PIX-535 RSA Secure ID config question

Unanswered Question
May 19th, 2008

I am trying to configure my PIX-535 to prompt for RSA Secure ID authentication.

So when somebody tries to get to a particular website, the PIX-535 will put up a Secure ID page and forward the response to our RSA Secure ID server.

Any help?

smahbub Fri, 05/23/2008 - 07:01

RSA SecurID: Provides strong, two-factor authentication using tokens in conjunction with the RSA ACE/Server. RSA Keys - RSA is the public key cryptographic system developed by Ron Rivest, Adi Shamir, and Leonard Adleman. RSA keys come in pairs: one public key and one private key.

Sean,

I am not sure how you would do it for RSA - but to authenticate an HTTP/HTTPS request from inside out:-

access-list HTTP_authentication line 1 extended permit tcp x.x.x.x y.y.y.y 0.0.0.0 0.0.0.0 eq http

aaa authentication match HTTP_authentication Lan-2-Lan LOCAL (for local uid/pwd in the ASA) or you could have a set of authentication servers that you would name here.

The issue I see with trying RSA - is how the browser would send the information back to the ASA and then forward onto the securID server.

I do know that you can use "Challenge/Response Authentication - CRACK" for remote VPN connections, don't think you can use this for http auth.

HTH.

cisco24x7 Fri, 05/23/2008 - 10:44

Here is a typical scenario:

1- Install Cisco ACS on a server,

2- Install RSA SecurID on another Server,

3- create an agent host on the RSA SecurID Server for the Cisco ACS server. Generate the sdconf.rec file for the Cisco ACS server,

4- copy the sdconf.rec file over to the Cisco ACS server in the C:\Windows\System32 directory,

5- Install RSA Agent software on the Cisco ACS server,

6- create account on the RSA SecurID Server,

7- setup Cisco ACS to forward authentication request to RSA SecurID server,

8- setup the ASA like what Andrew described,

9- now from the client machine, do http://www.cisco.com. You will get prompted for authentication,

That's pretty much it.
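The firewall side of steps 7 to 9, as an added example that is not part of any post in this thread: the `aaa authentication match` rule from the earlier reply, pointed at a RADIUS server group for the ACS host instead of `LOCAL`. It assumes PIX/ASA 7.x-style syntax; the group name `ACS_RSA`, the interface name `inside`, the addresses and the shared secret are placeholders.

```cisco
! Constructed example (PIX/ASA 7.x-style syntax). The group name ACS_RSA, the
! interface name, the addresses and the key are placeholders, not thread values.

! Server group for the Cisco ACS host; ACS relays the passcode to RSA SecurID.
aaa-server ACS_RSA protocol radius
aaa-server ACS_RSA (inside) host 192.0.2.10
 key <radius-shared-secret>
 ! Leave room for the ACS -> SecurID round trip before the firewall retries.
 timeout 15

! Traffic that must authenticate before it is passed (inside hosts -> HTTP).
access-list HTTP_authentication extended permit tcp 10.1.1.0 255.255.255.0 any eq www

! Prompt on matching traffic and validate against ACS_RSA instead of LOCAL.
aaa authentication match HTTP_authentication inside ACS_RSA

! Have the browser submit the username and passcode to the firewall over HTTPS
! instead of cleartext HTTP.
aaa authentication secure-http-client

! Lifetime of a cached authentication. The cache is keyed on source IP, so
! every user behind one address shares it until this timer expires.
timeout uauth 0:05:00 absolute
```

The same RADIUS shared secret has to be entered for this firewall's AAA client entry on the ACS server.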
