RADIUS with AM Configuration - Cisco ASA RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development Employee on Nov 13, 2018Last modified by RSA Information Design and Development Employee on Jan 25, 2019
Version 6Show Document
  • View in full screen mode

This section contains instructions on how to integrate Cisco ASA with RSA Authentication Manager using RADIUS.

Architecture Diagram

RSA Authentication Manager

To configure your RSA Authentication Manager for use with a RADIUS Agent, you must configure a RADIUS client and a corresponding agent host record in the Authentication Manager Security Console.

The relationship of agent host record to RADIUS client in the Authentication Manager can 1 to 1, 1 to many or 1 to all (global).

RSA Authentication Manager listens on ports UDP 1645 and UDP 1812.


Cisco ASA

Follow the steps in this section to integrate Cisco ASA with RSA SecurID Access as a RADIUS client.


1. Login to Cisco ASDM and browse to ConfigurationDevice Management > Users/AAA > AAA Server Groups and click Add.

2. Enter a name for the AAA Server Group, choose RADIUS from the Protocol drop-down menu and click OK.

3. Highlight your RADIUS AAA Server Group and click to Add a server to the group.

4. Configure the RADIUS AAA server settings. If you are planning to integrate with AnyConnect using RADIUS, and intend to use software token automation, click to open SDI Messages Message Table. If not, click OK to continue.

  • Interface Name: Select the interface that will be used to communicate with RSA SecurID Access.
  • Server Name or IP Address: Enter the Server Name or IP address of your RSA Authentication Manager server.
  • Timeout: Set to 10 seconds.
  • Server Authentication Port: Set to 1645 or 1812.
  • Server Secret Key: Enter the RADIUS shared secret.  It must match the secret as entered in the RSA RADIUS server.

5. If integrating AnyConnect with RADIUS, and you intend to use software token automation, enter the values exactly as shown below into the SDI Messages Message Table and then click OK.

Message NameMessage Text
ready-for-sys-pinARE YOU PREPARED
new-pin-methDo you want
next-ccode-and-reauthPIN Accepted
next-codeWait for token to change
new-pin-sys-okNew PIN Accepted
new-pin-supAre you satisfied with
new-pin-reqEnter a new PIN

Repeat steps 3 through 5 for replica RSA Authentication Manager servers.

6. Click Apply.


Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the RADIUS configuration to your use case.