|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1, 8.1 SP1
|Issue||A specific user gets an authentication failure, but the server does not display an access denied message. The problem is intermittent. Sometimes, after entering the On-Demand Tokencode (ODT), the user is returned to the logon prompt instead of being granted access, yet no authentication failure appears in the Authentication Manager logs or in the real-time authentication activity monitor.|
|Tasks||To troubleshoot this or similar On-Demand Authentication (ODA) failures, run network packet captures on the primary and on every replica server in the deployment. Filter the captures on port 5500 UDP for authentication and port 25 TCP for SMTP mail.|
|Resolution||Start tcpdump on the primary and on all replicas, each in its own SSH session, to capture both SMTP and authentication traffic. Make sure the tcpdump command saves its output to a file. Leave the captures running so that the next intermittent ODA login failure is captured. Once the failure has been captured, stop the captures and send the network packet capture files to RSA support.|
The capture files will show whether both the primary and any replicas are sending an email, whether the replica is sending two emails, or whether the primary and any replicas are not sending any emails.
login as: rsaadmin
login as: rsaadmin
am81p:/usr/sbin # cd /tmp
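One way to run the capture described above, as an added example and not RSA's own command (which is not shown on this page). The interface `any`, the `/tmp` output location, the ring-buffer sizes and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the RSA article. Run as root on the primary and on
# each replica:  sh oda_capture.sh start   ...wait for the failure...   stop
# Assumptions: interface "any", output under /tmp, 10 files x 50 MB ring buffer.

CAP_DIR="${CAP_DIR:-/tmp}"
CAP_PIDFILE="$CAP_DIR/oda_capture.pid"

# Capture filter from the article: authentication on 5500/UDP, SMTP on 25/TCP.
oda_filter() {
    printf '%s' 'udp port 5500 or tcp port 25'
}

# One file name per server and start time, so that the primary and replica
# captures cannot be confused once they are collected.
oda_capture_file() {
    printf '%s/oda_%s_%s.pcap' "$CAP_DIR" "$(uname -n)" "$(date +%Y%m%d%H%M%S)"
}

# Build the command line. -s 0 keeps whole packets, -n skips DNS lookups,
# -C/-W rotate the output (tcpdump appends a counter to the file name) so a
# long wait for the next intermittent failure cannot fill the disk.
oda_capture_cmd() {
    printf 'tcpdump -i any -n -s 0 -C 50 -W 10 -w %s %s' "$1" "$(oda_filter)"
}

oda_start() {
    file="$(oda_capture_file)"
    # Word splitting is intended here: the string is the argument list.
    nohup $(oda_capture_cmd "$file") >/dev/null 2>&1 &
    echo $! > "$CAP_PIDFILE"
    echo "capturing to $file (pid $!)"
}

oda_stop() {
    # SIGINT lets tcpdump flush its buffer and close the file cleanly.
    kill -INT "$(cat "$CAP_PIDFILE")" && rm -f "$CAP_PIDFILE"
}

case "${1:-}" in
    start) oda_start ;;
    stop)  oda_stop ;;
esac
```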
Big Picture of an On-Demand Authentication
For an ODA/ODT login success,
From the Authentication Agent
Note: If the authentication in Step 3 takes more than 60 seconds after the PIN is entered in Step 1, some agents time out and do not send the Step 3 authentication request. Nothing shows in the authentication activity logs because the authentication request never arrived. Moreover, the user has to enter their PIN again to trigger a second email/SMS ODT.