000029847 - Cisco ASA running IOS 9.3.2 fails to generate node secret when using SDI as the authentication protocol to RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jan 24, 2020.
Version 3

Article Content

Article Number: 000029847
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
  • A Cisco ASA running IOS 9.3.2 that uses the native SecurID authentication protocol for VPN access fails to generate the node secret during an authentication test run from the AAA server group test in the Cisco ASDM.
  • The RSA Authentication Manager 8.x Authentication Activity logs show the "authentication method failed" error. This error is typically associated with the wrong IP address being specified for the interface on the Cisco ASA, but that is not the case with IOS 9.3.2.

Cause: This is a known defect with Cisco IOS 9.3.2.
Resolution: When contacting Cisco, reference CSCut28210. Cisco will release an update to address this issue in the near future.

Until the fix is released, there are two options to get authentication working:
  • Roll back to Cisco IOS 9.3.1; or
  • Continue to use Cisco IOS 9.3.2 with RADIUS rather than the native SecurID authentication protocol.
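
The second option, sketched as an ASA configuration fragment. This is an added example, not configuration from RSA or Cisco. The group names, interface name, tunnel group, address 192.0.2.10 and the shared secret are placeholders, and it assumes the ASA has also been added as a RADIUS client on the Authentication Manager side with the same shared secret.

```cisco
! Existing server group using the native SecurID (SDI) protocol,
! which is the one affected by the node secret failure (placeholder names)
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 192.0.2.10
!
! Replacement server group reaching the same Authentication Manager over RADIUS
aaa-server RSA-RADIUS protocol radius
aaa-server RSA-RADIUS (inside) host 192.0.2.10
 key <shared-secret>
!
! Point the VPN tunnel group at the RADIUS group instead of the SDI group
tunnel-group VPN-USERS general-attributes
 authentication-server-group RSA-RADIUS
!
! Verify from the CLI (equivalent to the ASDM AAA server test)
! test aaa-server authentication RSA-RADIUS host 192.0.2.10 username <user> password <passcode>
```

With RADIUS, no node secret is negotiated between the ASA and Authentication Manager; the RADIUS shared secret protects the exchange instead, so it should be long, random and unique to this client.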