User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 8 Managing Users and Identity Stores
Managing External Identity Stores
Thus when a correct token code is supplied together with a PIN, there is a high degree of certainty that
the person is a valid user. Therefore, RSA SecurID servers provide a more reliable authentication
mechanism than conventional reusable passwords.
You can integrate with RSA SecurID authentication technology in any one of the following ways:
• Using the RSA SecurID agent—Users are authenticated with username and passcode through RSA's native protocol.
• Using the RADIUS protocol—Users are authenticated with username and passcode through the RADIUS protocol.
RSA SecurID token server in ACS 5.4 integrates with the RSA SecurID authentication technology by
using the RSA SecurID Agent.
Configuring RSA SecurID Agents
The RSA SecurID Server administrator can do the following:
• Create an Agent Record (sdconf.rec), page 8-58
• Reset the Node Secret (securid), page 8-58
• Override Automatic Load Balancing, page 8-58
• Manually Intervene to Remove a Down RSA SecurID Server, page 8-59

Create an Agent Record (sdconf.rec)

To configure an RSA SecurID token server in ACS 5.4, the ACS administrator requires the sdconf.rec
file. The sdconf.rec file is a configuration record file that specifies how the RSA agent communicates
with the RSA SecurID server realm.
In order to create the sdconf.rec file, the RSA SecurID server administrator should add the ACS host as
an Agent host on the RSA SecurID server and generate a configuration file for this agent host.

Reset the Node Secret (securid)

After the agent initially communicates with the RSA SecurID server, the server provides the agent with
a node secret file called securid. Subsequent communication between the server and the agent relies on
exchanging the node secret to verify the other’s authenticity.
At times, you might have to reset the node secret. To reset the node secret:
• The RSA SecurID server administrator must uncheck the Node Secret Created check box on the Agent Host record in the RSA SecurID server.
• The ACS administrator must remove the securid file from ACS.

Override Automatic Load Balancing

RSA SecurID Agent automatically balances the requested loads on the RSA SecurID servers in the
realm. However, you do have the option to manually balance the load. You can specify which server each
of the agent hosts must use and assign a priority to each server so that the agent host directs
authentication requests to some servers more frequently than others.
You must specify the priority settings in a text file and save it as sdopts.rec, which you can then upload
to ACS.
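
A pre-upload check for the sdopts.rec priority file described above, added here as an example and not taken from the Cisco guide. The `USESERVER=<ip>, <priority>` line syntax, the `;` comment marker and the 0-10 priority range are assumptions drawn from RSA's agent documentation, not from this page; `lint_sdopts` and the sample file are constructed for illustration.

```python
import ipaddress

# Constructed sample; addresses come from the 192.0.2.0/24 documentation range.
SAMPLE_SDOPTS = """\
; constructed sample sdopts.rec
USESERVER=192.0.2.10, 10
USESERVER=192.0.2.11, 2
USESERVER=192.0.2.12, 1
USESERVER=192.0.2.11, 5
USESERVER=192.0.2.13, 11
USESERVER=replica.example, 3
"""

def lint_sdopts(text):
    """Return (servers, problems) for the USESERVER lines of an sdopts.rec text."""
    # Assumed semantics: 2-10 = weighted use, 1 = last resort, 0 = ignore.
    servers, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        key, _, value = line.partition("=")
        if key.strip().upper() != "USESERVER":
            continue  # other keywords are outside this check
        addr, _, prio = value.partition(",")
        addr, prio = addr.strip(), prio.strip()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append((lineno, f"not an IP address: {addr!r}"))
            continue
        if not prio.isdecimal() or not 0 <= int(prio) <= 10:
            problems.append((lineno, f"priority must be 0-10, got {prio!r}"))
            continue
        if addr in servers:
            problems.append((lineno, f"duplicate entry for {addr}"))
            continue
        servers[addr] = int(prio)
    # A file that leaves only last-resort or ignored servers weakens availability.
    if servers and not any(p >= 2 for p in servers.values()):
        problems.append((0, "no server has a normal priority (2-10)"))
    return servers, problems

if __name__ == "__main__":
    accepted, issues = lint_sdopts(SAMPLE_SDOPTS)
    print("accepted:", accepted)
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
```
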