Verified that <UserID> has valid fixed passcode that can successfully logon to the Self-Service console.
RSA Authentication Manager (AM) 8.X
Cisco debug shows ACM_ACCESS_DENIED, which is an RSA API message. It is the generic auth failed message, and could be for a number of reasons including the PIN or TokenCode is incorrect. The node secret will not get created until after the first successful authentication, so an ACM_ACCESS_DENIED on a new setup will always be related to node secret not getting created. Debug also says ?RSACheckPasscodeState?
A success will show as ACM_OK
##Session ID on ACS is created##
AuthenStateManager,07/07/2014,20:25:57:690,DEBUG,3082451856,acquireOrCreateState: created sessionID=crpitsacs01/194136679/106,AuthenStateManager.cpp:62
##NAS IP is matched against AAA client##
inboundProtocolManager,07/07/2014,20:25:57:691,DEBUG,3082451856,cntx=0000000825,sesn=crpitsacs01/194136679/106,NAS with IP = <NetSDc aler IP> matches AAAClient with IP = <NetSDcalerP>,ProtocolDataUtils.cpp:495
##AccessRequest packet##
Radius,07/07/2014,20:25:57:691,DEBUG,3082451856,cntx=0000000825,sesn=crpitsacs01/194136679/106,RADIUS PACKET:: Code=1(AccessRequest) Identifier=230 Length=49,RADIUSHandler.cpp:1330
Radius,07/07/2014,20:25:57:691,DEBUG,3082451856,NIL-CONTEXT, [1] User-Name - value: [e_ttaylor] ,AttributePrintHelper.cpp:75
Radius,07/07/2014,20:25:57:691,DEBUG,3082451856,NIL-CONTEXT, [2] User-Password - value: [****] ,AttributePrintHelper.cpp:75
Radius,07/07/2014,20:25:57:691,DEBUG,3082451856,NIL-CONTEXT,CTS_pac_opaque = false,RADIUSHandler.cpp:498
Radius,07/07/2014,20:25:57:691,DEBUG,3082451856,cntx=0000000825,sesn=crpitsacs01/194136679/106,Validate integrity related RADIUS attributes,RADIUSHandler.cpp:1022
##RSA Identity store is selected##
RSA,07/07/2014,20:25:57:693,DEBUG,3082451856,cntx=0000000825,sesn=crpitsacs01/194136679/106,user=e_ttaylor,[RSAlIDStore::onPlainAuthenticateAndQueryEvent] TokenCache not enabled, Going to authenticate with RSA,RSAIDStore.cpp:294
##Got an error##
RSAAgent,07/07/2014,20:26:22:724,DEBUG,3034864528,cntx=0000000825,sesn=crpitsacs01/194136679/106,user=e_ttaylor,[RSAAgent::handleResponse] operation completed with ACM_ACCESS_DENIED status,RSAAgent.cpp:237
##Authentication failed##
AuthenSessionState,07/07/2014,20:26:22:725,DEBUG,3082451856,cntx=0000000825,sesn=crpitsacs01/194136679/106,user=e_ttaylor,[RSACheckPasscodeState::onRSAAgentResponse] Authentication Failed,RSACheckPasscodeState.cpp:74
Citrix NetScaler login still fails with Auth Method failed.
ACS Failing Authentication Method with RSA SecurID.
Cisco ACS initial authentication using SDI to AM 8.1 method fails, appears same as when IP address override needed.
Activity Key: Principal authentication
Description: User ?jdoe? attempted to authenticate using authenticator ?SecurID_Native?. The user belongs to security domain ?SystemDomain?
Reason: Authentication method failed
To resolve this issue for some customers:
Cisco asked customer to create another RADIUS client (non-Citrix) to the Cisco ACS, with same ACS forwarding of Native SecurID authentication request to AM 8.1.
Related Articles
RSA AM 7.1 to 8.1 Migration - RSA AM 7.1 Migration Export Utility fails at the install due to RADIUS Number of Views How to reset the system fingerprint -RSA AM Number of Views RSA AM License Support Number of Views How to Configure Palo Alto Global Protect VPN to support RSA AM to be LDAP + Passcode Number of Views How to verify RSA Authentication Manager (AM) 8.1 is sending syslog data to a remote syslog server. Number of Views
