000012847 - RSA Authentication Manager 7.1 replica RADIUS server does not authenticate when the primary server is down

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000012847
Applies To: RSA Authentication Manager 7.1
RSA SecurID Appliance 3.0
RSA Authentication Manager 7.1 RADIUS
Issue: Troubleshoot communication authentication errors on the RSA Authentication Manager 7.1 replica RADIUS server that occur when the primary server is down
Replica RADIUS log shows messages that are similar to the following:
03/14/2009 13:27:19 Failed to initialize communications for SecurID authentication (result = 23)
03/14/2009 13:27:19 Unable to find user jgracias with matching password
03/14/2009 13:27:19 Sent reject response
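
A reject caused by this issue differs from an ordinary failed logon in that it follows a SecurID initialization failure. The following Python script is an added example, not RSA code: it scans RADIUS log lines for that sequence. The function name, the 2-second correlation window and every sample line after the first three are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (.*)$")
INIT_FAIL = re.compile(
    r"Failed to initialize communications for SecurID authentication \(result = (\d+)\)")
NO_USER = re.compile(r"Unable to find user (\S+) with matching password")
WINDOW = timedelta(seconds=2)  # assumption: related lines are logged within 2 s

def find_init_failures(lines):
    """Return one dict per SecurID init failure, with the user and reject that followed."""
    incidents, current = [], None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        msg = m.group(2)
        if current and ts - current["time"] > WINDOW:
            current = None  # too late to belong to the last failure
        fail = INIT_FAIL.search(msg)
        if fail:
            current = {"time": ts, "result": int(fail.group(1)),
                       "user": None, "rejected": False}
            incidents.append(current)
        elif current:
            user = NO_USER.search(msg)
            if user and current["user"] is None:
                current["user"] = user.group(1)
            elif "Sent reject response" in msg:
                current["rejected"] = True
                current = None  # incident complete
    return incidents

# The first three lines are the ones quoted in the article; the rest are constructed.
SAMPLE_LOG = """\
03/14/2009 13:27:19 Failed to initialize communications for SecurID authentication (result = 23)
03/14/2009 13:27:19 Unable to find user jgracias with matching password
03/14/2009 13:27:19 Sent reject response
03/14/2009 13:31:02 Unable to find user constructed_user with matching password
03/14/2009 13:31:02 Sent reject response
not a log line
03/14/2009 13:40:10 Failed to initialize communications for SecurID authentication (result = 23)
""".splitlines()

if __name__ == "__main__":
    for i in find_init_failures(SAMPLE_LOG):
        print(i["time"], "result", i["result"], "user", i["user"], "rejected", i["rejected"])
```

The constructed 13:31:02 reject is not reported because no initialization failure precedes it; only rejects tied to the initialization failure point at the sdconf.rec problem described here.
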
Cause: The sdconf.rec file on the replica Authentication Manager 7.1 RADIUS server does not contain replica server information. This can happen if the RSA Authentication Manager servers are not rebalanced before the replica RADIUS server is configured. To resolve this issue, you must update the sdconf.rec file on the replica RSA Authentication Manager 7.1 RADIUS server.
Resolution

To resolve communication authentication errors on the replica RADIUS server, update the sdconf.rec file on the replica RSA Authentication Manager 7.1 RADIUS server.

To update the sdconf.rec file on the replica RSA Authentication Manager 7.1 RADIUS server:


  1. Generate and download the sdconf.rec file on the primary RSA Authentication Manager 7.1 RADIUS server:

    a. Log on to the RSA Security Console.


    b. Select Access > Authentication Agents > Authentication Manager Contact List > Automatic Rebalance.


    c. Click Rebalance. You should see the primary and replica server(s) listed. (This step updates the contact list.)


    d. Generate and download a new sdconf.rec file. In the Security Console, go to Access > Authentication Agents > Generate Configuration File. Follow the prompts to download the file.
     
  2. Update the sdconf.rec file on the replica Authentication Manager 7.1 RADIUS server:

    a. Place the newly generated sdconf.rec file in the following location for your platform:
    Windows: C:\Windows\System32
    UNIX-based systems: /var/ace
    Appliance: /usr/local/RSASecurity/RSAAuthenticationManager/radius/
    See the section below for special instructions on moving the file to an Appliance.

    b. Delete the sdstatus.12 file located on the server.

    c. Stop and restart the RSA RADIUS Server. On Windows, use the Windows Services applet. On UNIX or the Appliance, run the following command on a single line:
    /usr/local/RSASecurity/RSAAuthenticationManager/server/rsaam restart radius
     
  3. Launch the agent and test authentication.
  4. Log on to the Security Console and select Setup > Instances. Verify that replica servers are listed and that their status is Running.
Notes

To move the sdconf.rec file to an Appliance:


  1. On the Appliance, copy the sdconf.rec file to the /tmp directory with a secure copy program using the emcsrv account and the Operating System password.
  2. Log on to the Appliance using an SSH client, and run the following commands:
    sudo su
    cd /tmp
    chmod 755 sdconf.rec
  3. Copy the sdconf.rec file from the /tmp directory to the following location:
    /usr/local/RSASecurity/RSAAuthenticationManager/radius/
If you are not using RSA RADIUS, see RSA authentication agent authenticating only to the Authentication Manager 7.1 primary.
 
Legacy Article ID: a45224
