This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Cisco ASA authenticates to the RSA Authentication Manager 8.x primary but not to the replica

Article Number

000029226

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
 

Issue

The Authentication Manager instance's real time authentication activity monitor reports Activity Key "Node secret verification" where the reason is "Node secret mismatch: cleared on agent but not on server" when an authentication is sent to the Authentication Manager replica instance from Cisco ASA.  For example,

Image descriptionImage description

Cause

There is a known problem with regards to the node secret and the Cisco ASA when using native SecurID authentication to an RSA Authentication Manager deployment.

Resolution

Follow the steps below to resolve the issue:

From the Authentication Manager interface

  1. Clear the node secret from the agent host record of the Cisco ASA device in the Security Console (Access > Authentication Agents > Manage Existing).
  2. Click the context arrow next to the Authentication Agent's name and select Manage Node Secret.
  3. Check Clear the node secret and click Save.
 Image descriptionImage description
 

From the Cisco ASA

Clear any node secret file (n-n-n-n.SDI, where n-n-n-n is the IP address of the server) from the Cisco ASA flash drive (i. e., memory cache).  Refer to Cisco documentation on how to remove files from the flash drive.
 

Recreating the node secret and testing authentication

At this point, neither the Authentication Manager deployment nor the Cisco ASA have a node secret.  The next successful authentication will reset the node secret on both devices.
  1. From the Authentication Manager's primary instance, select Reporting > Real Time Activity Monitors > Authentication Activity Monitor.
  2. On the pop up window, click Start Monitor.
  3. From the Cisco ASA, perform at test authentication to the Authentication Manager's primary instance. This authentication will generate a new node secret to replace the one deleted above.
    • The Authentication Manager will store a copy of the node secret in the authentication agent's record in the Security Console and send another copy of the node secret to the Cisco ASA device to store.  
    • The Cisco ASA stores the node secret based on the IP address of the Authentication Manager instance. For example, if the Authentication Manager primary has an IP address of 192.168.100.100, the node secret file on the Cisco ASA would be named 192-168-100-100.SDI.
  4. Make a copy of the node secret SDI file on the Cisco ASA and name it with the IP address of the Authentication Manager replica instance.  
  • Note that the octet's of the IP address are divided with dashes, not full stops.  
  • If the Authentication Manager's replica IP address is 192.168.200.200, the filename in the Cisco ASA device for the replica node secret would be 192-168-200-200.SDI.
  1. As the Authentication Manager primary instance replicates its records to the replica, the node secrets on the Cisco ASA now match the Authentication Manager deployment.
  2. Now perform a test authentication to the replica to ensure it is working as expected before using in production.  Keep an eye on the Authentication Activity Monitor to confirm authentications are working properly to the replica.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 03:30 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.