000017317 - Citrix NetScaler to Cisco ACS to RSA AM 8.X Authentication Method Fails.

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000017317
Applies ToCitrix netscaler sends RADIUS authentication requests to Cisco ACS which then forwards those as Native SecurID SDI authentication requests on UDP 5500 to an AM 8.1 server 

Verified that <UserID> has valid fixed passcode that can successfully logon to the Self-Service console.
RSA Authentication Manager (AM)  8.X

Cisco debug shows ACM_ACCESS_DENIED, which is an RSA API message. It is the generic auth failed message, and could be for a number of reasons including the PIN or TokenCode is incorrect. The node secret will not get created until after the first successful authentication, so an ACM_ACCESS_DENIED on a new setup will always be related to node secret not getting created. Debug also says ?RSACheckPasscodeState?
A success will show as ACM_OK

     ##Session ID on ACS is created## 

     AuthenStateManager,07/07/2014,20:25:57:690,DEBUG,3082451856,acquireOrCreateState: created sessionID=crpitsacs01/194136679/106,AuthenStateManager.cpp:62 

     ##NAS IP is matched against AAA client## 

     inboundProtocolManager,07/07/2014,20:25:57:691,DEBUG,3082451856,cntx=0000000825,sesn=crpitsacs01/194136679/106,NAS with IP = <NetSDc aler IP> matches AAAClient with IP =  <NetSDcalerP>,ProtocolDataUtils.cpp:495 

     ##AccessRequest packet## 

     Radius,07/07/2014,20:25:57:691,DEBUG,3082451856,cntx=0000000825,sesn=crpitsacs01/194136679/106,RADIUS PACKET:: Code=1(AccessRequest) Identifier=230 Length=49,RADIUSHandler.cpp:1330 

     Radius,07/07/2014,20:25:57:691,DEBUG,3082451856,NIL-CONTEXT, [1] User-Name - value: [e_ttaylor] ,AttributePrintHelper.cpp:75 

     Radius,07/07/2014,20:25:57:691,DEBUG,3082451856,NIL-CONTEXT, [2] User-Password - value: [****] ,AttributePrintHelper.cpp:75 

     Radius,07/07/2014,20:25:57:691,DEBUG,3082451856,NIL-CONTEXT,CTS_pac_opaque = false,RADIUSHandler.cpp:498 

     Radius,07/07/2014,20:25:57:691,DEBUG,3082451856,cntx=0000000825,sesn=crpitsacs01/194136679/106,Validate integrity related RADIUS attributes,RADIUSHandler.cpp:1022 

     ##RSA Identity store is selected## 

     RSA,07/07/2014,20:25:57:693,DEBUG,3082451856,cntx=0000000825,sesn=crpitsacs01/194136679/106,user=e_ttaylor,[RSAlIDStore::onPlainAuthenticateAndQueryEvent] TokenCache not enabled, Going to authenticate      with RSA,RSAIDStore.cpp:294 

     ##Got an error## 

     RSAAgent,07/07/2014,20:26:22:724,DEBUG,3034864528,cntx=0000000825,sesn=crpitsacs01/194136679/106,user=e_ttaylor,[RSAAgent::handleResponse] operation completed with ACM_ACCESS_DENIED      status,RSAAgent.cpp:237 

     ##Authentication failed## 

     AuthenSessionState,07/07/2014,20:26:22:725,DEBUG,3082451856,cntx=0000000825,sesn=crpitsacs01/194136679/106,user=e_ttaylor,[RSACheckPasscodeState::onRSAAgentResponse]      Authentication Failed,RSACheckPasscodeState.cpp:74

Citrix NetScaler login still fails with Auth Method failed.
ACS Failing Authentication Method with RSA SecurID.
Cisco ACS initial authentication using SDI to AM 8.1 method fails, appears same as when IP address override needed.
Activity Key: Principal authentication
Description: User ?jdoe? attempted to authenticate using authenticator ?SecurID_Native?. The user belongs to security domain ?SystemDomain?
Reason: Authentication method failed
CauseIt appears that the Citrix NetScaler login prompts were reversed, the Passcode needed to be entered in the Domain Password, and vice versa enter the Password into RSA Token.

To resolve this issue for some customers:

Cisco asked customer to create another RADIUS client (non-Citrix) to the Cisco ACS, with same ACS forwarding of Native SecurID authentication request to AM 8.1.

Legacy Article IDa66895