RSA SecurID software authenticators reduce the number of items a user has to manage for safe and secure access to corporate assets. RSA SecurID Software Tokens residing on a remote device generate a random, one-time-use passcode that changes every 60 seconds. The term SDI stands for Security Dynamics, Inc. technology, which refers to this one-time password generation technology that uses hardware and software tokens.
NOTE: For more information on how to configure the ASA for SDI Token Integration, please refer to the previous link. This document addresses what needs to be done on the RSA SecurID software to make it work in pre-login mode.
How it Works?
The first time that a user runs the SecurID desktop application, a token storage database is created on the user’s computer. This database is a container for the tokens imported to the local hard drive. When a user performs a SecurID authentication, the application retrieves the tokencode from the token in the database. The default token storage database is a per-user database, meaning that it contains only those tokens that belong to a specific user of the computer. The per-user database is intended to be used by VPN client applications that are running in the user context.
What needs to be Done?
1. Install in single database mode: When using the SecurID app with the SBL (Start Before Logon) feature in AnyConnect, the user logs on to the VPN client before logging on to Windows. The user context is therefore not known, and the SecurID desktop application cannot locate the user’s token. In this scenario, the user must configure the installation to create a single database that contains all of the tokens stored on the hard drive. To create a single database, you must install the desktop application from the msiexec command line, using the SETSINGLEDATABASE property. This property creates a single database in the All Users directory. When the user starts prelogon to the VPN client, for example, the VPN client retrieves a token from All Users.
2. Set VpnMode Policy: If you are using Windows XP, you must also ensure that the VpnMode policy is set. This policy ensures that the Cisco VPN Client can function properly on XP machines when users log on to the VPN client application with tokens stored on a TPM or a biometric device.
Points to note when using SecurID in single database mode:
1. Due to the user context issues, the RSA SecurID Software Token for Windows supports prelogon VPN authentication and running the VPN client as a service for only one user who has been issued only one software token. However, the application supports a single user with multiple tokens if the VPN client application provides the option of selecting a token from a list.
2. The SETSINGLEDATABASE property should only be used on single-user machines. Do not use this property if multiple users share a computer, because doing so gives all users access to all tokens stored in the single database.
3. Single database mode is only supported as of RSA SecurID Software Token v4.1. None of the previous versions will work with SBL.
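A pre-install guard for the single-database install in step 1 and the single-user restriction in point 2, as an added PowerShell example that is not taken from RSA or Cisco documentation. The MSI path is a placeholder and the property value TRUE is an assumption; the page names only the SETSINGLEDATABASE property.

```powershell
# Added example: refuse a SETSINGLEDATABASE install on a shared machine.
# Assumptions: $MsiPath is a placeholder, and the value TRUE for the
# SETSINGLEDATABASE property is assumed (the page gives only the name).
param(
    [string]$MsiPath = 'C:\Install\RSASecurIDToken.msi',   # placeholder path
    [string]$LogPath = "$env:TEMP\securid-install.log"
)

# Count real (non-system) user profiles. More than one profile means the
# computer is shared, and a single token database in All Users would give
# every one of those users access to every stored token.
$userProfiles = @(Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special })

if ($userProfiles.Count -gt 1) {
    Write-Warning "Found $($userProfiles.Count) user profiles on this machine:"
    foreach ($p in $userProfiles) {
        Write-Warning "  $($p.LocalPath) (SID $($p.SID))"
    }
    Write-Error 'Shared machine detected: not installing in single database mode.'
    exit 1
}

if (-not (Test-Path -LiteralPath $MsiPath)) {
    Write-Error "Installer not found: $MsiPath"
    exit 1
}

# Silent install with a verbose log so the property setting can be audited.
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    '/qn',
    '/l*v', "`"$LogPath`"",
    'SETSINGLEDATABASE=TRUE'    # assumed value, see note above
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success but a reboot is required.
if ($proc.ExitCode -notin 0, 3010) {
    Write-Error "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
    exit $proc.ExitCode
}
Write-Output "Installed in single database mode. Log: $LogPath"
```

Run it from an elevated prompt. The profile count only reflects accounts that have already logged on to the machine, so it does not detect users who will share the computer later.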