Anyway, after setting up an authentication source using a Windows 2003/2008 Active Directory domain controller and importing a batch of time-based RSA key tokens, I set up the ASA to authenticate against the RADIUS server. Here's the necessary config on the ASA:
aaa-server rsaapp protocol sdi
aaa-server rsaapp (INSIDE) host 10.14.14.50 MY_PASSWORD_FOR_RADIUS_CLIENT
tunnel-group employees type remote-access
tunnel-group employees general-attributes
 address-pool employees-pool
 authentication-server-group rsaapp
 default-group-policy operations
tunnel-group operations ipsec-attributes
 pre-shared-key *

Here are several important things to do:

1. Set up DNS entries for the RSA box and the ASA, both forward and reverse (PTR). The box seems to be looking for its FQDN. You can use the hosts file for setup.
2. Make sure the ASA, the RSA box, and the domain controller all have accurate time (via NTP, etc.).
3. Set up a RADIUS client on the RSA box and use the same pass phrase you used in the ASA aaa-server config.
4. Assign token devices to users; start off with one user for testing.
5. Re-synchronize the token. I'm not 100% sure this is necessary, but I tried several tokens, and this seemed necessary.
6. Have the user log into the self-service console: https://myrsaappliance.mydomain.local:7004/console-selfservice He or she should log into the console with their Active Directory username and password, and then set a PIN on the token.
7. Wait for a minute or two, and then have the user log into the VPN appliance with the Cisco client. This seemed to be necessary, as the token didn't seem to work at first. After running through the configuration again, I tried waiting, and this worked.