RSA SecurID software authenticators reduce the number of items a user has to manage for safe and secure access to corporate assets. RSA SecurID Software Tokens residing on a remote device generate a random, one-time-use passcode that changes every 60 seconds. The term SDI stands for Security Dynamics, Inc. technology, which refers to this one-time password generation technology that uses hardware and software tokens.
NOTE: For more information on how to configure the ASA for SDI Taken Inegration, please refer to the previous link. This document addresses what needs to be done on the RSA SecureID software to make it work in pre-login mode.
How it Works?
The first time that a user runs the SecurID desktop application, a token storage database is created on the user’s computer. This database is a container for the tokens imported to the local hard drive. When a user performs a SecurID authentication, the application retrieves the tokencode from the token in the database. The default token storage database is a per-user database, meaning that it contains only those tokens that belong to a specific user of the computer. The per-user database is intended to be used by VPN client applications that are running in the user context.
What needs to be Done?
1. Install in single database mode: When using SecureID app with the SBL feature in Anyconnect, the user logs on to the VPN client before loggin on to Windows. Thus the user context is not known. Therefore, the SecurID desktop application cannot locate the user’s token.In this scenario, the user must configure the installation to create a single database that contains all of the tokens stored on the hard drive. To create a single database, you must install the desktop application from the msiexec command line, using the SETSINGLEDATABASE property. This property creates a single database in the All Users directory. When the user starts prelogon to the VPN client, for example, the VPN client retrieves a token from All Users.
2. Set VpnMode Policy: If you are using windows XP then you will also have to ensure that VpnMode policy is set. This policy ensures that the CISCO Vpn Client can funtion properly on XP machines when users log on to VPN client applciation with tokens stored on a TPM or a biometric device.
Points to note with using SecureID in single databse mode:
1. Due to the user context issues, the RSA SecurID Software Token for Windows supports prelogon VPN authentication and running the VPN client as a service for only one user who has been issued only one software token. However, the application supports a single user with multiple tokens if the VPN client application provides the option of selecting a token from a list.
2. The SETSINGLEDATABASE property should only be used on single-user machines. Do not use this property if multiple users share a computer, because doing so gives all users access to all tokens stored in the single database.
3. the single database mode is only supported as of RSA SecurID Software Token v4.1. None of the previous versions will work with SBL.
Hi,I'm having a problem routing LAN traffic out through the firewall. I've read the multiple posts with the same problem but their solutions have not worked for me. Traffic flow isInternet - Cisco ME3400 - Firepower2110 (ASA) - Switch - PC Netwo...
We are on ISE 2.4 and have configured AD <> ISE integration using WMI (to get information of AD users) Some providers suddenly went offline for no reason, we had to manually add back integration Is there a way to set an email alertin...
Hello, I recently tried to upgrade my ESA (virtual appliance) from 13.5.3-010 release to the latest GD release 184.108.40.2062/Once i download the stuff, and try to install , few seconds after i have the following kind of error (attached an extract) ...
For some reason the router does not recognise “AnyConnect-eap” command at all? it’s a 2921 15.2 iOS and has securityk9 and base? I can only use “eap query-identity”? does this only work on IOS-XE?I’m in process of setting up flexVPN remote ...