administer Cisco Secure ACS


Agent Host Configuration

To facilitate communication between the Cisco Secure ACS and the RSA Authentication Manager / RSA SecurID Appliance, an Agent Host record must be added to the RSA Authentication Manager database and RADIUS database. The Agent Host record identifies the Cisco Secure ACS within its database and contains information about communication and encryption. To create the Agent Host record, you will need the following information.

· Hostname
· IP Addresses for all network interfaces
· RADIUS Secret (When using RADIUS Authentication Protocol)

When adding the Agent Host Record, you should configure the Cisco Secure ACS as Net OS. This setting is used by the RSA Authentication Manager to determine how communication with the Cisco Secure ACS will occur.

Note: Hostnames within the RSA Authentication Manager / RSA SecurID Appliance must resolve to valid IP addresses on the local network.

Please refer to the appropriate RSA Security documentation for additional information about Creating, Modifying and Managing Agent Host records.


Partner Authentication Agent Configuration

Before You Begin

This section provides instructions for integrating the partners' product with RSA SecurID Authentication. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All vendor products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Documenting the Solution

Activating RSA SecurID authentication:

Cisco Secure ACS supports SecurID authentication of users. To configure Cisco Secure ACS 4.1.1 to authenticate users with Authentication Manager, follow these steps:

1. In the left-hand navigation bar, click .
2. Click Database Configuration.
3. Click RADIUS Token Server.
4. Click Create New Configuration.
5. Enter a name to label the configuration.
6. Click Submit.
7. Click Configure under External User Database Configuration.
8. Enter RADIUS Server configuration information and click Submit.

Adding/Configuring SecurID authentication to your Unknown User Policy:

1. In the left-hand navigation bar, click .
2. Click Unknown User Policy.
3. Select Check the following external user databases, highlight RSA RADIUS Token Server and move it to the Selected Databases box by clicking the ->.
4. Click Submit.


Adding/Configuring SecurID authentication for specific user accounts:

1. In the left-hand navigation bar, click .
2. Type in the User name.
3. Click Add/Edit.
4. Under > Password Authentication, choose RSA RADIUS Token Server.


Certification Checklist For RSA Authentication Manager 6.1.x

Date Tested: March 15, 2008

Certification Environment

Product Name: RSA Authentication Manager
Version Information: 6.1.2
Operating System: Windows 2003 Enterprise Server

Product Name: Cisco Secure ACS Appliance
Version Information: 4.1.1 (build 23)
Operating System: N/A

Mandatory Functionality

RSA Native Protocol

New PIN Mode
· Force Authentication After New PIN: N/A
· System Generated PIN: N/A
· User Defined (4-8 Alphanumeric): N/A
· User Defined (5-7 Numeric): N/A
· User Selectable: N/A
· Deny 4 and 8 Digit PIN: N/A
· Deny Alphanumeric PIN: N/A
PASSCODE
· 16 Digit PASSCODE: N/A
· 4 Digit Password: N/A
Next Tokencode Mode
· Next Tokencode Mode: N/A
Load Balancing / Reliability Testing
· Failover (3-10 Replicas): N/A
· Name Locking Enabled: N/A
· No RSA Authentication Manager: N/A

RADIUS Protocol

· Force Authentication After New PIN
· System Generated PIN
· User Defined (4-8 Alphanumeric)
· User Defined (5-7 Numeric)
· User Selectable
· Deny 4 and 8 Digit PIN
· Deny Alphanumeric PIN
· 16 Digit PASSCODE
· 4 Digit Password
· Next Tokencode Mode
· Failover
· Name Locking Enabled
· No RSA Authentication Manager

Additional Functionality

RSA Software Token Automation
· System Generated PIN: N/A
· User Defined (8 Digit Numeric): N/A
· User Selectable: N/A
· Next Tokencode Mode: N/A
RSA SD800 Token Automation
· System Generated PIN: N/A
· User Defined (8 Digit Numeric): N/A
· User Selectable: N/A
· Next Tokencode Mode: N/A
Domain Credential Functionality
· Determine Cached Credential State: N/A
· Set Domain Credential: N/A
· Retrieve Domain Credential: N/A

· System Generated PIN
· User Defined (8 Digit Numeric)
· User Selectable
· Next Tokencode Mode
· System Generated PIN
· User Defined (8 Digit Numeric)
· User Selectable
· Next Tokencode Mode
· Determine Cached Credential State
· Set Domain Credential
· Retrieve Domain Credential

N/A N/A N/A N/A N/A N/A N/A N/A

CMY

= Pass    = Fail    N/A = Non-Available Function


Certification Checklist For RSA Authentication Manager 7.1

Date Tested: March 27th, 2008

Certification Environment

Product Name: RSA Authentication Manager
Version Information: 7.1
Operating System: Windows 2003 Enterprise Server

Product Name: Cisco Secure ACS Appliance
Version Information: 4.1.1 (build 23)
Operating System: N/A

Mandatory Functionality

RSA Native Protocol

New PIN Mode
· Force Authentication After New PIN: N/A
· System Generated PIN: N/A
· User Defined (4-8 Alphanumeric): N/A
· User Defined (5-7 Numeric): N/A
· Deny 4 and 8 Digit PIN: N/A
· Deny Alphanumeric PIN: N/A
· Deny Numeric PIN: N/A
· PIN Reuse: N/A
Passcode
· 16 Digit Passcode: N/A
· 4 Digit Fixed Passcode: N/A
Next Tokencode Mode
· Next Tokencode Mode: N/A
Load Balancing / Reliability Testing
· Failover (3-10 Replicas): N/A
· No RSA Authentication Manager: N/A

RADIUS Protocol

· Force Authentication After New PIN
· System Generated PIN
· User Defined (4-8 Alphanumeric)
· User Defined (5-7 Numeric)
· Deny 4 and 8 Digit PIN
· Deny Alphanumeric PIN
· Deny Numeric PIN
· PIN Reuse
· 16 Digit Passcode
· 4 Digit Fixed Passcode
· Next Tokencode Mode
· Failover
· No RSA Authentication Manager

Additional Functionality

RSA Software Token Automation
· System Generated PIN: N/A
· User Defined (8 Digit Numeric): N/A
· Next Tokencode Mode: N/A
RSA SecurID 800 Token Automation
· System Generated PIN: N/A
· User Defined (8 Digit Numeric): N/A
· Next Tokencode Mode: N/A

· System Generated PIN: N/A
· User Defined (8 Digit Numeric): N/A
· Next Tokencode Mode: N/A
· System Generated PIN: N/A
· User Defined (8 Digit Numeric): N/A
· Next Tokencode Mode: N/A

CMY

= Pass    = Fail    N/A = Non-Available Function


Known Issues

1. Force Authentication After New PIN (both System Generated and User Defined) does not function as designed. The user is immediately authenticated after selecting or entering a new PIN. Cisco has been notified, as this is how Cisco ACS currently processes New PIN requests.
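A regression check for the known issue above, as an added example that is not part of the original guide or of any Cisco or RSA tooling: it classifies a RADIUS conversation by whether the server demanded a fresh passcode after the New PIN was set. The Reply-Message wording, the new_pin_prompt matcher and both traces are constructed assumptions; only the packet codes come from RFC 2865.

```python
# RADIUS packet codes (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

def new_pin_prompt(reply_message):
    # Assumption: a New PIN prompt contains this phrase. Match it to the
    # Reply-Message text your RSA RADIUS server really sends.
    return "new pin" in reply_message.lower()

def check_new_pin_flow(trace, is_pin_prompt=new_pin_prompt):
    """Classify one RADIUS conversation given as (code, reply_message) tuples.

    Returns "forced" when the server challenged again after the PIN was set,
    "not-forced" when Access-Accept directly followed the New PIN answer,
    and "no-new-pin", "rejected" or "incomplete" otherwise.
    """
    saw_prompt = awaiting_pin = pin_answered = rechallenged = False
    for code, message in trace:
        if code == ACCESS_CHALLENGE:
            if is_pin_prompt(message):
                saw_prompt, awaiting_pin = True, True
                pin_answered = rechallenged = False
            elif pin_answered:
                rechallenged = True  # server asks for a fresh passcode
        elif code == ACCESS_REQUEST and awaiting_pin:
            awaiting_pin, pin_answered = False, True
        elif code == ACCESS_ACCEPT:
            if not saw_prompt:
                return "no-new-pin"
            return "forced" if rechallenged else "not-forced"
        elif code == ACCESS_REJECT:
            return "rejected"
    return "incomplete"

# Constructed traces (not captured traffic); prompt wording is illustrative.
EXPECTED = [
    (ACCESS_REQUEST, ""),
    (ACCESS_CHALLENGE, "Enter a new PIN of 4 to 8 characters:"),
    (ACCESS_REQUEST, ""),
    (ACCESS_CHALLENGE, "PIN accepted. Enter a passcode with the next tokencode:"),
    (ACCESS_REQUEST, ""),
    (ACCESS_ACCEPT, ""),
]
# The behaviour in Known Issues: Access-Accept straight after the New PIN answer.
KNOWN_ISSUE = EXPECTED[:3] + [(ACCESS_ACCEPT, "")]

if __name__ == "__main__":
    for name, trace in (("expected", EXPECTED), ("known issue", KNOWN_ISSUE)):
        print(name, "->", check_new_pin_flow(trace))
```

Feed it the code and Reply-Message of each packet from a test login with a token in New PIN mode; a "not-forced" result means the deployment still shows the behaviour described in item 1.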
