000012163 - Resolving a node secret mismatch for RSA RADIUS server when authenticating to an RSA Authentication Manager

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000012163
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 3.0, 7.1
 
Issue: RADIUS authentications to Authentication Manager fail. The error message in the authentication activity logs is:
 
Node Secret Mismatch
Resolution: The easiest way to resolve the node secret mismatch is to delete the RADIUS server through the Operations Console and re-add it.
Note that if there are replica RADIUS servers, a large number of RADIUS clients and/or RADIUS profiles, and if the problematic server is the primary, this process may not be feasible.  

RSA SecurID Appliance or Unix server


  1. Login to the primary Authentication Manager's Security Console.
  2. Select: Access > Authentication Agents > Manage Existing.
  3. Click on the entry for the problematic RADIUS server and select Manage Node Secret.
  4. Check the option of Clear Node Secret.
  5. When prompted, check the option to Create a new random node secret, and export the node secret to a file.
  6. Create a password then click Save to begin downloading the zip file. 
  7. Open the zip file to find a file named nodesecret.rec.
  8. Review the documentation on loading a new node secret for steps on how to use the agent_nsload utility to extract the node secret file and store it appropriately.  You can also extract it to another system with an RSA Authentication Agent on it (such as the RSA Authentication Agent for Windows), but be sure you back up that system's node secret first.  The file should be named securid, with no file extension.  
  9. Using the documentation mentioned above, use the agent_nsload utility to create the securid file, which is the extracted node secret.  
  10. Since this is an RSA SecurID Appliance, use WinSCP to copy the securid file to /tmp.
  11. Using SSH, login as emcsrv and sudo su to root.
  12. Check the /usr/local/RSASecurity/RSAAuthenticationManager/radius directory to see if there are existing securid or sdstatus.12 files.  If there are, rename them to securid.old and sdstatus.12.old to back them up.
  13. Copy the securid file from /tmp to /usr/local/RSASecurity/RSAAuthenticationManager/radius and change its file permissions:
chmod 777 securid

  14. From the Operations Console, navigate to Deployment Configuration > RADIUS Servers.
  15. Click on the primary RADIUS server and select Restart Server.
  16. Check the Yes, restart RADIUS server option and click the Restart Server button.
  17. When the RADIUS server is restarted, test authentication again.
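Steps 12 and 13 of the appliance procedure as a small shell function, added here as an example and not part of the RSA article or product. It checks that the extracted secret is a non-empty file named exactly securid, renames any existing securid and sdstatus.12 files to .old without overwriting an earlier backup, then copies the new file in and sets its mode; the RADIUS directory and mode are parameters (defaulting to the article's chmod 777) so the function can be exercised in a scratch directory before it is run as root in /usr/local/RSASecurity/RSAAuthenticationManager/radius.

```shell
# install_node_secret SRC RADIUS_DIR [MODE]
# Example code written for this article, not an RSA utility.
install_node_secret() {
    src="$1"
    dir="$2"
    mode="${3:-777}"   # the chmod value the article specifies

    # The node secret produced by agent_nsload must be a non-empty file
    # named exactly "securid" with no extension.
    [ -s "$src" ] || { echo "node secret '$src' missing or empty" >&2; return 1; }
    [ "$(basename "$src")" = "securid" ] || {
        echo "node secret must be named 'securid' with no file extension" >&2; return 1; }
    [ -d "$dir" ] || { echo "RADIUS directory '$dir' not found" >&2; return 1; }

    # Step 12: back up existing files by renaming them to .old.
    # Refuse to run if a previous .old backup would be clobbered, and check
    # both files before moving either so a failure leaves nothing half done.
    for f in securid sdstatus.12; do
        if [ -e "$dir/$f" ] && [ -e "$dir/$f.old" ]; then
            echo "backup '$dir/$f.old' already exists; move it aside before re-running" >&2
            return 1
        fi
    done
    for f in securid sdstatus.12; do
        [ -e "$dir/$f" ] && mv "$dir/$f" "$dir/$f.old"
    done

    # Step 13: copy the new secret into place and set its permissions.
    cp "$src" "$dir/securid" && chmod "$mode" "$dir/securid"
}
```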
 

Windows


  1. Login to the primary Authentication Manager's Security Console.
  2. Select: Access > Authentication Agents > Manage Existing.
  3. Click on the entry for the problematic RADIUS server and select Manage Node Secret.
  4. Check the option of Clear Node Secret.
  5. When prompted, check the option to Create a new random node secret, and export the node secret to a file.
  6. Create a password then click Save to begin downloading the zip file. 
  7. Open the zip file to find a file named nodesecret.rec.
  8. Review the documentation on loading a new node secret for steps on how to use the agent_nsload utility to extract the node secret file and store it appropriately.  You can also extract it to another system with an RSA Authentication Agent on it (such as the RSA Authentication Agent for Windows), but be sure you back up that system's node secret first.  The file should be named securid, with no file extension.  
  9. Using the documentation mentioned above, use the agent_nsload utility to create the securid file, which is the extracted node secret.  
  10. Copy the securid file to C:\Temp.
  11. Using SSH, login as emcsrv and sudo su to root.
  12. Check the C:\Program Files\RSA Security\RSA Authentication Manager\radius directory to see if there are existing securid or sdstatus.12 files.  If there are, rename them to securid.old and sdstatus.12.old to back them up.
  13. Copy the securid file from C:\Temp to C:\Program Files\RSA Security\RSA Authentication Manager\radius.
  14. Check file permissions.  They need to be read, write, execute for everyone.
  15. From the Operations Console, navigate to Deployment Configuration > RADIUS Servers.
  16. Click on the primary RADIUS server and select Restart Server.
  17. Check the Yes, restart RADIUS server option and click the Restart Server button.
  18. When the RADIUS server is restarted, test authentication again.
Legacy Article ID: a52212
