Cisco Defense Orchestrator

RSA Security Two-Factor Authentication

This article provides information about two-factor authentication using the RSA Security agent for RA VPN.

You can configure RSA using one of the following approaches: 

  • Define the RSA Server directly in CDO as a RADIUS server and use the server as the primary authentication source in the RA VPN.

    When using this approach, the user must authenticate using a username that is configured in the RSA RADIUS server and concatenate the password with the one-time temporary RSA token, separating the password and token with a comma: password,token.

    In this configuration, it is typical to use a separate RADIUS server (such as one supplied in Cisco ISE) to provide authorization services. You would configure the second RADIUS server as the authorization and, optionally, accounting server. 
     
  • Integrate the RSA server with a RADIUS or AD server that supports direct integration and configure the RA VPN to use the non-RSA RADIUS or AD server as the primary authentication source. In this case, the RADIUS/AD server uses RSA-SDI to delegate and orchestrate the two-factor authentication between the client and the RSA Server.

    When using this approach, the user must authenticate using a username that is configured in the non-RSA RADIUS or AD server and concatenate the password with the one-time temporary RSA token, separating the password and token with a comma: password,token.

    In this configuration, you would also use the non-RSA RADIUS server as the authorization and, optionally, accounting server. 

See the RSA documentation at https://community.rsa.com/ for information about the RSA-side configuration.
