05-24-2009 10:13 PM
Hi,
I would like to know if it's possible and supported to have authentication to a router using double authentication using a token (PIN code + password). The attached document doesn't describe this well enough.
I am being told that RSA supports only the VPN access.
Please advise.
Thanks in advance.
Jean
05-25-2009 07:02 AM
Jean
It is possible to authenticate user access on a Cisco IOS router using RSA tokens to authenticate. I have done this numerous times and it works. But the IOS router does not communicate directly with the RSA authentication server (it does not use the RSA mode natively). The IOS router would communicate with a Radius server (using the Radius set of protocols) and the Radius server would pass the authentication request to RSA for processing.
Some Cisco VPN devices (the C3000 series VPN concentrator and the ASA5500 series) do have the ability to communicate directly with RSA (in native mode). But the Cisco IOS router does not do this. It might be helpful to realize that in configuring authentication on the Cisco IOS router that the alternatives supported are TACACS, Radius, and local resources.
So if your objective is to authenticate users on Cisco IOS routers using RSA tokens then it does work (and could be for remote access like telnet and SSH or could be for VPN remote access). But if your objective is to have the router communicate directly with RSA for authentication then it does not work.
HTH
Rick
05-25-2009 10:27 AM
Rick,
Thanks for the clarification. Is there any documentation on Cisco that can be helpful?
Regards,
Jean
05-25-2009 11:45 AM
Cisco's TACACS+/RADIUS server is the Cisco Secure Access Control Server (ACS) product. It is available as an appliance or as a software product. Version 4.2 is the latest version. Here is a link to the User Guide:
and the data sheet:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps2086/data_sheet_c78-453387.html
As mentioned earlier, integration with an RSA SecurID token-based authentication method is via the TACACS+/RADIUS server as the authentication broker. Your routers and switches are set for external authentication to the ACS server. The ACS server, in turn, looks to the RSA server for one-time password verification. See the deployment guide at:
for more information.
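
The router side of the setup described in this thread, as an added example that is not taken from any of the posts or from Cisco documentation: a classic IOS AAA configuration that sends login requests to a RADIUS server, which is then responsible for relaying the passcode to the RSA server. The server address (192.0.2.10), ports, shared secret, local username, list name CONSOLE and the timeout value are all placeholders or assumptions.

```cisco
! Added example: every address, secret and name below is a placeholder.
aaa new-model
!
! Local account. The "local" method is tried only when the RADIUS
! server does not answer, not when it rejects a login.
username localadmin privilege 15 secret <LOCAL-FALLBACK-SECRET>
!
! RADIUS server (for example ACS) acting as the broker in front of RSA.
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <SHARED-SECRET>
! Assumption: allow extra time for the RADIUS-to-RSA round trip.
radius-server timeout 10
radius-server retransmit 2
!
! Remote logins: RADIUS first, local account if the server is unreachable.
aaa authentication login default group radius local
! Console stays on local credentials so a broker outage cannot lock you out.
aaa authentication login CONSOLE local
!
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
```

With this in place the user enters the PIN and token code at the router's password prompt; the router only sees an accept or reject from the RADIUS server.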