000014967 - RADIUS authentication failing with RSA Authentication Manager 7.1 SP4 or later software

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000014967

Applies To:
RSA Authentication Manager 7.1 SP4
RSA RADIUS
Microsoft Windows 2003
Microsoft Windows 2008 R2

Issue:
Node secret mismatch: cleared on server but not on agent
Verifying node secret for the agent '<primary_fqdn>' with IP address '<client_IP>' in security domain 'SystemDomain'
Node secret verification
The RADIUS client sending the RADIUS authentication gets no response from the RSA RADIUS 7.1 Server
The RSA RADIUS log file (yyyymmdd.log) in the <AMHOME>/radius/Service folder reports an 'Authentication Response (reject)' with 'Unable to find user rsatest with matching password'
[ERROR] Wrong OS username and password used to connect to RADIUS server

Cause:
The node secret has been removed from the agent host record for the primary.
There is a node secret mismatch between the authentication manager and the RSA RADIUS server, not between the authentication manager and the RADIUS client.
 
Resolution

To re-establish the node secret between the authentication manager and the RSA RADIUS Server, use the following process:
1.     Locate the node secret file (securid) and rename it to securid.yyyymmdd.OLD (where ‘yyyy’ represents the year, ‘mm’ represents the month and ‘dd’ represents the day)

Supported platform            Folder for node secret
Microsoft Windows 2003        C:\Windows\system32
Microsoft Windows 2008 R2     C:\Windows\SysWOW64

2.     Open a Windows Command Prompt and navigate to the <AMHOME>/config folder
NOTE: <AMHOME> is the installation folder of the RSA Authentication Manager 7.1 software
3.     Run the following command: configUtil.cmd configure radius finalize-radius-restore
 
An example of running the command:
C:\RSA\AM71SP4\config>configUtil.cmd configure radius finalize-radius-restore
Action configure
Product radius
Module finalize-radius-restore

CLASSPATH=C:\RSA\AM71SP4\APPSER~1\patch_wls1000\profiles\default\sys_manifest_classpath\weblogic_patch.jar;C:\RSA\AM71SP4\APPSER~1\jdk\lib\tools.jar;C:\RSA\AM71SP4\APPSER~1\weblogic\server\lib\weblogic_sp.jar;C:\RSA\AM71SP4\APPSER~1\weblogic\server\lib\weblogic.jar;C:\RSA\AM71SP4\APPSER~1\modules\features\weblogic.server.modules_10.0.0.0.jar;C:\RSA\AM71SP4\APPSER~1\modules\features\com.bea.cie.common-plugin.launch_2.1.0.0.jar;C:\RSA\AM71SP4\APPSER~1\weblogic\server\lib\webservices.jar;C:\RSA\AM71SP4\APPSER~1\modules\ORGAPA~1.5/lib/ant-all.jar;C:\RSA\AM71SP4\APPSER~1\modules\NETSFA~1.0/lib/ant-contrib.jar;

PATH=C:\RSA\AM71SP4\APPSER~1\patch_wls1000\profiles\default\native;C:\RSA\AM71SP4\APPSER~1\weblogic\server\native\win\x64;C:\RSA\AM71SP4\APPSER~1\weblogic\server\bin;C:\RSA\AM71SP4\APPSER~1\modules\ORGAPA~1.5\bin;C:\RSA\AM71SP4\APPSER~1\jdk\jre\bin;C:\RSA\AM71SP4\APPSER~1\jdk\bin;C:\Windows/system32;C:/RSA/AM71SP4/utils/lib;C:/RSA/AM71SP4/db/bin;C:\RSA\AM71SP4\APPSER~1\weblogic\server\native\win\x64\oci920_8

Your environment has been set.
Config PATH: C:\RSA\AM71SP4\APPSER~1\patch_wls1000\profiles\default\native;C:\RSA\AM71SP4\APPSER~1\weblogic\server\native\win\x64;C:\RSA\AM71SP4\APPSER~1\weblogic\server\bin;C:\RSA\AM71SP4\APPSER~1\modules\ORGAPA~1.5\bin;C:\RSA\AM71SP4\APPSER~1\jdk\jre\bin;C:\RSA\AM71SP4\APPSER~1\jdk\bin;C:\Windows/system32;C:/RSA/AM71SP4/utils/lib;C:/RSA/AM71SP4/db/bin;C:\RSA\AM71SP4\APPSER~1\weblogic\server\native\win\x64\oci920_8Config CLASSPATH: C:/RSA/AM71SP4/uninstall/lib/framework-common.jar;C:/RSA/AM71SP4/uninstall/lib/framework-config.jar;C:/RSA/AM71SP4/uninstall/lib/framework-migration.jar;C:/RSA/AM71SP4/uninstall/lib/framework-thirdparty.jar;C:/RSA/AM71SP4/uninstall/lib/radius-local-oc.jar;C:/RSA/AM71SP4/uninstall/lib/radius-config-oc.jar;C:/RSA/AM71SP4/uninstall/lib/common-am.jar;C:/RSA/AM71SP4/utils/jars/ims-server-o.jar;C:/RSA/AM71SP4/utils/jars/am-server-o.jar;C:/RSA/AM71SP4/utils/jars/clu-common.jar;C:/RSA/AM71SP4/uninstall/lib/install-utils.jar;C:/RSA/AM71SP4/uninstall/lib/gen-replica-pkg.jar;C:/RSA/AM71SP4/uninstall/lib/setup-replication.jar;C:/RSA/AM71SP4/uninstall/lib/bootstrap-license.jar;C:/RSA/AM71SP4/uninstall/lib/install-key.jar;C:/RSA/AM71SP4/uninstall/lib/install-am-keystore.jar;C:/RSA/AM71SP4/uninstall/lib/install-ctkip-keystore.jar;C:/RSA/AM71SP4/utils/lib/install-ctkip-keystore.jar;C:/RSA/AM71SP4/utils/lib/manage-nodes.jar;C:/RSA/AM71SP4/utils/lib/manage-backups.jar;C:/RSA/AM71SP4/utils/jars/replication-api.jar;C:/RSA/AM71SP4/utils/jars/systemfields-o.jar;C:/RSA/AM71SP4/utils/lib/gen-radius-pkg.jar;C:/RSA/AM71SP4/utils/lib/gen-db-pkg.jar;C:/RSA/AM71SP4/utils/lib/manage-oc-administrators.jar;C:/RSA/AM71SP4/utils/lib/manage-trusts.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/jdom-1.0.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/jsafe-3.6.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/jsafeJCE-3.6.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/certj-2.1.1.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/struts-core-1.3.5.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/spring-2.0.7.jar;C:/RS
A/AM71SP4/utils/jars/thirdparty/jargs-1.0.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/xmlspy-schema-2006-sp2.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/jline-0.9.91rsa-1.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/commons-dbcp-1.2.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/commons-digester-1.6.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/commons-validator-1.3.0.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/commons-fileupload-1.2.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/commons-io-1.2.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/commons-chain-1.1.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/log4j-1.2.11rsa-3.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/commons-beanutils-1.7.0.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/commons-collections-3.0.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/commons-logging-1.0.4.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/xercesImpl-2.7.1.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/commons-lang-2.2.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/commons-httpclient-3.0.1.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/commons-codec-1.3.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/dbunit-2.0.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/iScreen-1-1-0rsa-2.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/ognl-2.6.7.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/iScreen-ognl-1-1-0rsa-2.jar;C:/RSA/AM71SP4/utils/jars/thirdparty/oscache-2.3.2rsa-1.jar;C:/RSA/AM71SP4/utils/resources;C:/RSA/AM71SP4/server/servers/rsa-help/eclipse/plugins/org.eclipse.help.webapp_2.0.2/eclipseurl.jarConfig JAVA_OPTIONS:  -Dconfig.home=C:/RSA/AM71SP4/config -Dinventory.file=C:/RSA/AM71SP4/uninstall/resources/rsainventory.properties -Dinput.file=C:/RSA/AM71SP4/uninstall/resources/inputdata.properties -Dproperties.directory=C:/RSA/AM71SP4/utils\etc -Duninstall.resources.dir=C:/RSA/AM71SP4\uninstall\resources -Dinstall.log.dir=C:/RSA/AM71SP4\install\logs\config
readSecrets PropDir: C:/RSA/AM71SP4/utils\etc
Action: stop
Using service/script 'Steel-Belted Radius'/'radiuswrapper.bin'
Stopping RADIUS Service...
Done.
Action: start
Using service/script 'Steel-Belted Radius'/'radiuswrapper.bin'
Starting RADIUS Service...
Checking XUI Connection...
Done.
RADIUS Server Cert Generation: SUCCESS
RADIUS Server Cert Install: SUCCESS
Action: stop
Using service/script 'Steel-Belted Radius'/'radiuswrapper.bin'
Stopping RADIUS Service...
Done.
Action: start
Using service/script 'Steel-Belted Radius'/'radiuswrapper.bin'
Starting RADIUS Service...
Checking XUI Connection...
Done.
RemoteCommand: Properties dir: C:/RSA/AM71SP4/utils\etc
RemoteCommand: Connecting to Local AM as rsaadmin
RemoteCommand: Successfully logged in to AM
AM Registration: unregistering old server
AM Registration: SUCCESS
Storing Node Secret into 'C:\Windows\SysWOW64\securid'
Storing sdconf.rec into 'C:\Windows\SysWOW64\sdconf.rec'
RADIUS Agent Configuration: SUCCESS
RADIUS Registration: SUCCESS
Action: stop
Using service/script 'Steel-Belted Radius'/'radiuswrapper.bin'
Stopping RADIUS Service...
Done.
Action: start
Using service/script 'Steel-Belted Radius'/'radiuswrapper.bin'
Starting RADIUS Service...
Checking XUI Connection...
Done.

Configuration complete
Exiting...

C:\RSA\AM71SP4\config>

If a login credential failure appears during the ‘Checking XUI Connection...’ step, the RSA RADIUS administrative account name and password are incorrect.
 
Example:
Checking XUI Connection...

[ERROR] Wrong OS username and password used to connect to RADIUS server

[SOLUTION] RADIUS server is not configured properly ; Please re-run the RADIUS server configuration again

com.rsa.authmgr.radius.exception.RadiusSystemException: Wrong OS username and password used to connect to RADIUS server
Retrying (timer 5766 ms)
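
The following is an added example, not part of the original article or RSA's tooling: a small Python checker that reads captured finalize-radius-restore output and reports whether every stage shown in the successful run above completed, where the node secret was stored, and whether the XUI credential error occurred. The function name and the embedded sample strings are assumptions; the samples are abridged from the output quoted in this article.

```python
import re

# Stage lines printed by the successful run shown in this article.
REQUIRED_STAGES = (
    "RADIUS Server Cert Generation",
    "RADIUS Server Cert Install",
    "AM Registration",
    "RADIUS Agent Configuration",
    "RADIUS Registration",
)
NODE_SECRET_RE = re.compile(r"^Storing Node Secret into '(.+)'$")
CRED_ERROR = "Wrong OS username and password used to connect to RADIUS server"

def check_restore_output(text):
    """Summarise captured finalize-radius-restore output (hypothetical helper)."""
    lines = [ln.strip() for ln in text.splitlines()]
    missing = [s for s in REQUIRED_STAGES if f"{s}: SUCCESS" not in lines]
    errors = [ln[len("[ERROR]"):].strip() for ln in lines if ln.startswith("[ERROR]")]
    paths = [m.group(1) for m in map(NODE_SECRET_RE.match, lines) if m]
    return {
        "ok": not missing and not errors and "Configuration complete" in lines,
        "missing_stages": missing,
        "errors": errors,
        "credential_error": CRED_ERROR in errors,
        "node_secret_path": paths[-1] if paths else None,
    }

# Constructed samples, abridged from the output quoted in this article.
SUCCESS_SAMPLE = r"""
RADIUS Server Cert Generation: SUCCESS
RADIUS Server Cert Install: SUCCESS
AM Registration: unregistering old server
AM Registration: SUCCESS
Storing Node Secret into 'C:\Windows\SysWOW64\securid'
RADIUS Agent Configuration: SUCCESS
RADIUS Registration: SUCCESS
Configuration complete
"""
FAILURE_SAMPLE = """
Checking XUI Connection...
[ERROR] Wrong OS username and password used to connect to RADIUS server
[SOLUTION] RADIUS server is not configured properly ; Please re-run the RADIUS server configuration again
Retrying (timer 5766 ms)
"""

if __name__ == "__main__":
    for name, sample in (("success", SUCCESS_SAMPLE), ("failure", FAILURE_SAMPLE)):
        print(name, check_restore_output(sample))
```

To use it on a real run, redirect the command's output to a file from the Command Prompt and pass the file's text to check_restore_output.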

Use the following process to determine which RSA RADIUS administrative account name and password are stored in the authentication manager configuration:

1. Download RSASCheck-5.0.88.zip from https://community.emc.com/docs/DOC-16578 (registration is required to access RSASCheck if you do not already have an account; registration is free).
2. Create a folder called <AMHOME>/RSASCheck
   ** where <AMHOME> is the folder where the RSA Authentication Manager 7.1 SP4 software is installed, usually /usr/local/RSASecurity/RSAAuthenticationManager on supported UNIX platforms or C:\Program Files\RSA Security\RSA Authentication Manager on supported Microsoft Windows platforms **
3. Copy the RSASCheck-5.0.88.zip file into the <AMHOME>/RSASCheck folder and unpack the zip file
4. Create a folder called <AMHOME>/config/debug using the account that owns the RSA Authentication Manager software files, e.g. rsaadmin.
5. Copy all XML files from the <AMHOME>/RSASCheck folder into the <AMHOME>/config/debug folder
6. At the command line, navigate to the <AMHOME>/config folder as the 'root' user
7. Use the following command as 'root' to reveal the RSA RADIUS administrative account:
    
  
UNIX       ./configUtil.sh configure debug rsa.radius.os.admin.username
Windows    configUtil.cmd configure debug rsa.radius.os.admin.username

    
   Example
  
   …
   rsa.radius.os.admin.username=[RadiusKE3H7uFi]
  
   Configuration complete
   Exiting...

  
  
    
   Use the following command as root to reveal the RSA RADIUS administrative account password:
    
  
UNIX       ./configUtil.sh configure debug rsa.radius.os.admin.password
Windows    configUtil.cmd configure debug rsa.radius.os.admin.password

    
   Example
  
   …
   rsa.radius.os.admin.password=[NT6m7bSyea,--)]
  
   Configuration complete
   Exiting...

 
 
Having revealed the RADIUS Admin username, check that it matches the local operating system RADIUS account that was created during the installation of the RSA Authentication Manager 7.1 software. If the RADIUS Admin username matches, update the local operating system RADIUS account password with the revealed RADIUS Admin password.
 
Re-establish the node secret between the authentication manager and the RSA RADIUS Server with the following command: configUtil.cmd configure radius finalize-radius-restore
IMPORTANT: If you still get an error, contact RSA Customer Support, refer to this knowledge article for the steps taken, and provide any error messages seen.

Legacy Article ID: a57882
