000025194 - Error: 'Node verification failed' in ACE/Server activity monitor while authenticating with Replica using TACACS+

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000025194
Applies To: RSA ACE/Server
Primary and Replica
TACACS+
Issue: Error: "Node verification failed" in ACE/Server activity monitor while authenticating with Replica using TACACS+
Primary and Replica servers authenticate with SecurID
Stopped the Primary server; Replica server authenticates using sdshell
Cause: The TACACS or RADIUS daemon caches the node secret. If the node secret is changed, TACACS or RADIUS keeps using the old node secret until the daemon is restarted. So even though sdshell authenticates with the new SecurID file, authentication through TACACS+ or RADIUS fails.

Patch 3 generates a new node secret each time the node secret is cleared. RADIUS or TACACS keeps using the node secret held in its cache, which causes the node verification failure. To clear the cached node secret, stop and start the RADIUS or TACACS daemon.
Resolution:

A. If the Master server is not authenticating using TACACS:

  1. Verify if local authentication is working.
  2. Verify if _sdtacplusd is running on the Master server.

      ps -ef | grep tac
  
  3. If TACACS is not running, start the TACACS daemon.

     #cd ace/prog
     #./_sdtacplusd start

  4. If any changes are made in sdtacplus.cfg, run the following command to update the daemon with the new information.
     #./_sdtacplusd -C sdtacplus.cfg   [The command starts with an underscore]

  5. Run ps -ef | grep tac

      Example output:

      root 18798     1  0 14:52:47 pts/5    0:00 _sdxtacacsd -s -csdtacacs.cfg ( extended tacacs is not required)
      root 18800     1  0 14:52:47 pts/5    0:00 _sdtacplusd -Csdtacplus.cfg -d16383

      Note:
      a. The first line indicates the presence of extended TACACS using 49/udp on the machine.
      b. The second line indicates the _sdtacplusd daemon running using 49/tcp. The -d16383 in the second line is the debug level
          specified in the sdtacplus.arg file.
      c. Although extended TACACS is not supported by RSA Security, both _sdxtacacsd and _sdtacplusd can be running on
          the same machine.
      d. It is not necessary to run extended TACACS; if it is not running, the first line in the above output does not appear.

B. If the Slave server is not authenticating using TACACS:

  1. The Slave server must be added as a client on the Master server. Authenticate from the Slave.
  2. This creates a node secret (SecurID) file on the Slave.
  3. Stop the Master server.
  4. Verify if _sdtacplusd is running on the Slave server.
  5. Try authentication against the Slave using TACACS+ from a router. This confirms that the Slave server authenticates as backup.
  6. If the TACACS daemon is not started, start and update it with the following:

      #cd ace/prog
      #./_sdtacplusd start
      #cd ace/data
      #./_sdtacplusd -C sdtacplus.cfg   [The command starts with an underscore]
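As an added example (not part of the RSA article and not an RSA-supplied tool), the following POSIX shell script carries out the check from steps A.2, A.5 and B.4 and the stop/start described under Cause. It parses ps -ef output to report whether _sdtacplusd is running, its PID and its -d debug level, distinguishing it from the extended TACACS daemon _sdxtacacsd. The ACE_PROG and ACE_DATA paths, the use of a plain kill to stop the daemon, and the sample ps lines (constructed to match the example output above) are assumptions, not taken from the article.

```shell
#!/bin/sh
# Added example, not RSA-supplied tooling. Checks the ACE/Server TACACS+
# daemon from 'ps -ef' output and, if asked, stops and starts it so the
# cached node secret is discarded (see Cause above).

# Assumed install layout (adjust for your host): binaries in ace/prog,
# sdtacplus.cfg in ace/data.
ACE_PROG="${ACE_PROG:-$HOME/ace/prog}"
ACE_DATA="${ACE_DATA:-$HOME/ace/data}"

# Constructed sample modelled on the article's example output; not captured from a host.
SAMPLE_PS='root 18798     1  0 14:52:47 pts/5    0:00 _sdxtacacsd -s -csdtacacs.cfg
root 18800     1  0 14:52:47 pts/5    0:00 _sdtacplusd -Csdtacplus.cfg -d16383'

# tacplus_status PS_TEXT
# Prints "running <pid> <debuglevel>" (debuglevel "none" if no -d flag) or "stopped".
# The daemon name is matched as a whole field, so _sdxtacacsd (extended
# TACACS, 49/udp) is never mistaken for _sdtacplusd (TACACS+, 49/tcp).
tacplus_status() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "_sdtacplusd") {
                    dbg = "none"
                    for (j = i + 1; j <= NF; j++)
                        if ($j ~ /^-d[0-9]+$/) dbg = substr($j, 3)
                    print "running " $2 " " dbg
                    found = 1
                    exit
                }
            }
        }
        END { if (!found) print "stopped" }'
}

# tacplus_restart
# Stops a running _sdtacplusd by PID, starts it again, then reloads
# sdtacplus.cfg with -C as in steps A.3/A.4. Not exercised by the sample
# run below because it needs a real ACE/Server install.
tacplus_restart() {
    state=$(tacplus_status "$(ps -ef)")
    case "$state" in
        running*)
            # Assumption: a plain SIGTERM is enough to stop the daemon.
            kill "$(printf '%s' "$state" | cut -d' ' -f2)"
            sleep 2
            ;;
    esac
    (cd "$ACE_PROG" && ./_sdtacplusd start && ./_sdtacplusd -C "$ACE_DATA/sdtacplus.cfg")
}

# Stand-alone run against the constructed sample.
tacplus_status "$SAMPLE_PS"
```

Run tacplus_status "$(ps -ef)" on the Master or Slave to perform the check from step A.2 or B.4; a result of "stopped" means the daemon must be started (step A.3 or B.6), and after a node secret change tacplus_restart performs the stop/start that clears the cached secret.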
Legacy Article ID: a3079
