000020504 - How to set an IP address override for an RSA ACE/Agent and RSA Authentication Agent

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000020504
Applies ToRSA ACE/Agent
RSA ACE/Server
RSA Authentication Manager
RSA Authentication Agent
Multi-homed system with 2 or more NIC cards
Multiple NIC cards installed on the network firewall or NAT server
IssueSet an IP address override for an RSA ACE/Agent and RSA Authentication Agent
Set IP Address Override, or use the client IP override keyword CLIENT_IP in sdopts.rec
Error: Access Denied, bad user password
Error: Access Denied, PASSCODE Incorrect
Cross Realm XR ACCESS DENIED, bad passcode
Authentication Method Failed - AUTHN_METHOD_FAILED - User "<User ID>" attempted to authenticate using authenticator "SecurID_Native". The user belongs to security domain "SystemDomain"
CauseCross-realm authentication is RSA ACE version 4, and any agent host that provides cross-realm authentication needs an IP address override.

How to set an IP address override for an RSA ACE/Agent and RSA Authentication Agent


If your authentication agent has multiple IP addresses (multi-homed), you must select an IP address from the system configuration of your agent host through IP Address Override, and match it to the primary IP address for the authentication agent host on the RSA Authentication Manager server or appliance. The initial encryption between an agent host and RSA Authentication Manager server is based on this known IP address. (IP Address Override ensures that the agent host's IP address matches what is used by RSA Authentication Manager. If they do not match, all authentications fail.)


To set an IP Address Override, you can either use the RSA/ACE Authentication Agent for Windows utility IP Address Override (RSA Security Center > Advanced tab), or manually configure sdopts.rec, which works in older agents and certain Partner Agents.


The sdopts.rec file, which should be located in the same directory as sdconf.rec, can be used on both Windows NT and UNIX to provide an IP address override for the agent. You may create sdopts.rec in either /ace/data on a UNIX agent host or /winnt/system32 on a Windows agent host. If the UNIX agent host does not have either of those directories, create the directory /var/ace and save the file there. Alternatively, you can save sdopts.rec in the same directory as the node secret file (securid) and set the environment variable VAR_ACE to the path of the directory that contains sdopts.rec. Any RSA ACE/Agent version 5.x honors the /var/ace variable because it is coded into the API.


In the sdopts.rec file, use the keyword CLIENT_IP to specify the overriding IP address. For example:

;Any line of text preceded by a semicolon is ignored (is considered a comment).
;Do not put a blank space between a keyword and it's equal sign, after the IP Address,
;and after the comma that separates an IP Address from a priority value,
e.g. if your Agent Primary IP is, and you configured
;your Auth Agent Host entry with, then


This example shows only the CLIENT_IP keyword, but you can include other supported keywords.


If you set the IP address override in sdopts.rec, restart the agent. When an RSA ACE/Server administrator adds information about your agent host to the server database, the server administrator must configure the Network Address setting using the same IP address specified in sdopts.rec. If the two IP addresses do not match, communication between the agent and server fails. On Windows NT, if you have already set the overriding IP address in the Agent Control Panel, sdopts.rec is ignored.


Note: The sdopts.rec file might be incompatible with DHCP if the registered IP address of the agent host changes from the CLIENT_IP setting in sdopts.rec.


Also note that with a Windows agent, you can set IP override: Go to the Control Panel, and launch RSA Security Center. Locate Advanced Settings, and set the IP address override. You should clear the node secret on both the agent and the RSA Authentication Manager server, and then restart RSA Security Center to test authentication.


For more information, see the following solutions:

NotesThe ISA Web filter for RSA SecurID authentication is supported solely by Microsoft. The ISA Server has been fully tested and certified by RSA Security. For more information on this partner solution including the implementation guide, go to the Secured by RSA web site.
Legacy Article IDa2808