HOW-TO: Selectively Enable or Disable RSA SecurID Integration in the Cisco VPN Client

If your company uses a Cisco ASA firewall and allows remote access through it (using the Cisco VPN Client), and it also uses 2FA (two-factor authentication) with RSA SecurID and has given you a soft token, the two are integrated. That means when you try to connect you are prompted only for the PIN of the RSA token and not for the entire passcode (look at the screenshot below: it prompts for the PIN, not the passcode).

[image: Cisco VPN Client login prompt asking for the PIN rather than the passcode]

Neat, isn't it? But consider this: you are a consultant working for more than one company, say two or more, one using RSA and the other not. Or both use RSA, but with different tokens. How do you take care of that?

Because normally the client will pick one token and just fire off the passcode built from the PIN you enter, which means you can log in to one company but not the others. This is a problem, isn't it?

Fortunately for us, there is a solution.

You need to remember the following two settings:

SDIUseHardwareToken (lets a connection entry avoid using the RSA soft token)

0 = Yes, use RSA SoftID (default)
1 = No, ignore the RSA SoftID software installed on the PC

RadiusSDI (tells the VPN client to assume RADIUS SDI is being used for extended authentication, XAuth)

0 = No (default)
1 = Yes

OK, now that you know the above, what next?

First, if you have multiple companies all using RSA, and by default the PIN works for one of them, you can leave that as is, or you can disable the PIN function altogether and enter the passcode yourself.

Open the PCF file (it will be in the installation folder). Since I use a 32-bit client, the location was

c:\Program Files (x86)\Cisco Systems\VPN Client\Profiles

[image: Profiles folder of the Cisco VPN Client installation]

Open the PCF file in Notepad and edit or add the following lines (if the lines already exist, just change the values), then save the file.

[image: PCF file open in Notepad]

To Ignore the RSA Integration

RadiusSDI=0
SDIUseHardwareToken=1

To Use the RSA Integration

RadiusSDI=1
SDIUseHardwareToken=0
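As an added example (not code from the original post), the following Python script applies the two settings above to a profile without touching its other keys, so a consultant with several profiles can flip each one deliberately. It assumes a .pcf file is a plain INI file with a [main] section, which is how the Cisco VPN Client stores profiles; the sample profile, host and group name are constructed.

```python
import configparser
import io
from pathlib import Path

# Key/value pairs exactly as the post documents them.
RSA_ON = {"RadiusSDI": "1", "SDIUseHardwareToken": "0"}    # use the soft token: PIN prompt
RSA_OFF = {"RadiusSDI": "0", "SDIUseHardwareToken": "1"}   # ignore it: full passcode prompt
DEFAULTS = {"RadiusSDI": "0", "SDIUseHardwareToken": "0"}  # client defaults when a key is absent

def _load(text: str) -> configparser.ConfigParser:
    """Parse PCF text; keys keep their case so the client still recognises them."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg

def sdi_settings(text: str) -> dict:
    """Effective values of the two SDI keys, applying the documented defaults."""
    main = _load(text)["main"]
    return {key: main.get(key, default) for key, default in DEFAULTS.items()}

def rsa_ignored(text: str) -> bool:
    """True when the profile is set to ignore the RSA soft token (passcode prompt)."""
    return sdi_settings(text) == RSA_OFF

def set_rsa_mode(text: str, use_rsa: bool) -> str:
    """Return PCF text with the two SDI keys set; every other key is left as is."""
    cfg = _load(text)
    for key, value in (RSA_ON if use_rsa else RSA_OFF).items():
        cfg["main"][key] = value
    out = io.StringIO()
    cfg.write(out, space_around_delimiters=False)
    return out.getvalue()

def update_profile(path: Path, use_rsa: bool) -> None:
    """Rewrite one profile on disk, keeping a .bak copy of the original first."""
    original = path.read_text()
    path.with_suffix(".bak").write_text(original)
    path.write_text(set_rsa_mode(original, use_rsa))

# Constructed sample profile; host and group name are placeholders.
SAMPLE_PCF = """[main]
Description=Company A (constructed example)
Host=vpn.example.com
AuthType=1
GroupName=example-group
RadiusSDI=1
SDIUseHardwareToken=0
"""
```

Run `update_profile(Path(r"C:\...\Profiles\CompanyA.pcf"), use_rsa=False)` with the real path to switch that one profile to the passcode prompt; the .bak copy lets you revert.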

Once you set it to ignore the RSA integration, the prompt will change back to passcode.

[image: Cisco VPN Client login prompt asking for the passcode]

Hope this has been helpful, and thanks for reading. Do let me know if you have any questions in the comments section.

Comments

  1. Been trying to fix this for months. Thanks so much!

  2. Thank you for posting this, as I am jumping off our corporate VPN several times a day

  3. Still a useful fix after all these years, thank you
