RSA Radius to Cisco ASA 8.0 Authentication Fail.

Jan 28th, 2008

I'm configuring an ASA to authenticate against the RSA using its built-in RADIUS server.

I'm testing using

"test aaa-server authentication RSA-Radius host username testcisco password test1234123456"

I assumed the password "test1234123456" consists of the RSA password (test) + PIN code (1234) + RSA token (123456), but I'm not sure, since this isn't stated anywhere in the documents I could find.

It always tells me authentication failure, but I've tested the same account using another server (using SDI and not RADIUS) and the account works fine. I've double-checked the RADIUS shared secret and it's correct.

Are there any log files or trace files on the AuthMan that I can use to see what's wrong? The ASA's config is simple enough.

aaa-server RSA-Radius protocol radius
aaa-server RSA-Radius host
 key abc123
 authentication-port 1812
 accounting-port 1813
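To make concrete what "test aaa-server" sends over UDP/1812 and why a shared-secret mismatch surfaces only as a failed login, here is an added, self-contained model of the RADIUS Access-Request/Access-Accept exchange (RFC 2865). It is illustration code written for this page, not code from the thread, the ASA or RSA Authentication Manager. The username, password string and secret "abc123" are constructed samples taken from the post, and the NAS IP 192.0.2.10 is made up. It shows the User-Password hiding (MD5 of secret + Request Authenticator, XORed block by block), the Response Authenticator the NAS verifies on the reply, and a simulated exchange run once with matching secrets and once with a secret that differs on the server side.

```python
"""Constructed RADIUS (RFC 2865) exchange between a NAS and a RADIUS server.
Added illustration for this thread, not the ASA's or RSA's own code."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed sample data modelled on the post (secret, user, typed password).
SHARED_SECRET = b"abc123"
SAMPLE_USER = b"testcisco"
SAMPLE_PASSWORD = b"test1234123456"


def _tlv(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute: type (1 byte), length incl. the 2 header bytes, value.
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; chaining uses the previous *hidden* block."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip="192.0.2.10"):
    """What the NAS sends to UDP/1812; the Request Authenticator is fresh random."""
    authenticator = os.urandom(16)
    attrs = (_tlv(ATTR_USER_NAME, username)
             + _tlv(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _tlv(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or len(data) < length:
        raise ValueError("truncated RADIUS packet")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, data[4:20], attrs


def build_reply(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, ident, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_reply(reply, request, secret) -> bool:
    """NAS-side check; a reply that fails it is silently discarded (no reject seen)."""
    _, _, req_auth, _ = parse_packet(request)
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def simulate_exchange(client_secret, server_secret, password=SAMPLE_PASSWORD):
    """One request/reply with possibly different secrets per side; the simulated
    server accepts only if the password it recovers equals the expected one."""
    request = build_access_request(7, SAMPLE_USER, password, client_secret)
    _, _, req_auth, attrs = parse_packet(request)
    seen = reveal_password(attrs[ATTR_USER_PASSWORD], server_secret, req_auth)
    reply_code = ACCESS_ACCEPT if seen == password else ACCESS_REJECT
    reply = build_reply(reply_code, request, server_secret)
    return {"server_saw_password": seen, "reply_code": reply_code,
            "client_trusts_reply": verify_reply(reply, request, client_secret)}


if __name__ == "__main__":
    print(simulate_exchange(SHARED_SECRET, SHARED_SECRET))
    print(simulate_exchange(SHARED_SECRET, b"abc124"))
```

The mismatched run is the point: the server cannot tell a wrong secret from a wrong password, because it simply unmasks garbage and rejects, so its log shows an ordinary failed authentication; the only place the mismatch is detectable is the NAS's check of the Response Authenticator, which fails and causes the reply to be dropped. Whether the passcode itself should be "password + PIN + tokencode" is a separate question from this packet-level mechanism; the block only carries whatever string is handed to it.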


cisco24x7 Mon, 01/28/2008 - 08:13

1- What version of RSA SecurID are you using? Version 5.2 or 6.1?

2- Because you're using the native RSA RADIUS server, you need to define the agent host of the ASA a little differently, not the same way you define agent hosts using SDI.

3- Use the RSA Server "log monitor" option and you can see in the log why it failed. It will tell you why, such as a syntax error or "agent host not found", etc.

4- Open a case with RSA and they can help you. Seems like a very simple problem.

By the way, mine works fine between my PIX firewall and the RSA RADIUS server. See below:

CiscoPix# test aaa-server authen TEST username test1 password 1234testme
Server IP Address or name:
INFO: Attempting Authentication test to IP address <> (timeout: 10 seconds)
INFO: Authentication Successful


wong.jason Mon, 01/28/2008 - 08:22

1. I'm using AuthMan 6.1.

2. Could you give an example? I'm assuming a standard RADIUS config on the ASA.

aaa-server RSA-Radius protocol radius
aaa-server RSA-Radius host
 key abc123
 authentication-port 1812
 accounting-port 1813

3. I'll try this tomorrow.


cisco24x7 Mon, 01/28/2008 - 08:28

OK, here is how:

1- On the RSA server, define an agent host with the IP address of the RSA server itself. Allow all users for testing purposes.

2- On the secondary nodes, put your ASA IP address as the secondary nodes.

3- Test.

Your ASA configuration looks fine. If you need additional help, send me a private email and I can help you with it.

CCIE Security

wong.jason Mon, 01/28/2008 - 08:39

Thanks. There doesn't seem to be an option to view your email address. Maybe it's not published. Mine is in the profile. Please drop me an email. I'd like to bounce some Qs off you. Thanks.


