|Applies To||Citrix NetScaler sends RADIUS authentication requests to Cisco ACS, which then forwards them as native SecurID SDI authentication requests on UDP 5500 to an AM 8.1 server|
Verified that <UserID> has a valid fixed passcode that can successfully log on to the Self-Service console.
RSA Authentication Manager (AM) 8.X
Cisco debug shows ACM_ACCESS_DENIED, which is an RSA API message. It is the generic authentication-failed message and can occur for a number of reasons, including an incorrect PIN or tokencode. The node secret is not created until after the first successful authentication, so an ACM_ACCESS_DENIED on a new setup will always be related to the node secret not getting created. The debug also says "RSACheckPasscodeState".
##Session ID on ACS is created##
Citrix NetScaler login still fails with Auth Method failed.
ACS Failing Authentication Method with RSA SecurID.
Cisco ACS initial authentication using the SDI method to AM 8.1 fails; it appears the same as when an IP address override is needed.
Activity Key: Principal authentication
Description: User "jdoe" attempted to authenticate using authenticator "SecurID_Native". The user belongs to security domain "SystemDomain"
Reason: Authentication method failed
|Cause||It appears that the Citrix NetScaler login prompts were reversed: the passcode needed to be entered at the Domain Password prompt and, vice versa, the password at the RSA Token prompt.|
To resolve this issue for some customers:
Cisco asked the customer to create another RADIUS client (non-Citrix) on the Cisco ACS, with the same ACS forwarding of Native SecurID authentication requests to AM 8.1.
|Legacy Article ID||a66895|