000029226 - Cisco ASA authenticates to the RSA Authentication Manager 8.1 primary but not to the replica

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 7, 2017
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000029226
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
 
Issue
The Authentication Manager instance's real time authentication activity monitor reports Activity Key "Node secret verification" where the reason is "Node secret mismatch: cleared on agent but not on server" when an authentication is sent to the Authentication Manager replica instance from Cisco ASA.  For example,


User-added image
CauseThere is a known problem with regards to the node secret and the Cisco ASA when using native SecurID authentication to an RSA Authentication Manager deployment.
ResolutionFollow the steps below to resolve the issue:

From the Authentication Manager interface


  1. Clear the node secret from the agent host record of the Cisco ASA device in the Security Console (Access > Authentication Agents > Manage Existing).
  2. Click the context arrow next to the Authentication Agent's name and select Manage Node Secret.
  3. Check Clear the node secret and click Save.
 User-added image
 

From the Cisco ASA


Clear any node secret file (n-n-n-n.SDI, where n-n-n-n is the IP address of the server) from the Cisco ASA flash drive (i. e., memory cache).  Refer to Cisco documentation on how to remove files from the flash drive.
 

Recreating the node secret and testing authentication


At this point, neither the Authentication Manager deployment nor the Cisco ASA have a node secret.  The next successful authentication will reset the node secret on both devices.
  1. From the Authentication Manager's primary instance, select Reporting > Real Time Activity Monitors > Authentication Activity Monitor.
  2. On the pop up window, click Start Monitor.
  3. From the Cisco ASA, perform at test authentication to the Authentication Manager's primary instance. This authentication will generate a new node secret to replace the one deleted above. The Authentication Manager will store a copy of the node secret in the authentication agent's record in the Security Console and send another copy of the node secret to the Cisco ASA device to store.  The Cisco ASA stores the node secret based on the IP address of the Authentication Manager instance. For example, if the Authentication Manager primary has an IP address of 192.168.100.100, the node secret file on the Cisco ASA would be named 192-168-100-100.SDI.
  4. Make a copy of the node secret SDI file on the Cisco ASA and name it with the IP address of the Authentication Manager replica instance.  Note that the octet's of the IP address are divided with dashes, not full stops.  If the Authentication Manager's replica IP address is 192.168.200.200, the filename in the Cisco ASA device for the replica node secret would be 192-168-200-200.SDI.
  5. As the Authentication Manager primary instance replicates its records to the replica, the node secrets on the Cisco ASA now match the Authentication Manager deployment.
  6. Now perform a test authentication to the replica to ensure it is working as expected before using in production.  Keep an eye on the Authentication Activity Monitor to confirm authentications are working properly to the replica.

Attachments

    Outcomes