Jatin Katyal
Cisco Employee

    Introduction

    Does the ASA support RSA/SDI and its challenge-mechanisms (PIN modes) for administrative connection authentication for ASDM?

    RSA token/one-time password (OTP) support is available with ASDM only in single routed mode. If the ASA is in single routed mode, you can use OTP with ASDM when running ASA 8.2+ with ASDM 6.2+. We incorporated a "caching" function. Unfortunately, this was accomplished via WebVPN, a feature that is not supported in multi-context mode.

    If the firewall is running in multi-context or transparent mode, it won't work. Below is the enhancement request that was filed for the same feature to be supported in those modes.

    Bug

    CSCtf23419    ASDM OTP authentication support in multi-context and transparent modes

    Symptom: ASDM OTP (one-time-password) authentication support was added in ASA version 8.2 in single-routed-mode only.

    Enhancement Request: Provide ASDM OTP authentication for ASA Firewall transparent mode and multi-context mode.

    Looks like this is currently not updated in the release notes.

    New Features - ASA Version 8.2(1)/ASDM Version 6.2(1)

    Feature category: Remote Access Features

    Feature: One Time Password Support for ASDM Authentication

    Description:

    ASDM now supports administrator authentication using one time passwords (OTPs) supported by RSA SecurID (SDI). This feature addresses security concerns about administrators authenticating with static passwords.

    New session controls for ASDM users include the ability to limit the session time and the idle time. When the password used by the ASDM administrator times out, ASDM prompts the administrator to re-authenticate.

    The following commands were introduced: http server idle-timeout and http server session-timeout. The http server idle-timeout default is 20 minutes, and can be increased up to a maximum of 1440 minutes.

    In ASDM, see Configuration > Device Management > Management Access > ASDM/HTTPD/Telnet/SSH.
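
As an added example (not Cisco's code and not part of the original document), this Python script checks saved `show running-config` and `show mode` output against the prerequisites described above: ASA 8.2+, single routed mode, SDI-backed ASDM authentication, and the two session timers. The `aaa-server ... protocol sdi` and `aaa authentication http console` line formats, the `show mode` wording, the group name `RSA_SDI` and both sample configs are assumptions of this example.

```python
import re

IDLE_DEFAULT_MIN = 20  # default stated in the 8.2(1) release note text above

def audit_asdm_otp(running_config, show_mode):
    """Return a list of findings; empty means the prerequisites above are met."""
    findings = []
    def find(pattern):
        return re.search(pattern, running_config, re.M)

    # OTP for ASDM needs ASA 8.2 or later; the config header carries the version.
    ver = find(r"^ASA Version (\d+)\.(\d+)")
    if not ver or (int(ver.group(1)), int(ver.group(2))) < (8, 2):
        findings.append("ASA version below 8.2 or not found")
    # Supported in single routed mode only (enhancement request CSCtf23419).
    if find(r"^firewall transparent\b"):
        findings.append("transparent mode: ASDM OTP not supported")
    if re.search(r"context mode:\s*multiple", show_mode, re.I):
        findings.append("multi-context mode: ASDM OTP not supported")
    # ASDM (HTTP) logins must use an aaa-server group that speaks SDI.
    sdi_groups = set(re.findall(r"^aaa-server (\S+) protocol sdi\b", running_config, re.M))
    auth = find(r"^aaa authentication http console (\S+)")
    if not auth:
        findings.append("no 'aaa authentication http console' line")
    elif auth.group(1) not in sdi_groups:
        findings.append(f"ASDM authenticates against {auth.group(1)}, not an SDI group")
    # Session controls: flagging these two is this example's policy choice.
    idle = find(r"^http server idle-timeout (\d+)")
    if idle and int(idle.group(1)) > IDLE_DEFAULT_MIN:
        findings.append(f"idle-timeout raised to {idle.group(1)} minutes")
    if not find(r"^http server session-timeout \d+"):
        findings.append("http server session-timeout not set")
    return findings

# Constructed sample inputs, not taken from a real device.
GOOD_CONFIG = """ASA Version 8.2(1)
aaa-server RSA_SDI protocol sdi
aaa-server RSA_SDI (inside) host 192.0.2.10
aaa authentication http console RSA_SDI LOCAL
http server enable
http server idle-timeout 20
http server session-timeout 60
"""
BAD_CONFIG = """ASA Version 8.2(1)
firewall transparent
aaa authentication http console LOCAL
http server idle-timeout 120
"""

if __name__ == "__main__":
    print(audit_asdm_otp(GOOD_CONFIG, "Security context mode: single"))
    for finding in audit_asdm_otp(BAD_CONFIG, "Security context mode: multiple"):
        print("FINDING:", finding)
```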

    Reference
