Cisco Support Community
New Member

ASA access through RSA SecurID w/ RADIUS

Hi,

I'm trying to configure AAA to access our ASA box. I've got an RSA SecurID appliance with the Steel Belted Radius running. I have set up SSH access and telnet access without any problems.

However, when I try to access it via HTTP or with the ASDM, it will not authenticate. I've enabled the http server and added the proper commands, but what actually happens is when I try to log on through HTTP, it sends out 2 RADIUS requests, 1 immediately after the other. So the first one gets accepted, and the 2nd one gets rejected. I believe it's because you can't authenticate twice with the same tokencode on the RSA, hence why the 2nd request is being rejected. But it shouldn't be sending 2 requests in the first place.

This doesn't happen through SSH.

I've attached a log of the connection flow through the FW...

Any help greatly appreciated!

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: ASA access through RSA SecurID w/ RADIUS

Hi,

ASDM will not work with RSA Token Server generated passwords. RSA Token Server generated passwords are one time use only. They get expired after first usage. ASDM uses Java which caches authentication when logged in initially. For all subsequent http transactions from ASDM, Java uses cached authentication information while communicating with the device. Each action from ASDM to device is an independent http transaction involving the entire SSL handshake, but as Java uses its cached authentication information users don't have to enter them again.

ASDM will only work if the authentication mechanism configured uses persistent passwords. One-Time Password (OTP) mechanisms do not work with ASDM.

Try testing http authentication with a local user account in the Radius server and check results.

Hope this helps.

Soumya
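The double-request pattern described in the question (an ACCEPT followed almost immediately by a REJECT for the same user from the same device) is easy to spot in the RADIUS server's log once you know what to look for. The script below is an added example written for this thread, not code from Cisco, RSA or the original posters: it parses a constructed, syslog-style log format (the field names nas=, user= and result= are an assumption made here, not the real RSA or Steel Belted Radius log layout) and flags a rejected request that follows an accepted one for the same user and NAS within a short window, which is what a cached one-time tokencode being replayed looks like on the server side.

```python
"""Flag back-to-back RADIUS authentication attempts that look like a replayed OTP.

Added example for the thread above, not from the original post or from any
vendor. The log format is constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Assumed log layout: "<date> <time> nas=<ip> user=<name> result=ACCEPT|REJECT"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"nas=(?P<nas>\S+) user=(?P<user>\S+) result=(?P<result>ACCEPT|REJECT)$"
)

# Constructed sample log. The two jdoe lines at 09:15:01 mimic the ASDM
# behaviour from the question: first request accepted, the immediate second
# request (same tokencode) rejected. bkim's reject ten seconds later is a
# separate failed login and should not be flagged.
SAMPLE_LOG = """\
2009-03-10 09:15:01 nas=10.0.0.1 user=jdoe result=ACCEPT
2009-03-10 09:15:01 nas=10.0.0.1 user=jdoe result=REJECT
2009-03-10 09:16:30 nas=10.0.0.1 user=asmith result=ACCEPT
2009-03-10 09:20:05 nas=10.0.0.1 user=jdoe result=ACCEPT
2009-03-10 09:20:06 nas=10.0.0.2 user=jdoe result=ACCEPT
2009-03-10 09:30:00 nas=10.0.0.1 user=bkim result=ACCEPT
2009-03-10 09:30:10 nas=10.0.0.1 user=bkim result=REJECT
"""


@dataclass
class AuthEvent:
    ts: datetime
    nas: str
    user: str
    accepted: bool


def parse_log(text):
    """Parse log lines into AuthEvent objects, skipping lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append(AuthEvent(
            ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            nas=m["nas"],
            user=m["user"],
            accepted=(m["result"] == "ACCEPT"),
        ))
    return events


def find_replayed_otp(events, window=timedelta(seconds=5)):
    """Return (accepted, rejected) pairs where the same user on the same NAS
    is rejected within `window` of being accepted. A reject that close on
    the heels of an accept is the signature of a one-time code being reused
    by a client that caches credentials, rather than a mistyped password."""
    findings = []
    last_accept = {}
    for ev in sorted(events, key=lambda e: e.ts):  # stable sort keeps log order
        key = (ev.nas, ev.user)
        prev = last_accept.get(key)
        if prev is not None and not ev.accepted and ev.ts - prev.ts <= window:
            findings.append((prev, ev))
        if ev.accepted:
            last_accept[key] = ev
    return findings


if __name__ == "__main__":
    for ok, bad in find_replayed_otp(parse_log(SAMPLE_LOG)):
        print(f"{bad.ts} {bad.user}@{bad.nas}: reject {bad.ts - ok.ts} after accept "
              f"(likely reused OTP from a credential-caching client)")
```

Run it against an export of the RADIUS server's authentication log in the assumed format (or adjust LOG_RE to the real one). A hit for a user whose only NAS is the ASA's management address, lined up with an ASDM or HTTP login on the firewall, confirms the explanation in the accepted answer; the window size is a heuristic and should be tuned to how quickly the client re-authenticates.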
