User Guide for Cisco Secure Access Control System 5.3, OL-24201-01, page 8-54
Chapter 8 Managing Users and Identity Stores: Managing External Identity Stores
RSA SecurID Server
ACS supports the RSA SecurID server as an external database. RSA SecurID two-factor authentication
consists of the user’s personal identification number (PIN) and an individually registered RSA SecurID
token that generates single-use token codes based on a time code algorithm.
A different token code is generated at fixed intervals (usually every 30 or 60 seconds). The RSA
SecurID server validates this dynamic authentication code. Each RSA SecurID token is unique, and it is
not possible to predict the value of a future token code from past token codes.
Thus, when a correct token code is supplied together with a PIN, there is a high degree of certainty that
the person is a valid user. Therefore, RSA SecurID servers provide a more reliable authentication
mechanism than conventional reusable passwords.
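As an added illustration (not code from the Cisco guide, and not RSA's proprietary SecurID algorithm, for which an HMAC-based time code is a labelled stand-in), the following models what the RSA SecurID server must do when the agent hands it a username and passcode: split the passcode into PIN and token code, accept only the code for the current fixed interval (with bounded clock drift), and enforce single use so that a code is never accepted twice. The seed, PIN, interval and six-digit code length are constructed assumptions.

```python
import hashlib
import hmac
import struct

INTERVAL = 60     # seconds; the guide notes codes change every 30 or 60 seconds
DRIFT_STEPS = 1   # accept one interval of clock drift on either side (assumption)
CODE_LEN = 6      # assumed token-code length for this illustration


def token_code(seed: bytes, now: int, interval: int = INTERVAL) -> str:
    # Illustrative HMAC-based time code. This is NOT RSA's proprietary
    # SecurID algorithm; it only models "a new code every fixed interval".
    counter = struct.pack(">Q", now // interval)
    digest = hmac.new(seed, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**CODE_LEN:0{CODE_LEN}d}"


class TokenVerifier:
    """Models the server-side check of a SecurID-style passcode (PIN + token code)."""

    def __init__(self, interval: int = INTERVAL, drift: int = DRIFT_STEPS):
        self.interval, self.drift = interval, drift
        self.tokens = {}   # user -> (token seed, PIN)
        self.used = {}     # user -> set of time steps whose code was already accepted

    def register(self, user: str, seed: bytes, pin: str) -> None:
        self.tokens[user] = (seed, pin)

    def verify(self, user: str, passcode: str, now: int) -> bool:
        rec = self.tokens.get(user)
        if rec is None or len(passcode) <= CODE_LEN:
            return False
        seed, pin = rec
        # Passcode is the PIN immediately followed by the current token code.
        supplied_pin, supplied_code = passcode[:-CODE_LEN], passcode[-CODE_LEN:]
        if not hmac.compare_digest(supplied_pin.encode(), pin.encode()):
            return False
        step = now // self.interval
        window = range(step - self.drift, step + self.drift + 1)
        used = self.used.setdefault(user, set())
        used.intersection_update(window)   # steps outside the window can never match again
        for s in window:
            expected = token_code(seed, s * self.interval, self.interval)
            if hmac.compare_digest(expected.encode(), supplied_code.encode()):
                if s in used:              # single use: the same code is never accepted twice
                    return False
                used.add(s)
                return True
        return False
```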
You can integrate with RSA SecurID authentication technology in any one of the following ways:
• Using the RSA SecurID agent: users are authenticated with username and passcode through RSA’s native protocol.
• Using the RADIUS protocol: users are authenticated with username and passcode through the RADIUS protocol.
RSA SecurID token server in ACS 5.3 integrates with the RSA SecurID authentication technology by
using the RSA SecurID Agent.
Configuring RSA SecurID Agents
The RSA SecurID Server administrator can do the following:
• Create an Agent Record (sdconf.rec), page 8-54
• Reset the Node Secret (securid), page 8-54
• Override Automatic Load Balancing, page 8-55
• Manually Intervene to Remove a Down RSA SecurID Server, page 8-55
Create an Agent Record (sdconf.rec)
To configure an RSA SecurID token server in ACS 5.3, the ACS administrator requires the sdconf.rec
file. The sdconf.rec file is a configuration record file that specifies how the RSA agent communicates
with the RSA SecurID server realm.
In order to create the sdconf.rec file, the RSA SecurID server administrator should add the ACS host as
an Agent host on the RSA SecurID server and generate a configuration file for this agent host.
Reset the Node Secret (securid)
After the agent initially communicates with the RSA SecurID server, the server provides the agent with
a node secret file called securid. Subsequent communication between the server and the agent relies on
exchanging the node secret to verify the other’s authenticity.
At times, you might have to reset the node secret. To reset the node secret:
Step 1 The RSA SecurID server administrator must uncheck the Node Secret Created check box on the
Agent Host record in the RSA SecurID server.
Step 2 The ACS administrator must remove the securid file from ACS.