Integration with RSA Token

Unanswered Question
May 24th, 2009

Hi,

I would like to know if it's possible and supported to have authentication to a router using double authentication using a token (PIN code + password). The attached document doesn't describe this well enough.

I am being told that RSA supports only the VPN access.

Please advise.


Thanks in advance.


Jean



Richard Burts Mon, 05/25/2009 - 07:02

Jean


It is possible to authenticate user access on a Cisco IOS router using RSA tokens to authenticate. I have done this numerous times and it works. But the IOS router does not communicate directly with the RSA authentication server (it does not use the RSA mode natively). The IOS router would communicate with a RADIUS server (using the RADIUS set of protocols) and the RADIUS server would pass the authentication request to RSA for processing.


Some Cisco VPN devices (the C3000 series VPN concentrator and the ASA5500 series) do have the ability to communicate directly with RSA (in native mode). But the Cisco IOS router does not do this. It might be helpful to realize that in configuring authentication on the Cisco IOS router, the alternatives supported are TACACS, RADIUS, and local resources.


So if your objective is to authenticate users on Cisco IOS routers using RSA tokens then it does work (and could be for remote access like telnet and SSH or could be for VPN remote access). But if your objective is to have the router communicate directly with RSA for authentication then it does not work.


HTH


Rick

jeansamarani Mon, 05/25/2009 - 10:27

Rick,


Thanks for the clarification. Is there any documentation on Cisco that can be helpful?


Regards,


Jean

Marvin Rhoads Mon, 05/25/2009 - 11:45

Cisco's TACACS+/RADIUS server is the Cisco Secure Access Control Server (ACS) product. It is available as an appliance or as a software product. Version 4.2 is the latest version. Here is a link to the User Guide:


http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/ACS4_2UG.html


and the data sheet:


http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps2086/data_sheet_c78-453387.html


As mentioned earlier, integration with an RSA SecurID token-based authentication method is via the TACACS+/RADIUS server as the authentication broker. Your routers and switches are set for external authentication to the ACS server. The ACS server, in turn, looks to the RSA server for one-time password verification. See the deployment guide at:


http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps2086/prod_white_paper0900aecd80737943.pdf


for more information.
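
An added example, not part of the thread and not taken from Cisco's documentation: a minimal IOS AAA configuration for the arrangement described in the replies above, where the router sends login requests to a RADIUS server (such as ACS) and that server checks the one-time password with RSA. The server address 192.0.2.10, the method-list name VTY-RSA, the account name fallback-admin and the bracketed secrets are placeholders.

```cisco
! Added illustration; address, names and secrets are placeholders.
! The router only speaks RADIUS. The RADIUS server (for example ACS)
! forwards the token passcode to the RSA server for verification.
aaa new-model
!
! Local account kept for the case where the RADIUS server is unreachable.
username fallback-admin privilege 15 secret <local-fallback-password>
!
! RADIUS server that brokers the request to RSA.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
!
! Try RADIUS first. "local" is used only when the server does not
! respond; an explicit reject from the server ends the login attempt.
aaa authentication login VTY-RSA group radius local
!
! Apply the method list to remote terminal access, SSH only.
ip ssh version 2
line vty 0 4
 login authentication VTY-RSA
 transport input ssh
```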
