If you use a recent Cisco VPN Client with the RSA SecurID integration, you only have to enter your PIN instead of a passcode.  At some point one of the VPN concentrators I connect to changed its configuration and my PIN prompt changed back to Password¹.

I did some digging into how the RSA integration works and discovered that the magic begins with stauto32.dll.  stauto32.dll is the RSA SecurID Software Token API which allows third-party vendors to retrieve passcodes from a token.

There are also two very important entries you can modify in your PCF file which affect the VPN Client's integration with the SecurID soft token.

My .pcf file was missing the RadiusSDI parameter.  Once I added it I was able toggle the Cisco VPN Client PIN/Password prompt by changing the value of RadiusSDI in my .pcf file to 1/0.

So if you only want to be prompted for your PIN with a Cisco VPN Client, make sure that in your .pcf file you have:

RadiusSDI=1
SDIUseHardwareToken=0

Files

• vpnclient.ini (varies based on client) – %ProgramFiles%\Cisco Systems\VPN Client\
• .pcf profile file (varies based on client) – %ProgramFiles%\Cisco Systems\VPN Client\Profiles

Resources

• Preconfiguring the VPN Client for Remote Users (cisco.com) – Documents all of the available .PCF file parameters including SDIUseHardwareToken and RadiusSDI.
• RSA's SecurID Token for Windows Desktops – RSA has exceptional documentation.
• RSA's Cisco AnyConnect VPN Client documentation (PDF) – Lead me to stauto32.dll

1. Actually I found an old email with the new .pcf file and a warning that if I didn't start using it my VPN client would stop working, but I assumed I'd installed the new profile everywhere. [back]

Tags: Cisco, ipsec, Radius, RSA, SecurID, Security, VPN

Posted on Tuesday, July 14th, 2009 at 11:00 am | Filed under Software, Technology
You can follow any responses to this entry through the Comments feed.
Post a Comment | Trackback URL | Permalink URL