000033521 - How to get a Cisco ACS server to work with RSA Authentication Manager 8.1.0 SP1 when sdopts.rec won't upload

Document created by RSA Customer Support Employee on Jul 13, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 4

Article Content

Article Number: 000033521
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.0 SP1
Platform: Linux
Platform (Other): Cisco Secure ACS SE versions 4.2(1) Patch 3 and later support the native RSA SecurID authentication method.
O/S Version: SUSE Linux
 
Issue

With any new agent, including the Cisco ACS server, before the node secret (the symmetric encryption key) is created, the initial authentication packets are encrypted with an algorithm that uses the primary IP address of the agent. If the agent has more than one IP address, authentication can succeed or fail unpredictably, because the primary IP address in the Authentication Manager agent record, which is used for decryption, may not be the IP address the agent used for encryption. Symptoms of this problem include:
1. The node secret does not exist yet.
2. The Real Time Authentication Monitor in the Authentication Manager Security Console shows a failure with no details, such as “User ‘<UserID>’ attempted to authenticate using authenticator "SecurID_Native". The user belongs to security domain the SystemDomain”. Authentication method failed.
(Screenshot: Real Time Authentication Monitor)
3. With /opt/rsa/am/server/logs/imsTrace.log set to verbose, the log shows the following:
   - Failed to get synchronization chunk size
   - com.rsa.common.DataNotFoundException:
   - No data for 0000-Global-0000.auth_manager.synchronization.primary_sync.chunksize.kilobytes
   - Failed to get primary retry count
 
Tasks

Use the Cisco ACS Management Interface IP address as the primary IP address of the Authentication Agent entry.

Resolution

Although uploading sdopts.rec to the Cisco ACS did not work, using the Management IP address as the primary IP address of the Authentication Agent entry has fixed this problem every time in the past.
(Screenshot: Cisco ACS sdconf.rec)
(Screenshot: Add New ACS)

Notes

An IP Address Override in SecurID forces the IP address an agent will use for the initial encryption, before the node secret is generated and sent to the agent. It is not the Authentication Manager server IP address. There are two ways to set it: through an agent interface such as the RSA Control Center on Windows agents, under Advanced Tools,
(Screenshot: LAC override)
or with a file called sdopts.rec containing a line like this:
                CLIENT_IP=10.51.2.42
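The mismatch described in this article can be checked before the node secret exists. The following is an added example, not RSA's or Cisco's code: it reads the CLIENT_IP override from sdopts.rec text, works out which address the agent will encrypt with, and compares it to the primary IP of the Authentication Manager agent record. It assumes that only the CLIENT_IP key matters, that lines starting with '#' or ';' are comments, and that the first interface address passed in is the one the agent uses by default; the sample addresses are constructed.

```python
"""Added check for the multi-homed agent problem above (not RSA's code).
Before the node secret exists the agent encrypts with its own IP while
Authentication Manager decrypts with the agent record's primary IP; this
compares the two. Assumptions: only CLIENT_IP in sdopts.rec is handled,
'#'/';' lines are comments, and the first listed interface is the one the
agent uses when no override is set."""
import ipaddress
import re

CLIENT_IP_RE = re.compile(r"^CLIENT_IP\s*=\s*(\S+)$", re.IGNORECASE)

def parse_client_ip(sdopts_text):
    """Return the last CLIENT_IP value in sdopts.rec text, or None.
    A malformed address raises ValueError instead of being ignored."""
    override = None
    for raw in sdopts_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = CLIENT_IP_RE.match(line)
        if match:
            override = str(ipaddress.ip_address(match.group(1)))
    return override

def effective_agent_ip(sdopts_text, interface_ips):
    """IP the agent will use for the initial encryption: the override if set
    (and actually present on the host), else the default first interface."""
    override = parse_client_ip(sdopts_text)
    if override is None:
        return interface_ips[0]
    if override not in interface_ips:
        raise ValueError(f"CLIENT_IP {override} is not an address on this host")
    return override

def check_agent_record(sdopts_text, interface_ips, record_primary_ip):
    """Compare the agent's effective IP with the AM agent record's primary IP
    and, on a mismatch, name the two fixes the article describes."""
    agent_ip = effective_agent_ip(sdopts_text, interface_ips)
    result = {"agent_ip": agent_ip, "record_ip": record_primary_ip, "status": "ok"}
    if agent_ip != record_primary_ip:
        result["status"] = "mismatch"
        result["fix"] = (f"set the agent record primary IP to {agent_ip}, or add "
                         f"CLIENT_IP={record_primary_ip} to sdopts.rec if it is on the host")
    return result

if __name__ == "__main__":
    # Constructed sample: ACS with management IP 10.51.2.42 and a second NIC.
    acs_ips = ["10.51.2.42", "192.0.2.10"]
    print(check_agent_record("", acs_ips, "192.0.2.10"))
```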
 
