Web Authentication with RSA SecurID on a Cisco Switch

support (Level 1)

Hi,

I've recently been looking into linking our Cisco 2960S Gb switch to RSA SecurID via RADIUS.

I've already managed to get it working for SSH access, but I've not managed to get it working for HTTP / web access to the switch.

I think this is because we're using "single use" tokens for maximum security with RSA SecurID, and the web interface attempts to authenticate multiple times against the RADIUS part of the RSA SecurID server (OK on the first authentication, but each time after that it's going to want a different token code).

I was wondering if anyone knew a way around this? (Is there a way to get the switch to just authenticate once, instead of multiple times, against the RADIUS server?)

For info, the switch is a WS-C2960S-24TS-L with IOS 15.0(1)SE2.

Accepted Solution

camejia (Level 3)

Hello Chris,

Can you test the following configuration?

aaa group server radius webtac_grp
 server
 cache expiry 1
 cache authorization profile httpauth
 cache authentication profile httpauth
!
aaa authentication login httpauth cache webtac_grp group webtac_grp
aaa authorization exec httpauth cache webtac_grp group webtac_grp
aaa authorization network httpauth cache webtac_grp group webtac_grp
aaa cache profile httpauth
 all
ip http server
ip http authentication aaa login-authentication httpauth
ip http authentication aaa exec-authorization httpauth
radius-server host key ******

I know for sure that the above configuration works when using TACACS+ instead of RADIUS to avoid the multiple prompts caused by the Java applet authentication when accessing the IOS GUI. I have not tested it against RSA acting as the backend authentication server.

NOTE: As "aaa authorization exec" is configured, the RSA server should be sending the attribute Service-Type with value Administrative for it to work as expected.

If this was helpful, please rate.

Regards.


Yep, that's spot on.

I needed to modify it a bit for our setup, but it looks a bit like this:

aaa cache profile httpauth
 all
aaa group server radius webrad_grp
 server 10.10.0.30 auth-port 1812 acct-port 1813
 cache expiry 1
 cache authorization profile httpauth
 cache authentication profile httpauth
!
aaa authentication login httpauth cache webrad_grp group webrad_grp
aaa authorization exec httpauth cache webrad_grp group webrad_grp
aaa authorization network httpauth cache webrad_grp group webrad_grp
ip http secure-server
ip http authentication aaa login-authentication httpauth
ip http authentication aaa exec-authorization httpauth

It remembers the credentials for an hour or so.

To reset them for HTTP access (since the token changes all the time), all I need to do is:

clear aaa cache group webrad_grp all
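As an added example (not from the thread and not Cisco code), here is a small Python lint for the pattern both posts above depend on. Run against the text of `show running-config`, it checks that the web server's login-authentication and exec-authorization method lists try `cache` before `group`, that the server group those lists cache from sets `cache expiry` and points at cache profiles that are actually defined, and that the web UI is served by `ip http secure-server`: the IOS web server uses HTTP Basic authentication, so with plain `ip http server` the PIN+tokencode crosses the wire in cleartext. It also reports how long a cached credential stays reusable, which is the trade-off of this workaround: for the expiry window the one-time tokencode behaves like a static password for the switch. The sample configs are constructed from the two posts (the elided `server` line is kept as posted and the key line is dropped); `lint_http_aaa`, `summarize` and the finding wording are my own.

```python
import re

# Constructed sample: camejia's TACACS+-tested config from the accepted answer,
# with the elided 'server' line left as posted and the RADIUS key line dropped.
ANSWER_CONFIG = """\
aaa group server radius webtac_grp
 server
 cache expiry 1
 cache authorization profile httpauth
 cache authentication profile httpauth
!
aaa authentication login httpauth cache webtac_grp group webtac_grp
aaa authorization exec httpauth cache webtac_grp group webtac_grp
aaa authorization network httpauth cache webtac_grp group webtac_grp
aaa cache profile httpauth
 all
ip http server
ip http authentication aaa login-authentication httpauth
ip http authentication aaa exec-authorization httpauth
"""

# Constructed sample: the OP's working variant differs only in the group name,
# a concrete server line, and serving the web UI over HTTPS.
OP_CONFIG = (ANSWER_CONFIG.replace("webtac_grp", "webrad_grp")
             .replace("\n server\n", "\n server 10.10.0.30 auth-port 1812 acct-port 1813\n")
             .replace("ip http server\n", "ip http secure-server\n"))


def parse_blocks(config):
    """Map each top-level running-config line to its indented sub-commands."""
    blocks, current = {}, None
    for line in (ln.rstrip() for ln in config.splitlines()):
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():
            current, blocks[line] = line, []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def lint_http_aaa(config):
    """Return (severity, message) pairs; severity is 'error', 'warn' or 'info'."""
    blocks, out, groups = parse_blocks(config), [], set()

    def find(pattern):
        return next((m for m in map(lambda t: re.fullmatch(pattern, t), blocks) if m), None)

    # 1. Web-UI login authentication and exec authorization must use method lists
    #    whose first method is 'cache'; otherwise every Java applet request is a new
    #    Access-Request and the second one fails against a single-use tokencode.
    for kind, http_pat, list_pat in (
        ("login", r"ip http authentication aaa login-authentication (\S+)",
         "aaa authentication login {} (.+)"),
        ("exec", r"ip http authentication aaa exec-authorization (\S+)",
         "aaa authorization exec {} (.+)"),
    ):
        m = find(http_pat)
        ml = m and find(list_pat.format(re.escape(m.group(1))))
        toks = ml.group(1).split() if ml else []
        if not toks:
            out.append(("error", f"HTTP {kind} is not bound to a defined AAA method list"))
        elif toks[0] != "cache":
            out.append(("error", f"method list '{m.group(1)}' does not try the cache first"))
        else:
            groups.add(toks[1])

    # 2. Each cached group needs an expiry and cache profiles that really exist.
    for grp in sorted(groups):
        m = find(rf"aaa group server (radius|tacacs\+) {re.escape(grp)}")
        if not m:
            out.append(("error", f"server group '{grp}' is not defined"))
            continue
        body = blocks[m.group(0)]
        exp = next((s.split()[2] for s in body if s.startswith("cache expiry ")), None)
        out.append(("info", f"group '{grp}': a cached PIN+tokencode is accepted again for {exp} hour(s)")
                   if exp else ("warn", f"group '{grp}' sets no explicit 'cache expiry'"))
        for what in ("authentication", "authorization"):
            prof = next((s.split()[3] for s in body if s.startswith(f"cache {what} profile ")), None)
            if f"aaa cache profile {prof}" not in blocks:
                out.append(("error", f"group '{grp}': cache {what} profile '{prof}' missing or undefined"))

    # 3. The IOS web server uses HTTP Basic auth, so the PIN+tokencode is only as
    #    private as the transport: insist on HTTPS.
    if "ip http server" in blocks:
        out.append(("warn", "ip http server is on: credentials cross the wire in cleartext; "
                            "use 'ip http secure-server' and 'no ip http server'"))
    if "ip http secure-server" not in blocks:
        out.append(("warn", "ip http secure-server is not enabled"))
    return out


def summarize(config):
    """Severity counts, usable as a pass/fail gate in a config audit."""
    counts = {"error": 0, "warn": 0, "info": 0}
    for sev, _ in lint_http_aaa(config):
        counts[sev] += 1
    return counts
```

On the answer's config the lint reports no errors but warns twice about the cleartext web server; on the OP's HTTPS variant it reports only the informational note that a cached PIN+tokencode is accepted again for 1 hour, which is exactly the window `clear aaa cache group webrad_grp all` closes early. Dropping `cache` from the method lists, or removing the `aaa cache profile` block, turns into errors, since either one sends every applet request back to the OTP server.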