SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
Respected Contributor
Respected Contributor


Hello Guys!


We need to enable MFA on our Cisco Wireless LAN, i was checking if this is compatible with RSA CAS on RSA Ready, unfortunately nothing is mentioned regarding the new authentication methods(Biometric or push to approve).


Could you please advise on that.

Labels (1)
12 Replies
Apprised Contributor Apprised Contributor
Apprised Contributor

One way to view this question is, where do you put the RSA agent?  If you are planning to put the Authentication agent on your Windows platform, to authenticate as the Windows platform connects to a wireless network, you would need the Windows MFA agent in order to authenticate against the RSA SecurID Access cloud, which can be found here

RSA MFA Agent Downloads for Microsoft Windows 


If you only needed to authenticate with a token passcode against RSA SecurID Authentication Manager, you could use the Authentication Agent for Windows, which can be found here  


If the Cisco Wireless Access is authenticating users for Wireless access, then the RSA Authentication agent is not on Windows it is on the Cisco, which means you need to look for a Cisco Partner Guide for that particular product to integrate to RSA 2-factor or multi-factor authentication.  You would need to search RSA Link for your particular Cisco Product Partner Guide.  


Employee (Retired) Employee (Retired)
Employee (Retired)

Hassan Mehsen‌,


To make accessing the Cisco Partner Guides easier, here is a direct link to them:  Cisco Systems Inc. - Technology Integrations.





Hello Eric,


What we are looking for here is to enable MFA while users are trying to access the WLAN which is managed by a Cisco WLC.


I have already checked the RSA Ready document Cisco Wireless LAN Controller WLC 2100 and 4400 - RSA SecurID Access Standard Agent Implementation Guide, however, its only mentioning the integration with authentication manager using ODA or software tokens, nothing is mentioned regarding the RSA cloud authentication service by using the new authentication methods (Biometric or push to approve).


Hassan Mehsen‌ - if the Cisco device (with RSA  agent) is utilizing Authentication Manager version 8.4 Patch 4 or above you could make use of the new PIN+Approve functionality.  

See the RSA AM 8.4 Patch 13 readme for more information about this Patch 4 and above feature.


Hope that helps,


The Implementation guide is from 2013, so that definitely means it uses the original UDP Agent API to Authentication Manager.  I don't think you can use this Cisco Product with the Cloud Access.  Unless anyone else has a different approach, but you get push to approve and Bio-metric from CAS, not from AM


Thanks Jay,


im looking for the integration with RSA CAS( fully cloud solution) and not the hybrid one.


My question here if this integration is possible and if we can use the authentication methods which you mentioned while accessing our WLAN.


Ted pointed out that AM 8.4 P4 and above can leverage PIN+Approve on a CAS registered device if your AM is integrated with CAS and the IDR.

You can read about it under Patch 4 New Features in the AM readme for any patch higher than p4.  See 

Authenticate with a Push Notification to Your Mobile Device; No Agent Updates Required 


So Cisco sends the authentication to AM, and AM talks to CAS to check the Push to Approve and responds back to Cisco whether to grant access or not.


So in order to move with such integration radius should be implemented between Cisco WLC and our AM, which the AM  then  proxy the authentication request to the CAS for MFA capabilities?

Could you please assist me on how the association will happen when a client is trying to connect to a WLAN.


If the Cisco device uses RADIUS then you could target your Authentication Manager's RADIUS server and use the AM->Cloud Authentication Service (CAS) capability discussed above.

Or you could target the RADIUS client at our Identity Router (IDR) virtual appliance (IDRs contain a RADIUS server) which would forward the request to the Cloud Authentication Service.