SecurID and PIX - ASDM logging in twice?

jcotter
Level 1

We have a normally operating SecurID server working here and it provides authentication for numerous routers and VPN connections, but for some reason we cannot seem to make PIX authentication work. Looking at the log of the ACE server shows that ASDM gets authenticated for the sign on and then seconds later it tries to authenticate AGAIN and the second request is treated as a multiple sign-on attack by the ACE server and then subsequently denied.

Has anyone seen this? I've been over it and over it, but there doesn't seem to be anything I can do to get this to work properly. Telnet authentication works fine from the PIX, btw. It's just ASDM access.

2 Replies

gfullage
Cisco Employee

Not sure why ASDM is trying to authenticate twice, but there's an option within ACS that should get you around this.

Under the Group there's a config option called "Token Card Settings". This is generally used for ISDN B channels where the 2nd B channel goes up and down as needed, and the router will use the same token credentials to try and bring that B channel up. ACS can be configured to cache the token from the 1st B channel and use it to authenticate the 2nd B channel.

This option should work for you in this scenario where ASDM is trying to do 2 authentications one straight after the other. You can enable the caching for a specified time period, so to be more secure, enable it just for 10 seconds or so, assuming that's the time period when you're seeing ASDM send the 2nd authentication.

I appreciate the advice, but I am not running ACS - I'm running RSA's ACE server. And I've looked through and there are no options available for me to cache the sign on for any length of time. Anyone else have an idea?
