|Applies To||RSA ACE/Server; Legacy RSA ACE/Agent (pre-version 5.0)|
|Issue||Authentication fails for an ACE/Agent connecting to an ACE/Server through a firewall. NT event log message on the agent: "Signature violation:MAC"|
|Cause||A firewall has changed the UDP source port number of the authentication packet, so the MAC on the ACE/Server's reply no longer matches the one the agent computes and the agent rejects the reply.|
|Resolution||Since the release of ACE/Server 2.3 (and its associated Agent/Server protocol for authentication packets) a Message Authentication Code (MAC) is used between the ACE/Server and the ACE/Agent to verify that the reply for a particular authentication has come from the correct ACE/Server. In performing this MAC check the source UDP port number is used.|
The sequence with a direct connection is the following:
1. The ACE/Agent sends an authentication request to the ACE/Server.
2. The ACE/Server notes which UDP source port the ACE/Agent used and (together with other data known only to the ACE/Server and the Agent) creates a MAC signature.
3. The ACE/Server sends its response to the ACE/Agent, including the MAC signature.
4. The ACE/Agent receives the packet, creates its own MAC signature and compares it with the signature in the packet to ensure they are the same.
In certain configurations, a firewall receives the packet from the ACE/Agent and, when forwarding it to the ACE/Server, substitutes a UDP source port number of its own. When the ACE/Server responds and generates the MAC, it therefore uses the firewall's UDP port number, not the ACE/Agent's original one.
When the ACE/Agent receives the response packet, it compares the MAC in the packet against the one it generates for itself (using its own port number) and finds that they differ, hence the error message.
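The following simulation is an added example and not RSA code; it models the exchange above so the failure mode can be seen directly. It assumes an HMAC-SHA256 keyed with a constructed shared secret standing in for the "other data known uniquely to ACE/Server and Agent" (the article does not state which MAC ACE/Server 2.3 actually used), and the port-independent variant is only an assumed way of removing the dependency, not a description of the version 5.0 protocol.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed value standing in for the data shared between ACE/Server and
# ACE/Agent. Assumption for the demo only; not a real ACE secret.
SHARED_SECRET = b"constructed-demo-secret"


def compute_mac(secret: bytes, request_id: bytes, src_port: Optional[int]) -> bytes:
    """MAC over the request identifier and, optionally, the UDP source port.
    HMAC-SHA256 is an assumption for illustration, not the real ACE MAC."""
    msg = request_id
    if src_port is not None:
        msg += src_port.to_bytes(2, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()


@dataclass
class Datagram:
    """Minimal model of a UDP datagram: the fields the MAC check cares about."""
    src_port: int
    payload: bytes


def agent_send(request_id: bytes, agent_port: int) -> Datagram:
    """Step 1: the agent emits its request from its own UDP source port."""
    return Datagram(agent_port, request_id)


def firewall_nat(dg: Datagram, nat_port: int) -> Datagram:
    """A firewall that forwards the packet with a source port of its own."""
    return Datagram(nat_port, dg.payload)


def server_reply_mac(dg: Datagram, bind_port: bool) -> bytes:
    """Steps 2-3: the server signs using the source port it observed on the wire.
    bind_port=True models the ACE/Server 2.3-4.1 behaviour described above."""
    port = dg.src_port if bind_port else None
    return compute_mac(SHARED_SECRET, dg.payload, port)


def agent_verify(request_id: bytes, agent_port: int, reply_mac: bytes, bind_port: bool) -> bool:
    """Step 4: the agent recomputes the MAC with the port it knows it used."""
    port = agent_port if bind_port else None
    expected = compute_mac(SHARED_SECRET, request_id, port)
    return hmac.compare_digest(expected, reply_mac)


def run_exchange(through_firewall: bool, bind_port: bool) -> bool:
    """Run one authentication round trip and return whether the agent accepts
    the reply. Port numbers and request id are constructed sample values."""
    request_id = b"constructed-request-0001"
    agent_port = 40001
    dg = agent_send(request_id, agent_port)
    if through_firewall:
        dg = firewall_nat(dg, 51234)  # firewall rewrites the source port
    reply_mac = server_reply_mac(dg, bind_port)
    return agent_verify(request_id, agent_port, reply_mac, bind_port)


if __name__ == "__main__":
    print("direct, port-bound MAC:     ", run_exchange(False, True))   # True
    print("via firewall, port-bound:   ", run_exchange(True, True))    # False: Signature violation
    print("via firewall, port-agnostic:", run_exchange(True, False))   # True
```

Running the block shows the direct path verifying, the firewall path failing exactly as the event log reports, and the port-independent MAC surviving the port rewrite. If you need to confirm that this is what is happening on a real deployment, compare the UDP source port in a capture taken on the agent side with the one seen on the server side of the firewall.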
There are two possible courses of action:
1. RSA Security strongly recommends upgrading both ACE/Agent and ACE/Server to version 5.0 or higher. The protocol has been changed to resolve this problem, but the ACE/Agent in use must be a version 5.0 agent.
2. Where such an upgrade is not possible, a utility has been made available to lower the protocol to 'pre-ACE/Server 2.3'.
WARNING: USE OF THE UTILITY DOWNGRADES THE STRENGTH OF YOUR SECURITY. IT CAN ALLOW AN UNOFFICIAL ACE/SERVER RESPONSE TO BE SENT TO YOUR ACE/AGENT. IT SHOULD ONLY BE USED WHERE AN UPGRADE IS NOT POSSIBLE.
The utility, which runs on an NT or W2K machine, converts an sdconf.rec file for a 4.1 system into an earlier version; the converted file is then placed on the ACE/Agent beyond the firewall. Where ACE/Server 5.0 is already in use, the sdconf.rec file to convert is the one the ACE/Server has produced for the legacy agent.
The utility is available for download from SecurCare Online as a password-protected ZIP file; the password to unlock the ZIP file is Pj4c8n7T5.
|Legacy Article ID||a2491|