
Cisco Secure ACS Support for Two-Factor Authentication Systems

Cisco Secure ACS supports the use of token servers to provide strong authentication based on one-time password (OTP) technology.

Cisco Secure ACS provides support for ASCII, Password Authentication Protocol (PAP), and Protected Extensible Authentication Protocol (PEAP)/Extensible Authentication Protocol Generic Token Card (EAP-GTC) authentication by using token servers. No other authentication protocols are supported with token server databases.

Note

For more information about authentication protocols and the Cisco Secure ACS external database types that support token servers, refer to the Authentication Protocol-Database Compatibility: http://tinyurl.com/2fb4nq.


Cisco Secure ACS supports two types of token server implementations:

How Cisco Secure ACS Works

Cisco Secure ACS acts as a client to the token server using the RADIUS-enabled interface of the token server, except in the case of an RSA SecurID implementation. For RSA SecurID, Cisco Secure ACS uses the RSA proprietary API client software.

When Cisco Secure ACS receives an authentication request from the AAA client (NAS), ACS forwards the authentication request to the token server. This process assumes that ACS is configured to authenticate against a token server, as configured in the external database configuration for "unknown user policy."

Figure 10-2 shows a menu option for the Cisco Secure ACS external database configuration, in which both RADIUS-enabled and non-RADIUS (RSA SecurID) token servers can be configured.

Figure 10-2. Configuring a Cisco Secure ACS Token Server


Before configuring the Cisco Secure ACS, it is important that the RADIUS-enabled token server and/or the RSA SecurID token server are installed and configured. In the case of RSA SecurID, ensure that the applicable RSA SecurID API client software is installed on the Cisco Secure ACS server.

Configuring Cisco Secure ACS for RADIUS-Enabled Token Server

Perform the following steps to configure Cisco Secure ACS for a RADIUS-enabled token server:

Step 1. Before configuring Cisco Secure ACS, ensure that the RADIUS-enabled token server is installed and configured.

Step 2. From the ACS external database configuration menu, select RADIUS token server, and create a new token server as shown in Figures 10-3, 10-4, and 10-5.

Figure 10-3. Configuring ACS for RADIUS-Enabled Token Server (Step 2)


Figure 10-4. Configuring ACS for RADIUS-Enabled Token Server (Step 2 cont)


Figure 10-5. Configuring ACS for RADIUS-Enabled Token Server (Step 2 cont)


Step 3. After the token server instance is created, select Configure to add the RADIUS parameters for the token server, as shown in Figures 10-6 and 10-7.

Figure 10-6. Configuring ACS for RADIUS-Enabled Token Server (Step 3)


Figure 10-7. Configuring ACS for RADIUS-Enabled Token Server (Step 3 cont)


Step 4. Configure the external database Unknown User Policy to select the RADIUS token server instance to handle authentication requests, as shown in Figures 10-8 and 10-9.



Figure 10-8. Configuring ACS for Unknown User Policy (Step 4)




Figure 10-9. Configuring ACS for Unknown User Policy (Step 4 cont)


Tip

For more information on configuring a RADIUS-enabled token server on Cisco Secure ACS, refer to http://tinyurl.com/yu26nj.


Configuring Cisco Secure ACS for RSA SecurID Token Server

A sample configuration for Cisco Secure ACS with an RSA SecurID (ACE Server) implementation is available at Cisco.com:

http://tinyurl.com/2xg8sr

Cisco Secure ACS can be installed with the RSA SecurID token server in the following combinations:

Tip

For more information on configuring the RSA SecurID Token Server on Cisco Secure ACS, refer to http://tinyurl.com/yu26nj.

