Cisco AnyConnect Secure Mobility Client Administrator Guide, Version 4.0 – Configuring VPN Access [Cisco AnyConnect Secure Mobility Client]

AnyConnect integrates support for RSA SecurID client software versions 1.1 and later that run on Windows 7 x86 (32-bit) and x64 (64-bit).

RSA SecurID software authenticators reduce the number of items a user has to manage for safe and secure access to corporate assets. RSA SecurID Software Tokens on a remote machine generate a random one-time passcode that changes every 60 seconds. SDI stands for Security Dynamics, Inc., and refers to a one-time password generation technology that uses hardware and software tokens.

Typically, users make an AnyConnect connection by clicking the AnyConnect icon in the toolbox, selecting the connection profile they wish to connect to, and then entering the appropriate credentials in the authentication dialog. The login (challenge) dialog corresponds to the authentication type configured for the tunnel group to which the user belongs. The input fields in the login dialog explicitly indicate the type of entry required for authentication.

For SDI authentication, the remote user enters a PIN (personal identification number) into the AnyConnect interface and receives an RSA SecurID passcode. After the user enters the passcode into the secured application, the RSA Authentication Manager validates the passcode and allows the user to gain access.

Users of RSA SecurID devices or software tokens see input fields that indicate whether a passcode or a PIN must be entered, and the status line at the bottom of the dialog provides more information about the requirements. The user enters the software token PIN or passcode directly into the AnyConnect user interface.

The appearance of the initial login dialog depends on the settings of the secure gateway: the user can access the secure gateway through the main login page, the main index URL, the tunnel group login page, or the tunnel group URL (URL/tunnel-group). To access the secure gateway via the main login page, the “Allow user to select connection” checkbox must be set on the Network (Client) Access AnyConnect Connection Profiles page. In either case, the secure gateway sends the client a login page. The main login page has a drop-down list in which the user selects a tunnel group; the tunnel group login page does not, since the tunnel group is specified in the URL.

In the case of the main login page (with a drop-down list of connection profiles or tunnel groups), the authentication type of the default tunnel group determines the initial label of the password entry field. For example, if the default tunnel group uses SDI authentication, the field label is “Passcode”; if the default tunnel group uses NTLM authentication, the field label is “Password”. In release 2.1 and later, the field label is not dynamically updated when the user selects a different tunnel group. For the tunnel group login page, the field label matches the tunnel group requirements.

The client supports entering RSA SecurID Software Token PINs in the password entry field. If an RSA SecurID Software Token is installed and the tunnel group authentication type is SDI, the field label is “Passcode” and the status bar states “Enter a username and passcode or PIN for the software token”. If a PIN is used, subsequent consecutive logins for the same tunnel group and username show the field label “PIN”. The client retrieves the passcode from the RSA SecurID Software Token DLL using the entered PIN. With each successful authentication, the client saves the tunnel group, username, and authentication type, and the saved tunnel group becomes the new default tunnel group.

AnyConnect accepts passcodes for any SDI authentication. Even when the password entry label is “PIN”, the user can still enter a passcode as instructed by the status bar. The client sends the passcode to the secure gateway as is. If a passcode is used, subsequent consecutive logins for the same tunnel group and username show the field label “Passcode”.

The RSASecurIDIntegration profile setting has three possible values:

  • Automatic – The client first tries one method, and if it fails, tries the other. The default is to treat user input as a token passcode (HardwareToken), and if that fails, treat it as a software token PIN (SoftwareToken). When authentication succeeds, the successful method is set as the new SDI token type and cached in the user’s preferences file. For the next authentication attempt, the SDI token type determines which method is tried first. In general, the token used for the current authentication attempt is the same token used for the last successful authentication attempt. However, when the username or the group selection changes, the client goes back to trying the default method first, as indicated in the input field label.

    Note

    The SDI token type is only meaningful for the Automatic setting. You can ignore SDI token type records when the authentication mode is not Automatic. HardwareToken as the default avoids triggering next token mode.


  • SoftwareToken – The client always interprets the user’s input as a software token PIN, and the label of the input field is “PIN:”.

  • HardwareToken – The client always interprets the user’s input as a token passcode, and the label of the input field is “Passcode:”.

Note

AnyConnect does not support token selection from multiple tokens imported into the RSA Software Token client software. Instead, the client uses the default setting specified via the RSA SecurID Software Token GUI.
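
The ordering rules for the three RSASecurIDIntegration values described above can be modeled in a few lines. This is an added example, not Cisco code: the class, function, group and user names are hypothetical, and the cache is a simplified stand-in for the SDI token type stored in the user's preferences file.

```python
from dataclasses import dataclass, field

HARDWARE, SOFTWARE = "HardwareToken", "SoftwareToken"
LABELS = {HARDWARE: "Passcode:", SOFTWARE: "PIN:"}  # input-field labels per the guide


@dataclass
class SdiPreferences:
    """Hypothetical stand-in for the SDI token type cached in the preferences file."""
    mode: str = "Automatic"  # RSASecurIDIntegration: Automatic | SoftwareToken | HardwareToken
    cached: dict = field(default_factory=dict)  # {(group, username): last successful type}

    def attempt_order(self, group, username):
        """Methods the client would try, in order, for this login."""
        if self.mode != "Automatic":
            return [self.mode]  # fixed mode: the cached token type is ignored
        # A different username or group misses the cache and falls back to the default.
        first = self.cached.get((group, username), HARDWARE)
        return [first, SOFTWARE if first == HARDWARE else HARDWARE]

    def field_label(self, group, username):
        return LABELS[self.attempt_order(group, username)[0]]

    def login(self, group, username, valid_as):
        """Return (methods tried, success). `valid_as` is the interpretation under
        which the typed input is really valid (constructed input for the model)."""
        tried = []
        for method in self.attempt_order(group, username):
            tried.append(method)
            if method == valid_as:
                if self.mode == "Automatic":
                    self.cached = {(group, username): method}  # keep last success only
                return tried, True
        return tried, False


def demo():
    """Constructed walk-through: alice uses a software token in Automatic mode."""
    prefs = SdiPreferences()
    return [
        prefs.login("sdi-group", "alice", SOFTWARE),  # first login: default tried first
        prefs.field_label("sdi-group", "alice"),      # label now follows cached type
        prefs.login("sdi-group", "alice", SOFTWARE),  # cached method tried first
        prefs.field_label("sdi-group", "bob"),        # new username: back to default
    ]


if __name__ == "__main__":
    for step in demo():
        print(step)
```

In the model, a fixed SoftwareToken or HardwareToken setting never falls through to the other method, so input of the wrong kind fails instead of being retried.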

