ASDM with two factor authentication - Firewalls


Thread: ASDM with two factor authentication

  1. ASDM with two factor authentication

    Howdy all,

    Our company policy is to have two factor authentication to administer
    firewalls. This has been good for console and SSH administration of
    Cisco ASA and PIX firewalls. However we are now moving to Cisco
    Finesse image 7.2X and would like to use the ASDM.
    The ASDM appears to cache the credentials and retry authentication/
    authorization for each consecutive command issued. i.e. Show run, show
    interfaces, sh route, etc etc. This obviously does not go down well
    with our 2 factor authentication solution (SafeWord), which expects a
    different token for each consecutive authentication request.

    Could anyone advise of a way to make the connection between the ASDM and
    the firewall permanent (so each command does not require
    authentication), or perhaps some wizardry on the AAA configuration???


    Thanks in advance
    dirk

  2. Re: ASDM with two factor authentication

    Dirk,

    I came across the same issue so I opened a ticket with Cisco support.
    This is the response I got from them:

    "This is a known behavior of ASDM; it is not really a bug, it is a
    limitation caused by the way Java works with the ASA. Here is the
    explanation.

    ASDM will not work with RSA Token Server generated passwords. RSA
    Token Server generated passwords are one time use only. They get
    expired after first usage. ASDM uses Java which caches authentication
    when logged in initially. For all subsequent http transactions from
    ASDM, Java uses cached authentication information while communicating
    with the device. Each action from ASDM to the device is an independent http
    transaction involving the entire SSL handshake, but as Java uses its cached
    authentication information users don't have to enter it again.

    ASDM will only work if authentication mechanism configured uses
    persistent passwords. So any one time password authentication won't
    work, they are looking into implementing this feature in future
    releases, let me know if you have any doubt about this."


    I have not found any workaround for this, but I am keeping an eye on
    future releases of ASDM. He couldn't give me a timeframe on when we
    could see it supported. Like me, it is probably not what you wanted
    to hear, but at least you know Cisco's stance on the issue.




    On Oct 7, 12:36 am, "geemai...@gmail.com" wrote:
    > Howdy all,
    >
    > Our company policy is to have two factor authentication to administer
    > firewalls. This has been good for console and SSH administration of
    > Cisco ASA and PIX firewalls. However we are now moving to Cisco
    > Finesse image 7.2X and would like to use the ASDM.
    > The ASDM appears to cache the credentials and retry authentication/
    > authorization for each consecutive command issued. i.e. Show run, show
    > interfaces, sh route, etc etc. This obviously does not go down well
    > with our 2 factor authentication solution (SafeWord), which expects a
    > different token for each consecutive authentication request.
    >
    > Could anyone advise of a way to make the connection between the ASDM and
    > the firewall permanent (so each command does not require
    > authentication), or perhaps some wizardry on the AAA configuration???
    >
    > Thanks in advance
    > dirk

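The failure mode described in this thread comes down to two things interacting: a one-time-password server that will accept each token exactly once, and a management client that caches the login credentials and re-sends them on every HTTP transaction. The model below is an added illustration, not code from the thread, from Cisco or from SafeWord/RSA; it uses a constructed HOTP-style token (seed, counter and the 6-digit codes are all made up here), an SSH-style client that authenticates once per session, an ASDM-style client that replays cached credentials per command, and, as a general design pattern rather than anything the page says ASDM implements, a session broker that exchanges one OTP for a server-issued session id so later commands never touch the OTP server.

```python
import hashlib
import hmac
import secrets

# Constructed demo seed; a real token server never exposes this value.
DEMO_SEED = b"demo-seed-not-a-real-secret"


def otp_for_counter(seed: bytes, counter: int) -> str:
    """Derive a 6-digit one-time code from (seed, counter), HOTP-style truncation."""
    digest = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class HardwareToken:
    """The user's token (SafeWord/RSA-like): every press yields the next code."""

    def __init__(self, seed: bytes):
        self.seed, self.counter = seed, 0

    def press(self) -> str:
        code = otp_for_counter(self.seed, self.counter)
        self.counter += 1
        return code


class OneTimePasswordServer:
    """AAA backend: a code is valid only for the expected counter and only once."""

    def __init__(self, seed: bytes):
        self.seed, self.next_counter, self.used = seed, 0, set()
        self.log = []  # (user, accepted) pairs, useful for detecting replay storms

    def verify(self, user: str, otp: str) -> bool:
        expected = otp_for_counter(self.seed, self.next_counter)
        ok = otp not in self.used and hmac.compare_digest(otp, expected)
        if ok:
            self.used.add(otp)       # token consumed: any replay is rejected
            self.next_counter += 1
        self.log.append((user, ok))
        return ok


class SessionBroker:
    """Mitigation pattern (assumed design, not an ASDM feature on this page):
    one OTP login issues a random session id; commands are authorized by id."""

    def __init__(self, server: OneTimePasswordServer):
        self.server, self.sessions = server, {}

    def login(self, user: str, otp: str):
        if not self.server.verify(user, otp):
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def authorize(self, sid: str) -> bool:
        return sid in self.sessions


def ssh_style_session(server, token, commands):
    """Console/SSH: authenticate once, then every command runs inside the session."""
    if not server.verify("dirk", token.press()):
        return []
    return [f"ok: {c}" for c in commands]


def asdm_style_cached_creds(server, token, commands):
    """ASDM per the thread: credentials cached at login, re-sent on each HTTP transaction."""
    cached = ("dirk", token.press())  # the OTP captured at login is frozen here
    return [f"ok: {c}" if server.verify(*cached) else f"auth failed: {c}"
            for c in commands]


def session_broker_client(server, token, commands):
    """Same command pattern as ASDM, but only the login hits the OTP server."""
    broker = SessionBroker(server)
    sid = broker.login("dirk", token.press())
    if sid is None:
        return []
    return [f"ok: {c}" if broker.authorize(sid) else f"auth failed: {c}"
            for c in commands]


def run_demo(commands=("show run", "show interfaces", "show route")):
    """Run all three clients against fresh server/token pairs sharing one seed."""
    results = {}
    for name, client in (("ssh", ssh_style_session),
                         ("asdm_cached", asdm_style_cached_creds),
                         ("session_broker", session_broker_client)):
        server, token = OneTimePasswordServer(DEMO_SEED), HardwareToken(DEMO_SEED)
        results[name] = client(server, token, list(commands))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

Running it shows the SSH-style client and the session-broker client completing all three commands, while the ASDM-style client succeeds only on the first command and gets "auth failed" on the rest, because the cached code has already been consumed. The server's `log` list is the place a defender would look: a burst of rejected authentications for one user within seconds is the signature of exactly this credential-replay behaviour, not of an attack, and is worth whitelisting in alerting before it drowns out real failures.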

