Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI

Chapter 11
Configuring AAA Servers and the Local Database

SDI Server Support

The FWSM can use RSA SecurID servers for VPN authentication. These servers are also known as SDI
servers. When a user attempts to establish VPN access and the applicable tunnel-group record specifies
an SDI authentication server group, the FWSM sends the username and one-time password (passcode) to
the SDI server and grants or denies user access based on the response from the server.
This section contains the following topics:

SDI Version Support, page 11-5
Two-step Authentication Process, page 11-5
SDI Primary and Replica Servers, page 11-5

SDI Version Support

The FWSM offers the following SDI version support:

Versions prior to Version 5.0—SDI versions prior to 5.0 use the concept of an SDI master server and an
SDI slave server, which share a single node secret file (SECURID).

Version 5.0—SDI Version 5.0 uses the concept of an SDI primary server and SDI replica servers. Each
primary and its replicas share a single node secret file. The node secret file is named after the
hexadecimal value of the ACE/Server IP address with .sdi appended.

A Version 5.0 SDI server that you configure on the FWSM can be either the primary or any one of the
replicas. See the "SDI Primary and Replica Servers" section on page 11-5 for information about how
the SDI agent selects servers to authenticate users.

Two-step Authentication Process

SDI Version 5.0 uses a two-step process to prevent an intruder from capturing information from an RSA
SecurID authentication request and using it to authenticate to another server. The SDI agent first sends
a lock request to the SecurID server before sending the user authentication request. The server locks the
username, preventing another (replica) server from accepting it. This means that the same user cannot
authenticate to two FWSMs using the same authentication servers simultaneously. After a successful
username lock, the FWSM sends the passcode.

SDI Primary and Replica Servers

The FWSM obtains the server list when the first user authenticates to the configured server, which can
be either a primary or a replica. The FWSM then assigns a priority to each server on the list, and
subsequent server selection is made at random, weighted by those priorities: the highest-priority servers
are the most likely to be selected.

NT Server Support

The FWSM supports authentication of VPN-based management connections with Microsoft Windows
server operating systems that support NTLM Version 1, which we collectively refer to as NT servers.
When a user attempts to establish VPN access and the applicable tunnel-group record specifies an NT
authentication server group, the FWSM uses NTLM Version 1 for user authentication with the
Microsoft Windows domain server. The FWSM grants or denies user access based on the response from
the domain server.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
AAA Server and Local Database Support
11-5