This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.
BryanDecker
Beginner
Beginner
‎2017-09-01 04:12 PM

AnyConnect VPN Authentication Failure

I am having some trouble with a new setup for Cisco ASA AnyConnect Authentication. We are running 9.6(3) on our ASA, with Authentication Manager v. 8.2.

 

We pulled our AD structure in for our user source, and they are currently in SystemDomain by default. When I try to use the SecurID soft token with my pin to generate a passcode for AnyConnect, the monitor reports:

 

 

User "username" attempted to authenticate using authenticator "SecurID_Native". The user belongs to security domain "SystemDomain".

 

This says to me I haven't tied those two items (the authenticator and the security domain) together somehow. What have I missed?

 

Here is the full output from the console:

----------

Date & Time: 2017-09-01 15:44:21.934
Log Level: ERROR
Activity Key: Principal authentication
Description: User “bdecker” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SystemDomain”
Action Result Key: Failure
Result Key: AUTHN_METHOD_FAILED
Result: Authentication method failed
User ID: username
User First Name: Bryan
User Last Name: Decker
User Security Domain: SystemDomain
User Identity Source Name: Non GC Active Directory
Agent Type: 7
Agent Name: 10.1.0.1
Agent IP: 10.1.0.1
Agent Security Domain: SystemDomain
Authentication Method: SecurID_Native
Policy Expression: N/A
Argument 1: AUTHN_LOGIN_EVENT
Argument 2: 5
Argument 3: 1
Argument 4: N/A
Argument 5: N/A
Argument 6: N/A
Argument 7: N/A
Argument 8: N/A
Argument 9: N/A
Argument 10: N/A
Instance Name: blooper.stc.corp
Client IPv4: 10.1.0.1
Client IPv6: N/A
Server Node IP: 10.21.0.13
Additional Information: N/A
Actor GUID: 5e47325d0d00150a3cabfc244caa677d
Session ID: b79a3e020d00150a33c0c55e3898d8eb-zrEx2kzqbYug
Agent GUID: a0e2bd7b0d00150a2d58be1fd560731f
0 Likes
Reply
9 Replies
NadaKhaled
New Contributor New Contributor
New Contributor
‎2017-09-05 01:33 PM

Hi Brian,

 

This error is pretty generic and doesn't mean  that there is something wrong with the location of the users and tokens in the security domain. Probably you have something wrong with your token, either it's out of sync or maybe the pin is not correct. Best thing to do is to test the authentication on the self-service portal. It has the same URL of the security console but ends with console-selfservice instead of console-ims. If this fails as well then you probably will need to open a support case to do a live troubleshooting,

 

Best Regards,

Nada Khaled

0 Likes
Reply
_EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)
‎2017-09-05 06:39 PM

Bryan Decker‌,

 

For future reference, the following is not an error message:

 

          User “bdecker” attempted to authenticate using authenticator “SecurID_Native.”

          The user belongs to security domain “SystemDomain.”  

 

That message in the Description field is just explains what was happening.  You tried to authenticate to the Authentication Manager server using the SecurID Native protocol and you exist in the SystemDomain security domain.  The reason why the authentication failed is shown in the Action Result Key and Result Key fields, that is AUTHN_METHOD_FAILED and Authentication method failed.

 

As Nada Khaled‌ mentioned, that error can display for several reasons.  Confirming the token is working through the Self-Service console is a good place to start.  If it works, we know the time offset between the token and the server is correct and we can look at other causes.  If it fails, you may want to try to Resynchronize a Token and test the ASA again.

 

 

If the ASA is new, please check the Cisco Systems Inc. - Technology Integrations implementation guide for the ASA to ensure your configuration is correct.  One thing that might cause the authentication method failed error is if the ASA has multiple IP addresses.  If you set up your authentication agent information in the Security Console for IP address 1.1.1.1 and the traffic is coming from the ASA on 1.1.1.2, authentication will fail.  On the ASA, confirm all of the IP addresses that belong to it.  Once you have the list, go back to the agent record in the Security Console (Access > Authentication Agent > Manage Existing) and go through the list of all of the IP addresses.  Make the change, save the agent update and test the ASA with the real time authentication activity monitor (Reporting > Real Time > Authentication Activity Monitor) open to see how the authentication request is handled by the server.

 

Regards,
Erica

0 Likes
Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
‎2017-09-05 09:52 PM

Since it says 'new' then I assume the node secret is not yet created.

I could not find this KB on Link, but KB 29015 - Why does an IP address override fix an Initial authentication failures with
no details: "Authentication Method Failed" 

explains why this has failed, and how you might fix it.

0 Likes
Reply
_EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)
‎2017-09-06 09:47 AM

Bryan Decker‌,

 

The article Jay Guillette‌ noted was marked internal so not available on RSA Link.  I've  reviewed it and  made it public.  You can see it at https://community.rsa.com/docs/DOC-79828 .

 

Regards,

Erica

0 Likes
Reply
BryanDecker
Beginner
Beginner
In response to _EricaChalfin
‎2017-09-06 09:52 AM

Well, it isn't getting any better. 

The self-service portal also failed, giving essentially the same output in the event monitor. I tried to resynchronize the token and got this:

pastedImage_1.png

 

The ASA IP address is correct. For what it's worth, the output in the event monitor is entirely different when you have the wrong IP on the authentication agent. It reports back:

pastedImage_2.png

 

Rather than the event message I am getting.

 

So, i am going to work on Jay's suggestion now, and see how much progress I can make.

0 Likes
Reply
BryanDecker
Beginner
Beginner
In response to _EricaChalfin
‎2017-09-06 10:17 AM

And now I am having trouble generating a node secret. It's kicking back a length issue related to the realm default password policy, but with the "RSA Initial Password Policy" being the only one, and generating a 32 character password, I'm not sure why it's failing.

0 Likes
Reply
JayGuillette
Apprised Contributor Apprised Contributor
Apprised Contributor
In response to BryanDecker
‎2017-09-06 11:22 AM

Bryan,

Even though Cisco ASA guide says sdopts.rec not implemented, you can still use one, you just have to create it yourself and put it in the same place as where the node secret and status files would go, in Memory.

Your sdopts.rec should have 

   CLIENT_IP=10.1.0.1

0 Likes
Reply
BryanDecker
Beginner
Beginner
In response to JayGuillette
‎2017-09-12 03:27 PM

I really feel like i'm missing some key parts here. I'm going to go back, review the settings and documentation for initial setup and start over. Thanks everyone!

0 Likes
Reply
_EricaChalfin
Employee (Retired) Employee (Retired)
Employee (Retired)
In response to BryanDecker
‎2017-09-13 02:04 PM

Bryan Decker‌,

 

If you are still having an issue with the ASA, please https://community.rsa.com/docs/DOC-1294 and work with a support engineer.  They would be happy  to assist.

 

Regards,

Erica

0 Likes
Reply
© 2023 RSA Security LLC or its affiliates. All rights reserved.