SecurID^® Discussions

CharuParmar · ‎2018-07-18

Steps followed :

When I access a OAM protected resource , it displays a login page .

I enter the same username tested above .

Entered the tokencode - I get the above mentioned error .

I even tried with PIN followed by tokencode - I get the below mentioned error .

Error seen -

"Principal authentication

User “ABC” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SystemDomain”
Authentication method failed"

I have tested the hardware token to be working fine , on the ssc console .( had to resynchronize the token from the self service console ).

( I have tried "test" from the self-service console,

I entered username and PIN followed by tokencode. I got the below success message .

"Your test authentication is successful." )

Please suggest what do I need to check to resolve this issue.

EdwardDavis · ‎2018-07-18

What is OAM specifically ? Oracle ?

Anyway, in general, at any generic agent that does securid auth, it does the first auth using an encryption scheme at the agent with any IP it may have in it's stack to the RSA server, and the RSA server decrypts with the IP address you set up on the Security Console for that agent. If these are not the same, then auth method failed will be the result until you fix the IP mismatch. The thing is, if the agent has more than IP, you don't know if it has picked the right one....so you can override this and specify what to use.

The easy way to do this is create a plain text file on the agent, called sdopts.rec, and in that file have one line in it:

CLIENT_IP=a.b.c.d

where a.b.c.d would represent the actual IP address you think the agent should be using [and the IP that is configured on the RSA server for that agent]. When an sdopts.rec file exists, all agents will look inside it for instructions and if it has CLIENT_IP the agent will forget what IP it was trying to use, and use the IP in that file. Place the sdconf.rec file in the 'working directory' for the agent (the same directory that has the sdconf.rec file).

CharuParmar · ‎2018-07-19

Tried creating sdopts.rec with the agent's IP , placed in the same dir as sdconf.rec

CLIENT_IP=a.b.c.d

Still same error on the authentication Monitor .

Just to add that , on the authentication monitor , the Agent and the Client IPv4 match and are correct . ( means the hostname and IP match with what is entered in the Authentication Agents )

( Tried the time match between the agent and the RSA server , that also is fine ) .

please suggest further , what else can be checked. Thanks .

_EricaChalfin · ‎2018-07-19

Charu Parmar‌,

At this point I'd recommend contacting customer support and opening a case in order to resolve the issues you are facing with getting successful authentications.

Regards,

Erica

CharuParmar · ‎2018-08-09

Issue is resolved. It came out as IP address issue only. On a different linux box which has only one IP it worked.

Few check points that can be followed :-

Check the "OAM linux box IP address" that is coming on the authentication monitor . It should be the same in the OAM linux box /etc/hosts and from /sbin/ifconfig )

JayGuillette · ‎2018-08-09

Here's an explanation of why.

https://community.rsa.com/docs/DOC-79828

SecurID® Discussions

Seeing "Authentication method failed"

Agents

SecurID^® Discussions