RSA tokens and AAA

Unanswered Question
Nov 5th, 2008

I have an RSA ACE server and would like to use it for console port and VTY port access. Does AAA support this, and if so, what does the config look like? I have done it with ACS, but would like to try it just going directly to the RSA SecurID server and letting the server pop the login, and then I just poke in my Passcode and Token PIN. Anyone done this yet?

Richard Burts Wed, 11/05/2008 - 14:49

Dane

It is not possible to have the router just go to the RSA ACE server with native tokens for authentication. The protocol used for direct communication for RSA token authentication is not supported in AAA. I have implemented something that is pretty close and I think it would get you pretty much what you want. I have implemented it where routers configure authentication using radius to the RSA server. The RSA server can run radius to talk to the router and then use the token processing on the server to do the authentication. So this does not need ACS and the router is talking directly to the RSA server address. But the router is using radius as the authentication protocol and the server has to make the connection between radius and the token processing.

HTH

Rick
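An added example (not part of Rick's post) of what the router side of the setup he describes looks like on Cisco IOS: AAA on the console and VTY lines pointing RADIUS straight at the RSA server, with no ACS in between. The server address, shared secret and local fallback account are placeholders, and it assumes the router has also been defined on the RSA server as a RADIUS client with the same shared secret, since the server is what maps the RADIUS request onto token processing.

```cisco
! Added example: Cisco IOS AAA using RADIUS directly to the RSA server (no ACS).
! 192.0.2.10 and both secrets are placeholders. The RSA server must have this
! router registered as a RADIUS client using the same key.
aaa new-model
!
! The RSA server is the RADIUS server. 1645/1646 are the IOS defaults; adjust to
! whatever ports the RSA RADIUS service is actually listening on (e.g. 1812/1813).
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key RADIUS-KEY-PLACEHOLDER
! Token prompts (New PIN / Next Tokencode) can add round trips, so allow more time.
radius-server timeout 10
radius-server retransmit 2
!
! Local fallback account so the console is not locked out when the RSA server
! is unreachable. Only used when RADIUS does not respond, not when it rejects.
username admin privilege 15 secret LOCAL-SECRET-PLACEHOLDER
!
! Method list: ask the RSA server over RADIUS first, fall back to the local database.
! At the password prompt the user types the passcode (PIN + tokencode).
aaa authentication login RSA-LOGIN group radius local
!
line con 0
 login authentication RSA-LOGIN
line vty 0 4
 login authentication RSA-LOGIN
```

Because the fallback only triggers on a timeout, a failed token login still gets rejected by the RSA server rather than silently falling through to the local account.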

cisco24x7 Wed, 11/05/2008 - 19:19

Very simple:

1- install RSA Server on host A,

2- install ACS server on host B,

3- create an agent host on host A with host B ip address,

4- copy the sdconf.rec file over to %Windows\system32 directory of host B,

5- install RSA agent software on host B,

6- create RSA user in host A,

7- use the RSA test utility on host B to test authentication from host B over to host A,

8- configure ACS to use RSA SecurID. Read the instruction on cisco web site, in the External database,

9- run log monitor on host A RSA server,

10- try to log into a router,

11- enter the username created in step 6, you should see that you will be able to authenticate with RSA SecurID and ACS integration.

Last but not least, if you use TACACS, you will NOT be able to use Next-PIN mode on RSA Server. Next-PIN mode only works with RADIUS.

Easy right?
