07-16-2007 05:58 AM - edited 03-10-2019 03:16 PM
Hi,
I'm trying to configure AAA to access our ASA box. I've got an RSA SecurID applicance with the Steel Belted Radius running. I have set up SSH access and telnet access without any problems.
However, when I try to access it via HTTP or with the ASDM, it will not authenticate. I've enabled the http server and added the proper commands, but what actually happens is when I try to log on through HTTP, it sends out 2 RADIUS requests, 1 immediately after the other. So the first one gets accepted, and the 2nd one gets rejected. I believe it's because you can't authenticate twice with the same tokencode on the RSA, hence why the 2nd request is being rejected. But it shouldn't be sending 2 requests in the first place.
This doesn't happen through SSH.
I've attached a log of the connection flow through the FW...
Any help greatly appreciated!
07-16-2007 07:25 AM
Hi,
ASDM will not work with RSA Token Server generated passwords. RSA Token Server generated passwords are one time use only. They get expired after first usage. ASDM uses Java which caches authentication when logged in initially. For all subsequent http transactions from ASDM, Java uses cached authentication information while communicating with device. Each action from ASDM to device is an independent http transaction involving entire SSL handshake, but as Java uses its cached authentication information users don't have to enter them again.
ASDM will only work if authentication mechanism configured uses persistent passwords. One-Time Password (OTP) mechanisms do not work with ASDM.
Try testing http authentication with a local user account in the Radius server and check results.
Hope this helps.
Soumya
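As an added illustration (not code from the thread, the ASA, ASDM or RSA), the following Python model shows the mechanism Soumya describes: a RADIUS-style back end that accepts each tokencode only once, an SSH-style client that authenticates once, and an ASDM-style client that re-sends its cached credential on every HTTP transaction. The user names, tokencode and password are constructed sample values; the persistent-password account stands in for the local Radius test account suggested above.

```python
"""Constructed model: single-use tokencodes vs. a client that re-sends cached
credentials per HTTP transaction. Not ASA, ASDM or RSA code."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class TokenServer:
    """Stand-in for the RADIUS/RSA back end.
    otp_users: single-use tokencodes; static_users: persistent passwords."""
    otp_users: dict[str, str]
    static_users: dict[str, str]
    used_codes: set[tuple[str, str]] = field(default_factory=set)

    def access_request(self, user: str, credential: str) -> bool:
        """True models Access-Accept, False models Access-Reject."""
        if user in self.static_users:
            return self.static_users[user] == credential
        if self.otp_users.get(user) != credential:
            return False
        if (user, credential) in self.used_codes:
            return False  # tokencode already consumed: second use is rejected
        self.used_codes.add((user, credential))
        return True


def ssh_login(server: TokenServer, user: str, credential: str) -> list[bool]:
    """SSH: one session, one RADIUS Access-Request."""
    return [server.access_request(user, credential)]


def asdm_session(server: TokenServer, user: str, credential: str,
                 transactions: int) -> list[bool]:
    """ASDM: every HTTP transaction replays the cached credential, so the
    device sends one Access-Request per transaction."""
    return [server.access_request(user, credential) for _ in range(transactions)]


def demo() -> dict[str, list[bool]]:
    """Run the three scenarios on fresh servers (constructed sample values)."""
    otp = {"alice": "123456"}          # hypothetical tokencode
    static = {"svc": "Pa55w0rd"}       # hypothetical persistent password
    return {
        "ssh_otp": ssh_login(TokenServer(otp, static), "alice", "123456"),
        "asdm_otp": asdm_session(TokenServer(otp, static), "alice", "123456", 2),
        "asdm_static": asdm_session(TokenServer(otp, static), "svc", "Pa55w0rd", 3),
    }
```

The ASDM-with-OTP case yields accept then reject, which is the two-request pattern seen in the original log; the persistent-password account succeeds on every transaction.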