https://community.cisco.com/t5/network-access-control/web-authentication-with-rsa-secureid-on-a-cisco-switch/m-p/1878625#M267719 <HTML><HEAD></HEAD><BODY><P>yep that's spot on</P><P>I needed to modify it a bit for our setup, but it looks a bit like this</P><P></P><P>aaa cache profile httpauth</P><P> all</P><P></P><P>aaa group server radius webrad_grp</P><P>&nbsp; server 10.10.0.30 auth-port 1812 acct-port 1813</P><P>&nbsp; cache expiry 1</P><P>&nbsp; cache authorization profile httpauth</P><P>&nbsp; cache authentication profile httpauth</P><P>!</P><P></P><P>aaa authentication login httpauth cache webrad_grp group webrad_grp</P><P>aaa authorization exec httpauth cache webrad_grp group webrad_grp</P><P>aaa authorization network httpauth cache webrad_grp group webrad_grp</P><P></P><P>ip http secure-server</P><P>ip http authentication aaa login-authentication httpauth</P><P>ip http authentication aaa exec-authorization httpauth</P><P></P><P>it remembers the credentials for an hour or so</P><P>to reset them for http access (since the token changes all the time) all I need to do is</P><P></P><P>clear aaa cache group webrad_grp all</P></BODY></HTML> Mon, 13 Feb 2012 11:12:29 GMT support 2012-02-13T11:12:29Z https://community.cisco.com/t5/network-access-control/web-authentication-with-rsa-secureid-on-a-cisco-switch/m-p/1878623#M267691 <P>Hi,</P><P>I've recently been looking into linking in our Cisco 2960S Gb Switch with RSA SecureID via Radius</P><P>I've already managed to link it in for ssh access</P><P></P><P>but I've not managed to get it working for http / web access to the switch</P><P>I think this is because we're using "single use" tokens for maximum security with RSA SecureID</P><P>and the web interface attempts to authenticate multiple times against the Radius part of the RSA SecureID server</P><P>(okay on the first authentication, but each time after it's going to want a different token code)</P><P></P><P>I was wondering if anyone knew a way around this? (if there's a way to get the switch to just authenticate once instead of multiple times against the radius server)</P><P></P><P>For info the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2</P> Mon, 11 Mar 2019 01:47:47 GMT https://community.cisco.com/t5/network-access-control/web-authentication-with-rsa-secureid-on-a-cisco-switch/m-p/1878623#M267691 support 2019-03-11T01:47:47Z https://community.cisco.com/t5/network-access-control/web-authentication-with-rsa-secureid-on-a-cisco-switch/m-p/1878624#M267698 <HTML><HEAD></HEAD><BODY><P>Hello Chris,</P><P></P><P>Can you test the following configuration?</P><P></P><P>aaa group server radius webtac_grp</P><P> server <RADIUS-SERVER-IP></RADIUS-SERVER-IP></P><P> cache expiry 1</P><P> cache authorization profile httpauth</P><P> cache authentication profile httpauth</P><P>!</P><P>aaa authentication login httpauth cache webtac_grp group webtac_grp</P><P>aaa authorization exec httpauth cache webtac_grp group webtac_grp</P><P>aaa authorization network httpauth cache webtac_grp group webtac_grp</P><P></P><P>aaa cache profile httpauth</P><P> all</P><P></P><P>ip http server</P><P>ip http authentication aaa login-authentication httpauth</P><P>ip http authentication aaa exec-authorization httpauth</P><P></P><P>radius-server host <RADIUS-SERVER-IP> key ******</RADIUS-SERVER-IP></P><P></P><P>I know for sure the above configuration works when using TACACS+ instead of RADIUS in order to avoid the multiple prompts due to the JAVA Applets authentication when accessing the IOS GUI. I have not tested it against RSA acting as backend Authentication server.</P><P></P><P>NOTE: As "aaa authorization exec" is configured the RSA should be sending Attribute Service-Type with value Administrative for it to work as expected.</P><P></P><P>If this was helpful please rate.</P><P></P><P>Regards.</P></BODY></HTML> Wed, 08 Feb 2012 19:42:43 GMT https://community.cisco.com/t5/network-access-control/web-authentication-with-rsa-secureid-on-a-cisco-switch/m-p/1878624#M267698 camejia 2012-02-08T19:42:43Z https://community.cisco.com/t5/network-access-control/web-authentication-with-rsa-secureid-on-a-cisco-switch/m-p/1878625#M267719 <HTML><HEAD></HEAD><BODY><P>yep that's spot on</P><P>I needed to modify it a bit for our setup, but it looks a bit like this</P><P></P><P>aaa cache profile httpauth</P><P> all</P><P></P><P>aaa group server radius webrad_grp</P><P>&nbsp; server 10.10.0.30 auth-port 1812 acct-port 1813</P><P>&nbsp; cache expiry 1</P><P>&nbsp; cache authorization profile httpauth</P><P>&nbsp; cache authentication profile httpauth</P><P>!</P><P></P><P>aaa authentication login httpauth cache webrad_grp group webrad_grp</P><P>aaa authorization exec httpauth cache webrad_grp group webrad_grp</P><P>aaa authorization network httpauth cache webrad_grp group webrad_grp</P><P></P><P>ip http secure-server</P><P>ip http authentication aaa login-authentication httpauth</P><P>ip http authentication aaa exec-authorization httpauth</P><P></P><P>it remembers the credentials for an hour or so</P><P>to reset them for http access (since the token changes all the time) all I need to do is</P><P></P><P>clear aaa cache group webrad_grp all</P></BODY></HTML> Mon, 13 Feb 2012 11:12:29 GMT https://community.cisco.com/t5/network-access-control/web-authentication-with-rsa-secureid-on-a-cisco-switch/m-p/1878625#M267719 support 2012-02-13T11:12:29Z