000026375 - How to clear RSA ACE/Server node secret on Cisco VPN 3000 Series Concentrator or a Cisco ASA

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000026375
Applies To: RSA ACE/Server
RSA SecurID Authentication Manager
Cisco VPN 3000 Concentrator, Cisco ASA 5000/5500
 
Issue: How to clear RSA ACE/Server node secret on Cisco VPN 3000 Series Concentrator or a Cisco ASA
 
Resolution: On a Cisco ASA the node secrets are stored in flash, which the ASA calls disk0:. Older versions name the file after the hexadecimal form of the RSA server IP address; newer versions use dotted-decimal notation with dashes. The node secret for an RSA server with IP address 142.141.235.138 will therefore be named either 8E-8D-EB-8A.SDI (older versions, hexadecimal) or 142-141-235-138.SDI.
To delete the node secret on a Cisco ASA, connect with Telnet or SSH, locate the file and enter either
     delete /noconfirm disk0:/142-141-235-138.SDI
or
     delete disk0:\142-141-235-138.SDI /noconfirm
 

On the VPN 3000 Concentrator Series Manager, under Administration --> File Management, delete the node secret file whose name is based on the ACE/Server IP address with .SDI appended. NOTE: You must convert the IP address from dotted decimal to hexadecimal to match the file name; e.g. C0A8081E.SDI represents ACE/Server address 192.168.8.30. File Management on the Cisco 3000 provides a [Delete] function for this file.
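The file-name conventions described above for the ASA and the VPN 3000 Concentrator, worked through as an added example (not code from the original article or from Cisco or RSA). It derives all three names from an RSA server IP address, recovers the address from a VPN 3000 file name, and locates matching files in a constructed sample of `dir disk0:` output; the listing format and the `asa-image.bin` entry are assumptions.

```python
import ipaddress
import re

def node_secret_names(server_ip: str) -> dict:
    """Derive the node secret file names a Cisco device may use for one RSA server:
    asa_hex (older ASA, dashed hex octets), asa_dotted (newer ASA, dashed decimal
    octets) and vpn3000 (Concentrator, contiguous hex octets)."""
    octets = ipaddress.IPv4Address(server_ip).packed   # validates, yields 4 bytes
    hex_octets = [f"{b:02X}" for b in octets]
    return {
        "asa_hex": "-".join(hex_octets) + ".SDI",
        "asa_dotted": "-".join(str(b) for b in octets) + ".SDI",
        "vpn3000": "".join(hex_octets) + ".SDI",
    }

def ip_from_vpn3000_name(filename: str) -> str:
    """Inverse of the VPN 3000 naming: C0A8081E.SDI -> 192.168.8.30."""
    stem, _, ext = filename.rpartition(".")
    if ext.upper() != "SDI" or not re.fullmatch(r"[0-9A-Fa-f]{8}", stem):
        raise ValueError(f"not a VPN 3000 node secret file name: {filename}")
    return str(ipaddress.IPv4Address(int(stem, 16)))

def find_asa_node_secrets(dir_output: str, server_ip: str) -> list:
    """Return node secret file names for server_ip present in 'dir disk0:' output,
    whichever naming convention the ASA release used."""
    names = node_secret_names(server_ip)
    wanted = {names["asa_hex"].upper(), names["asa_dotted"].upper()}
    found = []
    for line in dir_output.splitlines():
        parts = line.split()          # file name is the last column of a listing line
        if parts and parts[-1].upper() in wanted:
            found.append(parts[-1])
    return found

def asa_delete_commands(found_names: list) -> list:
    """Build the ASA CLI command from the article for each file found."""
    return [f"delete /noconfirm disk0:/{name}" for name in found_names]

# Constructed sample of 'dir disk0:' output (assumed layout, not captured from a real ASA).
SAMPLE_DIR = """\
Directory of disk0:/
  14  -rwx  31         09:12:10 Jun 14 2016  142-141-235-138.SDI
  15  -rwx  31         09:12:10 Jun 14 2016  8E-8D-EB-8A.SDI
  16  -rwx  27123456   08:00:00 Jan 02 2016  asa-image.bin
"""
```

Running `asa_delete_commands(find_asa_node_secrets(SAMPLE_DIR, "142.141.235.138"))` yields one delete command per matching file, so an operator can check the hex conversion before typing anything on the device.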


You may also have to clear the node secret on the Agent Host entry for this Cisco device on the ACE/Server.
RSA ACE/Server versions prior to 5.0 use the concept of a master and a slave server, which share a single node secret file (SECURID). On the VPN Concentrator, you can configure one pre-5.0 master ACE/Server and one slave server globally, and one master and one slave server per group.
RSA ACE/Server version 5.0 uses the concept of a Primary and Replica servers. A version 5.0 ACE/Server that you configure on the VPN Concentrator can be either the Primary or any one of the Replicas. You can have one Primary server and up to 10 Replicas; see the RSA documentation for configuration instructions. The Primary and all the Replicas can authenticate users. Each Primary and its Replicas share a single node secret file, whose name is the hexadecimal value of the ACE/Server IP address with .SDI appended. The VPN Concentrator obtains the server list when the first user authenticates to the configured server, which can be either a Primary or a Replica. The VPN Concentrator then assigns a priority to each server on the list, and subsequent server selection is random, weighted by those priorities, so the highest-priority servers are the most likely to be selected.

Legacy Article ID: a13140
