000025819 - How to clear the node secret after a node verification failure

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number
000025819

Applies To
RSA ACE/Server
RSA Authentication Manager
RSA ACE/Agent
Node Secret SecurID file

Issue
Clear the node secret following a node verification failure.
Authentication fails with a node verification failure error, logged as: User <userID> attempted to authenticate with authentication method Native_SecurID. The user belongs to the SystemDomain
Error: Node verification failed
Error: "ACCESS DENIED, PASSCODE Incorrect" Node verification failure
Node verification failure mismatch
 
Cause
Before a node secret exists, the Agent host's first authentication requests are sent using PW-code encryption, which is based on the Agent host's primary IP address. Upon successful authentication, RSA ACE/Server generates a node secret and sends it to the Agent host. Use the Agent's IP address override to make sure that this initial login does not fail with the message "User <userID> attempted to authenticate using authentication method Native_SecurID. The user belongs in the SystemDomain".

Node verification failure means that the node secrets on RSA ACE/Server and the Agent host do not match, or that the node secret has been deleted on one side but not the other; for example, a reinstalled Agent has no node secret while the server still has one recorded for that Agent host.

Resolution

How to clear the node secret after a node verification failure

Restore the SecurID (ACE) authentication service for the client:

  1. On the client, delete the node secret file. (The default file name is securid.) Either delete it from its default directory, which is usually /var/ace or \Windows\system32 (see the table under Notes below), or use the Authentication Agent or RSA Security Center Advanced tab (Clear Node Secret). Other partner devices might use slightly different names and locations. For example, many Cisco devices name the node secret after the IP address of the RSA Authentication Manager primary instance with the extension .sdi (for example, 192-168-100-100.sdi). Cisco, like many other vendors, also stores the node secret in flash memory.


  2. On the RSA ACE/Server, edit the Agent Host record and clear the Node Secret Created option (step 4 gives the version-specific procedure).

    Note: For RSA Authentication Manager 6.1 RADIUS, see solution a29598.

     


  3. Restart the service that is authenticating or, if possible, the device itself.

    Note: Node secrets on most devices are cached, so the service that is authenticating (for example, the web server) must be restarted to clear its cache. However, this does not always work; sometimes the device itself must be restarted to clear the node secret.

     


  4. On the RSA ACE/Server, start the Database Administration program.

    UNIX-based systems: Run: sdadmin

    Version 6.1 on Windows: Go to Start > Programs > ACE Server > Database Administration - Host Mode (or use Remote Administration from your Windows workstation). Go to the Agent Hosts menu, and select Edit Agent Hosts. For the affected Agent Host, ensure that the Sent Node Secret option is clear, and that the IP address in the Network Address field is correct.

    Version 7.1: Launch the RSA Security Console, and go to Access > Authentication Agents > Manage Existing. For the affected Agent, select Manage Node Secret in the context menu. If the node secret is set, clear the option and save your changes to the Agent.

     


  5. Reattempt authentication to verify correct operation.

    Note: By default, changes made to the primary ACE/Server database can take up to two minutes to replicate. The reverse is also true: if the node secret is established with a replica during the first authentication, and within seconds a second authentication gets a Node Verification Failed message on the primary, check whether the primary or another replica handled the second authentication. You might have to wait for the replication interval to complete.
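Steps 1, 3 and 5 above on a UNIX agent, as an added example that is not part of the RSA article: a POSIX shell helper that locates the node secret using the $VAR_ACE convention from the table under Notes, moves it aside instead of deleting it outright (so the old secret can be restored if the fault turns out to be elsewhere, such as a multi-homed client), and reports whether a fresh node secret has been written after the next authentication. The backup directory, file naming and function names are assumptions; restarting the authenticating service is left to the operator because the service name depends on the product.

```shell
#!/bin/sh
# Added example, not RSA's own tooling. Assumes the UNIX agent keeps its node
# secret in $VAR_ACE/securid, or /var/ace/securid when VAR_ACE is unset (as the
# article's table states). Backup location and naming are assumptions.

node_secret_dir() {
    # Print the directory holding the node secret: $VAR_ACE if set, else /var/ace.
    if [ -n "${VAR_ACE:-}" ]; then
        printf '%s\n' "$VAR_ACE"
    else
        printf '%s\n' /var/ace
    fi
}

node_secret_present() {
    # Return 0 if the agent currently holds a node secret, 1 otherwise.
    # After step 5 (first successful authentication following the reset) the
    # server should have sent a fresh node secret and this returns 0 again.
    [ -f "$(node_secret_dir)/securid" ]
}

clear_node_secret() {
    # Usage: clear_node_secret [backup_dir]
    # Step 1: move the node secret aside (not delete it) so it can be put back
    # if the real cause is elsewhere, for example a changed or multi-homed IP.
    # Returns 0 when a secret was present and moved, 1 when there was nothing
    # to clear (the server-side flag in steps 2/4 still needs clearing).
    dir=$(node_secret_dir)
    backup_dir=${1:-/var/tmp/securid-backup}   # assumed location
    secret="$dir/securid"
    if [ ! -f "$secret" ]; then
        echo "no node secret at $secret; agent already has no node secret" >&2
        return 1
    fi
    mkdir -p "$backup_dir"
    chmod 700 "$backup_dir"                      # the old secret is still sensitive
    stamp=$(date +%Y%m%d%H%M%S)
    mv "$secret" "$backup_dir/securid.$stamp"
    echo "moved $secret to $backup_dir/securid.$stamp" >&2
    echo "now restart the authenticating service (step 3) and retry a login" >&2
    return 0
}
```

Run it as root on the agent host (`. ./clear_node_secret.sh; clear_node_secret`), restart the service, then call `node_secret_present` after the test login to confirm the server handed out a new secret; if it did not, recheck the Agent Host record and the replication note above.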

 


If this solution does not resolve the issue, look for other possible causes of the Node verification failed error. See solutions 1.0.338055.2181026 (multi-homed client), 1.0.225375.2172285 (client has a new IP address), and 1.0.283668.2178070 (encryption type mismatch).

Workaround
IP address changed

Notes

Location of the node secret ("securid") file, by RSA Agent type:

ACE Agent for NT (pre 4.4): %windir%\system32\
ACE Agent for NT (4.4.x): stored in the registry; clear it from the Control Panel RSA ACE/Agent "Advanced" tab.
ACE Agent 5.x for Windows: stored in the registry; clear it from the Control Panel RSA ACE/Agent "Advanced" tab (see solution a18048 to manually remove the node secret from the registry).
ACE Agent 6.0 for Windows: stored in the registry; clear it from the Control Panel RSA ACE/Agent "Advanced" tab (see solution a18048 to manually remove the node secret from the registry).
ACE Agent 6.1 for Windows: stored as a file named "securid" in the (WINDOWS)\system32 folder rather than in the registry; clear it from the Control Panel RSA ACE/Agent "Advanced" tab.
ACE Agent for UNIX (or UNIX RADIUS server): $VAR_ACE/, or /var/ace/ if $VAR_ACE is not defined with a custom value.
ACE Agent for VMS: sys$specific:[sdti$acm5105]securid.;
Cisco PIX: stored in flash on the Cisco PIX Security Appliance. To see the file, run show flash. The node secret file is named with the IP address of the primary RSA Authentication Server and has an .sdi extension, for example 10-10-10-2.sdi.
NetWare: SYS:\System
Nokia IP Series: $VAR_ACE/, or /var/ace/ if $VAR_ACE is not defined with a custom value.
Lotus Domino: \WINNT\system32
Raptor Firewall 5.0 on NT: \Raptor\Eagle\Sg\
Raptor Firewall 6.0 on NT: \Raptor\Firewall\Sg\
Raptor Firewall on Solaris: /var/adm/sg/
Shiva LanRover VPN: run Shiva Manager; on the Systems menu, point to Clear and click ACE Node Secret.

Legacy Article ID
1.0.370878.2182762
