000023415 - Cisco VPN Client login automation with RSA Software Token or SD800 token not working with RADIUS authentication set up on Cisco ASA and PIX

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000023415
Applies To: Login automation
Cisco VPN Client
Issue: Cisco VPN Client login automation with RSA Software Token or SD800 token not working with RADIUS authentication set up on Cisco ASA and PIX
VPN Client continues to prompt for "passcode" when it should be prompting for "pin".
Cause: Cisco bug ID CSCse09458 prevented software integration from working via RADIUS on PIX and ASA devices.
Resolution

Two steps must be taken to fix this issue.

1. Upgrade the PIX or ASA device to 7.2.1(24) or later.

2. Enable the attribute named "radius-sdi-xauth" under the tunnel-group ipsec-attributes configuration. When enabled, it allows the prompt "Enter Username and Password" to be sent in the XAUTH exchange, which elicits the appropriate behavior on the client side for RADIUS/SDI proxy.

Example config

 tunnel-group CiscoACS-Appliance ipsec-attributes
  pre-shared-key *
  peer-id-validate nocheck
  radius-sdi-xauth

See Cisco Support for the upgrade or further details on this issue. Note that the radius-sdi-xauth setting may have to be set using the ASA server's command-line interface (CLI).
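To confirm the setting is present on every tunnel group after the change, the following check parses saved running-config text and reports which ipsec-attributes blocks lack radius-sdi-xauth. It is an added example, not code from RSA or Cisco; the sample config is constructed, and the group name Contractors and server group name RSA-RADIUS are hypothetical.

```python
import re

# Constructed sample of saved running-config text (not from the article).
# "Contractors" and "RSA-RADIUS" are hypothetical names.
SAMPLE_CONFIG = """\
tunnel-group CiscoACS-Appliance type ipsec-ra
tunnel-group CiscoACS-Appliance general-attributes
 authentication-server-group RSA-RADIUS
tunnel-group CiscoACS-Appliance ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 radius-sdi-xauth
tunnel-group Contractors type ipsec-ra
tunnel-group Contractors ipsec-attributes
 pre-shared-key *
"""

HEADER = re.compile(r"^tunnel-group\s+(\S+)\s+ipsec-attributes\s*$")

def audit_sdi_xauth(config_text):
    """Map each tunnel group that has an ipsec-attributes block to True/False,
    depending on whether radius-sdi-xauth is enabled inside that block."""
    results = {}
    current = None  # name of the ipsec-attributes block being read, if any
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and "!" separators
        if not line[0].isspace():
            # A top-level command ends the previous block and may start a new one.
            m = HEADER.match(line)
            current = m.group(1) if m else None
            if current:
                results.setdefault(current, False)
        elif current and line.strip() == "radius-sdi-xauth":
            results[current] = True
        elif current and line.strip() == "no radius-sdi-xauth":
            results[current] = False
    return results

def groups_missing_sdi_xauth(config_text):
    """Sorted names of tunnel groups whose ipsec-attributes lack the setting."""
    return sorted(n for n, ok in audit_sdi_xauth(config_text).items() if not ok)

if __name__ == "__main__":
    for name, ok in audit_sdi_xauth(SAMPLE_CONFIG).items():
        print(name, "radius-sdi-xauth enabled" if ok else "radius-sdi-xauth MISSING")
```

Only tunnel groups that proxy authentication to RSA over RADIUS need the setting, so a group reported as missing it is a prompt to check how that group authenticates, not necessarily a fault.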

Legacy Article ID: a34088
