Authentication Agent Configuration - Cisco ASA RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development Employee on Nov 13, 2018Last modified by RSA Information Design and Development Employee on Jan 25, 2019
Version 6Show Document
  • View in full screen mode

This section contains instructions on how to integrate Cisco ASA with RSA Authentication Manager as an authentication agent.

Architecture Diagram

RSA Authentication Manager

To configure your RSA Authentication Manager for use with an authentication agent, you must create an agent host record in the Security console of your Authentication Manager and download its configuration file (sdconf.rec).

  • Hostname: Configure the agent host record name to match the hostname of the agent.
  • IP Address: Configure the agent host record to match the IP address of the agent.

Note:  Authentication Manager must be able to resolve the IP address from the hostname.


Cisco ASA

Follow the steps in this section to integrate Cisco ASA with RSA SecurID Access as an authentication agent.


1. Login to Cisco ASDM and browse to ConfigurationDevice Management > Users/AAA > AAA Server Groups and click Add.

2. Enter a name for the AAA Server Group, choose SDI from the Protocol drop-down menu and click OK.

3. Highlight your SDI AAA Server Group and click to Add a server to the group.

4. Configure the SDI AAA Server and click OK.

  • Interface Name: Select the interface that will be used to communicate with RSA Authentication Manager.
  • Server Name or IP Address: Enter the Server Name or IP address of your primary RSA Authentication Manager.

Important! ONLY ADD THE PRIMARY RSA AUTHENTICATION MANAGER. DO NOT ADD REPLICAS. The Cisco ASA will learn about any RSA Authentication Manager replica servers at the time of the first authentication.

5. Click Apply.

SecurID Agent Integration Details

RSA Authentication Agent APICustom build
RSA SecurID Authentication API (REST)N/A
RSA SecurID User SpecificationAll users
Display RSA Server InfoNo
Perform Test AuthenticationYes
Agent TracingYes

RSA Authentication Agent Files (C and Java Agents)

Agent FilesLocation
Node secretIn memory
sdstatus.12 / jastatus.12In memory


API Details: (C and Java Agents only)

Cisco ASA implements a modified version of the RSA Authentication Agent. Important modifications include:

  • sdconf.rec not utilized
  • sdopts.rec not utilized
  • server list stored in memory rather than file system

Refer to Cisco documentation for additional information.

Node Secret: (C and Java Agents only)

The Node Secret file is stored in flash memory on the Cisco ASA. The node secret file has its name based on the primary Authentication Manager server’s IP address with .sdi appended. (e.g. 10-10-10-2.sdi.) Delete this file to remove the node secret.

sdstatus.12: (C and Java Agents only)

Not implemented. The SDI Server List can be viewed by entering the following command from the console:

# show aaa-server

Agent Tracing:

Agent Tracing info can be enabled by entering the following command from the console:

# debug sdi


Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the Authentication Agent configuration to your use case.