cisco pix 501 with RSA SecurID compatability?

Toggle sidebar Toggle sidebar
Red Squirrel

Red Squirrel

No Lifer
May 24, 2003
70,557
13,801
126
www.anyf.ca
I've done some of my own research, and I have not found that it is compatible, but I've also not found anything that it is compatible. More advanced pix versions do mention SecurID in the data sheet while the pix 501 does not, so my guess is my idea wont work. (using SecurID with the pix for VPN authentication).

But before I declare this as not possible, anyone happen to know off hand from past experiences if this works or not?
 
J

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
im pretty sure the 501 supports token based authentication like securid...

want to know for sure? call cisco or rsa. you have both of their products and a support contract correct?
 
N

nweaver

Diamond Member
Jan 21, 2001
6,813
1
0
note that I'm not a pix guy....

can't you just use radius authentication, and point the radius server to the token database? That's how we do wireless token auth, and I would assume that as long as the 501 works with radius (we use ACS) it would work too, right?
 
J

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
that was my understanding as well. the rsa ace/server is basically acting as an AAA server. while there would be a few more commands (crypto policies and such) that basic principle is the same.

your previous post

if you want real help, man up and post a config. these bit by bit posts arent helping anyone (especially you!).
 
Red Squirrel

Red Squirrel

No Lifer
May 24, 2003
70,557
13,801
126
www.anyf.ca
Ok here's the config. Wherever you see 1.2.3.4 its an external IP. Just removed anything that could potentially be confidential to the company or otherwise not wanted posted on a public forum. IPs may not make any sense in some cases but think the main issue lies in the crypto maps and policy section and possibly aaa server lines.

I can also confirm the pix is communicating with the RSA (sends 4 authentication request packets with different authenticator IDs) but the RSA is not sending anything back.

The physical connection is like this:

[PC] 10.1.1.100 ----------- [pix] 10.1.1.1 |< 10.10.1.5 ----------- RSA [10.10.1.190


interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password cisco
hostname ABCDE-515
domain-name ABCDE.on.ca
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol http 8080
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 192.168.0.0 BCM

