SecurID® Discussions
DanMiller1
Beginner

RSA authentication manager 8.2 not creating node secret


Created sdconf.rec and imported it into Cisco ISE 2.2. Created a policy within ISE to pass authentication to RSA Manager. RSA AM 8.2 receives the request, fails the login attempt, and the node secret is never generated on either client or server.

Error in monitored session:

Principal authentication
User “<username>” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SystemDomain”
Authentication method failed

Accepted Solutions
EdwardDavis
Employee

You will never get a node secret set up until the first user who logs in successfully authenticates. You need to solve the reason you are getting "auth method failed" [which means RSA saw the correct number of characters for the type of authenticator that user ID owns, but could not figure out the PIN or tokencode from it].

On new setups it is usually an encryption/decryption problem. The agent encrypts with some IP address it owns, and the RSA server decrypts with the top-most entry on the agent setup screen. These have to match.

You can force the Cisco side to encrypt the communication using an IP address you specify (this should be the IP that is actually hitting the RSA server, and is configured on the agent page's top-most IP address line).

1) First, have that user ID and token log in somewhere else [like the Self-Service Console], just to prove the token works and there are no problems with it or the user ID.

2) Make a plain-text file named sdopts.rec.

3) In that file have one line:

CLIENT_IP=1.2.3.4

where 1.2.3.4 is the address you want to encrypt with; change it to match your setup [it should be the IP address that actually hit the RSA server in the previous attempts].

4) On the ISE you need to load this file.

To add or update the sdopts.rec file:
1. Browse to Administration > Identity Management > External Identity Sources > RSA SecurID.
2. Edit the RSA SecurID Identity Source, and open the RSA Instance Files tab.
3. Click the Update Options file link.
4. Browse to the sdopts.rec file and click OK.
5. Click Save to save your changes.
6. Reboot the ISE appliance.

5) Now the Cisco should be encrypting with the address in sdopts.rec, and if the RSA server agent entry has the same address, it should now correctly decrypt and authenticate, and then a node secret will get set up.

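An added example (editorial, not part of EdwardDavis's answer and not RSA or Cisco tooling) that checks the three things the answer says must line up before a node secret can be negotiated: the CLIENT_IP forced in sdopts.rec, the top-most address on the agent record in Authentication Manager, and the source address the RSA server actually logs for the agent's requests. It assumes sdopts.rec is plain KEY=VALUE lines, one setting per line as in the answer, and that you have copied the observed source addresses out of the AM authentication activity log; the addresses and file contents below are constructed.

```python
"""Consistency check for an RSA agent's forced CLIENT_IP (added example).

The agent encrypts with CLIENT_IP, the server decrypts with the top-most
address on the agent record, and the packets must actually arrive from that
address.  All three are compared here; the sample data is constructed.
"""
import ipaddress
import re

# One "KEY=VALUE" per line; blank lines are tolerated.  Assumption: no
# comment syntax is relied on, since the answer shows a one-line file.
_KV = re.compile(r"^([A-Z_]+)=(\S+)$")


def parse_sdopts(text: str) -> dict:
    """Parse sdopts.rec into a dict; rejects malformed lines and duplicate keys."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _KV.match(line)
        if not m:
            raise ValueError(f"malformed sdopts.rec line: {raw!r}")
        key, value = m.groups()
        if key in opts:
            raise ValueError(f"duplicate {key} in sdopts.rec")
        opts[key] = value
    return opts


def forced_client_ip(opts: dict) -> ipaddress.IPv4Address:
    """Return CLIENT_IP as an address; a missing or bogus value is an error."""
    value = opts.get("CLIENT_IP")
    if value is None:
        raise ValueError("sdopts.rec has no CLIENT_IP line")
    try:
        return ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"CLIENT_IP {value!r} is not an IPv4 address") from exc


def make_sdopts(observed_ip: str) -> str:
    """Build the one-line sdopts.rec from the address the server actually saw."""
    return f"CLIENT_IP={ipaddress.IPv4Address(observed_ip)}\n"


def check_agent_match(sdopts_text: str, agent_record_ip: str, observed_ips) -> list:
    """Return a list of findings; an empty list means the setup is consistent.

    agent_record_ip: top-most IP on the agent record in Authentication Manager
    observed_ips:    source addresses the AM activity log shows for this agent
    """
    findings = []
    forced = forced_client_ip(parse_sdopts(sdopts_text))
    record = ipaddress.IPv4Address(agent_record_ip)
    observed = {ipaddress.IPv4Address(ip) for ip in observed_ips}
    if forced != record:
        findings.append(f"CLIENT_IP {forced} != agent record address {record}: "
                        "the server will decrypt with the wrong address")
    if forced not in observed:
        findings.append(f"CLIENT_IP {forced} never appears as a source address; "
                        f"server saw {sorted(map(str, observed))}")
    if len(observed) > 1:
        findings.append("requests arrive from several source addresses; "
                        "check NAT or a multi-homed ISE before forcing one")
    return findings


# Constructed sample: what the AM log showed for the failing attempts.
OBSERVED = ["192.0.2.10", "192.0.2.10"]
GOOD_SDOPTS = make_sdopts("192.0.2.10")   # "CLIENT_IP=192.0.2.10\n"
BAD_SDOPTS = "CLIENT_IP=192.0.2.11\n"      # ISE picked a different interface

if __name__ == "__main__":
    for name, text in (("good", GOOD_SDOPTS), ("bad", BAD_SDOPTS)):
        print(name, check_agent_match(text, "192.0.2.10", OBSERVED) or "consistent")
```

Run it with the addresses from your own AM activity log in OBSERVED and the agent record's top-most IP as the second argument; an empty result means the file you are about to upload to ISE matches what the server will use to decrypt, which is the condition the answer says the first successful authentication (and hence the node secret) depends on.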


That seemed to do it. Weird, in that it did see the address in the auth logs but would fail the auth attempt.
