HOW-TO: Selectively Enable or Disable RSA Secure ID Integration in Cisco VPN Client

If your company uses Cisco ASA firewall and allow remote access through it (Using Cisco VPN Client). Also, If your company uses 2FA (Two Factor Authentication), using RSA Secure ID and have given you a Soft token, they are now integrated, which means when you try to connect you are only prompted for the PIN of the RSA Token and not the entire Pass code (Look at the below, prompting for PIN and Not Pass code)

image

Neat isn’t it ? But consider this, You are a consultant working for more than one company, and just two or more companies, one using the RSA, and the other NOT using it. Or both using RSA, but different How do you take care of that ?

Cause, normally, it will pick one token and just blast away the pass-code with the pin you enter. Which means you can login to one company but not the others. This is a problem isn't it ?

Fortunately for us, there is a solution

You need to remember the following

SDIUseHardwareToken (Enables a connection entry to avoid using RSA soft token.)

0 = Yes, use RSA SoftID (default)
1 = No, ignore RSA SoftID software installed on the PC.

RadiusSDI (Tell the VPN client to assume Radius SDI is being used for extended authentication (XAuth).)

0 = No (default)
1 = Yes

Ok, now you know the above, Now what

 

First, if you have multiple companies, all using, RSA, and by default the PIN works for one of them, you can leave that as is or you can just disable the PIN function all together and yourself enter the passcode.

Open the PCF file (It will be in the installation folder). Since I use a 32 Bit client, the Location was

c:\Program Files(x86)\Cisco Systems\VPN Client\Profiles

image

Open the PCF Files in a Notepad and edit or add the lines in the PCF (If the lines already exist, just change the values ) in the file and save it

image

To Ignore the RSA Integration

RadiusSDI=0
SDIUseHardwareToken=1

To Use the RSA Integration

RadiusSDI=1
SDIUseHardwareToken=0

Once you set it to be ignoring the RSA, the prompt will change back to passcode.

image

Hope this has been helpful and thanks for reading. Dop let me know if you have any questions in the comments section

 

 

Comments

  1. UnknownSeptember 8, 2014 at 2:10 AM

    Been trying to fix this for months. Thanks so much!

    ReplyDelete
  2. UnknownMay 6, 2016 at 8:41 PM

    Thank you for posting this as I am on jumping off our corporate VPN several times a day

    ReplyDelete
  3. Irish EyesJune 27, 2019 at 4:02 PM

    Still a useful fix after all these years, thank you

    ReplyDelete

Post a Comment

Popular posts from this blog

Juniper Aggregate Interfaces (LACP/No LACP)

Image
Last week, I was implementing link aggregation on Juniper EX Series switches (EX4200). I was moving them off HP switches and putting them into Juniper. We were moving VMWare ESX boxes, NetApp and some physical boxes, though the configuration is very simple, I would like to mention how to do those with these boxes. Points to remember: You will explicitly need to create “Aggregated Ethernet” interfaces on juniper You cannot have more than 64 AE interfaces on a single Virtual Chassis You cannot change the algorithm for load balancing between the multiple links. (If you are interested in the Junipers LAG algorithm read this ) Now having said this, lets look at the common steps, you need to create the Aggregated Ethernet interfaces on the Juniper. root@EX4200#set chassis aggregated-devices ethernet device-count  4 The above command will create 4 “ae” interfaces, after you commit, you should see ae0 – ae 3 created. You can have any value between 1 and 64 in...
Read more

Exporting Contacts out of Blackberry with Windows Contacts

Image
So, you are trying to get your contacts out of your blackberry and sync it to your Android / iPhone / Windows Phone, or just want to sync it to your Google account for backup purposes. Here are a few tips that will get you started – I have just enumerated some methods. Option 1: Use Blackberry Desktop 6 (Manual) (Not the most updated software) – It can directly export out your contacts out in the CSV Format. Please read the official How-To here Option 2: Using Blackberry Desktop 7 (Manual) If you have a Blackberry Desktop 7 – Which most likely you may end up having, here is how you can do it – For people who don’t want to use the sync (Option 3) Step 1: Backup BB Contacts to Windows Contacts Connect your Phone to your Windows (Assuming you have Windows 7/8/8.1) Click On Organizer Select Configure Select “One-Way to Your Computer and Windows Contacts (You may Sync it to your outlook, but that’s not covered in this blog) Click on Sync Organizer (Sync All) on ...
Read more

Configuring Multicasting with Juniper EX switches (Part 1)

Image
Configuring multicast routing using Protocol Independent Multicast in a all Juniper environment is as simple as the Cisco environment, but when I searched, I dint find good articles or KB’s explaining this, so I decided to write one. I am fairly certain that if you have searched and arrived at this post, you know the basics of multicasting and IGMP, but yet, for the benefit of all readers, I will in brief describe the need for multicast. Please note, that this is just the IPv4 version of the story presented in a understandable manner and not all aspects of multicast are covered, but only the ones needed for this post. What is Multicast ? In IPv4 we have 3 kinds of packets, Unicast – One Source, One Destination Broadcast – One source and all destinations Multicast – One source and many destinations Now, all of us are familiar with the first one, we use it almost every minute we are on a network connected equipment. To, explain all this, lets choose different ...
Read more