000036447 - Authentication fails to RSA Authentication Manager 8.x with Cisco Adaptive Security Appliance 9.8 (2) using native SecurID protocol

Document created by RSA Customer Support Employee on Jul 13, 2018
Version 1

Article Content

Article Number: 000036447
Applies To:
RSA Product Set: SecurID
RSA Product: Authentication Manager
RSA Version/Condition: 8.x
Platform (Other): Cisco Adaptive Security Appliance 9.8 (2)
Issue
  • Unable to authenticate to RSA Authentication Manager 8.x servers from Cisco Adaptive Security Appliance using native SecurID protocol.
  • The software version running on the Cisco Adaptive Security Appliance is 9.8 (2).
  • The Cisco Adaptive Security Appliance command line prompt reports the error as authentication failed.
  • Communication packets between the Cisco agent and the Authentication Manager server were verified by performing a tcpdump on the primary Authentication Manager appliance.
  • No error log entries were seen on the Authentication Manager server real time activity monitor after performing a couple of authentications from the Cisco Adaptive Security Appliance over UDP port 5500.
Cause

  • The exact cause of native SecurID authentications failing over UDP port 5500 when authenticating from the Cisco Adaptive Security Appliance 9.8 (2) is yet to be identified.

  • However, this looks like an incompatibility issue between RSA Authentication Manager 8.x and Cisco ASA running version 9.8 (2) specifically.

  • Below is the snippet of the version information from the Cisco ASA:

    Cisco Adaptive Security Appliance Software Version 9.8(2)
    Firepower Extensible Operating System Version 2.2(2.52)
    Device Manager Version 7.8(2)

Workaround
Use the RADIUS protocol as an alternative to the native SecurID protocol by creating the Cisco Adaptive Security Appliance as a RADIUS client on the Authentication Manager server.

Review the article on how to Add a RADIUS client agent for the ASA.
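
A sketch of the ASA side of this workaround, added here as an example and not taken from the RSA article or from the affected device. The server group names, interface name, tunnel group, IP address (documentation range) and shared secret are placeholders, and the RADIUS port is an assumption that must match the Authentication Manager RADIUS configuration.

```cisco
! --- Before (assumed): server group using the native SecurID (SDI) protocol,
! --- which talks to Authentication Manager over UDP 5500.
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host 192.0.2.10

! --- After: a separate server group that reaches the same Authentication
! --- Manager server over RADIUS. The ASA must also exist as a RADIUS client
! --- on the Authentication Manager side, with the same shared secret.
aaa-server RSA-RADIUS protocol radius
aaa-server RSA-RADIUS (inside) host 192.0.2.10
 ! Placeholder secret; use a long random value and store it in a vault.
 key REPLACE-WITH-SHARED-SECRET
 ! Set explicitly so it matches the port the RADIUS server listens on
 ! (assumption: 1812).
 authentication-port 1812

! --- Point the (hypothetical) VPN tunnel group at the RADIUS group.
tunnel-group EXAMPLE-VPN general-attributes
 authentication-server-group RSA-RADIUS

! --- Verify from exec mode before moving users over, using a test account:
! test aaa-server authentication RSA-RADIUS host 192.0.2.10 username <user> password <passcode>
```

Successful RADIUS authentications should then appear in the Authentication Manager real time activity monitor, which did not happen for the native SecurID attempts described in this article.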
Notes
Kindly note that this is very specific to Cisco ASA running software version 9.8 (2) and is not a generic solution for all versions of Cisco ASA.
