|Applies To||RSA ACE/Server|
UNIX (AIX, HP-UX, Solaris)
Sun Solaris / SPARC
A node verification failure occurs when a user tries to authenticate to a client machine that has a missing key, and/or when the "sent node secret" box for the client is unchecked although the node secret has already been sent. The securid file (aka the node secret) is created and sent when the authentication is successful. The node secret is a string of pseudorandom data known only to the client and the ACE/Server. The securid file resides on the client machine in the ace/data directory. An important component of this file is the correct IP address of the client machine.
|Issue||How to successfully authenticate users via RSA ACE/Server on UNIX when using Network Address Translation (NAT)|
Users unable to authenticate
Error: "Node verification failed" in ACE/Server logs
When a user tries to authenticate to a SecurID-protected resource, a node verification failure citing the NAT (Network Address Translation) address appears in the ACE/Server log monitor.
|Cause||The NAT address was not placed in the /etc/hosts file on the master ACE/Server.|
The NAT address was not placed in the secondary nodes of the client.
|Resolution||SCOL link to PDF for AM 7.1 NAT: https://knowledge.rsasecurity.com/patches/attach/a2752_IPAlias.pdf|
In an environment not using NAT, the ACE/Server administrator would simply use the administration utility to add a client machine to the database, activate a user on that machine, and then successfully authenticate to the client.
In an environment where NAT is being used, a dummy name must be given to the NAT address and placed, together with the IP address, in the /etc/hosts file as well as in the secondary nodes. Remove the securid file (if it exists) from the client's /ace/data directory and attempt to authenticate. This will create and send the correct securid file, so that users can authenticate and the node verification failures stop.
|Notes||ace/server ace/agent sdadmind|
|Legacy Article ID||6.0.1135693.2722507|
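
The master-side precondition from the Resolution above, as an added example that is not part of the original article and is not RSA tooling: a shell function that confirms the NAT address is listed in the hosts file under the chosen dummy name, and flags a dummy name that already belongs to another address. The function names, addresses (documentation ranges) and host names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not RSA tooling). Checks the master-side precondition from the
# Resolution: the NAT address must appear in the hosts file under a dummy name.

# check_nat_host NAT_IP DUMMY_NAME [HOSTS_FILE]
# Prints one status word; exit 0 = ok, 1 = missing, 2 = wrong-name, 3 = name-clash.
check_nat_host() {
    awk -v ip="$1" -v name="$2" '
        { sub(/#.*/, "") }                      # drop comments
        NF < 2 { next }                         # blank or address-only line
        {
            mine = (($1 "") == ip)              # force string comparison
            if (mine) seen = 1
            for (i = 2; i <= NF; i++)
                if ($i == name) { if (mine) found = 1; else clash = $1 }
        }
        END {
            if (clash != "") { print "name-clash:" clash; exit 3 }
            if (found)       { print "ok"; exit 0 }
            if (seen)        { print "wrong-name"; exit 2 }
            print "missing"; exit 1
        }' "${3:-/etc/hosts}"
}

# write_sample_hosts FILE: constructed sample data; addresses are from
# documentation ranges and the names are hypothetical.
write_sample_hosts() {
    cat > "$1" <<'EOF'
127.0.0.1      localhost
192.0.2.10     aceprimary        # master ACE/Server
203.0.113.25   natclient1        # NAT address of agent host, dummy name
198.51.100.7   other-gw  # natclient2 is only in this comment
EOF
}

# Demo: run stand-alone to see each outcome against the sample file.
sample="${TMPDIR:-/tmp}/hosts.sample.$$"
write_sample_hosts "$sample"
for pair in "203.0.113.25 natclient1" "203.0.113.25 natclient9" \
            "203.0.113.99 natclient3" "203.0.113.99 aceprimary"; do
    set -- $pair
    printf '%s %s -> %s\n' "$1" "$2" "$(check_nat_host "$1" "$2" "$sample" || true)"
done
rm -f "$sample"
```

Called with only the address and the dummy name, the function reads /etc/hosts; any status other than `ok` means the hosts entry should be corrected before the securid file is removed and authentication is retried.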