000011593 - Appliance performing cross realm with min/max port enabled through firewall is not enabled by default

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000011593
Applies To: SecurID Appliance 3.0, Redhat Linux Rpath, Cross Realm, minport, maxport, firewall, Authentication Manager 7.1
Issue: Appliance 3.0 performing cross realm authentication with a min/max port range configured.

Errors you would see in the log if you did not have the iptables rule in place:

audit.runtime.com.rsa.authmgr.internal.protocol.ace.crossrealm.remote.b,ERROR
"AUTHN_METHOD_FAILED"
"XR Passcode Accepted"

Cross realm authentication only works in one direction after a port range has been specified: the realm whose firewall has not been opened for that range cannot accept the incoming cross realm traffic, while requests in the other direction still succeed.

Cause: By default no min/max range is configured, so cross realm uses random ports that the Appliance firewall (iptables) blocks. Once a range is configured, the ports in that range still have to be opened explicitly: the stock rules have an INPUT policy of DROP and accept only the listed service ports, so anything sent to the new range is dropped until rules are added for it.
Resolution

Configure a fixed min/max port range for cross realm, then modify iptables to allow the ports in that range.

The range is set with rsautil from RSAHOME/utils (this example uses 10000 through 10011):

./rsautil store -a add_config auth_manager.cross_realm.min_port 10000 Global 501

./rsautil store -a add_config auth_manager.cross_realm.max_port 10011 Global 501

This will allow this server to use ports 10000 through 10011 for cross realm. The same range must be allowed on any network firewall between the realms (which is the point of pinning the range instead of leaving it random), and the iptables change below is needed on each server that receives cross realm requests, otherwise authentication keeps working in one direction only.


The rules on a stock Appliance (the iptables file under etc/sysconfig) are reproduced at the end of this article for reference.

We need to add the range 10000 - 10011 in this example, one ACCEPT rule per UDP port, to the RSA-INPUT chain alongside the existing service port rules (before the COMMIT line, not after it). Reload iptables afterwards so the new rules take effect.

 

#Example:

#--------------------------------------------------------------------------------------------

-A RSA-INPUT -p udp -m udp --dport 10000 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 10001 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 10002 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 10003 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 10004 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 10005 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 10006 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 10007 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 10008 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 10009 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 10010 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 10011 -j ACCEPT

#---------------------------------------------------------------------------------------------
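The procedure above (set the range with rsautil, then open the same ports in iptables) is easy to get half right: one port left out, or rules pasted after COMMIT where iptables-restore ignores them, leaves the range partly blocked and reproduces the one-way symptom. The following shell script is an added example, not RSA's code and not part of this article's original procedure: it generates the per-port rules in the style above (or a single start:end rule, which iptables --dport also accepts), inserts them before the COMMIT line of the rule file, and checks that every port in the min/max range is covered by an uncommented UDP ACCEPT rule. The function names, the constructed sample rule file and the port range are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not RSA's own code: generate, insert and verify the iptables
# rules for a cross-realm min/max port range. Assumes the file uses the
# RSA-INPUT chain and COMMIT line shown in this article; paths/ports are inputs.

# One UDP ACCEPT rule per port in MIN..MAX, in the article's style.
gen_rules() {
    p=$1
    while [ "$p" -le "$2" ]; do
        echo "-A RSA-INPUT -p udp -m udp --dport $p -j ACCEPT"
        p=$((p + 1))
    done
}

# The same range as a single rule (iptables --dport accepts start:end).
gen_range_rule() {
    echo "-A RSA-INPUT -p udp -m udp --dport $1:$2 -j ACCEPT"
}

# Exit 0 if an uncommented UDP ACCEPT rule in FILE covers PORT, 1 otherwise.
# Handles both the --dport N and the --dport N:M forms.
port_covered() {
    awk -v port="$2" '
        BEGIN { port = port + 0 }
        /^-A RSA-INPUT / && /-p udp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++) if ($i == "--dport") {
                n = split($(i + 1), r, ":")
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
                if (port >= lo && port <= hi) { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# Print every port in MIN..MAX that FILE does not accept; exit 1 if any.
missing_ports() {
    p=$2; rc=0
    while [ "$p" -le "$3" ]; do
        port_covered "$1" "$p" || { echo "$p"; rc=1; }
        p=$((p + 1))
    done
    return $rc
}

# Insert the per-port rules into FILE just before its COMMIT line, next to
# the stock rules, rather than appending after COMMIT (which would be ignored).
add_rules() {
    rules="$1.rules.$$"; out="$1.new.$$"
    gen_rules "$2" "$3" > "$rules"
    awk -v rules="$rules" '
        /^COMMIT/ && !done { while ((getline l < rules) > 0) print l; done = 1 }
        { print }' "$1" > "$out" && mv "$out" "$1"
    rm -f "$rules"
}

# Constructed sample in the layout of the stock Appliance file (not the real
# file); prints its path. The commented-out rule must not count as coverage.
make_sample_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
:INPUT DROP
:FORWARD DROP
:RSA-INPUT - [0:0]
-A INPUT -j RSA-INPUT
-A RSA-INPUT -i lo -j ACCEPT
-A RSA-INPUT -p udp -m udp --dport 5500 -j ACCEPT
-A RSA-INPUT -p tcp -m tcp --dport 7002 -j ACCEPT
-A RSA-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#-A RSA-INPUT -p udp -m udp --dport 10000 -j ACCEPT
COMMIT
EOF
    echo "$f"
}

# Walk-through on the sample: all 12 ports missing, then none after add_rules.
f=$(make_sample_file)
echo "missing before:"; missing_ports "$f" 10000 10011 || echo "range not fully open"
add_rules "$f" 10000 10011
echo "missing after:";  missing_ports "$f" 10000 10011 && echo "(none, range is open)"
rm -f "$f"
```

Point it at a copy of the real rule file instead of the constructed sample, then reload iptables; the coverage check understands both the per-port form used in this article and the start:end form, so it also validates a file someone has already hand-edited.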

 

 

 

 

For reference, this is what the iptables file looks like on a stock Appliance (before the cross realm rules are added):

*filter

:INPUT DROP

:FORWARD DROP

:RSA-INPUT - [0:0]

-A INPUT -j RSA-INPUT

-A FORWARD -j RSA-INPUT

-A RSA-INPUT -i lo -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 1161 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 1162 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 1645 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 1646 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 1812 -j ACCEPT

-A RSA-INPUT -p tcp -m tcp --dport 1812 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 1813 -j ACCEPT

-A RSA-INPUT -p tcp -m tcp --dport 1813 -j ACCEPT

-A RSA-INPUT -p tcp -m tcp --dport 2334 -j ACCEPT

-A RSA-INPUT -p udp -m udp --dport 5500 -j ACCEPT

-A RSA-INPUT -p tcp -m tcp --dport 5550 -j ACCEPT

-A RSA-INPUT -p tcp -m tcp --dport 5556 -j ACCEPT

-A RSA-INPUT -p tcp -m tcp --dport 5580 -j ACCEPT

-A RSA-INPUT -p tcp -m tcp --dport 7002 -j ACCEPT

-A RSA-INPUT -p tcp -m tcp --dport 7004 -j ACCEPT

-A RSA-INPUT -p tcp -m tcp --dport 7006 -j ACCEPT

-A RSA-INPUT -p tcp -m tcp --dport 7008 -j ACCEPT

-A RSA-INPUT -p tcp -m tcp --dport 7012 -j ACCEPT

-A RSA-INPUT -p tcp -m tcp --dport 7014 -j ACCEPT

-A RSA-INPUT -p tcp -m tcp --dport 7022 -j ACCEPT

-A RSA-INPUT -p tcp -m tcp --dport 7072 -j ACCEPT

-A RSA-INPUT -p tcp -m tcp --dport 7082 -j ACCEPT

 

-A RSA-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A RSA-INPUT -p tcp -m state --state new -m tcp --dport 22 -j ACCEPT

 

#-A RSA-INPUT -p udp -d 230.1.2.3 -j ACCEPT

#-A RSA-INPUT -p tcp -m tcp --dport 2234 -j ACCEPT

#-A RSA-INPUT -p tcp -m tcp --dport 7082 -j ACCEPT

#-A RSA-INPUT -p tcp -m tcp --dport 8098 -j ACCEPT

#-A RSA-INPUT -d 127.0.0.0/255.0.0.0 -i ! lo -j REJECT --reject-with icmp-port-unreachable

#-A RSA-INPUT -m limit --limit 0/min -j LOG --log-prefix "RSA SecurID Appliance firewall denied: " --log-level 7

COMMIT

Legacy Article ID: a50268
