PaulMathews
New Contributor

RSA Reporting - Output query

Hi,

I have a report for senior management that details all access attempts - they have asked if the below can be explained.

Why is the first entry a success, but then followed by many failures, then another success?

Many thanks.

01/08/2016 22:28 | ddh | Success | Authentication method success
01/08/2016 22:28 | ddh | Failure | Authentication method failed | Alias: "" | AUTHN_METHOD_FAILED | Authentication attempted | ERROR
01/08/2016 22:28 | ddh | Failure | Authentication method failed | ERROR
01/08/2016 22:28 | ddh | Failure | Authentication method failed
01/08/2016 22:28 | ddh | Failure | Authentication method failed | Alias: "" | AUTHN_METHOD_FAILED | Authentication attempted | ERROR
01/08/2016 22:28 | ddh | Failure | Authentication method failed | ERROR
01/08/2016 22:28 | ddh | Failure | Authentication method failed
01/08/2016 22:28 | ddh | Failure | Authentication method failed | Alias: "" | AUTHN_METHOD_FAILED | Authentication attempted | ERROR
01/08/2016 22:28 | ddh | Success | Attempt successful
01/08/2016 22:28 | ddh | Failure | Authentication method failed | ERROR
01/08/2016 22:28 | ddh | Failure | Authentication method failed
01/08/2016 22:28 | ddh | Failure | Authentication method failed | Alias: "" | AUTHN_METHOD_FAILED | Authentication attempted | ERROR
01/08/2016 22:28 | ddh | Failure | Authentication method failed | ERROR
01/08/2016 22:28 | ddh | Failure | Authentication method failed
01/08/2016 22:28 | ddh | Failure | Authentication method failed | Alias: "" | AUTHN_METHOD_FAILED | Authentication attempted | ERROR
01/08/2016 22:28 | ddh | Failure | Authentication method failed | ERROR
01/08/2016 22:28 | ddh | Failure | Authentication method failed
01/08/2016 22:28 | ddh | Failure | Authentication method failed | Alias: "" | AUTHN_METHOD_FAILED | Authentication attempted | ERROR
01/08/2016 22:28 | ddh | Failure | Authentication method failed | ERROR
01/08/2016 22:28 | ddh | Failure | Authentication method failed
01/08/2016 22:28 | ddh | Failure | Authentication method failed | Alias: "" | AUTHN_METHOD_FAILED | Authentication attempted | ERROR
01/08/2016 22:28 | ddh | Failure | Authentication method failed | ERROR
01/08/2016 22:28 | ddh | Failure | Authentication method failed
01/08/2016 22:28 | ddh | Success | Attempt successful
01/08/2016 22:28 | ddh | Failure | Principal locked out
01/08/2016 22:28 | ddh | Failure | Principal locked out
01/08/2016 22:28 | ddh | Failure | Principal locked out
01/08/2016 22:29 | ddh | Failure | Principal locked out
01/08/2016 22:30 | ddh | Failure | Principal locked out
01/08/2016 22:31 | ddh | Failure | Principal locked out
01/08/2016 22:55 | ddh | Failure | Authentication method failed | Alias: "" | AUTHN_METHOD_FAILED | Authentication attempted | ERROR
01/08/2016 22:55 | ddh | Failure | Authentication method failed | ERROR
01/08/2016 22:55 | ddh | Failure | Authentication method failed
01/08/2016 22:57 | ddh | Success | Authentication succeeded in next tokencode mode

0 Likes
HusseinElBaz
Employee

Hello Paul,

We need to check further into that matter before knowing the exact problem that you are facing. It might be a lot of things that are causing that problem.

1) The agent is sending duplicate replies to the server

2) The server is sending duplicate replies

3) A network problem that causes the packets to be duplicated

4) The user is typing the passcode more than once on the agent

To confirm which of the above is the problem, we need to take a packet capture on the agent and on the authentication manager server to confirm where exactly the problem is coming from.

And also we need to get a full detailed authentication activity monitor to see the exact error or failure that the server is sending to the agent, to confirm whether the behavior from the server is correct or not.

So kindly check and advise us back if there is any assistance needed from our side.

Best Regards,

0 Likes
JayGuillette
Apprised Contributor

As Hussein pointed out, the TCPdump network packet capture will show more detail of what is going on.  So could a log that showed the seconds as well as the minutes and hour, so that you could see if these failures were every 5 or every 10 seconds, as opposed to random.  Also, the full log would show which AM server accepted the packet, and if a single agent was sending these or if some load balance agent was sending duplicate authentications.  If the same Passcode was sent more than once, you should see PassCode re-use.

To get a network packet capture....

SSH to the Virtual Appliance with the operating system account rsaadmin.

    sudo su -
    <same password again>        This makes you root

    cd /usr/sbin
    ./tcpdump -i eth0 -s 1514 -Z root port 5500 -w /tmp/auth.pcap

This writes output to a file in /tmp and filters on port 5500 which is authentication – modify to 389 for LDAP, etc…

    chmod 777 /tmp/auth.pcap

This grants full permissions to everyone, makes it easy to copy file off with WinSCP
0 Likes
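An added example, not part of either reply and not RSA code: one way to check a capture taken as described above for the duplicate requests Hussein lists and for the timing and sender questions Jay raises. It assumes the agent traffic is IPv4/UDP to port 5500 on an Ethernet capture and that a duplicated request is byte-identical; the function names and the sample packets are constructed for illustration.

```python
import hashlib
import struct
from collections import defaultdict

def udp_datagrams(pcap, port=5500):
    """Yield (time, src_ip, payload) for IPv4/UDP packets sent to `port`."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Skip anything that is not plain IPv4/UDP (VLAN tags, IPv6, TCP).
        if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        if len(udp) >= 8 and struct.unpack("!H", udp[2:4])[0] == port:
            ulen = struct.unpack("!H", udp[4:6])[0]
            yield sec + usec / 1e6, ".".join(map(str, frame[26:30])), udp[8:ulen]

def duplicate_requests(pcap):
    """Return (source_ips, count, gaps_in_seconds) per payload seen more than once."""
    seen = defaultdict(list)
    for ts, src, payload in udp_datagrams(pcap):
        seen[hashlib.sha256(payload).digest()].append((ts, src))
    report = []
    for hits in seen.values():
        if len(hits) > 1:
            times = [ts for ts, _ in hits]
            gaps = [round(b - a, 3) for a, b in zip(times, times[1:])]
            report.append((sorted({src for _, src in hits}), len(hits), gaps))
    return report

def sample_pcap():
    """Constructed capture: one request sent three times, one sent once,
    and one arriving from two sources 2 ms apart (all addresses are examples)."""
    rows = [(100, 0, "198.51.100.5", b"req-A"), (105, 0, "198.51.100.5", b"req-A"),
            (110, 0, "198.51.100.5", b"req-A"), (131, 0, "198.51.100.5", b"req-B"),
            (140, 0, "198.51.100.5", b"req-C"), (140, 2000, "198.51.100.6", b"req-C")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)
    for sec, usec, src, data in rows:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(data), 0, 0, 64, 17, 0,
                         bytes(map(int, src.split("."))), bytes([192, 0, 2, 10]))
        udp = struct.pack("!HHHH", 40000, 5500, 8 + len(data), 0) + data
        frame = bytes(12) + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out
```

On a real capture, pass the bytes of /tmp/auth.pcap to duplicate_requests instead of sample_pcap(). Evenly spaced gaps from one source, near-zero gaps, or the same payload from more than one source each point toward a different one of the causes listed in the replies, while an empty result leaves repeated entry by the user as the remaining candidate.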