Cisco ASA 5505 Configuration Manual page 652

AAA Server and Local Database Support
RSA/SDI Version Support
The adaptive security appliance supports SDI Versions 5.0 and 6.0. SDI uses the concepts of an SDI
primary server and SDI replica servers. Each primary and its replicas share a single node secret file. The node
secret file is named after the hexadecimal value of the ACE/Server IP address, with .sdi appended.
A version 5.0 or 6.0 SDI server that you configure on the adaptive security appliance can be either the
primary or any one of the replicas. See the "RSA/SDI Primary and Replica Servers" section on page 31-6
for information about how the SDI agent selects servers to authenticate users.
Two-step Authentication Process
SDI Versions 5.0 and 6.0 use a two-step process to prevent an intruder from capturing information from
an RSA SecurID authentication request and using it to authenticate to another server. The agent first
sends a lock request to the SecurID server before sending the user authentication request. The server
locks the username, preventing another (replica) server from accepting it. This action means that the
same user cannot authenticate to two adaptive security appliances that use the same authentication servers
simultaneously. After a successful username lock, the adaptive security appliance sends the passcode.
RSA/SDI Primary and Replica Servers
The adaptive security appliance obtains the server list when the first user authenticates to the configured
server, which can be either a primary or a replica. The adaptive security appliance then assigns a priority
to each server on the list, and subsequent server selection is random, weighted by those assigned
priorities: servers with a higher priority are more likely to be selected, but any server on the list can be chosen.
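The following is an added example, not code from the configuration guide or from Cisco or RSA. It models the three mechanisms described above so their interaction can be exercised offline: the node secret file name derived from the ACE/Server address (zero-padding to 8 hex digits is an assumption of this example), the two-step lock-then-passcode exchange against a primary/replica set that shares one username lock table, and priority-weighted random server selection. The realm, server names, priority values and the username-to-passcode table are constructed for the demonstration; a real SecurID passcode is a PIN plus a token code and is never a static string.

```python
import ipaddress
import random


def node_secret_filename(server_ip: str) -> str:
    """Node secret file name: the hexadecimal value of the ACE/Server IPv4
    address with .sdi appended. Zero-padding to 8 hex digits is an assumption
    of this example so that addresses with a leading zero octet stay 8 wide."""
    return f"{int(ipaddress.IPv4Address(server_ip)):08x}.sdi"


class SdiRealm:
    """Constructed model of one primary and its replicas. All servers in the
    realm see the same lock table, which is what stops a replica from accepting
    a username that another server has already locked."""

    def __init__(self, passcodes):
        self.passcodes = dict(passcodes)  # constructed: username -> expected passcode
        self.locked = set()

    def lock(self, username):
        """Step 1 of the exchange: lock the username, or refuse if already locked."""
        if username in self.locked:
            return False
        self.locked.add(username)
        return True

    def verify(self, username, passcode):
        """Step 2: check the passcode. The lock is released whether or not it matched."""
        try:
            return self.passcodes.get(username) == passcode
        finally:
            self.locked.discard(username)


class SdiServer:
    """One server (primary or replica) of a realm, addressed by name."""

    def __init__(self, name, realm):
        self.name = name
        self.realm = realm

    def lock(self, username):
        return self.realm.lock(username)

    def verify(self, username, passcode):
        return self.realm.verify(username, passcode)


class SdiAgent:
    """Model of the appliance-side SDI agent: weighted random server choice,
    then the two-step lock / passcode exchange with the chosen server."""

    def __init__(self, servers, priorities, seed=None):
        self.servers = list(servers)
        self.priorities = list(priorities)
        self.rng = random.Random(seed)

    def pick_server(self):
        # Higher priority -> higher probability; every listed server can still be chosen.
        return self.rng.choices(self.servers, weights=self.priorities, k=1)[0]

    def begin(self, username):
        """Send the lock request. Returns the server that granted the lock, or None."""
        server = self.pick_server()
        return server if server.lock(username) else None

    def complete(self, server, username, passcode):
        """Send the passcode to the server that granted the lock."""
        return server.verify(username, passcode)

    def authenticate(self, username, passcode):
        """Full exchange: 'locked' if another agent holds the username, else 'ok'/'fail'."""
        server = self.begin(username)
        if server is None:
            return "locked"
        return "ok" if self.complete(server, username, passcode) else "fail"


def selection_counts(agent, draws):
    """How often each server is picked over `draws` selections."""
    counts = {s.name: 0 for s in agent.servers}
    for _ in range(draws):
        counts[agent.pick_server().name] += 1
    return counts


if __name__ == "__main__":
    realm = SdiRealm({"alice": "1234567890"})  # constructed credential table
    primary, replica = SdiServer("primary", realm), SdiServer("replica", realm)
    asa1 = SdiAgent([primary, replica], [3, 1], seed=1)
    asa2 = SdiAgent([primary, replica], [3, 1], seed=2)
    print(node_secret_filename("192.168.1.10"))
    held = asa1.begin("alice")                     # asa1 holds the username lock
    print(asa2.authenticate("alice", "1234567890"))  # second appliance is refused
    print(asa1.complete(held, "alice", "1234567890"))
    print(selection_counts(asa1, 2000))
```

The point the model makes concrete is that the lock is per username across the whole realm, so a second appliance attempting the same user while the first is between its lock request and its passcode is refused rather than queued, and the lock is dropped after the passcode is checked regardless of the outcome.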
NT Server Support
The adaptive security appliance supports Microsoft Windows server operating systems that support
NTLM Version 1, collectively referred to as NT servers.
Note: NT servers have a maximum length of 14 characters for user passwords. Longer passwords are truncated,
which is a limitation of NTLM Version 1.
Kerberos Server Support
The adaptive security appliance supports 3DES, DES, and RC4 encryption types.
Note: The adaptive security appliance does not support changing user passwords during tunnel negotiation. To
avoid this situation arising inadvertently, disable password expiration on the Kerberos/Active
Directory server for users connecting to the adaptive security appliance.
Cisco ASA 5500 Series Configuration Guide using ASDM, Chapter 31, Configuring AAA Servers and the Local Database, page 31-6, OL-20339-01