HOW-TO: Selectively Enable or Disable RSA SecurID Integration in Cisco VPN Client

If your company uses a Cisco ASA firewall and allows remote access through it (using the Cisco VPN Client), and it also uses 2FA (two-factor authentication) with RSA SecurID and has given you a soft token, the two are now integrated. This means that when you try to connect, you are prompted only for the PIN of the RSA token and not for the entire passcode.


Neat, isn't it? But consider this: you are a consultant working for two or more companies, one using RSA and the other not using it, or both using RSA but with different tokens. How do you take care of that?

Normally, the client will pick one token and just blast away the passcode with the PIN you enter, which means you can log in to one company but not the others. This is a problem, isn't it?

Fortunately for us, there is a solution.

You need to remember the following:

SDIUseHardwareToken (Enables a connection entry to avoid using RSA soft token.)

0 = Yes, use RSA SoftID (default)
1 = No, ignore RSA SoftID software installed on the PC.

RadiusSDI (Tells the VPN Client to assume RADIUS SDI is being used for extended authentication (XAuth).)

0 = No (default)
1 = Yes

OK, now that you know the above, what next?


First, if you have multiple companies all using RSA, and by default the PIN works for one of them, you can leave that one as is, or you can disable the PIN function altogether and enter the passcode yourself.

Open the PCF file (it will be in the installation folder). Since I use a 32-bit client, the location was:

C:\Program Files (x86)\Cisco Systems\VPN Client\Profiles


Open the PCF file in Notepad, edit or add the lines (if the lines already exist, just change the values), and save the file.


To Ignore the RSA Integration


To Use the RSA Integration


Once you set a profile to ignore RSA, its prompt will change back to asking for the passcode.
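The edit described above, scripted in Python as an added example (not code from the original post). It updates SDIUseHardwareToken, and optionally RadiusSDI, in one profile at a time; the sample profile, its host and group name, and the function names are constructed for illustration, and placing the keys under a [main] section is an assumption about the profile layout.

```python
import re

# Constructed sample profile; host and group name are placeholders.
SAMPLE_PCF = """[main]
Description=Example Corp
Host=vpn.example.com
AuthType=1
GroupName=example-group
SDIUseHardwareToken=0
"""

def set_pcf_values(pcf_text, values):
    """Set key=value pairs in the [main] section of PCF text.

    Existing keys are updated in place, keeping a leading '!' (read-only
    marker); missing keys are appended to [main]. Other lines are kept.
    """
    pending = dict(values)
    out, in_main, insert_at = [], False, None
    for line in pcf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_main = stripped.lower() == "[main]"
        elif in_main:
            m = re.match(r"(!?)([^=\s]+)\s*=", stripped)
            for key in list(pending):
                if m and key.lower() == m.group(2).lower():
                    line = f"{m.group(1)}{key}={pending.pop(key)}"
        out.append(line)
        if in_main and stripped:
            insert_at = len(out)  # end of the last non-blank [main] line
    if pending:
        if insert_at is None:  # profile had no [main] section (assumed layout)
            out.append("[main]")
            insert_at = len(out)
        out[insert_at:insert_at] = [f"{k}={v}" for k, v in pending.items()]
    return "\n".join(out) + "\n"

def rsa_integration(pcf_text, use_softid, radius_sdi=None):
    """use_softid=True -> SDIUseHardwareToken=0 (PIN prompt, soft token used);
    use_softid=False -> SDIUseHardwareToken=1 (soft token ignored, passcode prompt).
    radius_sdi is written only when given (0 or 1)."""
    values = {"SDIUseHardwareToken": 0 if use_softid else 1}
    if radius_sdi is not None:
        values["RadiusSDI"] = radius_sdi
    return set_pcf_values(pcf_text, values)

if __name__ == "__main__":
    print(rsa_integration(SAMPLE_PCF, use_softid=False))
```

Run it against a copy of the profile and keep the original until the connection entry prompts the way you expect.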


Hope this has been helpful, and thanks for reading. Do let me know in the comments section if you have any questions.




  1. Been trying to fix this for months. Thanks so much!

  2. Thank you for posting this as I am on jumping off our corporate VPN several times a day
