
RSA Auth manager 8.1 with Cisco Identity Services Engine - sdconf.rec

Question asked by Lane Frazier on Oct 30, 2019
Latest reply on Oct 31, 2019 by Edward Davis

RSA Auth Manager 8.1 Integration with Cisco ASA and Cisco Identity Services Engine


Our environment


RSA Auth Manager 8.1 SP1 P3 – We know this is an old code level; we plan to do some upgrades soon.

Cisco ASA’s level and going to a newer version of Cisco Identity Services Engine 2.6


We have 1 primary RSA Auth Manager and 5 replicas.


We use RSA and the ASAs for VPN access, and control access to what the user can use with Identity Services Engine ACLs.


In our current implementation with RSA and the ASAs, we establish trust between ASA and RSA Auth Mgr with sdi token files. We don’t use Risk-Based Authentication.


We have never needed to use sdconf.rec files. Now that we have a newer version of Cisco Identity Services Engine being implemented, we want RSA Auth Manager to communicate directly with Identity Services Engine and get the ASA hop out of the sequence.


We have 4 new Identity Services Engines with IPs (2 locations – datacenter and disaster recovery).


In each site there is an Admin/Monitor box and a policy box.

Can someone tell me what we need to do on the RSA Auth Manager side to have it communicate with Identity Services Engine?


Referring to RSA 8.1 SP1 Admin Guide p.69-71


I figure I need to add all 4 Identity Services Engine hostnames and IPs as standard agents. Go to RSA Security Console >> Access >> Auth Agents, add a standard agent, and generate an sdconf.rec file.

Q1. Do I add the Admin/Monitor as an agent or all 4?

Q2. Do I then give the (containing the sdconf.rec file) and the failover.dat file to admins to copy to each Identity Services host, or would it only go on the Admin and Monitoring side?


Q3. I’m also confused about what has to be done next. Do I need to generate a node secret and manually deliver that to the Identity Services machines? If so, again, which ones?


I need some clarification on this whole process, actually. I appreciate someone clearing up what needs to be done.