04-24-2013 08:10 AM - edited 03-10-2019 08:21 PM
Hi,
I'd like to configure ASDM access to ASA-SM using RSA SecurID authentication.
I've followed instructions in this document: http://www.rsa.com/rsasecured/guides/imp_pdfs/Cisco_ASA_AuthMan7.1.pdf
When I test access from CLI everything looks fine:
asa-vss/admin/act# test aaa-server authentication RSA
Server IP Address or name: xx.xx.xx.xx
Username: testuser
Password: **********
INFO: Attempting Authentication test to IP address <xx.xx.xx.xx> (timeout: 12 seconds)
INFO: Authentication Successful
sh run:
aaa-server RSA protocol sdi
reactivation-mode timed
aaa-server RSA (MGMT) host xx.xx.xx.xx
aaa authentication http console RSA LOCAL
asa-vss/admin/act# sh ver
Cisco Adaptive Security Appliance Software Version 8.5(1)17 <context>
Device Manager Version 6.5(1)
When I try to use ASDM, I'm unable to log in and I can see a lot of authentication error (Token reuse) messages in the RSA server monitor window.
It looks like ASDM 6.5(1) for ASA-SM doesn't support RSA/SDI authentication. Could anyone confirm this? Or am I doing something wrong?
Petr
04-24-2013 12:02 PM
Petr,
In general we support RSA as an authentication mechanism for admins.
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/aaa_servers.html#wp1052971
My suggestion - go up to the latest ASDM 7.0 (it's downward compatible).
But it looks like the problem might be on ASA's side.
debug aaa common 255
is the debug to start with.
You might also consider going to ASA 9.0 :-)
M.
04-24-2013 01:06 PM
Hi Marcin,
Are those versions supported with the ASA service module (Cat6500)?
Petr
04-24-2013 01:14 PM
Petr,
Yes, ASA SM is just a different data plane with the same control plane we are used to.
If in doubt:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asamatrx.html
Under:
ASA 9.0(2) | ASDM 7.1(2). |
Now, just to be completely honest, we'd need to get some debugs to see what's going on. But 8.5 was a proto-release to introduce support for ASA SM.
M.
04-24-2013 02:06 PM
Marcin,
thanks for the useful link.
ASA 8.5(1) | ASDM 6.5(1). | No | No | No | No | No | No | YES | No |
According to the document, this is the only ASA 8.X option for ASA-SM.
The other choice is to upgrade to ASA 9.X.
It looks like ASDM 6.5(1) is the only choice (there is no "and later" in the ASDM column) if I don't want to upgrade to ASA 9.X.
Petr
04-24-2013 11:37 PM
Petr,
Obviously, it's up to you :-)
What I would suggest, though, is to divide and conquer the problem,
i.e. check if SSH is also affected,
check if HTTP has problems when using LOCAL, etc.
Same debug applies, the SDI debugs are not that useful for non-developer folks.
M.
04-25-2013 12:17 AM
Hi Marcin,
I appreciate your help. But I'd like to avoid deeper troubleshooting of this box, because it is deployed in a production network.
It would be useful for me if someone who has practical experience with this design could tell me:
"Yes, http authentication works with SDI on ASASM with this version of ASDM" or "No, this is not supported in this version of ASA/ASDM"
Anyway, thanks for your suggestions.
Petr
10-20-2015 02:42 PM
I have the same issue as well with ASA-5545 running Version 9.2(2)4 in multi-context mode and ASDM Version 7.5(1). Anyone found a working solution?
04-26-2013 06:28 AM
Response from Cisco TAC:
Unfortunately the OTP authentication for ASDM is not supported on FWSM or ASASM. This is only for ASA5500 series currently.
04-26-2013 06:36 AM
Petr,
Can you give me the case number? I'm hoping the engineer filed a documentation bug at least.
M.
04-26-2013 06:50 AM
I've sent it via internal message
P.
07-09-2018 12:12 AM
Hi Guys,
I would like to ask if this still holds true. Is RSA SecurID authentication with ASDM still supported on ASA-SM?
Regards,
Jayson