RSA SecurID authentication and privilege level

Hello,
I'm new working with Cisco ACS, learning by seat of pants; most of the documentation on Cisco's website is fairly cryptic and does not use many pictures. Therefore, I would appreciate some help setting up privileges. We have ACS v5.2 which I have set up using RSA SecurID and appears to be working correctly. However, I'm having problems with the privilege level: when I access a router, it lands me in user mode. I'm trying to set up an administrator group for the routers and switches to have each member dropped in privilege level 15, exec mode, but I'm having difficulty doing this.
Unfortunately, I'm unable to find any real useful information in reference to setting up RSA SecurID. It seems more of the information is geared around radius servers. Any help would be greatly appreciated. Thank you much!

Hello.
Remember AAA means authentication, authorization and accounting. In your case you authenticate with RSA, but you authorize with ACS policies. For TACACS+ and traditional IOS from routers and switches you can use an ACS policy element called "shell profile" which you can use to specify some attributes like privilege level. Then you can use the "shell profile" to create an authorization policy.
I'm attaching some screenshots. In this example I'm using AD instead of RSA because I don't have a RSA available. Please rate if it helps.

Similar Messages

  • Ise and switch authentication and privilege level

    Hi Guys,
    I'm working on an eval on vmware. I have got everything working for wlan authentication and I’m working on shell authentication for switches. On the ACS you have the possibility to give the user privilege level on the switch. You can do this with shell profiles in ACS.
    Is there a way to get this done in ISE? I was thinking to make a result policy elements but I can't find a shell profile or privilege attributes like in ACS.
    For the record, switch authentication is working with Active Directory. I only need to know how to give the right return attribute.
    I appreciate any help!
    Sander

    @Sander,
    You were in the right area. 
    Policy->Results->Authorization->Authorization Profiles.
    Create AuthZ profile for Access-Accept and Under the Advanced Attributes Settings you can use:
    Cisco:cisco-av-pair = shell:priv-lvl=15
    or whatever privilege level you want to assign.
    On your AuthZ rule, match the conditions and apply the created profile.
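    The Cisco:cisco-av-pair value above reaches the switch as a RADIUS Vendor-Specific attribute (type 26, Cisco vendor id 9, cisco-av-pair vendor-type 1). The block below is an added example, not code from this thread, that encodes a constructed Access-Accept and decodes it the way a device would, falling back to the IOS default exec level 1 when no shell:priv-lvl is returned (the symptom in the opening post); the packet contents are constructed and the RADIUS shared secret/authenticator is not modelled.

```python
"""Encode and decode the Cisco cisco-av-pair RADIUS VSA that carries
shell:priv-lvl. Layout per RFC 2865: attribute 26 = vendor-id (4 bytes)
followed by vendor-type, vendor-length, value. Constructed example."""
import struct

ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9        # IANA enterprise number for Cisco
CISCO_AV_PAIR = 1          # vendor-type of cisco-av-pair
CODE_ACCESS_ACCEPT = 2
DEFAULT_PRIV_LVL = 1       # exec level IOS uses when no priv-lvl is returned


def encode_cisco_av_pair(value: str) -> bytes:
    """Wrap one cisco-av-pair string in a Vendor-Specific (26) attribute."""
    payload = value.encode("ascii")
    vendor_data = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(payload)) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier: int, authenticator: bytes, av_pairs) -> bytes:
    """Constructed Access-Accept: 20-byte header plus one VSA per av-pair."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    attrs = b"".join(encode_cisco_av_pair(v) for v in av_pairs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def iter_attributes(packet: bytes):
    """Yield (type, value) for every top-level attribute, checking lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def cisco_av_pairs(packet: bytes):
    """Return every cisco-av-pair string carried in the packet, in order."""
    pairs = []
    for atype, value in iter_attributes(packet):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue                      # some other vendor's VSA
        pos = 4
        while pos + 2 <= len(value):      # several sub-attributes may be packed
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == CISCO_AV_PAIR:
                pairs.append(value[pos + 2:pos + vlen].decode("ascii"))
            pos += vlen
    return pairs


def granted_priv_lvl(packet: bytes) -> int:
    """Privilege level a device applies from this Access-Accept; if the
    server returns no shell:priv-lvl the session lands at level 1."""
    for pair in cisco_av_pairs(packet):
        key, _, val = pair.partition("=")
        if key.strip() == "shell:priv-lvl":
            level = int(val)
            if not 0 <= level <= 15:
                raise ValueError("priv-lvl out of range")
            return level
    return DEFAULT_PRIV_LVL


if __name__ == "__main__":
    accept = build_access_accept(1, bytes(16), ["shell:priv-lvl=15"])
    print(cisco_av_pairs(accept), granted_priv_lvl(accept))
    print(granted_priv_lvl(build_access_accept(2, bytes(16), [])))
```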

  • AAA Authorization with RADIUS and RSA SecurID Authentication Manager

    Hi there.
    I am in the process of implementing a new RSA SecurID deployment, and unfortunately the bulk of the IOS devices here do not support the native SecurID (SDI) protocol. The older RSA SecurID deployment version supported TACACS running on the system; now in 8.x it does not. RSA Support and I are having problems getting TACACS working correctly with the new RSA deployment, so the idea turned to possibly just using RADIUS.
    I have setup the RADIUS server-host, and configured the AAA authentication and authorization commands as follows:
    #aaa new-model
    #radius-server host 1.1.1.1 timeout 10 retransmit 3 key cisco123!
    #aaa authentication login default group radius enable
    #aaa authorization exec default group radius local
    I have also tried
    #aaa authorization exec default group radius if-authenticated local
    I can successfully authenticate via SSH to User Mode using my SecurID passcode -- however, when I go to enter Priv Exec mode, it won't take the SecurID passcode - I just get an "access denied".
    I've run tcpdump on the RSA Primary Instance, looking for 1645/1646 traffic, and I don't get anything.
    I've turned on RADIUS debugging on the IOS device, and I don't get anything either.
    I did see this disclaimer in a Cisco doc: "The RADIUS method does not work on a per-username basis." -- not sure if this is related to my issue?
    I'm beginning to wonder if IOS/AAA can't pass the authorization-exec process to RSA SecurID.

    I don't have a solution, but can confirm I have the same problem and am also trying to find a solution.
    I see no data sent to the RSA server when using the wireless AP. With other equipment on the same ACS, I do see the attempts going to the RSA server.
    The first reply doesn't seem to apply to me, since it's not sending a request from the ACS machine to the RSA machine.

  • Since I upgraded to Lion, my RSA securid token and Cisco VPN client doesn't work any longer. Anyone have suggestions on how to fix that?

    Since upgrading to Lion, I can no longer use VPN because my RSA SecurID token and Cisco VPN Client won't load. Any suggestions out there?


  • ASDM and privilege level (using TACACS)

    Hi experts,
    Initial question:     How can I force ASDM to ask for the enable password when the user clicks on Apply?
    Environment description:
    I have an ASA 5510 connected to an ACS 5.0.
    Security policy:
    I want the user defined on my ACS to be able to gain privilege level 15 but only after using their enable password. But by default the user must be in no privileged mode (<15).
    A SNMP alert is sent when the ASA catches a "User priv level changed" syslog message. (logging customization)
    ACS configuration:
    Maybe I misunderstand the TACACS privilege level parameters on ACS.
    I set a Shell Profile which gives the user the following privilege levels:
    Default Privilege Level = 7
    Maximum Privilege Level = 15
    1st config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    ! no authorization set
    Results:
         On CLI:     perfect
    My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and his enable password
         On ASDM:     policy security failure
    When the user connects through ASDM, he gains privilege level 15 directly
    It seems that if authorization is not set, ASDM always gives privilege level 15 to any user
    So OK for CLI, but NOK for ASDM
    2nd config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication  http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    ! no authorization command set
    Results:
         On CLI:     lose enable access
    I can't gain privilege level 15 access anymore. When I use the enable command, I move to privilege level 7 only. So in this case ASA use the TACACS Default Privilege Level value.
         On ASDM:     policy security failure
    When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window BUT the user has full rights and can change settings.
    So NOK for CLI and ASDM
    Question:    Why do I have more access rights with ASDM as on CLI with the same settings ?
    3rd config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication  http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    aaa authorization command LOCAL
    ! specific authorization command set for ASDM applied
    Results:
         On CLI:     lose enable access (same as config 2)
         On ASDM:     unable to gain privilege level 15 --> acceptable
    When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window AND the user really has level 7 access rights.
    So NOK for CLI and Acceptable for ASDM
    Question:     Is there no possibility to move to enable mode on ASDM ?
    4th config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication  http console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    aaa authorization command LOCAL
    ! no aaa authentication for 'enable access', using local enable_15 account
    ! specific authorization command set for ASDM applied
    Results:
         On CLI:     acceptable
    My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and the local enable password
         On ASDM:     unable to gain privilege level 15 --> acceptable (same as config 3)
    So Acceptable for CLI and ASDM
    Questions review:
    1 - Is it possible to force ASDM to ask for the enable password when the user clicks on Apply?
    2 - Why do I have different access rights using ASDM as on CLI with the same settings ?
    3 -  Is there no possibility to move to enable mode on ASDM when the user is on privilege level 7 whereas he has Maximum Privilege Level = 15 ?
    4 - How may I understand these parameters on TACACS: Default Privilege Level and Maximum Privilege Level ?
    Thanks for your help.

    Thanks for your answer, jedubois.
    In fact, my security policy is like this:
    A) Authentication has to be nominative with password enforcement policy
         --> I'm using CS ACS v5.1 appliance with local user database on it
    B) Every "network" user can be granted privilege level 15
         --> max user privilege level is set to 15 in my authentication mechanism on ACS
    C) A "network" user can log onto the network equipment (RTR, SW and FW) but has monitor access only at first.
    D) A "network" user can be granted privilege level 15 after a second authentication which generates a log message
         --> SNMP trap sent to supervision server
    E) The user password and enable password have to be personal.
    So, I need only 2 privilege levels:
    - monitor (any level from 1 to 14. I set 7)
    - admin (level 15)
    For RTR, SW and FW (on CLI), it works as wanted: the "network" users connect to the equipment in monitor mode. They type "enable" and they use their private enable password to be granted privilege level 15.
    ASDM interface is requested by the customer.
    For ASDM, as I was not able to satisfy the security policy, I applied this:
    1- I activated Exec Shell Access authorization to get the default user privilege level value from ACS
         --> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 but I am able to change the parameters.
    2- I activated LOCAL Command authorization (adding "ASDM defined User Roles")
         --> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 and I can't push any modification.
         --> The issue is that I can't push any modification on CLI either ... :-( because my user is stuck on "default privilege level" 7 and can't get access to "max privilege level 15" as defined on ACS when LOCAL authorization is set
         (ok, I go on my ACS and move the default privilege level to 15 to restore admin access to the ASA and apply 3- before resetting the default privilege level to 7)
    3- I remove "aaa authorization enable console TACACS" to use local enable password
         --> now I can't get admin access on ASDM: OK
         --> and I can get admin access on CLI entering the local enable password
    At the end, I satisfy my security policy points A to D but not E. That's a good compromise, but do you see a solution to satisfy E as well?
    Thanks

  • RSA SecurID authentication

    Hi,
    I am trying to set up RSA authentication with OAM, and having problems.
    1. If securid.pl is not protected (using Anonymous Auth) or is protected by a scheme not for SecurID Auth, I get "The page cannot be displayed" at login; securid.pl shows in the URL in the same browser. The securid.pl debug log shows info in the fields: cookie, servername, and serverport.
    2. If securid.pl is protected with the scheme "SecurID Authentication", the RSA login hangs for 10-20 minutes, then "The page cannot be displayed" shows up. The securid.pl debug log is not updated.
    Any suggestions or hints? Thanks in advance.

    Hi Vinod,
    Running an authentication test with the ACE agent utility works fine. The ACE server log will be verified tomorrow as I don't have access to it.
    1. How to tell if securid.pl can connect to the ACE agent, and connect to the ACE server? Any indications in the Access or WebGate trace logs to show securid.pl is trying to connect to the ACE agent/server?
    2. What is the correct scheme to protect securid.pl?
    The ACE server log will be verified tomorrow ...
    Thanks,
    Charlie

  • RSA SecurID Authentication Plug-In

    Hi all!
    I am trying to integrate the SecurID PlugIn and have the following problems.
    When I am trying to log in for the first time I get back a file from the ACE server called sdstatus.12. It is stored in the same directory where the sdconf.rec file resides. Both are binary files and not readable.
    In the webgate log file I get the following error message: "the access manager returned a fatal error with no detailed information"
    Turning on the debug mode of the access server does not help. I can only see that my credentials are passed by the webgate and you can see "Client 'name of the webgate' Authenticated".
    Before the webgate makes the redirect to the error page I can find the following in the debug file: "Failed to get formname from credentials".
    Any hints are welcome.
    Kind regards
    Gregor

    Hi Gregor:
    I assume you are already looking at the docs, right? I'm referring to:
    http://download.oracle.com/docs/cd/E12530_01/oam.1014/e10356/rsa.htm
    "Oracle Access Manager enables integration of SecurID authentication by providing the following:
    · The HTML forms required for SecurID authentication operations
    · The CGI script required to authenticate users with the RSA ACE/Server
    · The SecurID authentication plug-in, authn_securid, required for the Oracle Access Manager SecurID authentication scheme"
    The documentation goes on to mention that there are forms required for the SecurID system's New PIN and Next Tokencode Mode.
    A first authentication would likely require a new PIN. Perhaps the appropriate form is missing or not installed properly?
    Hope this helps. I've been a consultant to RSA for many years, but I've never actually installed this plug-in. If all the parts are properly installed and you still have problems, you should probably check with your SSE or RSA Tech Support.
    _Vin

  • Tacacs AAA and privilege level 7

    I've setup a group on tacacs server called acsrestricted and mapped it to AD security group. I've set this group to privilege level 7 on tacacs server.
    I need this group to view the "show run" config on a router. Privilege level 7 allows the user to use some other show commands but not "show run". How can I configure this on TACACS?

    Michael
    I am not sure that I am understanding your post correctly. As I understand it you have created a group for some users who would operate at privilege level 7. I gather that this works and that users in this group do authenticate and are assigned to privilege level 7. You say that some show commands are assigned to them but not the show run command. This would seem to be simple to solve - you make sure that show with a parameter of run is assigned to them. But there is something not simple that makes this not work. Part of the Cisco implementation of privilege levels is that in show run a user can not view any parameter that they do not have permission to change.
    Perhaps it might work for your situation if you give those users access to show config. show config does not have the same restriction as show run.
    HTH
    Rick
    Sent from Cisco Technical Support iPad App

  • Has anyone been able get RSA SecurID installed and working on Mavericks?  If so please enlighten me!

    I just migrated from 10.7.5 to 10.9 (new MacBook Pro). Fantastic migration except for the VPN/SecurID portion. Has anyone migrated or re-installed RSA SecurID onto 10.9?
    I went to this link: http://www.emc.com/security/rsa-securid/rsa-securid-software-authenticators/mac-os.htm
    And the install package would not open. I realize the support section for the product does not designate Mavericks (10.9), but in the past they have always been a couple of OS X versions behind and there has been a way to get it to work. I hope so. Really looking forward to using this new MacBook with Mavericks. Everything else seems to work great!
    Best Regards;
    Scott

    I installed RSA SecurID after updating to 10.9, but it didn't work.
    The issue is the following:
    "Error loading application, please contack your administratot"
    I tried to install it again, and can use it to get the passcode, but SecurID does not work well after I restart my MBP.
    The error information is the same as before.

  • Privilege Levels on FWs, switches and Routers

    One question - I am bothered with the privilege level settings.
    Is there a default mapping between a priv lvl and the commands you are allowed to execute, or does one need to define that?
    EX: I want somebody to only have the right of executing sh run on a device and nothing more. Can this be done?
    Thx,
    Vlad

    I would start by configuring a privilege level and then use the ? to list all the commands available at that level.
    privilege level 0 - Includes the disable, enable, exit, help, and logout commands.
    privilege level 1 - Normal level on Telnet; includes all user-level commands at the router> prompt.
    privilege level 15 - Includes all enable-level commands at the router# prompt.
    Commands available at a particular level in a particular router can be found by typing a ? at the router prompt. Commands may be moved between privilege levels by using the privilege command, as illustrated in the example. While this example shows local authentication and authorization, the commands work similarly for TACACS+ or RADIUS authentication and exec authorization (more granularity in control of the router may be achieved with implementation of TACACS+ command authorization with a server.)
    Additional details on the users and privilege levels presented in the example:
    User six is able to Telnet in and execute the show run command, but the resulting configuration is virtually blank because this user cannot configure anything (configure terminal is at level 8, not at level 6). The user is not permitted to see usernames and passwords of the other users, or to see Simple Network Management Protocol (SNMP) information.
    User john is able to Telnet in and execute the show run command, but only sees commands that he can configure (the snmp-server community part of the router configuration, since this user is our network management administrator). He can configure snmp-server community because configure terminal is at level 8 (at or below level 9), and snmp-server community is a level 8 command. The user is not permitted to see usernames and passwords of the other users, but he is trusted with the SNMP configuration.
    User inout is able to Telnet in, and, by virtue of being configured for autocommand show running, sees the configuration displayed but is disconnected thereafter.
    User poweruser is able to Telnet in and execute the show run command. This user is at level 15, and is able to see all commands. All commands are at or below level 15; users at this level can also view and control usernames and passwords.
    HTH
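    The rules in the reply above (a command's level is decided by the privilege table, and show run only reveals lines the user could configure) can be modelled directly. The block below is an added example, not the thread's or Cisco's code: the IOS-style configuration is constructed to match the scenario described (configure terminal and snmp-server community moved to level 8; users six, john, inout and poweruser), secrets are placeholders, and the model ignores everything IOS does beyond the privilege tables.

```python
"""Model of IOS privilege levels: may a user run an exec command, and which
running-config lines would that user see. Constructed example."""
import re

# Constructed configuration matching the reply's scenario (not a real device).
SAMPLE_CONFIG = """
privilege exec level 8 configure terminal
privilege exec level 6 show running-config
privilege configure level 8 snmp-server community
username six privilege 6 secret PLACEHOLDER
username john privilege 9 secret PLACEHOLDER
username inout privilege 6 autocommand show running-config
username poweruser privilege 15 secret PLACEHOLDER
snmp-server community PLACEHOLDER RO
"""

# Default exec levels for the commands this model needs (real IOS defaults).
DEFAULT_EXEC_LEVELS = {
    "enable": 0, "disable": 0, "exit": 0, "help": 0, "logout": 0,
    "show": 1,
    "show running-config": 15,
    "configure terminal": 15,
}
DEFAULT_LEVEL = 15  # any command not listed or moved lives at level 15

PRIV_RE = re.compile(r"^privilege (exec|configure) level (\d+) (.+)$")
USER_RE = re.compile(r"^username (\S+) privilege (\d+)\b")


def _lines(text):
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def parse_config(text):
    """Return (exec_levels, config_levels, users) from IOS-style config text."""
    exec_levels = dict(DEFAULT_EXEC_LEVELS)
    config_levels = {}
    users = {}
    for line in _lines(text):
        m = PRIV_RE.match(line)
        if m:
            mode, level, cmd = m.group(1), int(m.group(2)), m.group(3)
            (exec_levels if mode == "exec" else config_levels)[cmd] = level
            continue
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2))
    return exec_levels, config_levels, users


def command_level(levels, command):
    """Level of the longest configured word-prefix of the command, so
    'show running-config' and plain 'show' can sit at different levels."""
    words = command.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in levels:
            return levels[prefix]
    return DEFAULT_LEVEL


def can_run(config_text, user, command):
    """True if the user's privilege level is at or above the command's."""
    exec_levels, _, users = parse_config(config_text)
    return users[user] >= command_level(exec_levels, command)


def show_run_as(config_text, user):
    """Running-config lines the user would see: nothing unless they can reach
    configure terminal, then only lines whose configure-mode command is at
    or below their level (usernames and secrets stay at 15, so stay hidden)."""
    exec_levels, config_levels, users = parse_config(config_text)
    level = users[user]
    if level < command_level(exec_levels, "configure terminal"):
        return []
    return [ln for ln in _lines(config_text)
            if command_level(config_levels, ln) <= level]


if __name__ == "__main__":
    for name in ("six", "john", "inout", "poweruser"):
        print(name, can_run(SAMPLE_CONFIG, name, "show running-config"),
              show_run_as(SAMPLE_CONFIG, name))
```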

  • Page and Record level Authentication / Access control.

    Hi,
    I hope some of you might have come across this kind of issues. I am trying to setup page level authentication and record level access control. Please see below for the detailed description.
    1. Does APEX have any functionality where I can implement my page level authentication schemes.
    Say there are 5 pages/tabs and 10 users, and I want to restrict access as follows.
    All users can read the data in all the pages.
    User 1 thru 8 can read all the pages and edit page 1 and 2
    User 9 and 10 can read and delete the records inside the page.
    2. Is there any mechanism, that supports record level access control.
    Example: There is a page that shows product information for all the products. Is there a mechanism inside APEX wherein this page shows only the products created by its creator (any end user)?
    Is there a way in APEX that we can implement this functionality without having user information stored in the DB?
    Thanx in advance.
    Vijay.

    Vijay,
    When a user creates the product why not store the user who created it in a column in the same table. That way you can write something like this:
    -- Table that records which user created each product
    CREATE TABLE products_tab (
      productid NUMBER PRIMARY KEY,
      product_name VARCHAR2(200),
      user_created VARCHAR2(30)
    );
    -- Report query: the edit/delete link columns are only filled in for rows
    -- the logged-in user (bind variable :F_USER) created
    SELECT
      productid,
      product_name,
      ( CASE
          WHEN user_created = :F_USER THEN
            'EDIT_LINK_PLACEHOLDER'    --link to edit page goes here
          ELSE '<nbsp>'
        END ) edit_link,
      ( CASE
          WHEN user_created = :F_USER THEN
            'DELETE_LINK_PLACEHOLDER'  --link to delete page goes here
          ELSE '<nbsp>'
        END ) delete_link
    FROM products_tab;
    I don't believe you can use an authorization scheme on a button the way you desired. It either displays the column or it doesn't.
    Hope this helps.
    chet

  • RSA SecurID

    I have been using RSA SecurID authentication with Portal 3.0. Now I am trying to migrate to Portal 6.0. In Portal 6.0 authentication is done using Identity Server and it does not have RSA SecurID authentication. Any workaround or solutions?

    The SecurID module is not available "out of the box",
    but it is available as an "addOn" module for Identity Server:
    http://wwws.sun.com/software/download/inter_ecom.html
    Cheers,
    Alex :-)

  • Only one UPN suffix works with OAM plugin for RSA-integrated Authentication

    Only one UPN suffix works with OAM plugin for RSA-integrated Authentication while others give "CredentialsRejected" error
    Has anyone seen this before and might know the answer? Any suggestions? Thanks!
    I have setup an OAM authentication scheme that uses a custom plugin to use RSA ACE server - all pretty much exactly as it is outlined in the chapter called "Integrating the RSA SecurID Authentication Plug-in" in Oracle Access Manager Integration Guide. Here's the problem:
    Everything works fine when I use a particular UPN suffix to log in to the RSA SecurID Login form that is presented, e.g. [email protected], but if I create another user that uses a different UPN suffix as defined in Active Directory (e.g. [email protected]), the credentials are rejected. This happens before the securid.pl script even gets a chance to run. After hitting "POST" the user is presented with the same login screen he was just at, as expected during an authentication failure.
    More info:
    - I have performed successful anonymous ldap queries for both users in Active Directory using LDP. Both users exist in the same domain and in the same OU. If I change the UPN (in AD and the RSA database) to something different from the "good" one, on either user, it fails. If I change the UPN to the "good one" on either user (in AD and the RSA database) it works.
    - if I test users with either the "good" or the "bad" UPN via the RSA agent tester that sits on the OAM box, both of them show as authenticating successfully. However, it doesn't work for the "bad" UPN when I try to access via a web browser on a remote client (but does work with the "Good" UPN)
    - I am not using SSL in any of this yet, it's all http://
    - yes, I already got rid of the "-w" parameter in the first line of the perl script, as per the "Login can fail if the Login Attribute Contains an "@" Character" item in the Integration Guide Troubleshooting section
    - here's an example of the settings in rsa securid authentication scheme:
    action:/OracleAccessManager/securid-cgi/securid.pl
    form:/OracleAccessManager/securid-forms-adforest/securid-std-login.html
    creds:login password domain newpin newpin2
    passthrough:yes
    authn_securid fullformdir="C:\apache\Apache2\htdocs/OracleAccessManager/securid-forms-adforest/",machine="MyComputer.mydomain.com:80"
    credential_mapping obMappingBase="%domain%",obMappingFilter="(&(objectclass=user)(userPrincipalName=%login%))"
    Environment:
    OAM 7.0.4.3
    RSA Ace Server 5.2
    Windows 2003 domain with multiple UPNs defined in Active Directory Domains and Trusts
    Error as seen in the oblog.log for the webgate on the server that holds the RSA login pages and perl script:
    Message^A plugin for the authentication scheme SecurID Authentication has denied authentication for credentials ([email protected]
    password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2= Resource=/OracleAccessManager/securid-cgi/securid.pl RequesterIP=10.250.1.2 Operation=POST).
    ReqReq^POST /OracleAccessManager/securid-cgi/securid.pl HTTP/1.1 ReqProto^HTTP/1.1 ReqHost^www.MyComputer.mydomain.com. ReqStatLine^
    ReqStatus^200 ReqRawUri^/OracleAccessManager/securid-cgi/securid.pl ReqUri^/OracleAccessManager/securid-cgi/securid.pl
    ReqFilename^C:/apache/Apache2/htdocs/OracleAccessManager/securid-cgi/securid.pl ReqPath^ ReqArgs^
    2009/07/13@15:19:49.665000 45688 46472 AUTHENTICATION ERROR 0x00001515
    \Oblix\coreid\palantir\webgate\src\authentication_event_handler.cpp:1361 "Authentication failed" HTTPStatus^401
    authenticationSchemeName^SecurID Authentication AuthenticationStatus^majorCode = 11[CredentialsRejected], minorCode = 47[AuthnPluginDenied],
    StatusMsg = , GSN = 0, needInfo = NONE Creds^[email protected] password=(omitted) domain=dc=ourdomain,dc=com newpin= newpin2=
    Resource=/OracleAccessManager/securid-cgi/securid.pl RequesterIP=10.250.1.2 Operation=POST
    Only error seen in log produced by the RSA agent that sits on the Access server:
    [20804] 12:27:08.915 File:ACNETSUB.C Line:326 # CheckServerAddress: server 0 detected from address 10.250.88.100
    [20804] 12:27:08.915 File:udpmsg.c Line:968 # Entering decrypts_ok_legacy()
    [20804] 12:27:08.915 File:udpmsg.c Line:999 # decrypts_ok_legacy: decrypt() wpcode1 failed; wpcode0 next ***********
    [20804] 12:27:08.915 File:udpmsg.c Line:1089 # Leaving decrypts_ok_legacy(), result=1
    [20804] 12:27:08.915 File:ACEXPORT.C Line:820 # Entering AceGetUserData()
    [20804] 12:27:08.915 File:ACEXPORT.C Line:833 # Leaving AceGetUserData() return: ACE_SUCCESS
    [20804] 12:27:08.915 File:ACEXPORT.C Line:579 # Entering AceGetAuthenticationStatus()
    [20804] 12:27:08.915 File:ACEXPORT.C Line:592 # Leaving AceGetAuthenticationStatus() return: ACE_SUCCESS

    What are the logs you see at the ACE server end? You can try passing an additional parameter debug="true" to the authn_securid plug-in - it should generate some more logs at the access server - I think in apps\common\bin.
    Also does "ReqHost^www.MyComputer.mydomain.com" look right in the logs?
    -Vinod

  • ACS with RSA for privilege level 'enable' authentication

    Has anyone experienced problems with privilege level "Enable" password authentication via ACS using RSA two-factor authentication? We have recently deployed ACS and use RSA two-factor authentication for the telnet connection without any problems. When configuring the networking device and ACS to use RSA for the privilege level authentication "enable", this fails. We get prompted to enter the token code and the RSA server indicates that authentication is successful; however, the network device (ASA or switch) seems to reject it.
    Are there any tricks to this?
    Thanks in advance!

    David
    Like Collin the first thing that I think of is that you can not use the same token code to authenticate enable mode that was used to authenticate user mode. Beyond that I am not aware of things that should prevent this working. Are you sure that the ACS authentication server is configured to allow that user access to privilege mode?
    Perhaps it would be helpful if you would post the config (especially all the aaa related parts) of a device that is having that problem. And it might help find the issue if you would run debug for authentication, try to login to enable mode, and post the output.
    HTH
    Rick

  • ISE Authentication Policy for RSA Securid and LDAP for VPN

    We are working on replacing our existing ACS server with ISE. We have 2 groups of users, customers and employees. The employees utilize RSA SecurID for authentication while the customers use Windows authentication. We have integrated the AD into ISE using LDAP and this has been tested. We are now working on trying to get the RSA portion to work. We are wanting to utilize the authorization policy to assign the group-policy/IP for both clients via the LDAP user attributes.
    Here is my question:
    Under the authentication policy should we look @ an identity store that has RSA SecurID users, LDAP users and then internal users. I assume if the user isn't present in the RSA store it will then look @ the LDAP; will this present an issue with overhead in our RSA environment? With the legacy ACS the decision on where to authenticate the user was done on the ACS, either Windows or RSA. The employee users will still also be present in the LDAP so we can utilize the attributes for IP address/group policy. The number of customer VPNs is several times larger than employees and I am afraid that if we have to query the SecurID servers for every VPN authentication attempt this could cause issues. Our ultimate goal is to move to AnyConnect and utilize a single URL for all authentication but allow ISE to instruct the ASA what attributes to hand to the client such as DNS/dACL.
    Thanks,
    Joe

    That is not what I want. I want user "test1" to be able to do this:
    C
    Username: test1
    Enter PASSCODE:
    C2960>en
    Enter PASSCODE:
    C2960#
    In other words, test1 user has to type in his/her RSA token password to get
    into exec mode. After that, he/she has to use the RSA token password to
    get into enable mode. Each user can get into "enable" mode with his/her
    RSA token mode.
    The way you described, it seemed like anyone in this group can go directly
    into enable mode without a password. This is not what I have in mind.
    Any other ideas? Thanks.
