RSA Auth manager 8.1 with Cisco Identity Services Engine - sdconf.rec
RSA Auth Manager 8.1 Integration with Cisco ASA and Cisco Identity Services Engine
RSA Auth Manager 8.1 sp 1 P3 – We know this is old code level we plan to do some upgrades soon.
Cisco ASA’s level 188.8.131.52 and going to a newer version of Cisco Identity Services Engine 2.6
We have 1 primary RSA Auth Manager and 5 replicas.
We use RSA and the ASA’s for VPN access and control access to what the user can use with Identity Services Engine ACL’s
In our current implementation with RSA and the ASAs, we establish trust between the ASA and RSA Auth Mgr with sdi token files. We don’t use Risk-based Authentication.
We have never needed to use sdconf.rec files. Now that we have a newer version of Cisco Identity Services Engine being implemented, we want RSA Auth Manager to communicate directly with Identity Services Engine and get the ASA hop out of the sequence.
We have 4 new Identity Services Engine nodes with IPs (2 locations – datacenter and disaster recovery).
In each site there is an Admin/Monitor box and a policy box.
Can someone tell me what we need to do on the RSA Auth Manager side to have it communicate with Identity Services Engine.
Referring to RSA 8.1 SP1 Admin Guide p.69-71
I figure I need to add all 4 Identity Services Engine hostnames and IPs as standard agents: go to RSA Security Console>>Access>>Auth Agents, add a standard agent and generate a sdconf.rec file.
Q1. Do I add the Admin/Monitor as an agent, or all 4?
Q2. Do I then give the AM_Config.zip (containing the sdconf.rec file) and the failover.dat file to admins to copy to each Identity Services host, or would it only go on the Admin and Monitoring side?
Q3. I’m also confused about what has to be done next. Do I need to generate a node secret and manually deliver that to the Identity Services machines? If so, again, which ones?
I need some clarification on this whole process actually. I would appreciate someone clearing up what needs to be done.
Manual node secret creation is not used with Cisco devices; it is created automatically on the first successful authentication when (a) both sides agree there is no node secret and (b) the userid and passcode are correct.
Refer to the ISE Integration Guides here for Securid (or called SDI) setup:
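The following is an added illustration, not code from the thread, from RSA or from Cisco: a simplified Python model of the node-secret behaviour the reply describes. The agent (here standing in for an ISE node) and the authentication manager each either hold or lack a node secret for that agent's hostname; the secret is only established when both sides lack one and the first authentication succeeds. The model also shows the failure mode administrators most often hit when a node is rebuilt: one side still holds a secret and the other does not, so authentication fails until the secret is cleared on both sides. The user database, hostnames and the 16-byte secret are constructed for the example; the real protocol details are not modelled.

```python
"""Simplified model of automatic node-secret establishment (illustrative only)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import secrets


@dataclass
class AuthManager:
    """Stand-in for the Authentication Manager: user passcodes and per-agent node secrets."""
    users: Dict[str, str]                       # constructed: userid -> expected passcode
    node_secrets: Dict[str, bytes] = field(default_factory=dict)  # agent hostname -> secret


@dataclass
class Agent:
    """Stand-in for an authentication agent (e.g. an ISE node)."""
    hostname: str
    node_secret: Optional[bytes] = None


def authenticate(server: AuthManager, agent: Agent, userid: str, passcode: str) -> Tuple[bool, str]:
    """Return (success, reason), establishing a node secret on the first success if neither side has one."""
    server_has = agent.hostname in server.node_secrets
    agent_has = agent.node_secret is not None

    # Both sides must agree on whether a node secret exists; a one-sided secret is a mismatch.
    if server_has != agent_has:
        return False, "node secret mismatch: one side holds a secret, the other does not"
    if server_has and server.node_secrets[agent.hostname] != agent.node_secret:
        return False, "node secret mismatch: secrets differ"

    # Credentials are checked only after the node-secret state agrees.
    if server.users.get(userid) != passcode:
        return False, "bad userid or passcode"

    # First successful authentication with no secret on either side creates one automatically.
    if not server_has:
        secret = secrets.token_bytes(16)            # constructed placeholder for the real secret
        server.node_secrets[agent.hostname] = secret
        agent.node_secret = secret
        return True, "authenticated; node secret established"
    return True, "authenticated"


def clear_node_secret(server: AuthManager, agent: Agent) -> None:
    """Recovery step: remove the secret on both sides so the next success re-establishes it."""
    server.node_secrets.pop(agent.hostname, None)
    agent.node_secret = None


def walkthrough() -> list:
    """Run the scenarios from the reply and return their (success, reason) results in order."""
    am = AuthManager(users={"alice": "1234567890"})   # constructed user and passcode
    ise = Agent(hostname="ise-pan-dc.example.internal")  # constructed hostname
    results = []
    results.append(authenticate(am, ise, "alice", "000000"))      # wrong passcode: no secret created
    results.append(authenticate(am, ise, "alice", "1234567890"))  # first success: secret created
    results.append(authenticate(am, ise, "alice", "1234567890"))  # normal operation
    ise.node_secret = None                                        # node rebuilt, server still has secret
    results.append(authenticate(am, ise, "alice", "1234567890"))  # fails with mismatch
    clear_node_secret(am, ise)                                    # clear on both sides
    results.append(authenticate(am, ise, "alice", "1234567890"))  # re-established
    return results


if __name__ == "__main__":
    for ok, reason in walkthrough():
        print("OK  " if ok else "FAIL", reason)
```

The sequence in `walkthrough()` is the practical takeaway for Q3: nothing is hand-delivered; the agent needs only the sdconf.rec (and failover.dat) to find the servers, and the node secret appears on its own after the first good authentication. If a node is re-imaged later, the leftover server-side secret must be cleared before it can re-register.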