
Cisco IOS with Securid

s.nicholls
Level 1

Does anyone know how you can secure dial-up connections into a Cisco 3620 router using RSA SecurID? We currently use a RADIUS server which works fine, but we want to extend this to use SecurID.

10 Replies

Richard Burts
Hall of Fame

A customer I work with is doing this between a group of AS5350 routers and a TACACS server. I would assume it would be quite similar for RADIUS. I have configured the router to authenticate telnet and SSH access with one authentication method and to authenticate dial access with a different authentication method. The dial access authentication method sends the authentication request to the TACACS server. The TACACS server is configured so that the authentication data is in an external source, and it is configured to send the authentication request to the RSA SecurID server. The authentication response from RSA goes to TACACS, which forwards it to the router.

HTH

Rick

paddyxdoyle
Level 6

Hi,

You can authenticate directly to the SecureID server from the router using Radius.

I've got the exact configs somewhere, I'll dig them out if you want.

I think you just need to amend your radius config to point to the Ace server, set up a shared secret between your router and the Ace server.

Then set up your aaa authentication method for ppp

e.g. aaa authentication ppp dial_in group radius

and then bind your AAA statement to your modems

group-async *

ppp authentication pap dial_in

You have to use pap as your authentication method

Rgds

paddyxdoyle
Level 6

Hi,

Here is the config I mentioned earlier.

One RSA server
--------------

aaa new-model
radius-server host 10.1.1.1
radius-server key 0 secret_key
aaa authentication ppp user-radius group radius
interface Group-Async1
 ppp authentication pap user-radius

Two radius servers
------------------

If the first fails or can't be reached then the second will be used

aaa new-model
radius-server host 10.1.1.1 key 0 secret_key
radius-server host 10.2.1.1 key 0 secret_key
aaa authentication ppp user-radius group AceServers group AceServers2
aaa group server radius AceServers
 server 10.1.1.1 auth-port 1645 acct-port 1646
 deadtime 1
aaa group server radius AceServers2
 server 10.2.1.1 auth-port 1645 acct-port 1646
 deadtime 2
interface Group-Async1
 ppp authentication pap user-radius

Thanks

Paddy

Hello. I realize this post has been inactive for a long time, but I had a quick question.

We are in the investigation stages of RSA, and we already use RADIUS for authentication on our AS5350. When RSA comes into play, do we just change our RADIUS statement to point to the RSA server, and the RSA server becomes the RADIUS and RSA server?

Depends.

If you already have a fully featured AAA server (eg Cisco Secure ACS) you might want to stick with that and have it "back end" onto RSA.

You might do this because the RSA RADIUS server is somewhat functionally limited.

ACS for example can back end onto RSA for both RADIUS and TACACS+ authentication and then perform localised authorisation and policy (eg filtering by network access device).

This is a very popular deployment model.

Darran

Darran,

What you're offering with Cisco ACS is complete overkill.

1) In case you don't know, RSA SecurID server version 6.1 also bundles in a Radius server (aka Steelbelt Radius), so it can offer a lot more than the old native RSA radius server in version 5.1 or lower.

2) If you do not want to use Radius on the RSA server due to some requirements, you can use the Microsoft IAS server that is FREE with Microsoft Windows server.

Why pay for a Cisco SecureACS server for functionalities such as a TACACS server that this user does not even need?

my 2c.

We currently use MS IAS, which works fine for us. Sounds like using the RSA server as the RADIUS server would work perfectly, giving us the two-pronged authentication we are looking for.

Thanks again folks, as always this forum has helped a lot.

Think you missed the "If you already..."

Since you're already using MS IAS, what you want to do is to proxy off the Radius connection from the MS IAS to the RSA SecurID server with the Radius server running. That way, you don't have to make changes on the Cisco devices.

Service providers do this all the time. I also use the SecurID RSA server but I proxy the connection from my freeRadius server to the RSA SecurID server and it works like a charm.

Good luck to you.

David

CCIE Security
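As an added illustration that is not from anyone in this thread, the proxy arrangement David describes could look like this in a FreeRADIUS proxy.conf (IAS is configured through its GUI, so the FreeRADIUS form is shown). The server names, addresses, ports, secrets and timing values are assumptions; the RSA side must also list this host as a RADIUS client with the same shared secret. The router keeps pointing at the local RADIUS server, still using PAP as paddyxdoyle notes, since the RSA server needs the cleartext passcode to verify the tokencode.

```conf
# Added example (not from the thread): FreeRADIUS proxy.conf fragment that
# forwards PPP/PAP authentication from the IOS router, via the local RADIUS
# server, to the RADIUS service on the RSA SecurID server.
# Addresses, ports, secrets and timing values below are assumptions.

home_server rsa_primary {
    type   = auth                 # authentication only; accounting stays local
    ipaddr = 10.1.1.1             # assumed RSA server address
    port   = 1812
    secret = rsa_proxy_secret     # distinct from the router <-> RADIUS secret
    # New-PIN and next-tokencode prompts are Access-Challenge round trips that
    # wait on a human, so allow more than the default few seconds.
    response_window = 30
    status_check    = none        # assumes the RSA RADIUS service ignores Status-Server
}

home_server rsa_replica {
    type   = auth
    ipaddr = 10.2.1.1             # assumed replica address
    port   = 1812
    secret = rsa_proxy_secret
    response_window = 30
    status_check    = none
}

# Try the primary first and fall over to the replica if it stops answering,
# mirroring the two-server IOS example earlier in the thread.
home_server_pool rsa_pool {
    type        = fail-over
    home_server = rsa_primary
    home_server = rsa_replica
}

# Dial-in users normally send a bare User-Name with no "@realm" suffix;
# such requests match the NULL realm, which sends them to the RSA pool.
realm NULL {
    auth_pool = rsa_pool
}
```

When both RSA servers are down the proxy returns Access-Reject rather than falling back to local credentials, so the earlier IOS deadtime settings and this fail-over pool are the only resilience in the path.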

We only have one device that would need to be changed, so it wouldn't be a really big deal. Thanks for all the help.