000031946 - Reset the node secret used to secure communications between the CISCO ACS 5.x and RSA Authentication Manager 8.1

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 5

Article Content

Article Number: 000031946
Applies To: RSA Product Set : SecurID
RSA Product/Service Type : RSA Authentication Manager
RSA Version/Condition: 8.1 Service Pack 1
Platform : SUSE Enterprise Linux
O/S Version : 11 Service Pack 3
Product Description : SecurID Appliance
Issue: From the Security Console, the real-time authentication activity monitor reports 'Node secret mismatch: cleared on agent but not on server' or 'Node secret mismatch: cleared on server but not on agent' or 'Node secret mismatch: agent and server using different node secrets'.
Tasks:
To reset the node secret (CISCO ACS)
  1. Log on to the CISCO ACS with an administrative account
  2. Browse to User and Identity Stores > External Identity Stores > RSA SecurID Token Servers
    1. Edit the specified RSA SecurID Token Servers
    2. Open the ACS Instance Settings tab, and Edit the ACE Instance
    3. Open the Reset Agent Files tab
    4. Mark the checkbox next to Remove securid file on submit, click OK and then click Submit
To reset the node secret (Authentication Manager)
  1. Log on to the Security Console with an administrative account
  2. Click the Access tab > Authentication Agents > Manage Existing > select Unrestricted or Restricted tab and use the Search Criteria to search for the Authentication Agent > left-click the Authentication Agent name > Manage Node Secret
  3. Mark the checkbox next to Clear the node secret and click Save

Resolution: Where a node secret mismatch appears in the real-time authentication activity monitor or in an authentication activity report, an administrator must reset the node secret.
Notes: After the authentication agent (CISCO ACS) initially communicates with the Authentication Manager instance, a node secret is generated. One copy is stored in the authentication agent record in the Authentication Manager database, and another copy of the node secret is sent to the authentication agent.

The Activity Key 'Node secret sent' is seen in the real-time authentication activity monitor when the Authentication Manager sends a node secret to the authentication agent.
Refer to the URL https://community.emc.com/docs/DOC-37405 for the RSA Ready integration guide for Cisco Secure Access Control System (ACS) and RSA Authentication Manager 8.1.