000035558 - "Invalid authentication handle" reported by the Cisco AnyConnect client when using RSA SecurID Access Cloud Authentication Service RADIUS

Document created by RSA Customer Support Employee on Sep 19, 2017
Last modified by RSA Customer Support Employee on Sep 30, 2017
Version 6

Article Content

Article Number: 000035558
Applies To: RSA Product Set: SecurID Access
RSA Product/Service Type: Identity Router
Issue: The message "Invalid authentication handle" from a Cisco ASA means that the authentication ticket was removed before the user responded.  It may be displayed by the Cisco VPN Client or by the Cisco AnyConnect Secure Mobility Client.
It is essentially a timeout error.  It means that the RADIUS authentication response was not received by the Cisco ASA before the configured or default authentication timeout set in that product.
Cause: There are two main possibilities that could cause a timeout problem:
  • The time taken to authenticate is genuinely longer than the timeout configured for Cisco, or
  • The authentication response was not delivered to Cisco for some reason
The problem typically occurs when out-of-band authentication is used, because the default Cisco timeout of 12 seconds is not sufficient time for that type of authentication to complete.
Resolution: When configuring the Cisco ASA for RADIUS authentication with the RSA Cloud Authentication Service, make sure the timeout value is explicitly set to 120 seconds.  For more information, see:
RSA has seen the invalid authentication handle error occurring when Cisco AnyConnect is used with Cloud Authentication Service RADIUS, even when the timeouts in both the Cisco ASA and the Cisco client are already set to 120.  To fix this issue, ensure that the Cisco client profile has a ServerList HostEntry configured, as shown below.

<ServerList>
      <HostEntry>
          <HostName>label for UI</HostName>
          <HostAddress>hostname or IP address of the ASA</HostAddress>
      </HostEntry>
</ServerList>

If a ServerList HostEntry is not configured, Cisco will use a 12 second timeout no matter what the actual timeout value is set to.
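The following checker is an added example, not code from RSA or Cisco. It parses an AnyConnect client profile XML and reports whether the profile contains a complete ServerList/HostEntry (both HostName and HostAddress populated), so that the 12-second fallback described above does not apply. The element name AuthenticationTimeout under ClientInitialization is an assumption about the AnyConnect profile schema and is not stated by this article; the two sample profiles are constructed for the example.

```python
"""Check an AnyConnect client profile for the ServerList/HostEntry this KB requires.

Added example; the profile samples below are constructed, not taken from a real deployment.
"""
import xml.etree.ElementTree as ET

DEFAULT_CLIENT_TIMEOUT = 12   # seconds: the fallback the article describes
RECOMMENDED_TIMEOUT = 120     # seconds: the value the article says to set


def _local(tag):
    """Strip a namespace prefix ('{uri}Name' -> 'Name'); AnyConnect profiles are namespaced."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    """All descendants (including elem) whose local tag name matches."""
    return [c for c in elem.iter() if _local(c.tag) == name]


def check_profile(xml_text):
    """Return host entries, the configured timeout and the timeout the client would really use."""
    root = ET.fromstring(xml_text)

    entries = []
    for host in _find_all(root, "HostEntry"):
        fields = {_local(c.tag): (c.text or "").strip() for c in host}
        entries.append({"HostName": fields.get("HostName", ""),
                        "HostAddress": fields.get("HostAddress", "")})
    complete = [e for e in entries if e["HostName"] and e["HostAddress"]]

    # Assumed element name (not from the article): the client-side authentication
    # timeout lives in ClientInitialization/AuthenticationTimeout in the profile.
    configured = None
    for t in _find_all(root, "AuthenticationTimeout"):
        text = (t.text or "").strip()
        if text.isdigit():
            configured = int(text)
            break

    findings = []
    if not complete:
        # Per the article: without a HostEntry the client uses 12 s whatever is configured.
        findings.append("no complete ServerList/HostEntry: client falls back to "
                        f"{DEFAULT_CLIENT_TIMEOUT} s regardless of configured timeout")
        effective = DEFAULT_CLIENT_TIMEOUT
    else:
        effective = configured if configured is not None else DEFAULT_CLIENT_TIMEOUT

    if configured is None:
        findings.append(f"no AuthenticationTimeout set: default {DEFAULT_CLIENT_TIMEOUT} s applies")
    elif configured < RECOMMENDED_TIMEOUT:
        findings.append(f"AuthenticationTimeout {configured} s is below the recommended "
                        f"{RECOMMENDED_TIMEOUT} s for out-of-band authentication")

    return {"host_entries": entries, "configured_timeout": configured,
            "effective_timeout": effective, "findings": findings}


# Constructed sample: complete HostEntry and a 120 s timeout.
GOOD_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AuthenticationTimeout>120</AuthenticationTimeout>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
      <HostAddress>vpn.example.com</HostAddress>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed sample: timeout raised to 120 s but the HostEntry lacks HostAddress,
# which is the situation the article says still produces the 12 s fallback.
BAD_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <AuthenticationTimeout>120</AuthenticationTimeout>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>Corporate VPN</HostName>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""


if __name__ == "__main__":
    for label, profile in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        result = check_profile(profile)
        print(label, "effective timeout:", result["effective_timeout"], "s")
        for f in result["findings"]:
            print("  -", f)
```

Run it against an exported profile (the XML the ASA pushes to the client) before raising tickets about RADIUS latency: an effective timeout of 12 s with a 120 s configured value points at the missing HostEntry rather than at the ASA or the RSA Cloud Authentication Service.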
