This article provides steps on how to re-create a node secret for the RADIUS server running on Authentication Manager 8.0 and 8.1 and how to clear the node secret on a migrated RADIUS server and create a new one because RADIUS authentications are failing with node secret mismatch errors.
The node secret of an RSA RADIUS server is corrupted due to an unknown issue,
The node secret is deleted from /opt/rsa/am/radius, or
A migration from previous version was performed where there was a RADIUS configuration but no RADIUS migration was performed.
When doing RADIUS authentications, the error Node verification failed. Node secret mismatch. Server and agent using different node secrets shows in the Authentication Activity log monitor. In this message the Client IP and Agent IP values are the RADIUS server IP address and the Server Node IP is either primary or replica IP address.
The RADIUS server can be reconfigured by redeploying the instance. But it is not always convenient to do this, especially when using a hardware appliance which is located far away from the administrator. Even if it is a virtual environment, if it is the primary RADIUS server that has this problem, you have to promote the replica and redeploy the instance.
In Authentication Manager 8.x if the agent type is RADIUS Server, the Manage Node Secret option is hidden. There is no way to clear/recreate a node secret from Security Console like with a standard agent.
The workaround is to:
Change the agent type from RADIUS Server to Standard Agent, so as to display the Manage Node Secret menu.
Once the menu is visible, delete the node secret from the Security Console and appliance if it exists.
Then create a node secret in the Security Console and upload it to the Authentication Manager server and use the command agent_nsload to manually create the node secret.
Finally change the agent type back to RADIUS Server.
db=# SELECT id FROM rsa_rep.am_host WHERE primary_ip='<RADIUS_server's_IP_address>';
db=# UPDATE rsa_rep.am_agent set client_type=1 WHERE host_id = '<id_value reported above>';
Login to the Security Console on the primary.
Navigate to Access > Authentication Agents > Manage Existing.
Click on the context arrow next to the agent listed as the RADIUS Server and select Manage Node Secret.
Select Clear Node Secret and then click on Create Node Secret.
Create a password, and then download the zip file. Open the zip file to find the nodesecret.rec.
Use WinSCP or FileZilla to copy the securid file to the /opt/rsa/am/radius directory.
Using SSH, login to the primary Authentication Manager server as rsaadmin.
Navigate to /opt/rsa/am/radius and run following commands. Note that there is a space and a dot after the -d.
If the node secret is created successfully, perform an authentication test.
If authentication test is successful, follow step 1 to connect to the database again.
Run the following comment to reset the agent type back to a RADIUS server.
UPDATE rsa_rep.am_agent SET client_type=3 WHERE host_id = 'ID from step2';
Connecting to pgSQL
SSH to the primary Authentication Manager server and follow the steps below:
login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Thu Dec 22 13:16:50 2016 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81p:~> cd /opt/rsa/am/utils
rsaadmin@am81p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba .password
Please enter OC Administrator username: <enter Operations Console administrator name>
Please enter OC Administrator password: <enter Operations Console administrator password>
rsaadmin@am81p:/opt/rsa/am/utils> cd /opt/rsa/am/pgsql/bin
rsaadmin@am81p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba
Password for user rsa_dba: <right click to paste the com.rsa.db.dba.password captured above, note that it will not display on the screen>
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.