Authentication Manager 8.x Trusted realm logon with user alias fails on RADIUS Client
Originally Published: 2018-08-08
Article Number
000040795
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.2.1, 8.x all versions
Platform: Linux
Platform (Other): RADIUS Client
O/S Version: Suse Linux
 
Issue
Tester1 = user ID that exists in the remote realm
Tester_Alias = alias of the Tester1 user ID in the remote realm
Gibberish = user ID that exists in neither realm

Native Auth Agent --> am_localPrimary01 ==realm lookup of user ID or alias===> am_remotePrimary01
Real Time Monitor on am_localPrimary01 shows "Trusted Realm Authentication requested" "Success"
Real Time Monitor on am_remotePrimary01 shows "Trusted Realm Authentication" "Success"
Result: success

RADIUS Client --> am_localPrimary01 ==realm lookup of user ID===> am_remotePrimary01
Real Time Monitor on am_localPrimary01 shows "Trusted Realm Authentication requested" "Success"
Real Time Monitor on am_remotePrimary01 shows "Trusted Realm Authentication" "Success"
Result: success

RADIUS Client --> am_localPrimary01 ==realm lookup of alias===> am_remotePrimary01
Real Time Monitor on am_localPrimary01 shows "Principal not found"
Real Time Monitor on am_remotePrimary01 shows nothing
Result: failure

RADIUS Client --> am_localPrimary01 with an unknown user ID or alias, e.g. 'Gibberish'
Real Time Monitor on am_localPrimary01 shows "Resolve user by User ID/alias/Trusted realm search" failure
Result: failure (a different failure from the alias case)
Using NTRadPing to send authentication requests to am_localPrimary01 (192.168.17.87), which must look up Tester1 and its aliases in the remote realm on am_remotePrimary01 (192.168.1.227). Question raised: if the RADIUS client RADIUS_Client (192.168.5.180) exists on the "local" server am_localPrimary01 so that the authentication request is accepted, do the group and alias also need to exist on am_localPrimary01 as well as on the "remote" server am_remotePrimary01 (192.168.1.227)? That is, must the RADIUS client RADIUS_Client with IP address 192.168.5.180 be defined identically on both servers in the trusted realm?

1:10pm EDT Tester1 success
1:11pm Tester_Alias failure: nothing looked up on the remote server, principal not found locally
Gibberish user ID, a different failure: "UserID could not be discovered in the local realm or by searching configured trusted realms"

Verbose logging set at 1:15pm
Tester1 success
Tester_Alias fails: nothing in the remote Real Time Monitor, principal not found in the local Real Time Monitor
Gibberish user ID gets "Resolve user by User ID/alias/Trusted realm search" failure
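The three logons in the test sequence above can be reproduced without NTRadPing using the following stdlib-only Python client. It is an added illustration, not part of the original article and not RSA software. It takes the local primary (192.168.17.87) and the RADIUS client's address (192.168.5.180) from the article; the UDP port 1812, the shared secret and the placeholder passcode are assumptions that must be replaced with the values configured on am_localPrimary01. The client PAP-encodes the passcode per RFC 2865, sends the Access-Request, and checks the Response Authenticator before trusting the reply, so a reply produced with a different shared secret is reported as invalid rather than as a reject.

```python
# Minimal RADIUS Access-Request client (RFC 2865) for the Tester1 / Tester_Alias /
# Gibberish logons against am_localPrimary01. Added example; not RSA code.
import hashlib
import os
import socket
import struct

# Values taken from the article.
RADIUS_SERVER = "192.168.17.87"   # am_localPrimary01
NAS_IP = "192.168.5.180"          # RADIUS_Client as defined on am_localPrimary01
# Assumptions, not from the article: port and shared secret.
RADIUS_PORT = 1812
SHARED_SECRET = b"example-shared-secret"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def encode_pap_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decode_pap_password(blob, secret, request_auth):
    """Inverse of encode_pap_password; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(blob), 16):
        block = blob[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username, passcode, secret, ident=1, request_auth=None, nas_ip=NAS_IP):
    """Return (packet, request_authenticator); the authenticator is random unless supplied."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, encode_pap_password(passcode.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def parse_packet(data):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos < min(length, len(data)):
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, data[4:20], attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server-side reply construction, used for the offline check below."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response, request_auth, secret):
    """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    A mismatch means a wrong shared secret or a reply the server did not produce."""
    if len(response) < 20:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return expected == response[4:20]


def send_request(username, passcode, secret=SHARED_SECRET, server=RADIUS_SERVER, port=RADIUS_PORT, timeout=5.0):
    """Send one Access-Request and name the reply; unauthenticated replies are not trusted."""
    packet, request_auth = build_access_request(username, passcode, secret, ident=os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        reply, _ = sock.recvfrom(4096)
    if not verify_response(reply, request_auth, secret):
        return "invalid Response Authenticator (wrong shared secret or spoofed reply)"
    code = parse_packet(reply)[0]
    return CODE_NAMES.get(code, "code %d" % code)


if __name__ == "__main__":
    # Passcode is PIN + tokencode; the value here is a placeholder.
    for user in ("Tester1", "Tester_Alias", "Gibberish"):
        print(user, send_request(user, "1234567890"))
```

An Access-Reject for Tester_Alias alongside an Access-Accept for Tester1 is the symptom described in this article. The RADIUS reply itself does not distinguish "Principal not found" from "Access Denied", so each request should still be correlated with the Real Time Monitor on both primaries and with imsTrace.log.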

Comparing imsTrace.log on the local server am_localPrimary01 (192.168.17.87) and on the trusted realm remote server am_remotePrimary01 (192.168.1.227):
Key difference
When the alias Tester_Alias attempts a logon through the RADIUS client on the local server am_localPrimary01 (192.168.17.87), the local AM server runs a SQL query * that returns
'com.rsa.authn.AuthenticationCommandException: Access Denied', so no lookup is done on the trusted realm remote server (192.168.1.227). This is why the local Real Time Monitor shows "Principal not found" while the remote one shows nothing.
When the non-existent user Gibberish attempts the same logon, the local AM server runs the same SQL query *, which does trigger a lookup on the trusted realm remote server am_remotePrimary01 (192.168.1.227), resulting in "Failed to resolve user:Gibberish on agent:ImmutableAgent".
Resolution
Add the remote realm Authentication Manager (am_remotePrimary01) as an Authentication Agent on the local realm server (am_localPrimary01). To confirm the fix, repeat the Tester_Alias logon from the RADIUS client: the Real Time Monitor on am_localPrimary01 should now show "Trusted Realm Authentication requested" "Success" and am_remotePrimary01 should show "Trusted Realm Authentication" "Success", as it already does for the native agent and for the Tester1 user ID.