Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

RSA SecurID Server

ACS supports the RSA SecurID server as an external database. RSA SecurID two-factor authentication consists of the user’s personal identification number (PIN) and an individually registered RSA SecurID token that generates single-use token codes based on a time code algorithm.

A different token code is generated at fixed intervals (usually every 30 or 60 seconds). The RSA SecurID server validates this dynamic authentication code. Each RSA SecurID token is unique, and it is not possible to predict the value of a future token code from past token codes.

Thus when a correct token code is supplied together with a PIN, there is a high degree of certainty that the person is a valid user. Therefore, RSA SecurID servers provide a more reliable authentication mechanism than conventional reusable passwords.
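The following is an added illustration of the mechanism described above; it is not Cisco ACS or RSA code, and it does not implement RSA's proprietary time code algorithm. It uses the generic HMAC-based time-code scheme of RFC 6238 to show the same properties: the passcode is PIN plus a code derived from a per-token seed and the current time interval, the validator accepts a code only within a small clock-skew window, and an accepted code is single-use so a replayed passcode is rejected. The seed, PIN, username and timestamp are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo values so the run is reproducible offline.
TOKEN_SEED = b"demo-seed-for-token-0001"   # per-token secret held by token and server
INTERVAL = 60                               # seconds per token code (page: 30 or 60)
DIGITS = 6                                  # length of the displayed token code


def token_code(seed: bytes, t: int, interval: int = INTERVAL) -> str:
    """Token code for the interval containing timestamp t (RFC 6238 style).

    Because the code is an HMAC over the interval counter, knowing past
    codes does not reveal the seed and so does not predict future codes.
    """
    counter = t // interval
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


class TokenServer:
    """Validates username + passcode (PIN followed by token code).

    skew is the number of adjacent intervals accepted on either side of
    the server's current interval, to tolerate token/server clock drift.
    """

    def __init__(self, users: dict, skew: int = 1):
        self.users = users          # username -> (pin, seed)
        self.skew = skew
        self.used = set()           # (username, interval counter) already accepted

    def authenticate(self, username: str, passcode: str, now: int) -> bool:
        entry = self.users.get(username)
        if entry is None or len(passcode) <= DIGITS:
            return False
        pin, seed = entry
        supplied_pin, supplied_code = passcode[:-DIGITS], passcode[-DIGITS:]
        # Constant-time comparison of the PIN part.
        if not hmac.compare_digest(supplied_pin, pin):
            return False
        current = now // INTERVAL
        for c in range(current - self.skew, current + self.skew + 1):
            if hmac.compare_digest(token_code(seed, c * INTERVAL), supplied_code):
                if (username, c) in self.used:
                    return False    # single-use: replay of an accepted code
                self.used.add((username, c))
                return True
        return False                # code too old, too new, or wrong


if __name__ == "__main__":
    now = 1_700_000_000             # constructed "current time"
    server = TokenServer({"alice": ("1234", TOKEN_SEED)})
    code = token_code(TOKEN_SEED, now)
    print("first use:", server.authenticate("alice", "1234" + code, now))
    print("replay:   ", server.authenticate("alice", "1234" + code, now))
```

The replay check keys on the interval counter rather than the code string, so a valid code is consumed even if the same digits happen to recur in a later interval; a production validator would also rate-limit failed attempts per user, since the token code space is small.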

You can integrate with RSA SecurID authentication technology in any one of the following ways:

Using the RSA SecurID agent—Users are authenticated with username and passcode through the RSA’s native protocol.

Using the RADIUS protocol—Users are authenticated with username and passcode through the RADIUS protocol.

The RSA SecurID token server in ACS 5.3 integrates with the RSA SecurID authentication technology by using the RSA SecurID Agent.

Configuring RSA SecurID Agents

The RSA SecurID Server administrator can do the following:

Create an Agent Record (sdconf.rec), page 8-54

Reset the Node Secret (securid), page 8-54

Override Automatic Load Balancing, page 8-55

Manually Intervene to Remove a Down RSA SecurID Server, page 8-55

Create an Agent Record (sdconf.rec)

To configure an RSA SecurID token server in ACS 5.3, the ACS administrator requires the sdconf.rec file. The sdconf.rec file is a configuration record file that specifies how the RSA agent communicates with the RSA SecurID server realm.

In order to create the sdconf.rec file, the RSA SecurID server administrator should add the ACS host as an Agent host on the RSA SecurID server and generate a configuration file for this agent host.

Reset the Node Secret (securid)

After the agent initially communicates with the RSA SecurID server, the server provides the agent with a node secret file called securid. Subsequent communication between the server and the agent relies on exchanging the node secret to verify the other’s authenticity.

At times, you might have to reset the node secret. To reset the node secret:

The RSA SecurID server administrator must uncheck the Node Secret Created check box on the Agent Host record in the RSA SecurID server.

The ACS administrator must remove the securid file from ACS.


User Guide for Cisco Secure Access Control System 5.3

8-54

OL-24201-01
