Applies To:
  RSA Product Set: SecurID
  RSA Product/Service Type: Authentication Manager
  RSA Version/Condition: 7.1, 8.x
Issue: Authentication to one specific agent fails. On a Windows agent, "Error 13002" may be displayed.
In the Authentication Manager authentication activity log, the entry reads "authentication method failed".
Cause: This is a classic SecurID problem, compounded by RSA terminology that is less than intuitive. No authentication from this agent has ever succeeded, which means the node secret (the symmetric encryption key shared between the agent and the Authentication Manager server) has not yet been created. To correct the issue,
Until the node secret exists, the initial encryption of the authentication request is keyed from the agent's IP address. The agent encrypts the request with whatever it considers its primary IP address. It can never use its NATted address, because the agent has no way of knowing what that is. In practice we have also seen plenty of cases where the agent picked a secondary address instead: a second NIC, a wireless interface, or the management IP of a VPN appliance. The failure occurs on the Authentication Manager side: the server decrypts the request using the primary IP address defined in the agent host record, not the address the agent actually chose. In the trace in the Notes below, 192.168.1.19 is the real IP address of the agent, and 10.42.46.31 is the NATted address that appears as the source of every packet arriving at the Authentication Manager server, so the two sides are keying from different addresses.
The less than clearly named IP address override setting on the agent forces it to encrypt with the specific IP address you configure, rather than letting the agent choose its own primary IP. Setting the override to the address in the agent host record (10.42.46.31 in this case) makes the agent and the server derive the same initial key, which is what allows the first authentication, and therefore the node secret exchange, to succeed.
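The following Python model, added to this article and not part of RSA's software or documentation, illustrates the mismatch described above. It is deliberately simplified: the real agent protocol, cipher and key derivation are not public here, so HMAC-SHA256 keyed from the IP string, the request layout, the user name "jdoe" and the function names are all assumptions. The only property it shares with the real exchange is the one that matters for this article: before a node secret exists, the agent keys from the address it picks itself, while the server keys from the address in the agent host record and ignores the packet's source address. The two addresses are the ones from the trace.

```python
"""Simplified model of the pre-node-secret SecurID authentication exchange.

Added illustration, not RSA's protocol or code. Key derivation, message
format and names are assumptions; only the keying asymmetry is the point.
"""
import hashlib
import hmac
from typing import Dict, Optional

# Addresses from the article's trace: the agent's real primary IP and the
# NATted address the Authentication Manager server sees on the wire.
AGENT_PRIMARY_IP = "192.168.1.19"
NATTED_IP = "10.42.46.31"


def derive_initial_key(ip_address: str) -> bytes:
    """Assumed stand-in for the initial key: derived from nothing but an IP."""
    return hashlib.sha256(b"initial-key:" + ip_address.encode()).digest()


def agent_build_request(user: str, primary_ip: str,
                        ip_override: Optional[str] = None) -> Dict[str, bytes]:
    """Agent side. Keys the request from its own primary IP unless the
    IP address override pins a specific address. The keying IP itself is
    never sent, which is why the server cannot simply read it off the wire."""
    key_ip = ip_override if ip_override else primary_ip
    body = ("user=%s;authn=securid" % user).encode()
    tag = hmac.new(derive_initial_key(key_ip), body, hashlib.sha256).digest()
    return {"body": body, "tag": tag}


def server_verify(request: Dict[str, bytes], host_record_ip: str,
                  packet_source_ip: str) -> bool:
    """Server side. Keys from the IP in the agent host record. The packet's
    source address is accepted as a parameter only to make explicit that it
    plays no part in the decryption."""
    del packet_source_ip  # deliberately unused, as in the article's description
    expected = hmac.new(derive_initial_key(host_record_ip),
                        request["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, request["tag"])


def diagnose(agent_primary_ip: str, host_record_ip: str,
             ip_override: Optional[str] = None) -> str:
    """Runs one first-time authentication attempt through both sides and
    returns the outcome the activity log would show."""
    req = agent_build_request("jdoe", agent_primary_ip, ip_override)
    # Every packet reaching the server carries the NATted source address.
    if server_verify(req, host_record_ip, packet_source_ip=NATTED_IP):
        return "ok"
    return "authentication method failed"


if __name__ == "__main__":
    # Broken: agent keys from 192.168.1.19, host record says 10.42.46.31.
    print("no override:  ", diagnose(AGENT_PRIMARY_IP, NATTED_IP))
    # Fixed by the IP address override pinning the host-record address.
    print("with override:", diagnose(AGENT_PRIMARY_IP, NATTED_IP, NATTED_IP))
    # Also fine when the host record holds the agent's real address.
    print("record fixed: ", diagnose(AGENT_PRIMARY_IP, AGENT_PRIMARY_IP))
```

The two fixes the model exercises correspond to the two real options: set the agent's IP address override to the address the host record holds, or correct the host record to the address the agent actually keys from. Either way the check is the same: the address the agent encrypts with must equal the address in the agent host record, regardless of what source address the server sees on the packet.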
Notes: Output from /opt/rsa/am/server/logs/imsTrace.log with the log level set to verbose:
2014-11-06 03:11:21,336, [AgentProtocolServer Core Thread #1], (MethodLoginHandler.java:80), trace.com.rsa.ims.authn.HandlerBase,