04-16-2009 06:15 AM
Hi All,
Can anyone provide me with a link or documentation on how to integrate Cisco routers with RSA tokens?
Thanks for the help.
Jean
04-16-2009 07:27 AM
Jean
If you are looking for a way to have IOS routers authenticate directly with an RSA token server, I do not believe that this is supported. You should be able to get authentication on the router using RSA tokens by configuring aaa authentication on the router to go to an authentication server (perhaps ACS) which would use RSA as an external authentication service.
HTH
Rick
04-16-2009 07:38 AM
Hi Rick,
Do you mean that I will still be able to use the token in the scenario that you have mentioned even if I am not authenticating directly with an RSA token server? Is there any link that describes and explains how to configure it?
Thanks
04-16-2009 08:01 AM
Jean
Yes you can use the RSA tokens to authenticate on the IOS router. But the authentication communication is not directly from the router to the RSA server. The router should use Radius to an authentication server like ACS, and the authentication server is acting as the RSA client.
This link discusses how to set it up on ACS:
HTH
Rick
04-16-2009 08:17 AM
Rick,
The link that you have provided seems pretty good, but what about the configuration on the router? The document doesn't mention anything.
Can you please help?
Thanks
04-16-2009 09:41 AM
Jean
The router would be a straightforward configuration of authentication using Radius. It might look something like this:
aaa authentication login default group radius line
aaa authentication enable default group radius enable
and configure the radius server something like this:
radius-server host <radius-server-ip> key <shared-key>
HTH
Rick
04-16-2009 09:53 AM
Just set up your router to use the CiscoSecure ACS server as your radius server. One uses the standard commands on the router - e.g.:
"The following example shows how to configure the router to authorize using RADIUS:
aaa new-model
aaa authorization exec default group radius if-authenticated
aaa authorization network default group radius
radius-server host ip
radius-server key "
(from the Cisco IOS Security Configuration Guide - http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_authorizatn_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1001170 )
The router (or switch) only knows that it's using external authentication (your ACS server). It's the credentials you present at login time that the ACS server uses in passing your user-provided tokencode to the RSA server. The router is just passing your credentials along and waiting for access authorization to be returned from the ACS server.
Hope this helps. Please rate helpful posts.
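A consolidated router-side configuration along the lines of the two replies above, as an added example that is not part of the original thread or of Cisco's documentation. The angle-bracket values, the `localadmin` account, the `CONSOLE` list name and `Loopback0` are placeholders and assumptions, and `local` is used as the login fallback here instead of `line`.

```cisco
! Added example: every <...> value is a placeholder to fill in.
! Enable the AAA command set; the aaa commands below need it.
aaa new-model
!
! Local fallback account (name is an assumption). It is consulted only
! when no RADIUS server answers, not when the server rejects a passcode.
username localadmin secret <local-fallback-password>
!
! The ACS server is the router's only RADIUS peer; ACS relays the
! passcode to the RSA server. The key must match the shared secret
! configured for this router's AAA client entry in ACS.
radius-server host <acs-ip-address> auth-port 1645 acct-port 1646 key <shared-secret>
radius-server timeout 5
radius-server retransmit 2
!
! Source RADIUS packets from one fixed address so they match the
! AAA client address registered in ACS (interface is an assumption).
ip radius source-interface Loopback0
!
! Login: RADIUS first, local account if the server is unreachable.
aaa authentication login default group radius local
! Exec authorization as quoted from the Cisco guide above.
aaa authorization exec default group radius if-authenticated
!
! Keep the console on local authentication so a RADIUS outage or a
! misconfiguration cannot lock out out-of-band access.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
```

Test a new remote login from a second session before closing the session used to apply the configuration.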
04-16-2009 10:24 AM
OK, thanks for the information. I think I now have enough information to start with.