
New Member

RSA tokens and AAA

I have an RSA ACE server and would like to use it for console port and VTY port access. Does AAA support this, and if so, what does the config look like? I have done it with ACS, but would like to try it just going directly to the RSA SecurID server and letting the server pop the login, and then I just poke in my passcode and token PIN. Anyone done this yet?

Hall of Fame Super Silver

Re: RSA tokens and AAA


It is not possible to have the router just go to the RSA ACE server with native tokens for authentication. The protocol used for direct communication for RSA token authentication is not supported in AAA. I have implemented something that is pretty close and I think it would get you pretty much what you want. I have implemented it where routers configure authentication using RADIUS to the RSA server. The RSA server can run RADIUS to talk to the router and then use the token processing on the server to do the authentication. So this does not need ACS and the router is talking directly to the RSA server address. But the router is using RADIUS as the authentication protocol and the server has to make the connection between RADIUS and the token processing.
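A sketch of the router side of the RADIUS approach described in the reply above, as an added example that is not part of the original post. It assumes IOS 15-style `radius server` syntax; the server address (a documentation-range placeholder), the names `RSA-SECURID`, `RSA-GROUP`, `RSA-LOGIN` and `fallback-admin`, the ports and the timer values are all assumptions, and the secrets are placeholders.

```cisco
! Added example; every name, address and value below is an assumption.
aaa new-model
!
! Local account used only when the RADIUS server does not answer,
! so a server outage does not lock out the console.
username fallback-admin privilege 15 secret <LOCAL-FALLBACK-SECRET>
!
! RADIUS listener on the RSA server (192.0.2.10 is a placeholder).
radius server RSA-SECURID
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <RADIUS-SHARED-SECRET>
 ! Allow the server time to process the token before the router retries.
 timeout 10
 retransmit 2
!
aaa group server radius RSA-GROUP
 server name RSA-SECURID
!
! RADIUS first; "local" is consulted only on timeout or error,
! not when the server rejects the passcode.
aaa authentication login RSA-LOGIN group RSA-GROUP local
!
! Apply the same method list to console and VTY logins.
line con 0
 login authentication RSA-LOGIN
line vty 0 4
 login authentication RSA-LOGIN
```

The router must also be registered on the RSA server as a RADIUS client with the same shared secret, and it is worth keeping an existing session open while testing a new login so a mistake in the method list can be backed out.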




Re: RSA tokens and AAA

Very simple:

1- install RSA Server on host A,
2- install ACS server on host B,
3- create an agent host on host A with host B IP address,
4- copy the sdconf.rec file over to %Windows\system32 directory of host B,
5- install RSA agent software on host B,
6- create RSA user in host A,
7- use the RSA test utility on host B to test authentication from host B over to host A,
8- configure ACS to use RSA SecurID. Read the instructions on the Cisco web site, in the External database,
9- run log monitor on host A RSA server,
10- try to log into a router,
11- enter the username created in step 6, you should see that you will be able to authenticate with RSA SecurID and ACS

Last but not least, if you use TACACS, you will NOT be able to use Next-PIN mode on RSA Server. Next-PIN mode only works with

Easy, right?
