top of page

How to authenticate Cisco ISE GUI with RSA Tokens?

Cisco Identity Services Engine (ISE) can be configured to use RSA Authentication Manager as an External Identity Source using both Native SecurID and RADIUS authentication protocols. Simple or rule-based authentication policies are used to determine which External Identity Source is applied.

I can remember the day,when I worked on a project in which the customer wanted to utilize hardware tokens and RSA SecurID server for their VPN and TACACS+ authentications in correlation with Cisco ISE.

Since they were migrating from ACS (5.8) to ISE (2.3) , we had to add the RSA server to the ISE configuration.

After a week one of the technicians of that IT-Company called me to ask if they can use RSA tokens in order to authenticate to ISE GUI or not?

My answer was : A HUGE YESSSS !!!!

Here I have listed the order of operations for you to accomplish this task:

1. Add the RSA server to your ISE deployment.

  • Add the server under Administration > Identity Management > External Identity Sources > RSA SecurID

2. Set admin access to use the new RSA server for authentication.

  • Go to Administration > System > Admin Access > Authentication > Authentication Method.

  • For the Authentication Type, set it to Password Based.

  • Set the Identity Source (drop down menu) to the RSA server you configured in Step1


3. Create the admin user.

  • Attention : username provided here must match what is configured for a user account on the RSA SecurID server.

  • Go to Administration > System > Admin Access > Administrators > Admin Users and click Add.

  • Choose Create an Admin User to create a new users or Select from Network Access Users if you have a user account you want to use already defined.

  • No matter which option you will choose, on the following screen you need to put a check mark next to External *This tells your ISE to send the username and password/token to the external identity source you set in Step 2. Setting this disables all of the password fields because an internal ISE password is not set. It also excludes the account from being automatically disabled if it is inactive.

  • Select the Admin Groups to set the access level you want to allow for this user (e.g. Super Admin for full access).

  • All other fields, such as email and description, is optional and only for your internal information.

Congrats ! Your configuration is done! :)

In order to verify your config you can open the ISE admin GUI from a different browser (anony browser etc.) or just log out of the current session,, then you can see an Identity Source field (drop down menu) under the Password field. It will be set to the RSA SecurID server you configured in Step 1 by default.

Try logging in using the admin user account you created in Step 3. RSA token will be written in the Password field.

You can always fall back to a local admin account by changing the Identity Source on the login page to Internal if the RSA login fails or ISE loses connection to the RSA SecurID server.

Thank you for reading my article and I hope it was informative for you!

Author: Mike Ghahremani

Editor : Jimmy Harold

Userful links:




All product names, logos, and brands are property of their respective owners in the Austria or other countries.

All company, product and service names used on this website are for identification purposes only. Pheniix is notaffiliated with or an official partner of Cisco, CompTIA,Dimension Data, VMware, Amazon, Microsoft, Certified Ethical Hacker, (ISC)², Juniper, Wireshark, Offensive Security,Google, GNS3, F5, Python, Linux, Java, Openstack, Vagrant, Ansible, Docker, GIT, , Blockchain or other companies.

Use of these names, logos, and brands does not imply endorsement.

The opinions expressed on pheniix are personal perspectives and not those of Cisco , Dimension Data or any other comany. Pheniix runs as an independent blog.

#RSA #Tokens #CISCOISE #Cisco #MikeGhahremani #Jimmy221 #Authentication #ISESupport #ACS #VPN

bottom of page