Issue with RADIUS Authentication with IDR using RSA Authenticate Application
In our organization, we have users in two domains, domainold1 and domainold2. Now all of them have mail as domainnew.ae, but old users have two emails, one as domainold1.ae or domainold2.ae and the other as domainnew.ae. When we go to Users > Management in the RSA SecurID Access portal, it shows two entries for all those accounts.
Also, in the RSA Authenticate application we can only register with the domainnew email.
Now take a case: user Ashish Joshi, who has the domainold1 mail email@example.com and the domainnew mail firstname.lastname@example.org. Both of these emails have the same account in AD, with samAccountName ajoshi. The user has registered in the RSA Authenticate application as email@example.com, as this email is in use now.
The user is trying to access a portal using RADIUS, giving the domainold1 account name domainold1\ajoshi with password. The portal redirects the user with the option to Approve or provide the 8-digit passcode from the application. The user is giving the 8-digit passcode, but the process results in an authentication failure.
If there are two entries for one person in Users > Management, then that person is being synchronized as two different users and will be recognized by the RSA Cloud Authentication Service as two different users. I expect that if the user is concurrently in two different domains, that is the reason they are being synchronized twice to the Cloud - they will have two different entries in AD - one in each domain tree.
To check the two accounts for all users, you can get a report of all users from Users > Reports in the Cloud Administration Console.
In the test done with user ajoshi, it sounds like the user ID and password from domainold are being authenticated OK by AD, which is why it gets to the point of prompting for step-up authentication. As you then enter an 8-digit passcode from an RSA Authenticate app registered to the domainnew user, you will get an authentication failure because that app is not valid for the domainold user. You can check the audit entries for the authentication attempt under Users > User Event Monitor. For more detail, you can check the audit log - see Configure Audit Logging in the Cloud Administration Console.
Note: if you are not sending the audit log to syslog, you can still Generate and Download an Identity Router Log Bundle from every IDR (because your authentication test may have been processed by any one of your IDRs, and you won't know which one). The RADIUS audit log can be found in the log bundle at var/log/radiusj/radius-audit.log .
If all users exist under domainnew, from what you've described here it sounds like the best way forward would be to only authenticate using domainnew. Change your Identity Source configuration to ensure it only synchronizes domainnew users. You will also need to delete all the domainold entries from the Cloud Administration Console. Delete a Cloud Authentication Service User explains how to do that.
Please see below the event logs of the RADIUS login attempt.

| Timestamp | User ID | Event Code | Description | Application | Method |
|---|---|---|---|---|---|
| Thu, 12 Apr 2018 06:34:51 UTC | ajoshi | 20608 | RADIUS - Device Biometrics authentication failed - Method timeout. | RADIUS: vpn1_portal_ae | |
| Thu, 12 Apr 2018 06:34:44 UTC | firstname.lastname@example.org | 201 | LDAP password authentication succeeded. | | PASSWORD |
| Thu, 12 Apr 2018 06:34:42 UTC | email@example.com | 20301 | Multifactor authentication initiated. | RADIUS: vpn1_portal_ae | |
| Thu, 12 Apr 2018 06:34:17 UTC | ajoshi | 20609 | RADIUS - Authentication failed - Internal error. | RADIUS: vpn1_portal_ae | |
| Thu, 12 Apr 2018 06:32:11 UTC | firstname.lastname@example.org | 201 | LDAP password authentication succeeded. | | PASSWORD |
| Thu, 12 Apr 2018 06:32:09 UTC | email@example.com | 20301 | Multifactor authentication initiated. | RADIUS: vpn1_portal_ae | |
| Thu, 12 Apr 2018 06:30:15 UTC | firstname.lastname@example.org | 707 | Approve enrollment succeeded. | iOS | APPROVE |
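As an added example (not part of the thread or of RSA's tooling), the correlation described in the answer above can be checked mechanically: group User Event Monitor rows by each "Multifactor authentication initiated" event and flag attempts in which several user IDs appear before a RADIUS failure. The sample rows are copied from the table above; the pipe-separated export layout and the session-grouping rule are my assumptions.

```python
from datetime import datetime

# Constructed sample, copied from the event rows posted in this thread
# (timestamp | user ID | event code | description); export format is assumed.
SAMPLE_EVENTS = """\
Thu, 12 Apr 2018 06:34:51 UTC|ajoshi|20608|RADIUS - Device Biometrics authentication failed - Method timeout.
Thu, 12 Apr 2018 06:34:44 UTC|firstname.lastname@example.org|201|LDAP password authentication succeeded.
Thu, 12 Apr 2018 06:34:42 UTC|email@example.com|20301|Multifactor authentication initiated.
Thu, 12 Apr 2018 06:34:17 UTC|ajoshi|20609|RADIUS - Authentication failed - Internal error.
Thu, 12 Apr 2018 06:32:11 UTC|firstname.lastname@example.org|201|LDAP password authentication succeeded.
Thu, 12 Apr 2018 06:32:09 UTC|email@example.com|20301|Multifactor authentication initiated.
"""

MFA_START = "20301"                  # "Multifactor authentication initiated"
RADIUS_FAILURE = {"20608", "20609"}  # the two RADIUS failure codes in the thread

def parse_events(text):
    """Parse pipe-separated rows into dicts, oldest first."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, code, desc = line.split("|", 3)
        rows.append({"ts": datetime.strptime(ts, "%a, %d %b %Y %H:%M:%S UTC"),
                     "user": user, "code": code, "desc": desc})
    return sorted(rows, key=lambda r: r["ts"])

def split_sessions(rows):
    """Each MFA_START row opens a new step-up attempt; following rows belong
    to it until the next MFA_START. Rows before the first start are dropped."""
    sessions, current = [], None
    for r in rows:
        if r["code"] == MFA_START:
            current = []
            sessions.append(current)
        if current is not None:
            current.append(r)
    return sessions

def find_identity_mismatches(rows):
    """Flag failed step-up attempts whose password check, MFA step and RADIUS
    result were logged under different user IDs: the signature of one person
    being synchronized to the Cloud Authentication Service as two users."""
    findings = []
    for session in split_sessions(rows):
        ids = sorted({r["user"] for r in session})
        failures = [r["code"] for r in session if r["code"] in RADIUS_FAILURE]
        if len(ids) > 1 and failures:
            findings.append({"started": session[0]["ts"].isoformat(),
                             "user_ids": ids, "failure_codes": failures})
    return findings
```

Run against the rows above, both attempts are flagged with three distinct IDs (ajoshi, email@example.com, firstname.lastname@example.org), which is the two-account situation the answer describes.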