Connection failed Cloud Authentication Service and Authentication Manager
Hello team,
I am trying in my lab to connect the Cloud Authentication Service to the Authentication Manager and I have an error.
I configured the Identity Routers on Cloud Authentication Service in the following way:
I checked the logs:
My question is: do I need to add an Authentication Agent on the Authentication Manager?
I configured these Agents on the AM:
Where could the problem be?
Thanks a lot.
Accepted Solutions
Sure, you need to add an authentication agent for the IDR on the authentication manager appliance.
Have you connected the cloud authentication service to the authentication manager? From the CAS interface, go to Platform > Authentication Manager add the sdconf file along with the authentication agent name which you configured on the authentication manager and test connection from there.
Moreover, check your NTP server. I can see that the NTP server configured on your IDR is not in sync.
I'm curious to know how you configured eth0 and eth1 with the same IP address, as this should throw an error while configuring the IDR IP settings.
Hi Hertz,
From the very few tests I made, it is not a good practice to configure both interfaces in the same L3 network (eth0 and eth1).
I even didn't know this was possible.
Take a look on that side maybe... 😊
Kind Regards,
David
Hi David,
I read that "RSA recommends that each interface be located on a separate subnet for security reasons".
So I think it is possible to have the two interfaces on the same subnet, but from a security point of view it is not recommended.
If I try to ping the IP of the AM from the IDR, it replies to me; the same thing happens if I ping by name (am.mylab.local).
p.s. from the point of view of the Authentication Manager, in order to manage requests from the Cloud, do you need to add a new Authentication Agent?
Thanks.
Hi,
thank you very much for your reply and the help you are giving me.
1) The authentication agent for the IDR that I need to configure on the Authentication Manager, does it have to be configured in a particular way? As Type, how should it be defined? Is there an example I could take inspiration from?
I have only configured these at the moment:
2) Correct. I tried to connect "the cloud authentication service to the authentication manager". I followed the procedure from Platform> Authentication Manager and added the sdconf file but it fails with the following error:
I also rebuilt the IDR machine from scratch and added two addresses on the two network cards:
I checked the logs and I have these errors:
2021-05-05/07:27:40.804/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - Connection object: ServerConnection [ serviceType=CONFIG, serviceURL=http://192.168.5.201:5500/Services/ConfigService, conn=null]
2021-05-05/07:27:40.808/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - isDNSScanEnabled:false
2021-05-05/07:27:40.809/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - {Realmconfig.updateVersionInfoFromSdconf} Sdconf length = 2568
2021-05-05/07:27:40.809/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - {AgentConfigHandler.initializeConfig} using server-configured connect timeout: 10
2021-05-05/07:27:40.809/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - {AgentConfigHandler.initializeConfig} using server-configured read timeout: 30
2021-05-05/07:27:40.809/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - {AuthSessionFactory} Invoking MessageKey Service to negotiate key
2021-05-05/07:27:40.809/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - MaxRetry: 0 Total Servers: 1
2021-05-05/07:27:40.809/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - MaxRetry: 0 Total Servers: 1
2021-05-05/07:27:40.810/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - staring key negotiation. Connection: ServerConnection [ serviceType=MSGKEY, serviceURL=http://192.168.5.201:5500/Services/MessageKeyService, conn=null]
2021-05-05/07:27:40.815/UTC [Thread-1151] ERROR com.rsa.authagent.authapi.v8.logger.b[?] - Error in processing Authn request: connect exception processing key negotiation request: com.rsa.authmgr.commonagent.k: Key negotiation exchange failed. Server response was CRED_MISMATCH
2021-05-05/07:27:40.815/UTC [Thread-1151] ERROR com.rsa.authagent.authapi.v8.logger.b[?] - Error in initial AuthnReq/Rsp for serverTime.Error in processing Authn request: connect exception processing key negotiation request: com.rsa.authmgr.commonagent.k: Key negotiation exchange failed. Server response was CRED_MISMATCH
2021-05-05/07:27:40.815/UTC [Thread-1151] ERROR com.rsa.nga.sidproxy.AuthSessionFactoryManager[241] - unable to connect to the AM server
com.rsa.authagent.authapi.AuthAgentException: com.rsa.authagent.authapi.AuthAgentException: Error in initial AuthnReq/Rsp for serverTime.Error in processing Authn request: connect exception processing key negotiation request: com.rsa.authmgr.commonagent.k: Key negotiation exchange failed. Server response was CRED_MISMATCH
at com.rsa.authagent.authapi.AuthSessionFactory.a(AuthSessionFactory.java)
at com.rsa.authagent.authapi.AuthSessionFactory.getInstance(AuthSessionFactory.java)
at com.rsa.nga.sidproxy.AuthSessionFactoryManager$1.run(AuthSessionFactoryManager.java:239)
at java.lang.Thread.run(Thread.java:748)
I think this is the problem, but I don't understand what can cause it.
p.s. when I entered the same IP in the IDR configuration for the two eths it did not return any error.
Thanks.
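The two concrete checks in this thread, reading the IDR agent log for the `CRED_MISMATCH` key-negotiation failure and spotting two interfaces placed on the same L3 network, can both be scripted. The following is an added example written for this page; it is not code from the post or from RSA. The log-line regex is shaped after the lines quoted above, the sample log is a subset of those posted lines, and the only response code it knows how to explain is `CRED_MISMATCH`, mapped to the fix that resolved this thread (create the agent on the AM, re-import sdconf); any other code gets a generic hint.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: a subset of the agent log lines quoted in the post above.
SAMPLE_LOG = """\
2021-05-05/07:27:40.809/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - {AuthSessionFactory} Invoking MessageKey Service to negotiate key
2021-05-05/07:27:40.810/UTC [Thread-1151] INFO com.rsa.authagent.authapi.v8.logger.b[?] - staring key negotiation. Connection: ServerConnection [ serviceType=MSGKEY, serviceURL=http://192.168.5.201:5500/Services/MessageKeyService, conn=null]
2021-05-05/07:27:40.815/UTC [Thread-1151] ERROR com.rsa.authagent.authapi.v8.logger.b[?] - Error in processing Authn request: connect exception processing key negotiation request: com.rsa.authmgr.commonagent.k: Key negotiation exchange failed. Server response was CRED_MISMATCH
2021-05-05/07:27:40.815/UTC [Thread-1151] ERROR com.rsa.authagent.authapi.v8.logger.b[?] - Error in initial AuthnReq/Rsp for serverTime.Error in processing Authn request: connect exception processing key negotiation request: com.rsa.authmgr.commonagent.k: Key negotiation exchange failed. Server response was CRED_MISMATCH
2021-05-05/07:27:40.815/UTC [Thread-1151] ERROR com.rsa.nga.sidproxy.AuthSessionFactoryManager[241] - unable to connect to the AM server
com.rsa.authagent.authapi.AuthAgentException: com.rsa.authagent.authapi.AuthAgentException: Error in initial AuthnReq/Rsp for serverTime.
at com.rsa.authagent.authapi.AuthSessionFactory.a(AuthSessionFactory.java)
"""

# Shape of one log line: <timestamp> [<thread>] <LEVEL> <logger> - <message>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) \[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<logger>\S+) - (?P<msg>.*)$"
)
SERVER_RESPONSE = re.compile(r"Server response was (?P<code>[A-Z_]+)")

# Only the code seen in this thread is mapped (assumption: the explanation is the thread's own fix).
KNOWN_RESPONSES = {
    "CRED_MISMATCH": (
        "Authentication Manager rejected the key negotiation: the agent record for the IDR "
        "is missing or does not match the imported sdconf.rec. Create the agent on the AM, "
        "then re-import sdconf.rec on the CAS side."
    ),
}
GENERIC_HINT = "unrecognised response code; check the AM agent record, sdconf.rec and NTP sync"


@dataclass
class LogEntry:
    timestamp: str
    thread: str
    level: str
    logger: str
    message: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one agent log line; returns None for exception and stack-trace lines."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return LogEntry(m["ts"], m["thread"], m["level"], m["logger"], m["msg"])


def diagnose(log_text: str) -> List[str]:
    """Return one finding per distinct server response code found in ERROR lines."""
    findings: List[str] = []
    seen = set()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or entry.level != "ERROR":
            continue
        r = SERVER_RESPONSE.search(entry.message)
        if not r or r["code"] in seen:
            continue
        seen.add(r["code"])
        findings.append(f"{entry.timestamp}: {r['code']} -> {KNOWN_RESPONSES.get(r['code'], GENERIC_HINT)}")
    return findings


def same_subnet(iface_a: str, iface_b: str) -> bool:
    """True when two interface addresses in CIDR form share one L3 network (the setup the thread advises against)."""
    return ipaddress.ip_interface(iface_a).network == ipaddress.ip_interface(iface_b).network


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
    # Constructed addresses for illustration only.
    print("eth0/eth1 on same subnet:", same_subnet("192.168.5.10/24", "192.168.5.11/24"))
```

Run it against a real IDR log by replacing `SAMPLE_LOG` with the file contents; the stack-trace and exception lines are skipped rather than mis-parsed, and repeated occurrences of the same response code collapse into a single finding.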
Hi,
I give you an update: I created the agent on the AM and re-imported the sdconf file, and now everything works fine.
Thanks a lot.
Amazing! Glad to hear that it's working fine now.