Cisco routers Integration with RSA token

Unanswered Question
Apr 16th, 2009

Hi All,

Can anyone provide me with a link or documentation on how to integrate Cisco routers with RSA tokens?

Thanks for the help.


Richard Burts Thu, 04/16/2009 - 07:27


If you are looking for a way to have IOS routers authenticate directly with an RSA token server, I do not believe that this is supported. You should be able to get authentication on the router using RSA tokens by configuring aaa authentication on the router to go to an authentication server (perhaps ACS) which would use RSA as an external authentication service.



jeansamarani Thu, 04/16/2009 - 07:38

Hi Rick,

Do you mean that I will still be able to use the token in the scenario that you have mentioned, even if I am not authenticating directly with an RSA token server? Is there any link that describes and explains how to configure it?


Richard Burts Thu, 04/16/2009 - 08:01


Yes, you can use the RSA tokens to authenticate on the IOS router. But the authentication communication is not directly from the router to the RSA server. The router should use RADIUS to an authentication server like ACS, and the authentication server is acting as the RSA client.

This link discusses how to set it up on ACS:



jeansamarani Thu, 04/16/2009 - 08:17


The link that you have provided seems pretty good, but what about the configuration on the router? The document doesn't mention anything.

Can you please help?


Richard Burts Thu, 04/16/2009 - 09:41


The router would be a straightforward configuration of authentication using Radius. It might look something like this:

aaa authentication login default group radius line

aaa authentication enable default group radius enable

and configure the radius server something like this:

radius-server host key



Marvin Rhoads Thu, 04/16/2009 - 09:53

Just set up your router to use the CiscoSecure ACS server as your radius server. One uses the standard commands on the router - e.g.:

"The following example shows how to configure the router to authorize using RADIUS:

aaa new-model

aaa authorization exec default group radius if-authenticated

aaa authorization network default group radius

radius-server host ip

radius-server key "

(from the Cisco IOS Security Configuration Guide - )

The router (or switch) only knows that it's using external authentication (your ACS server). It's the credentials you present at login time that the ACS server uses in passing your user-provided tokencode to the RSA server. The router is just passing your credentials along and waiting for access authorization to be returned from the ACS server.

Hope this helps. Please rate helpful posts.
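
A fuller router-side sketch of what the replies above describe, added here as an example and not taken from any poster or from Cisco documentation: the router speaks only RADIUS to the ACS server, and ACS relays the passcode to the RSA server. The address 192.0.2.10, the ports, the timeout values, Loopback0, the fallback-admin account and the bracketed secrets are placeholders or assumptions to replace with your own values.

```cisco
! Added example. All addresses, names and secrets below are placeholders.
aaa new-model
!
! Local fallback so the router stays manageable if ACS is unreachable.
! The "local" and "enable" methods are tried only when the RADIUS server
! does not respond, not when it rejects a passcode.
username fallback-admin privilege 15 secret <LOCAL-FALLBACK-SECRET>
enable secret <LOCAL-ENABLE-SECRET>
!
! ACS server acting as the RADIUS server (and as the RSA client).
! The ports must match what the ACS server listens on (assumed 1812/1813).
! The key must match the shared secret of this router's AAA client entry.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
!
! ACS has to consult the RSA server before it can answer, so allow more
! time than the default before the router gives up (values are assumptions).
radius-server timeout 10
radius-server retransmit 2
!
! Send RADIUS from one stable address so it matches the AAA client entry
! on ACS (assumes Loopback0 exists and is reachable from ACS).
ip radius source-interface Loopback0
!
! Login: RADIUS first, local account if the server does not answer.
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius if-authenticated
!
! Apply to remote sessions. Assumes SSH is already enabled on the router,
! so PINs and tokencodes are not typed over a cleartext Telnet session.
line vty 0 4
 login authentication default
 transport input ssh
```

Keep an existing console or VTY session open while testing a new login, so a mistake in the method list does not lock you out of the router.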

jeansamarani Thu, 04/16/2009 - 10:24

OK, thanks for the information. I think I now have enough information to start with.

