Cisco 7604 Configuration Guide - Page 209
SDI Server Support, Two-step Authentication Process, SDI Primary and Replica Servers
Chapter 11 Configuring AAA Servers and the Local Database
AAA Server and Local Database Support

SDI Server Support

The FWSM can use RSA SecurID servers for VPN authentication. These servers are also known as SDI servers. When a user attempts to establish VPN access and the applicable tunnel-group record specifies an SDI authentication server group, the FWSM sends the username and one-time password to the SDI server and grants or denies user access based on the response from the server.

This section contains the following topics:
• SDI Version Support, page 11-5
• Two-step Authentication Process, page 11-5
• SDI Primary and Replica Servers, page 11-5

SDI Version Support

The FWSM offers the following SDI version support:
• Versions prior to Version 5.0 - SDI versions prior to 5.0 use the concept of an SDI master server and an SDI slave server, which share a single node secret file (SECURID).
• Version 5.0 - SDI Version 5.0 uses the concept of an SDI primary server and SDI replica servers. Each primary and its replicas share a single node secret file. The node secret file name is the hexadecimal value of the ACE/Server IP address with .sdi appended. A Version 5.0 SDI server that you configure on the FWSM can be either the primary or any one of the replicas. See the "SDI Primary and Replica Servers" section on page 11-5 for information about how the SDI agent selects servers to authenticate users.

Two-step Authentication Process

SDI Version 5.0 uses a two-step process to prevent an intruder from capturing information from an RSA SecurID authentication request and using it to authenticate to another server. The SDI agent first sends a lock request to the SecurID server before sending the user authentication request. The server locks the username, preventing another (replica) server from accepting it. This means that the same user cannot authenticate to two FWSMs using the same authentication servers simultaneously. After a successful username lock, the FWSM sends the passcode.

SDI Primary and Replica Servers

The FWSM obtains the server list when the first user authenticates to the configured server, which can be either a primary or a replica. The FWSM then assigns a priority to each server on the list, and subsequent server selection is random but weighted by those priorities: the highest priority servers are the most likely to be selected.

NT Server Support

The FWSM supports authentication of VPN-based management connections with Microsoft Windows server operating systems that support NTLM Version 1, which we collectively refer to as NT servers. When a user attempts to establish VPN access and the applicable tunnel-group record specifies an NT authentication server group, the FWSM uses NTLM Version 1 for user authentication with the Microsoft Windows domain server. The FWSM grants or denies user access based on the response from the domain server.

OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 11-5
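The following Python model illustrates the three SDI Version 5.0 behaviours described in this section: the node secret file name derived from the ACE/Server IP address, the lock-then-passcode two-step exchange (and why a second FWSM, or a captured passcode sent by a party that does not hold the lock, is refused), and the priority-weighted random selection among a primary and its replicas. It is an added example, not Cisco or RSA code, and it runs no real SDI protocol. The class and function names (SdiServerGroup, FwsmSdiAgent, node_secret_filename), the server addresses and priorities, the passcode value, and the assumptions that the primary and its replicas share one lock table, that a lock is released when the authentication attempt completes, and that weighted selection is a weighted random draw are all constructed for illustration.

```python
"""Model of FWSM SDI agent behaviour (added example; assumptions noted in comments)."""
import random
from ipaddress import IPv4Address


def node_secret_filename(server_ip: str) -> str:
    """Node secret file name: hex value of the ACE/Server IPv4 address with '.sdi' appended."""
    return f"{int(IPv4Address(server_ip)):08x}.sdi"


class SdiServerGroup:
    """A primary and its replicas. Assumption: they share one node secret and one lock table."""

    def __init__(self, servers, valid_passcodes):
        self.servers = list(servers)                  # constructed (ip, priority) tuples
        self.valid_passcodes = dict(valid_passcodes)  # constructed username -> current passcode
        self.locks = {}                               # username -> agent holding the lock

    def lock(self, username, agent):
        """Step 1: lock the username; refused if another agent already holds it."""
        holder = self.locks.get(username)
        if holder is not None and holder != agent:
            return False
        self.locks[username] = agent
        return True

    def authenticate(self, username, passcode, agent):
        """Step 2: accept the passcode only from the agent that holds the lock."""
        if self.locks.get(username) != agent:
            return False
        ok = self.valid_passcodes.get(username) == passcode
        del self.locks[username]  # assumption: lock released once the attempt completes
        return ok

    def server_list(self):
        """The (ip, priority) list an agent learns on its first authentication."""
        return list(self.servers)


class FwsmSdiAgent:
    """The SDI agent on one FWSM (hypothetical name)."""

    def __init__(self, name, group, configured_server, rng=None):
        self.name = name
        self.group = group
        self.configured = configured_server
        self.servers = None                 # learned from the first authentication
        self.rng = rng or random.Random()

    def select_server(self):
        """First request goes to the configured server; afterwards a priority-weighted draw."""
        if self.servers is None:
            self.servers = self.group.server_list()
            return self.configured
        ips = [ip for ip, _ in self.servers]
        weights = [priority for _, priority in self.servers]
        return self.rng.choices(ips, weights=weights, k=1)[0]

    def authenticate(self, username, passcode):
        """Two-step exchange: lock request first, passcode only after a successful lock."""
        server = self.select_server()
        if not self.group.lock(username, self.name):
            return ("denied", "username locked", server)
        ok = self.group.authenticate(username, passcode, self.name)
        return ("granted" if ok else "denied", "passcode checked", server)


def demo_concurrent_lock():
    """Two FWSMs, one user: the second lock request and an out-of-lock passcode are refused."""
    group = SdiServerGroup([("10.1.1.20", 3), ("10.1.1.21", 1)], {"alice": "1234567890"})
    fwsm_b = FwsmSdiAgent("fwsm-b", group, "10.1.1.20", random.Random(2))
    if not group.lock("alice", "fwsm-a"):          # fwsm-a completes step 1
        raise RuntimeError("first lock should succeed")
    b_result = fwsm_b.authenticate("alice", "1234567890")     # denied: username locked
    replay = group.authenticate("alice", "1234567890", "fwsm-b")  # correct passcode, no lock
    a_result = group.authenticate("alice", "1234567890", "fwsm-a")  # lock holder: granted
    return (b_result[0], replay, a_result)


def selection_counts(draws=10000, seed=7):
    """How often each server is chosen when priorities are 3:1."""
    group = SdiServerGroup([("10.1.1.20", 3), ("10.1.1.21", 1)], {})
    agent = FwsmSdiAgent("fwsm-a", group, "10.1.1.20", random.Random(seed))
    counts = {}
    for _ in range(draws):
        chosen = agent.select_server()
        counts[chosen] = counts.get(chosen, 0) + 1
    return counts


if __name__ == "__main__":
    print(node_secret_filename("10.1.1.20"))
    print(demo_concurrent_lock())
    print(selection_counts())
```

The lock table is what makes the captured-request scenario fail in the model: a passcode is only accepted from the agent that completed the lock step, so replaying it toward another member of the group, or starting a second session for the same user from another FWSM, is refused until the first attempt completes.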