ASDM with two factor authentication


geemail99@gmail.com
10-06-08, 11:36 PM
Howdy all,

Our company policy is to have two factor authentication to administer
firewalls. This has been good for console and SSH administration of
Cisco ASA and PIX firewalls. However we are now moving to Cisco
Finesse image 7.2X and would like to use the ASDM.
The ASDM appears to cache the credentials and retry authentication/authorization
for each consecutive command issued, i.e. show run, show interfaces, sh route,
etc. This obviously does not go down well with our 2 factor authentication
solution (SafeWord), which expects a different token for each consecutive
authentication request.

Could anyone advise of a way to make the connection between the ASDM and
the firewall permanent (so each command does not require
authentication), or perhaps some wizardry on the AAA configuration?


Thanks in advance
dirk

shiran77@gmail.com
10-23-08, 01:52 PM
Dirk,

I came across the same issue so I opened a ticket with Cisco support.
This is the response I got from them:

"This is a known behavior of ASDM. It is not really a bug; it is a
limitation caused by the way Java works with the ASA. Here is the
explanation.

ASDM will not work with RSA Token Server generated passwords. RSA
Token Server generated passwords are one time use only. They get
expired after first usage. ASDM uses Java which caches authentication
when logged in initially. For all subsequent http transactions from
ASDM, Java uses cached authentication information while communicating
with the device. Each action from ASDM to the device is an independent http
transaction involving the entire SSL handshake, but as Java uses its cached
authentication information users don't have to enter it again.

ASDM will only work if the authentication mechanism configured uses
persistent passwords. So any one time password authentication won't
work. They are looking into implementing this feature in future
releases. Let me know if you have any doubt about this."


I have not found any workaround for this, but I am keeping an eye on
future releases of ASDM. He couldn't give me a timeframe on when we
could see it supported. Like me, it is probably not what you wanted
to hear, but at least you know Cisco's stance on the issue.




On Oct 7, 12:36 am, "geemai...@gmail.com" <geemai...@gmail.com> wrote:
> Howdy all,
>
> Our company policy is to have two factor authentication to administer
> firewalls. This has been good for console and SSH administration of
> Cisco ASA and PIX firewalls. However we are now moving to Cisco
> Finesse image 7.2X and would like to use the ASDM.
> The ASDM appears to cache the credentials and retry authentication/authorization
> for each consecutive command issued, i.e. show run, show interfaces, sh route,
> etc. This obviously does not go down well with our 2 factor authentication
> solution (SafeWord), which expects a different token for each consecutive
> authentication request.
>
> Could anyone advise of a way to make the connection between the ASDM and
> the firewall permanent (so each command does not require
> authentication), or perhaps some wizardry on the AAA configuration?
>
> Thanks in advance
> dirk
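The behaviour Cisco support describes in the reply above (login once, then replay the cached credential on every HTTP transaction) can be modelled in a few lines. The following is an added example written for this thread, not Cisco, SafeWord or RSA code; the user name, token value, password and command list are constructed. It contrasts a one-time-password validator, which accepts each token exactly once, with a persistent-password validator, and runs the same "cache and replay" client against both.

```python
"""Toy model of the ASDM / one-time-password interaction described above.

Constructed example: the token server, the static-password backend and the
ASDM-like client are simplified stand-ins, and every value below is made up.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class OneTimePasswordValidator:
    """Models a token server (SafeWord/RSA-style): a token is valid exactly once."""
    valid_tokens: set[str]
    used_tokens: set[str] = field(default_factory=set)
    log: list[str] = field(default_factory=list)

    def authenticate(self, user: str, token: str) -> bool:
        if token in self.used_tokens:
            # Replaying a consumed token is exactly what a cached credential does.
            self.log.append(f"REJECT user={user} reason=token_reused")
            return False
        if token not in self.valid_tokens:
            self.log.append(f"REJECT user={user} reason=unknown_token")
            return False
        self.used_tokens.add(token)
        self.log.append(f"ACCEPT user={user}")
        return True


@dataclass
class StaticPasswordValidator:
    """Models a persistent-password backend (e.g. a LOCAL user or a plain RADIUS user)."""
    passwords: dict[str, str]
    log: list[str] = field(default_factory=list)

    def authenticate(self, user: str, password: str) -> bool:
        ok = self.passwords.get(user) == password
        self.log.append(("ACCEPT" if ok else "REJECT") + f" user={user}")
        return ok


def asdm_session(validator, user: str, credential: str, commands: list[str]):
    """Models ASDM as described by Cisco support: the credential entered at
    login is cached by Java and re-sent on every subsequent HTTP transaction,
    one transaction per command. Returns a list of (command, authenticated)."""
    cached = (user, credential)  # what the client keeps after the first prompt
    return [(cmd, validator.authenticate(*cached)) for cmd in commands]


def reject_count(log: list[str]) -> int:
    """What a defender would count on the AAA server: rejects following the
    initial accept, one per command the client tried to run."""
    return sum(1 for line in log if line.startswith("REJECT"))


if __name__ == "__main__":
    commands = ["login", "show run", "show interfaces", "show route"]

    otp = OneTimePasswordValidator(valid_tokens={"482913"})  # constructed token
    for cmd, ok in asdm_session(otp, "dirk", "482913", commands):
        print(f"OTP backend    {cmd:16s} {'ok' if ok else 'FAILED'}")

    static = StaticPasswordValidator(passwords={"dirk": "hunter2"})  # constructed
    for cmd, ok in asdm_session(static, "dirk", "hunter2", commands):
        print(f"static backend {cmd:16s} {'ok' if ok else 'FAILED'}")
```

Against the one-time-password backend only the login succeeds; every later command is refused with a "token_reused" rejection, which is also the signature an administrator will see on the token server's logs when ASDM is pointed at an OTP-backed AAA method (one accept followed by a burst of rejects for the same user). Against the persistent-password backend the same client works for every command, which is the distinction the Cisco response draws.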