Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

ASA TACACS + SDI (RSA) Authentication and Authorisation

Hi guys

Just wondering if this can be done:

We have a RSA server and TACACS server, all working fine.

We would like to put in 2 factor authentication using our RSA token to manage our ASA box.

Now, I have got the 2 factor authentication working (tested it with SSH to ASA box) but it seems like it allows anyone with an account on the RSA server to login to the box. We don't want this, we want to be able to lock it down to only few accounts.

We also have a TACACS server. Logging in to the ASA box using TACACS local accounts work fine

I understand that authorisation doesn't work with RSA, and one of the suggestions that I received was to add the RSA server into TACACS, create the user groups / users we want and use TACACS for both authentication and authorisation. Is that right? Some pointers would be appreciated :|

Community Member

Re: ASA TACACS + SDI (RSA) Authentication and Authorisation

Basically the Tacacs+ is a AA protocol with authentication and authorisation at the same time. I configured the ASA with the ASDM for the Tacacs use. Therefore you should look for the problem with the timeouts, I had troubles that every 30 sec the RSA user ran into a timeout.

I suggest you that you create a group on the ACS for the firewall admins.

cheers Martin

Community Member

Re: ASA TACACS + SDI (RSA) Authentication and Authorisation

Yep maybe I didn't explain myself very well :) Thank you for your reply, sorry it took this long for me to write back. I'll have a look at the timeout issue, thanks for the heads up. Could be some ports that need to be opened, who knows :)

Community Member

Hello friends,Please allow me

Hello friends,

Please allow me to resurect this old post!

Did you find your answer? My IT manager is asking me to integrate RSA token with our TACACS. Is it possible to add that second factor of authentication for managing my whole network devices?


CreatePlease to create content