Using an IP address override to fix an initial authentication failures with RSA Authentication Manager when the error Authentication Method Failed displays
Originally Published: 2014-11-07
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 7.1, 8.x
Issue
- Authentication from a specific agent is failing.
- On the agent side, Error 13002 may display for a Windows agent.
- In the authentication activity log, the result is Authentication method failed:
Description: User “<user ID>" attempted to authenticate using authenticator “SecurID_Native”.
The user belongs to security domain “<security domain>”
Result Key: Failure
Result Key: AUTHN_METHOD_FAILED
Result: Authentication method failed
The user belongs to security domain “<security domain>”
Result Key: Failure
Result Key: AUTHN_METHOD_FAILED
Result: Authentication method failed
Cause
Before the node secret is created, the initial encryption algorithm uses the agent's IP address to complete the authentication request. The agent encrypts the authentication request with its' primary IP address, but with so many IP addresses assigned to ethernet and wireless interfaces this becomes a percentage thing. What you think is the agent's primary IP address might not be what the agent selects when running the RSA authentication agent software.
Customer Support seen many instances where a secondary IP address was used, either from a multihomed agent or from a second Network Interface Card (NIC), such as wireless or sometimes the management IP address for VPN type devices. The problem arises when the Authentication Manager server tries to decrypt the authentication request with what it believes is the primary IP address for that agent, as defined in the agent host record in the Security Console under Access > Authentication Agents. It is this encryption and decryption with different IP addresses that causes every passcode to be incorrect.
The IP address override option forces the agent to encrypt with a specific IP address; thereby, not allowing the agent to choose its own primary IP for the initial RSA agent encryption.
Resolution
Alternatively, create a text file named sdopts.rec that is saved on the agent to the same directory as the sdconf.rec file, with an entry like this:
CLIENT_IP=192.168.131.22
Workaround
- Get a list of all known IP addresses for the agent.
- Navigate to Access > Authentication Agents > Manage Existing.
- Enter an IP address from the list into the IP Address field (not the Alternate IP Address field) in the agent record and click Save.
- With the Authentication Activity Monitor open, test authentication from the agent. Repeat this process until authentication is successful.
Notes
2014-11-06 03:11:21,336, [AgentProtocolServer Core Thread #1], (MethodLoginHandler.java:80), trace.com.rsa.ims.authn.HandlerBase, DEBUG, server.domain.com,,,,Method returned response AuthenticationContextImpl[brokerState=in_progress,methodState=<null>,sessionCtx=<null>, methodAuthenticationState=failed,netAddress=/10.0.0.8,agent=<null>,zombieSession=false,authenticationState=<null>,requestHiddenParameters=<null>, principalId=<UserID>,usingTransientSession=true,desiredPolicyGuid=<null>,session=[SessionImpl id=21d8364be087a8c01ba5db0ecc58294b-NypsV/e4UfaC creationTime=1415243481202 principal=null],identitySourceGui2014-11-06 03:11:21,336, [AgentProtocolServer Core Thread #1], (MethodLoginHandler.java:80), trace.com.rsa.ims.authn.HandlerBase, DEBUG, server.domain.com,,,,Method returned response AuthenticationContextImpl[brokerState=in_progress,methodState=<null>,sessionCtx=<null>, methodAuthenticationState=failed,netAddress=/10.0.0.8,agend=<null>,principalGuid=<null>,authenticationPolicy=<null>,directRequest=true, sessionChoiceAction=0,newAuthInfo=<null>,emergencyAuthentication=false,responsePromptParameters=<null>,principal=Principal{key=cfd637f1649d658e1b971b145b355ef5, userID='jdoe', firstName='John', middleName='null', lastName='Doe', email='null', beginDate=null, inactiveDate=null, lastLogin= Wed Nov 05 18:36:02 UTC 2014, certDN='', description='null', password='*****', enabled=true, identitySource=000000000000000000001000d0011000, securityDomain=f635a137649d658e1c695fcc81207ce9, identitySourceKey='cfbb6e4b649d658e1b9716a998c953a4', rowVersion=294, lastUpdatedBy='admin', lastUpdatedOn=Thu Oct 30 19:24:45 UTC 2014, startDate=Fri Oct 17 16:22:00 UTC 2014, expirationDate=null, registrationFlag=true, impersonatableFlag=false, ] impersonatorFlag=false, failPasswordCount=0, failPasswordDate=null, changePasswordFlag=true, changePasswordDate=Fri Oct 17 16:23:32 UTC 2014, lockoutFlag=false, expireLockoutDate=null, attributes=null, authenticators=[ 0, 3 ], administrator=false, securityQuestionsAnswers=null, securityQuestionsRequiredAuthn=3, securityQuestionsRequiredReg=5, securityQuestionsLocaleLanguage=null, securityQuestionsLocaleCountry=null, securityQuestionsLocaleVariant=null, firstRBAuthenticationDate=null, lastUsedSecondaryAuth=-1},agentDetails=Agent [ID: 068e2d24649d658e1b0a1afe3147c7ba, name: <agent name>, address: 10.0.0.8, type: 7, security domain ID: f635a137649d658e1c695fcc81207ce9],userDetails=<null>,authnPolicyDetails=<null>,credentialValidation=false,message=<null>, transactionContext=<null>,step=<null>,sessionId=21d8364be087a8c01ba5db0ecc58294b-NypsV/e4UfaC,desiredAuthenticationMethodId=SecurID_Native, authenticator=com.rsa.ims.admin.Authenticator@1b3ea794,gradedAuthenticationRequest=false,emergencyAuthenticationRequest=false,responseHiddenParameters= [ObjectParameter[promptKey=SecurID_WpCodes,value=,masked=false,helpObject=<null>], ObjectParameter[promptKey=SecurID_AuthenticationMode,value=100, masked=false,helpObject=<null>]]]
