on Nov 13, 2018This section contains instructions on how to integrate Cisco ASA with RSA Authentication Manager as an authentication agent.
Architecture Diagram
RSA Authentication Manager
To configure your RSA Authentication Manager for use with an authentication agent, you must create an agent host record in the Security console of your Authentication Manager and download its configuration file (sdconf.rec).
- Hostname: Configure the agent host record name to match the hostname of the agent.
- IP Address: Configure the agent host record to match the IP address of the agent.
Note: Authentication Manager must be able to resolve the IP address from the hostname.
Cisco ASA
Follow the steps in this section to integrate Cisco ASA with RSA SecurID Access as an authentication agent.
Procedure
1. Login to Cisco ASDM and browse to Configuration > Device Management > Users/AAA > AAA Server Groups and click Add.
2. Enter a name for the AAA Server Group, choose SDI from the Protocol drop-down menu and click OK.
3. Highlight your SDI AAA Server Group and click to Add a server to the group.
4. Configure the SDI AAA Server and click OK.
- Interface Name: Select the interface that will be used to communicate with RSA Authentication Manager.
- Server Name or IP Address: Enter the Server Name or IP address of your primary RSA Authentication Manager.
Important! ONLY ADD THE PRIMARY RSA AUTHENTICATION MANAGER. DO NOT ADD REPLICAS. The Cisco ASA will learn about any RSA Authentication Manager replica servers at the time of the first authentication.
5. Click Apply.
SecurID Agent Integration Details
| RSA Authentication Agent API | Custom build |
| RSA SecurID Authentication API (REST) | N/A |
| RSA SecurID User Specification | All users |
| Display RSA Server Info | No |
| Perform Test Authentication | Yes |
| Agent Tracing | Yes |
RSA Authentication Agent Files (C and Java Agents)
| Agent Files | Location |
|---|---|
| sdconf.rec | None |
| sdopts.rec | None |
| Node secret | In memory |
| sdstatus.12 / jastatus.12 | In memory |
| rsa_api.properties | None |
API Details: (C and Java Agents only)
Cisco ASA implements a modified version of the RSA Authentication Agent. Important modifications include:
- sdconf.rec not utilized
- sdopts.rec not utilized
- server list stored in memory rather than file system
Refer to Cisco documentation for additional information.
Node Secret: (C and Java Agents only)
The Node Secret file is stored in flash memory on the Cisco ASA. The node secret file has its name based on the primary Authentication Manager server’s IP address with .sdi appended. (e.g. 10-10-10-2.sdi.) Delete this file to remove the node secret.
sdstatus.12: (C and Java Agents only)
Not implemented. The SDI Server List can be viewed by entering the following command from the console:
# show aaa-server
Agent Tracing:
Agent Tracing info can be enabled by entering the following command from the console:
# debug sdi
Next Step: Proceed to the Use Case Configuration Summary section for information on how to apply the Authentication Agent configuration to your use case.