ASDM with two factor authentication

Howdy all,

Our company policy is to have two-factor authentication to administer firewalls. This has been good for console and SSH administration of Cisco ASA and PIX firewalls. However, we are now moving to Cisco Finesse image 7.2X and would like to use the ASDM. The ASDM appears to cache the credentials and retry authentication/authorization for each consecutive command issued, i.e. show run, show interfaces, sh route, etc. This obviously does not go down well with our two-factor authentication solution (SafeWord), which expects a different token for each consecutive authentication request.

Could anyone advise of a way to make the connection between the ASDM and the firewall permanent (so each command does not require authentication), or perhaps some wizardry on the AAA configuration?

Thanks in advance, dirk


Dirk,

I came across the same issue so I opened a ticket with Cisco support. This is the response I got from them:

"This is a known behavior of ASDM. It is not really a bug; it is a limitation caused by the way Java works with the ASA. Here is the explanation.

ASDM will not work with RSA Token Server generated passwords. RSA Token Server generated passwords are one-time use only; they expire after first usage. ASDM uses Java, which caches authentication when logged in initially. For all subsequent HTTP transactions from ASDM, Java uses the cached authentication information while communicating with the device. Each action from ASDM to the device is an independent HTTP transaction involving an entire SSL handshake, but as Java uses its cached authentication information, users don't have to enter it again.

ASDM will only work if the authentication mechanism configured uses persistent passwords. So any one-time password authentication won't work. They are looking into implementing this feature in future releases. Let me know if you have any doubt about this."

I have not found any workaround for this, but I am keeping an eye on future releases of ASDM. He couldn't give me a timeframe on when we could see it supported. Like me, it is probably not what you wanted to hear, but at least you know Cisco's stance on the issue.

