Introduction
This document describes how to configure a Cisco IOS® device to authenticate AnyConnect clients with One Time Passwords (OTPs) and the use of a Rivest-Shamir-Addleman (RSA) SecurID server.
RSA SecurID software tokens use the same industry-leading, time-based algorithm as the RSA SecurID hardware tokens. Instead of being stored in hardware, the software token symmetric key is secured on the user’s PC, laptop, smartphone or USB device. To configure the RSA SecurID authentication server record In the Security Gateway Management Interface (SGMI), in the left pane, under Assets, click Authentication Servers. In the right pane, on the Authentication Server tab, click New > RSA SecurID.
Note: OTP authentication does not work on Cisco IOS versions that have the fix for the enhancement requests CSCsw95673 and CSCue13902.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- RSA SecurID server setup
- SSLVPN configuration on the Cisco IOS headend
- Web-VPN
Components Used
The information in this document is based on these software and hardware versions:
- CISCO2951/K9
- Cisco IOS Software, C2951 Software (C2951-UNIVERSALK9-M), Version 15.2(4)M4, RELEASE SOFTWARE (fc1)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Background Information
Although the AnyConnect client has always supported OTP-based authentication, prior to the fix for Cisco bug ID CSCsw95673, the Cisco IOS headend did not process RADIUS Access-Challenge messages. After the initial login prompt (where users enter their 'permanent' usernames and passwords), RADIUS sends the 'Access-Challenge' message to the Cisco IOS gateway, which asks users to enter their OTP:
At this point, the AnyConnect client is expected to show an additional pop-up window that requests users for their OTP, but since the Cisco IOS device did not process the Access-Challenge message, this never happens and the client sits idle until the connection times out.
However, as of Version15.2(4)M4, Cisco IOS devices should be able to process the challenge-based authentication mechanism.
Configure
Network Diagram
One of the differences between the Adaptive Security Appliance (ASA) and Cisco IOS headends is that Cisco IOS Router/switches/Access Points (APs) only support RADIUS and TACACS. They do not support the RSA-proprietary protocol SDI. The RSA server however supports both SDI and RADIUS. Therefore, in order to use OTP authentication on a Cisco IOS headend, the Cisco IOS device must be configured for RADIUS protocol and the RSA server as a RADIUS token server.
Note: For more details about the differences between RADIUS and SDI, refer to the Theory section of RSA Token Server and SDI Protocol Usage for ASA and ACS. If SDI is required, then an ASA must be used.
Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.
- Configure the authentication method and the Authentication, Authorization, and Accounting (AAA) server group:
- Configure the RADIUS server:
- Configure the router to act as an Secure Sockets Layer VPN (SSLVPN) server:
Note: For more a detailed configuration guide on how to set up SSLVPN on a Cisco IOS device, refer to AnyConnect VPN (SSL) Client on IOS Router with CCP Configuration Example.
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
In order to troubleshoot the entire authentication process for an incoming AnyConnect client connection, you can use these debugs:
- debug radius authentication
- debug aaa authentication
- debug webvpn authentication
The Output Interpreter Tool (registered customers only) supports certain show commands. Use the Output Interpreter Tool in order to view an analysis of show command output.
Note: Refer to Important Information on Debug Commands before you use debug commands.
RSA SecurID Software Token is a free application tool which uses cost-effective RSA SecurID® authenticator to protect your networked data and information with with a strong RSA SecurID authentication.
Rsa Securid App Windows 10
RSA SecurID Software Token as the name of the app says uses software tokens for one-time passwords which is one of the most effective ways to protect your device.
If you want to download it for Android and iOS you could easily do it from the links bellow:
How to download and use RSA SecurID Software Token for PC / Mac
If you want to download RSA SecurID Software Token for PC / Mac / Windows you will need to use a thirty party software such as BlueStacks.
With BlueStacks emulator you will be able to run RSA SecurID Software Token on your computer and laptop.
Download Rsa Securid Windows
It is very easy just download BlueStacks, start the software and search for “RSA SecurID Software Token” into the app market.
Related Posts
Rsa Securid For Windows 7
You have been blocked from seeing ads.