If you use a recent Cisco VPN Client with the RSA SecurID integration, you only have to enter your PIN instead of a passcode. At some point one of the VPN concentrators I connect to changed its configuration and my PIN prompt changed back to Password[1].
I did some digging into how the RSA integration works and discovered that the magic begins with stauto32.dll. stauto32.dll is the RSA SecurID Software Token API which allows third-party vendors to retrieve passcodes from a token.
There are also two very important entries you can modify in your PCF file which affect the VPN Client's integration with the SecurID soft token.
| Parameter | Description | Values |
| --- | --- | --- |
| SDIUseHardwareToken | Enables a connection entry to avoid using the RSA soft token. | 0 = Yes, use RSA SoftID (default); 1 = No, ignore RSA SoftID software installed on the PC. |
| RadiusSDI | Tells the VPN Client to assume RADIUS SDI is being used for extended authentication (XAuth). | 0 = No (default); 1 = Yes |
My .pcf file was missing the RadiusSDI parameter. Once I added it I was able to toggle the Cisco VPN Client PIN/Password prompt by changing the value of RadiusSDI in my .pcf file to 1/0.
So if you only want to be prompted for your PIN with a Cisco VPN Client, make sure that in your .pcf file you have:
```ini
RadiusSDI=1
SDIUseHardwareToken=0
```
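Checking a profile for these two keys by hand is error-prone when you have several .pcf files, so here is a small script that audits and, if needed, corrects them. This is an added example, not code from the original post or from Cisco; it assumes the .pcf profile uses INI syntax with a `[main]` section, that both parameters default to 0 when absent (as the table above states), and the sample profile and its hostname are constructed for the demonstration.

```python
"""Audit and fix the SecurID prompt settings in a Cisco VPN Client .pcf profile.

Added example, not from the original post. Assumes the .pcf profile uses
INI syntax with a [main] section and that RadiusSDI and SDIUseHardwareToken
both default to 0 when the key is missing, as the parameter table states.
"""
import re

# Defaults from the parameter table: both keys mean 0 when absent.
DEFAULTS = {"RadiusSDI": "0", "SDIUseHardwareToken": "0"}
# Settings that yield a PIN-only prompt, per the post.
WANTED = {"RadiusSDI": "1", "SDIUseHardwareToken": "0"}

# Constructed sample profile (hypothetical values, not a real concentrator).
SAMPLE_PCF = """[main]
Description=Example corporate VPN
Host=vpn.example.invalid
AuthType=1
GroupName=example-group
SDIUseHardwareToken=0
"""

# key=value line; rejects comment lines and section headers.
_KV = re.compile(r"^\s*([^=;#\[][^=]*?)\s*=\s*(.*?)\s*$")


def parse_main(text):
    """Return key -> value for the [main] section, preserving key case."""
    values = {}
    in_main = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_main = stripped.lower() == "[main]"
            continue
        if in_main:
            m = _KV.match(line)
            if m:
                values[m.group(1)] = m.group(2)
    return values


def effective_sdi_settings(text):
    """Resolve both parameters case-insensitively, applying defaults for missing keys."""
    lowered = {k.lower(): v for k, v in parse_main(text).items()}
    return {k: lowered.get(k.lower(), d) for k, d in DEFAULTS.items()}


def expects_pin_prompt(text):
    """True when the profile should produce a PIN prompt (soft token used, RADIUS SDI on)."""
    s = effective_sdi_settings(text)
    return s["RadiusSDI"] == "1" and s["SDIUseHardwareToken"] == "0"


def set_pin_prompt(text):
    """Return the profile with RadiusSDI=1 and SDIUseHardwareToken=0 in [main].

    Existing keys are rewritten in place; missing ones are appended at the end
    of [main]. If there is no [main] section at all, one is added. Other lines
    are left untouched so the rest of the profile is not disturbed.
    """
    wanted_lower = {k.lower(): k for k in WANTED}
    out, seen = [], set()
    in_main = saw_main = False

    def flush_missing():
        for k, v in WANTED.items():
            if k.lower() not in seen:
                out.append(f"{k}={v}")

    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            if in_main:
                flush_missing()  # leaving [main]: add anything still missing
            in_main = stripped.lower() == "[main]"
            saw_main = saw_main or in_main
            out.append(line)
            continue
        m = _KV.match(line) if in_main else None
        if m and m.group(1).lower() in wanted_lower:
            key = wanted_lower[m.group(1).lower()]
            out.append(f"{key}={WANTED[key]}")
            seen.add(key.lower())
        else:
            out.append(line)
    if not saw_main:
        out.append("[main]")
        in_main = True
    if in_main:
        flush_missing()
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", effective_sdi_settings(SAMPLE_PCF), "PIN prompt:", expects_pin_prompt(SAMPLE_PCF))
    fixed = set_pin_prompt(SAMPLE_PCF)
    print("after: ", effective_sdi_settings(fixed), "PIN prompt:", expects_pin_prompt(fixed))
    print(fixed)
```

Run `effective_sdi_settings` over each profile in the Profiles directory to see which ones will fall back to a Password prompt; `set_pin_prompt` is idempotent, so it is safe to apply to profiles that are already correct.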
Files
- vpnclient.ini (varies based on client) – %ProgramFiles%\Cisco Systems\VPN Client\
- .pcf profile file (varies based on client) – %ProgramFiles%\Cisco Systems\VPN Client\Profiles
Resources
- Preconfiguring the VPN Client for Remote Users (cisco.com) – Documents all of the available .PCF file parameters including SDIUseHardwareToken and RadiusSDI.
- RSA's SecurID Token for Windows Desktops – RSA has exceptional documentation.
- RSA's Cisco AnyConnect VPN Client documentation (PDF) – Led me to stauto32.dll
[1] Actually I found an old email with the new .pcf file and a warning that if I didn't start using it my VPN client would stop working, but I assumed I'd installed the new profile everywhere.