Cisco ACS 4.2 and RSA authentication Manager Integration Guide
Table of Contents
1.1. Introduction
1.2. RSA SecurID server configuration
1.3. Prerequisites:
1.4. RSA server IP addressing
1.5. Agent Host configuration
1.6. RSA user creation
1.7. Cisco ACS side configuration
1.8. Prerequisites:
1.9. Cisco ACS server: creating a new external database
1.10. Network group mapping
1.11. Cisco ACS server: sdconf.rec import
1.12. Unknown User Policy: external database mapping to RSA
1.13. Cisco ACS user account creation mapped to the external authenticator
Introduction
This document describes the procedure for integrating a Cisco ACS 1113 appliance with RSA SecurID Authentication Manager to provide two-factor authentication.
RSA SecurID server configuration
Prerequisites:
• Windows 2000 Service Pack 4 or Windows 2003 Service Pack 3 server
• RSA Authentication Manager version 6.1 or higher with all relevant patches applied
• IP connectivity from the RSA server to the ACS server with no firewall in between, so that the shared (node) secret can be established
RSA server IP addressing
The RSA server address can be anything within your local network address range. Typically you would place the RSA server in a DMZ or another secured network segment. The example addressing used in this guide:
IP address 192.168.1.10
Subnet mask 255.255.255.0
Gateway 192.168.1.1
Agent Host configuration
To allow the Cisco Secure ACS and the RSA Authentication Manager / RSA SecurID Appliance to communicate, an Agent Host record must be added to the RSA Authentication Manager database. The Agent Host record identifies the Cisco Secure ACS within that database and holds the communication and encryption settings for it.
To create the Agent Host record, you will need the following information:
• Hostname
• IP Addresses for all network interfaces
When adding the Agent Host record, configure the Cisco Secure ACS with the agent type Net OS. The RSA Authentication Manager uses this setting to determine how it communicates with the Cisco Secure ACS.
An Agent Host only becomes functional once the node secret has been exchanged between the RSA server and the host; until then the node secret check box is greyed out.
The screen below shows that automatic agent registration is configured for host discovery.
RSA user creation
The screen below shows a typical user created in the RSA server database with a token assigned. Note that these users also need to be created on the ACS server if you have more than one group of users that must access different resources: as of ACS versions 3.x and 4.x, the RSA database mapping on the ACS server allows only a single ACS group to be mapped to a single RSA server instance.
Remember that every host that acts as an agent or server, including the RSA server itself, must be added to the Windows hosts file for the integration to work properly.
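The hosts file requirement above is easy to get wrong on a multi-homed appliance, so here is a small checker (an added example, not part of this guide or of any Cisco or RSA tooling) that parses hosts-file text and confirms each agent or server name resolves to the address you expect. The sample hosts file content and the hostnames rsa-am01 and acs-1113 are constructed; 192.168.1.10 is the RSA server address used in this guide, the other addresses are assumptions.

```python
"""Check that every RSA agent/server hostname has the expected entry in a
Windows hosts file, as the integration requires before the node secret
exchange. Added example; not Cisco ACS or RSA Authentication Manager code."""

# Constructed sample hosts file content (not from the guide). The RSA server
# address 192.168.1.10 matches the guide; the ACS addresses are assumptions.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    rsa-am01    rsa-am01.example.local
192.168.1.20    acs-1113    # Cisco ACS 1113 appliance, first interface
192.168.1.21    acs-1113    # second interface of the same appliance
"""


def parse_hosts(text):
    """Return {hostname (lower-case): set of IP strings} from hosts-file text.

    Handles '#' comments (whole-line and trailing), blank lines and several
    hostnames on one line, which is all the Windows hosts file format allows.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), set()).add(ip)
    return mapping


def check_required_hosts(text, required):
    """Compare a hosts file against {hostname: expected_ip}.

    Returns a list of human-readable problems; an empty list means every
    required host is present with the expected address and no ambiguity.
    """
    mapping = parse_hosts(text)
    problems = []
    for host, expected_ip in required.items():
        ips = mapping.get(host.lower())
        if ips is None:
            problems.append(f"{host}: missing from hosts file")
        elif expected_ip not in ips:
            problems.append(
                f"{host}: maps to {sorted(ips)}, expected {expected_ip}")
        elif len(ips) > 1:
            # Several addresses for one name: confirm which interface the
            # Agent Host record on the RSA server lists for this host.
            problems.append(
                f"{host}: listed with several addresses {sorted(ips)}; "
                "check the Agent Host record lists all of them")
    return problems


if __name__ == "__main__":
    # Required entries are assumptions for the demo, not values from the guide.
    required = {"rsa-am01": "192.168.1.10", "acs-1113": "192.168.1.20",
                "vpn-gw": "192.168.1.30"}
    for problem in check_required_hosts(SAMPLE_HOSTS, required) or ["hosts file OK"]:
        print(problem)
```

Run it against the real file (C:\Windows\System32\drivers\etc\hosts on the ACS and RSA servers) by reading the file into `check_required_hosts` with the hostnames and addresses from your own Agent Host records.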
Cisco ACS side configuration
The section below describes the ACS server side of the configuration.
Prerequisites:
• ACS 1113 SE appliance running version 4.0 or higher
• A Cisco ACS network group mapped to the RSA database
Cisco ACS server: creating a new external database
The screen below shows the configuration sequence between the RSA server and the ACS server that lets them operate in tandem for two-factor authentication, together with the specific database mapping. The shared secret file sdconf.rec is created on the RSA server.
Network group mapping
The screen below shows the default network group that the RSA server database is mapped to on the ACS server.
Cisco ACS server: sdconf.rec import
The sdconf.rec file is created on the RSA server and placed on an FTP server for upload to the ACS server. See the section above on creating the Agent Host record on the RSA server for the details needed before proceeding with this step.
Unknown User Policy: external database mapping to RSA
The screen below deals with requests for users that are not local to the ACS database. When the username is not specifically configured on the ACS, the appliance checks the RSA server as the external user authentication database.
Cisco ACS user account creation mapped to the external authenticator
The screen below shows a typical user account that belongs to the RSA database. Note that only the username has to exist in the ACS database; the password resides on the RSA server, where two-factor authentication is enforced.
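The three sections above (group mapping, Unknown User Policy, and ACS accounts whose password lives on the RSA server) describe one decision flow. The following model, added here as an example and not code from Cisco ACS or RSA, makes that flow explicit: a locally defined user is checked against the local password; an ACS account mapped to the external authenticator keeps the group assigned in ACS but is verified by RSA; an unknown user is sent to RSA only when the Unknown User Policy is enabled and, on success, lands in the single ACS group mapped to the RSA database. The RSA side is a stand-in that accepts a constructed PIN plus token code; all usernames, PINs, token codes and group names are constructed.

```python
"""Model of the ACS/RSA authentication decision described in the guide.
Added example only: the RSA class below is a stand-in, not the real
Authentication Manager, and all credentials here are constructed test data."""

import hmac


class RsaAuthManagerStub:
    """Stand-in for the RSA server: user -> PIN and user -> current token code."""

    def __init__(self, pins, tokencodes):
        self._pins = pins
        self._tokencodes = tokencodes

    def verify_passcode(self, user, passcode):
        # Two-factor passcode = something you know (PIN) + something you have
        # (token code). A real RSA server derives the token code from the
        # assigned token; here it is a fixed constructed value.
        if user not in self._pins:
            return False
        expected = self._pins[user] + self._tokencodes[user]
        return hmac.compare_digest(expected, passcode)


class AcsStub:
    """Applies the three rules the guide states for users, groups and RSA."""

    def __init__(self, users, rsa, rsa_mapped_group, unknown_user_policy):
        # users: name -> {"auth": "local", "password": ..., "group": ...}
        #             or {"auth": "rsa", "group": ...}  (password lives on RSA)
        self.users = users
        self.rsa = rsa
        self.rsa_mapped_group = rsa_mapped_group      # the single mapped group
        self.unknown_user_policy = unknown_user_policy

    def authenticate(self, user, secret):
        """Return (granted, acs_group_or_None, decision_text)."""
        account = self.users.get(user)
        if account is None:
            if not self.unknown_user_policy:
                return False, None, "unknown user, Unknown User Policy disabled"
            if self.rsa.verify_passcode(user, secret):
                return True, self.rsa_mapped_group, "unknown user authenticated by RSA, mapped group"
            return False, None, "unknown user rejected by RSA"
        if account["auth"] == "local":
            if hmac.compare_digest(account["password"], secret):
                return True, account["group"], "local password"
            return False, None, "local password mismatch"
        # account["auth"] == "rsa": only the username exists in ACS,
        # the credential is verified by RSA, the group comes from ACS.
        if self.rsa.verify_passcode(user, secret):
            return True, account["group"], "ACS account, password from RSA"
        return False, None, "ACS account rejected by RSA"


def demo_acs(unknown_user_policy=True):
    """Build the constructed demo environment used in the usage below."""
    rsa = RsaAuthManagerStub(
        pins={"alice": "2468", "bob": "1357"},
        tokencodes={"alice": "113355", "bob": "779911"},
    )
    users = {
        "admin": {"auth": "local", "password": "L0cal-0nly", "group": "Default Group"},
        "alice": {"auth": "rsa", "group": "VPN-Admins"},
    }
    return AcsStub(users, rsa, rsa_mapped_group="RSA-Users",
                   unknown_user_policy=unknown_user_policy)


if __name__ == "__main__":
    acs = demo_acs()
    for user, secret in [("admin", "L0cal-0nly"), ("alice", "2468113355"),
                         ("bob", "1357779911"), ("bob", "1357000000"),
                         ("carol", "0000111111")]:
        print(user, acs.authenticate(user, secret))
    print("bob, policy disabled:", demo_acs(False).authenticate("bob", "1357779911"))
```

The point worth noticing is the difference between alice and bob: both are verified by RSA, but alice was created in ACS and so keeps VPN-Admins, while bob is only known to RSA and can only ever land in RSA-Users. That is the reason the guide tells you to create users on the ACS side when more than one group of users needs different resources.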
Recommended Reading
- Cisco ACS Best Practices document
- Cisco ASA Best Practices and Security Hardening Document.
- Cisco-vpn-ipsec-configuration-examples
- Cisco-ids-ips-aip-idsm-configuration-examples
- Detailed Cisco ACS 5.2 installation and configuration example with print screens