Cisco VPN client and RSA soft token

Unanswered Question
Apr 27th, 2008

Hi,

I just set up an RSA to our Cisco 3030. I was under the impression after the setup of the RSA that my VPN client would prompt me for my network password and token.

If it can be done, what do I need to do to get prompted for both network password and RSA passcode? Currently I am only getting prompted for the RSA passcode.

Thanks

ebreniz Mon, 05/05/2008 - 09:02

The AnyConnect SSL VPN Client has to be 'aware' that the RSA Software Token is installed and it needs to communicate with it via the RSA API. It is possible to authenticate Remote Access VPN Clients using RSA. RSA has an inbuilt RADIUS server (you may need to enable it). So configure the AAA server and authentication on the router and set the client authentication to this RADIUS server.

You need the following:

1) In the ACS Server, make sure you install the RSA agent and configure it properly.

2) Create an external users database for certain groups/users. When a user is unknown, forward it to the RSA SecurID server.

3) On the RSA SecurID, make sure you create the ACS server as an agent. You need to create an sdconf.rec file and place it in the ACS server.

The ACS server SecurID agent has a tool for you to verify the connectivity. The setup is actually very simple.

http://www.cisco.com/en/US/docs/security/pix/pix62/configuration/guide/basclnt.html

Richard Burts Mon, 05/05/2008 - 09:36

Edgar

Your comments about what to do on the ACS server may or may not be needed. I have set up Remote Access VPN on the 3000 series concentrator which the original poster is asking about and the concentrator communicated directly with the RSA server (not the Radius server) for authentication.

Also your comments about the AnyConnect client would be appropriate if the original poster were asking about Remote Access VPN on the ASA. But clearly he is asking about the 3030 concentrator and as far as I know the AnyConnect client is not supported on the 3000 series concentrator.

Obi

I am not aware of any option that will prompt for both the group password (which I assume is what you mean when you say network password) in addition to prompting for the user password (RSA password).

HTH

Rick
