000026218 - How to successfully authenticate users via RSA ACE/Server on UNIX when using Network Address Translation (NAT)

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000026218
Applies To: RSA ACE/Server
UNIX (AIX, HP-UX, Solaris)
Sun Solaris / SPARC
A node verification failure occurs when the node secret held by the client (the agent host) does not match what the ACE/Server expects: the client is missing its node secret file, or the "Sent Node Secret" box for the client is unchecked in the ACE/Server database even though a node secret has already been sent to that client. The securid file (the node secret) is created and sent to the client on the first successful authentication. The node secret is a string of pseudorandom data known only to the client and the ACE/Server, and it resides on the client machine in the ace/data directory. The file is bound to the IP address of the client machine, so the address the ACE/Server sees for the client must be the one recorded for it.
Issue: How to successfully authenticate users via RSA ACE/Server on UNIX when using Network Address Translation (NAT)
Users are unable to authenticate.
Error: "Node verification failed" in the ACE/Server logs.
When a user tries to authenticate to a SecurID-protected resource, a node verification failure that names the NAT (Network Address Translation) address, rather than the client's own address, appears in the ACE/Server log monitor.
Cause: The NAT address was not added to the /etc/hosts file on the master ACE/Server.
The NAT address was not added as a secondary node of the client record in the ACE/Server database.
Resolution: SCOL link to the PDF for AM 7.1 NAT (IP alias) configuration: https://knowledge.rsasecurity.com/patches/attach/a2752_IPAlias.pdf
In an environment not using NAT, the ACE/Server administrator simply uses the administration utility to add the client machine to the database, activates a user on that client, and then authenticates successfully to the client.

In an environment where NAT is used, give the NAT address a dummy host name and add that name with the NAT address to the /etc/hosts file on the master ACE/Server; then add the NAT address as a secondary node of the client record in the ACE/Server database. Remove the securid file (if it exists) from the client's /ace/data directory, make sure the "Sent Node Secret" box for that client is cleared so the server will issue a new secret rather than expecting the old one, and attempt to authenticate. The first successful authentication creates and sends a correct securid file, after which users can authenticate and the node verification failures stop.
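The checks below are an added example for the procedure above and are not part of the RSA article or of any RSA product. They assume a POSIX shell, that the agent's node secret lives under the directory named by VAR_ACE (defaulting to /ace/data as in the article), and a constructed NAT address 192.0.2.10 with the dummy name natclient1; nothing here touches the ACE/Server database, so the secondary-node entry still has to be added with the administration utility.

```shell
#!/bin/sh
# Added example (not from the RSA article): pre-checks for the NAT node
# verification fix on a UNIX ACE/Server or ACE/Agent host.
# Assumptions: VAR_ACE points at the ace/data directory (default /ace/data);
# 192.0.2.10 and natclient1 are a constructed NAT address and dummy name.

# Return 0 and print the host name if HOSTS_FILE maps NAT_IP to a name,
# ignoring comments. A NAT address that is absent, or present with no
# name, returns 1: that is the condition described under Cause.
nat_alias_in_hosts() {
    hosts_file=$1
    nat_ip=$2
    awk -v ip="$nat_ip" '
        { sub(/#.*/, "") }                        # drop trailing comments
        $1 == ip && NF >= 2 { print $2; found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$hosts_file"
}

# Print the /etc/hosts line to add on the master ACE/Server for the NAT
# address and its dummy name (address, tab, name).
hosts_line_for_nat() {
    printf '%s\t%s\n' "$1" "$2"
}

# Remove a stale node secret so the server sends a fresh one on the next
# successful authentication. Prints what it did and returns 0 either way.
# Remember to also clear the client's "Sent Node Secret" box in the
# administration utility, or the server will keep expecting the old secret.
clear_node_secret() {
    data_dir=${1:-${VAR_ACE:-/ace/data}}
    if [ -f "$data_dir/securid" ]; then
        rm -f "$data_dir/securid"
        echo "removed $data_dir/securid"
    else
        echo "no securid file in $data_dir"
    fi
}

# Usage on the master ACE/Server:  sh nat_check.sh --check 192.0.2.10
if [ "${1:-}" = "--check" ]; then
    if name=$(nat_alias_in_hosts /etc/hosts "$2"); then
        echo "NAT address $2 is named $name in /etc/hosts"
    else
        echo "add this line to /etc/hosts on the master ACE/Server:"
        hosts_line_for_nat "$2" natclient1
    fi
fi
```

Run the script with `--check <NAT address>` on the master ACE/Server before touching the client; once the hosts entry and the secondary node are in place, run `clear_node_secret` on the client host (as the agent user, with VAR_ACE set if the data directory is not /ace/data) and authenticate once to have a new securid file issued.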
Notes: ace/server, ace/agent, sdadmind
Legacy Article ID: 6.0.1135693.2722507