access-list aclin permit tcp any host 1.2.3.4 eq www
access-list aclin permit tcp any host 1.2.3.4 eq smtp
access-list aclin permit tcp any host 1.2.3.4 eq pop3
access-list aclin permit tcp any host 1.2.3.4 eq 5639
access-list aclin permit udp any host 1.2.3.4 eq 5640
access-list aclin permit udp any host 1.2.3.4 eq 5640
access-list aclin permit tcp any host 1.2.3.4 eq 5639
access-list aclin permit tcp any host 1.2.3.4 eq ftp
access-list aclin remark Outside port access for Groupwise Webaccess.
access-list aclin permit tcp any host 1.2.3.4 range https https
access-list aclin permit tcp any host 1.2.3.4 eq 1677
access-list aclin permit tcp any host 1.2.3.4 eq 5639
access-list aclin permit udp any host 1.2.3.4 eq 5640
access-list aclin permit tcp host 1.2.3.4 host 1.2.3.4 eq https
access-list aclin permit tcp any host 1.2.3.4 eq 21021
access-list aclin permit tcp any host 1.2.3.4 eq 21023
access-list aclin permit tcp any host 1.2.3.4 eq 21024
access-list aclin permit tcp any host 1.2.3.4 eq 21025
access-list aclin permit tcp any host 1.2.3.4 eq 21521
access-list aclin permit tcp any host 1.2.3.4 eq 22021
access-list aclin permit tcp any host 1.2.3.4 eq 22022
access-list aclin permit tcp any host 1.2.3.4 eq 23021
access-list aclin permit tcp any host 1.2.3.4 eq 23521
access-list aclin permit tcp any host 1.2.3.4 eq 24021
access-list aclin permit tcp any host 1.2.3.4 eq 24521
access-list aclin permit tcp any host 1.2.3.4 eq 25021
access-list aclin permit tcp any host 1.2.3.4 eq 25521
access-list aclin permit tcp any host 1.2.3.4 eq https
access-list aclin permit tcp any host 1.2.3.4 eq 444
access-list aclin permit tcp host 1.2.3.4 host 1.2.3.4 eq https
access-list inside_outbound_nat0_acl permit ip any 192.168.200.8 255.255.255.248
access-list outside_cryptomap_dyn_20 permit ip any 192.168.200.8 255.255.255.248
pager lines 24
logging on
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging facility 23
logging queue 0
logging host outside 1.2.3.4
logging host outside 1.2.3.4
icmp permit host 1.2.3.4 outside
mtu outside 1500
mtu inside 1500
ip address outside 10.1.1.1 255.255.255.0
ip address inside 10.10.1.5 255.255.255.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit name attack-policy attack action alarm drop reset
ip audit name info-policy info action alarm
ip audit interface outside info-policy
ip audit interface outside attack-policy
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 192.168.200.10-192.168.200.15
no pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 1.2.3.4 https 10.10.1.9 ssh netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.4 10.10.1.6 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.4 10.10.1.22 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.4 10.10.1.23 netmask 255.255.255.255 0 0
static (inside,outside) 1.2.3.4 10.10.1.101 netmask 255.255.255.255 0 0
access-group aclin in interface outside
route outside 0.0.0.0 0.0.0.0 209.226.48.225 1
route inside 10.0.0.0 255.0.0.0 10.10.1.1 1
route inside 192.168.0.0 255.255.0.0 10.10.1.1 1
timeout xlate 1:00:00
timeout conn 0:30:00 half-closed 0:10:00 udp 0:01:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server radius-authport 1812
aaa-server radius-acctport 1813
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.10.1.190 timeout 10
aaa-server LOCAL protocol local
url-server (inside) vendor n2h2 host 10.10.1.13 port 4101 timeout 5 protocol TCP
aaa authentication telnet console RADIUS
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow cgi-truncate
filter java 80 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0
ntp server 192.5.41.40 source outside
snmp-server host outside 142.217.214.230 poll
snmp-server location *removed*
snmp-server contact *removed*
snmp-server community *removed*
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set ABCDEset esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ABCDE esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-MD5
crypto dynamic-map mydynmap 5 set transform-set ABCDE
crypto map ABCDE 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map ABCDE interface outside
crypto map outside_map client authentication RADIUS
crypto map remote client configuration address initiate
crypto map remote client token authentication RADIUS
crypto map ABCDE 5 ipsec-isakmp dynamic mydynmap
crypto map ABCDE client configuration address initiate
crypto map ABCDE client configuration address respond
crypto map ABCDE client token authentication RADIUS
isakmp enable outside
isakmp client configuration address-pool local vpnpool outside
isakmp nat-traversal 120
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup ABCDE address-pool vpnpool
vpngroup ABCDE dns-server 10.10.1.8 1.2.3.4
vpngroup ABCDE idle-time 900
vpngroup ABCDE password cisco
telnet timeout 5
ssh 1.2.3.4 255.255.255.255 outside
ssh 1.2.3.4 255.255.255.255 outside
ssh timeout 5
console timeout 0
terminal width 80
Click to expand...


 
Red Squirrel

Red Squirrel

No Lifer
May 24, 2003
70,557
13,801
126
www.anyf.ca
I got it working. I ended up calling RSA support and was walked through the process.

Basically the radius server has to be installed manually on the RSA, the installer is in a folder in the C: drive (can't recall the name, I'm at home now) then in the host mode configuration radius needs to be configured and the pix added as a client. The secret code you enter should also go in the pix when typing the line aaa-server RADIUS (inside) host 10.10.1.190 timeout 10 so it should be aaa-server RADIUS (inside) host 10.10.1.190 secredcode timeout 10.
 
You must log in or register to reply here.

TRENDING THREADS

COMPANY
RESOURCES
FOLLOW
Top Bottom