Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

AAA Authorization with RADIUS and RSA SecurID Authentication Manager

Hi there.

I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support native SecurID (SDI) protocol. With the older RSA SecurID deployment version, it supported TACACS running on the system, now in 8.x it does not.  Myself, along with RSA Support, are having problems getting TACACS working correctly with the new RSA Deployment, so the idea turned to possibly just using RADIUS


I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:


#aaa new-model

#radius-server host timeout 10 retransmit 3 key cisco123!

#aaa authentication login default group radius enable

#aaa authorization exec default group radius local


I have also tried

#aaa authorization exec default group radius if-authenticated local


  • I can successfully authenticate via SSH to User Mode using my SecurID passcode -- however, when I go to enter Priv Exec mode, it wont take the SecurID passcode - I just get an "access denied"
  • I've ran tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I dont get anything
  • I've turned on RADIUS debugging on the IOS device, and I dont get anything either
  • I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis."  -- not sure if this is related to my issue?
  • I'm beginning to wonder if IOS/AAA cant pass authorization-exec process to RSA SecurID