000029015 - Using an IP address override to fix an initial authentication failures with RSA Authentication Manager when the error Authentication Method Failed displays

Document created by RSA Customer Support Employee on Sep 6, 2017Last modified by RSA Customer Support on Jun 29, 2018
Version 6Show Document
  • View in full screen mode

Article Content

Article Number000029015
Applies ToRSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 7.1, 8.x
  • Authentication from a specific agent is failing.  
  • On the agent side, Error 13002 may display for a Windows agent.  
  • In the authentication activity log, the result is Authentication method failed:

Description: User “<user ID>" attempted to authenticate using authenticator “SecurID_Native”.  
             The user belongs to security domain “<security domain>”
Result Key: Failure
Result:     Authentication method failed
CauseThis is a classic SecurID problem, compounded by RSA terminology that is less than intuitive.  You have not yet successfully authenticated from this agent, which means the node secret  - a symmetric encryption key - used between the agent and the Authentication Manager server has not yet been created.

Before the node secret is created, the initial encryption algorithm uses the agent's IP address to complete the authentication request.  The agent encrypts the authentication request with its' primary IP address, but with so many IP addresses assigned to ethernet and wireless interfaces this becomes a percentage thing.  What you think is the agent's primary IP address might not be what the agent selects when running the RSA authentication agent software.

Customer Support seen many instances where a secondary IP address was used, either from a multihomed agent or from a second Network Interface Card (NIC), such as wireless or sometimes the management IP address for VPN type devices.  The problem arises when the Authentication Manager server tries to decrypt the authentication request with what it believes is the primary IP address for that agent, as defined in the agent host record in the Security Console  under Access > Authentication Agents.  It is this encryption and decryption with different IP addresses that causes every passcode to be incorrect.

The IP address override option forces the agent to encrypt with a specific IP address; thereby, not allowing the agent to choose its own primary IP for the initial RSA agent encryption.
ResolutionAs shown in the example below, the IP address entered for the IP Address Override on the agent in the RSA Control Center is (at left).  This matches the IP Address value for the authentication agent entry in the Security Console (at right).

Alternatively, create a text file named sdopts.rec that is saved on the agent to the same directory as the sdconf.rec file, with an entry like this:

WorkaroundIf authentications continue to fail,
  1. Get a list of all known IP addresses for the agent. 
  2. Navigate to Access > Authentication Agents > Manage Existing.
  3. Enter an IP address from the list into the IP Address field (not the Alternate IP Address field) in the agent record and click Save. 
  4. With the Authentication Activity Monitor open, test authentication from the agent.  Repeat this process until authentication is successful.

NotesThe output below is from the/opt/rsa/am/server/logs/imsTrace.log where the Authentication Manager server log level is set to Verbose.  The information comes from a user named John Doe (jdoe) using an agent that encrypted the authentication request using IP address, which does not match the IP in the agent record entry in the Security Console, so the method returned the error response shown in red:
2014-11-06 03:11:21,336, [AgentProtocolServer Core Thread #1], (MethodLoginHandler.java:80), trace.com.rsa.ims.authn.HandlerBase,  DEBUG, server.domain.com,,,,Method returned response AuthenticationContextImpl[brokerState=in_progress,methodState=<null>,sessionCtx=<null>, methodAuthenticationState=failed,netAddress=/,agent=<null>,zombieSession=false,authenticationState=<null>,requestHiddenParameters=<null>, principalId=<UserID>,usingTransientSession=true,desiredPolicyGuid=<null>,session=[SessionImpl id=21d8364be087a8c01ba5db0ecc58294b-NypsV/e4UfaC  creationTime=1415243481202 principal=null],identitySourceGui2014-11-06 03:11:21,336, [AgentProtocolServer Core Thread #1], (MethodLoginHandler.java:80), trace.com.rsa.ims.authn.HandlerBase, DEBUG, server.domain.com,,,,Method returned response AuthenticationContextImpl[brokerState=in_progress,methodState=<null>,sessionCtx=<null>, methodAuthenticationState=failed,netAddress=/,agend=<null>,principalGuid=<null>,authenticationPolicy=<null>,directRequest=true, sessionChoiceAction=0,newAuthInfo=<null>,emergencyAuthentication=false,responsePromptParameters=<null>,principal=Principal{key=cfd637f1649d658e1b971b145b355ef5,  userID='jdoe', firstName='John', middleName='null', lastName='Doe', email='null', beginDate=null, inactiveDate=null, lastLogin= Wed Nov 05 18:36:02 UTC 2014, certDN='', description='null', password='*****', enabled=true, identitySource=000000000000000000001000d0011000,  securityDomain=f635a137649d658e1c695fcc81207ce9, identitySourceKey='cfbb6e4b649d658e1b9716a998c953a4', rowVersion=294, lastUpdatedBy='admin',  lastUpdatedOn=Thu Oct 30 19:24:45 UTC 2014, startDate=Fri Oct 17 16:22:00 UTC 2014, expirationDate=null, registrationFlag=true, impersonatableFlag=false, ] impersonatorFlag=false, failPasswordCount=0, failPasswordDate=null, changePasswordFlag=true, changePasswordDate=Fri Oct 17 16:23:32 UTC 2014, lockoutFlag=false,  expireLockoutDate=null, attributes=null, authenticators=[ 0, 3 ], administrator=false, securityQuestionsAnswers=null, securityQuestionsRequiredAuthn=3,  securityQuestionsRequiredReg=5, securityQuestionsLocaleLanguage=null, securityQuestionsLocaleCountry=null, securityQuestionsLocaleVariant=null,  firstRBAuthenticationDate=null, lastUsedSecondaryAuth=-1},agentDetails=Agent [ID: 068e2d24649d658e1b0a1afe3147c7ba, name: <agent name>, address:,  type: 7, security domain ID: f635a137649d658e1c695fcc81207ce9],userDetails=<null>,authnPolicyDetails=<null>,credentialValidation=false,message=<null>, transactionContext=<null>,step=<null>,sessionId=21d8364be087a8c01ba5db0ecc58294b-NypsV/e4UfaC,desiredAuthenticationMethodId=SecurID_Native, authenticator=com.rsa.ims.admin.Authenticator@1b3ea794,gradedAuthenticationRequest=false,emergencyAuthenticationRequest=false,responseHiddenParameters= [ObjectParameter[promptKey=SecurID_WpCodes,value=,masked=false,helpObject=<null>], ObjectParameter[promptKey=SecurID_AuthenticationMode,value=100, masked=false,helpObject=<null>]]]