Anyconnect - Configuring RSA SDI Token to work with Start Before Logon


Thu, 05/26/2011 - 09:25
May 23rd, 2011
User Badges:
  • Cisco Employee,

RSA SecurID software authenticators reduce the number of items a user has to manage for safe and secure access to corporate assets. RSA SecurID Software Tokens residing on a remote device generate a random, one-time-use passcode that changes every 60 seconds. The term SDI stands for Security Dynamics, Inc. technology, which refers to this one-time password generation technology that uses hardware and software tokens.

NOTE: For more information on how to configure the ASA for SDI Taken Inegration, please refer to the previous link. This document addresses what needs to be done on the RSA SecureID software to make it work in pre-login mode.

How it Works?

The first time that a user runs the SecurID desktop application, a token storage database is created on the user’s computer. This database is a container for the tokens imported to the local hard drive. When a user performs a SecurID authentication, the application retrieves the tokencode from the token in the database. The default token storage database is a per-user database, meaning that it contains only those tokens that belong to a specific user of the computer. The per-user database is intended to be used by VPN client applications that are running in the user context.

What needs to be Done?

1. Install in single database mode: When using SecureID app with the SBL feature in Anyconnect, the user logs on to the VPN client before loggin on to Windows. Thus the user context is not known. Therefore, the SecurID desktop application cannot locate the user’s token.In this scenario, the user must configure the installation to create a single database that contains all of the tokens stored on the hard drive. To create a single database, you must install the desktop application from the msiexec command line, using the SETSINGLEDATABASE property. This property creates a single database in the All Users directory. When the user starts prelogon to the VPN client, for example, the VPN client retrieves a token from All Users.

2. Set VpnMode Policy: If you are using windows XP then you will also have to ensure that VpnMode policy is set. This policy ensures that the CISCO Vpn Client can funtion properly on XP machines when users log on to VPN client applciation with tokens stored on a TPM or a biometric device.

Points to note with using SecureID in single databse mode:

1. Due to the user context issues, the RSA SecurID Software Token for Windows supports prelogon VPN authentication and running the VPN client as a service for only one user who has been issued only one software token. However, the application supports a single user with multiple tokens if the VPN client application provides the option of selecting a token from a list.

2. The SETSINGLEDATABASE property should only be used on single-user machines. Do not use this property if multiple users share a computer, because doing so gives all users access to all tokens stored in the single database.

3. the single database mode is only supported as of RSA SecurID Software Token v4.1. None of the previous versions will work with SBL.

Suggested Reading:

1. ASA and SDI Token (SoftID) Integration

2. RSA SecurID Software Token 4.1 Administrator’s Guide

3. RSA SecurID Ready Implementation Guide

4. Choosing the right version of RSA SecurID® Software Token for Microsoft®Windows®



This Document

Related Content