This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Silent discard of authentication requests in RSA Authentication Manager 8.0 and 8.1; Authentication fails without log entry

Article Number

000011986

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.0.x, 8.1.0
 

Issue

With RADIUS authentication requests, the Real Time Authentication Monitor may show no entry for several reasons, so check the RADIUS Client statistics to look for rejects in Authentication Manager 7.1, 8.0 and 8.1.

Authentication requests are silently discarded, or dropped, with nothing displayed in the Real Time Authentication Monitor or Authentication Activity Report.

Running tcpdump, Wireshark or sniffer network packet capture shows authentication requests set from the agent on 5500 UDP,  but there are no replies coming back out of the Authentication Manager server. 

See article 000016395 - Using tcpdump to troubleshoot authentication issues with RSA Authentication Manager 8.x  for instructions using the tcp dump command.

Following the steps in the article, run the command ./tcpdump -i eth0 -s 1514 -Z root  port 5500.  

In addition, proof of a silent discards will be seen in the /opt/rsa/am/server/logs/imsTrace.log   

If logging is set to verbose, (see 000018205 - How to turn on/off verbose offline authentication logging), the source IP address of the unknown agent will be listed as an error.  For example,
 

2014-03-07 09:55:21,121, [[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'], (AgentAccessSQL.java:130), 
trace.com.rsa.authmgr.internal.admin.common.dal.sql.DataObjectAccessSql, 
ERROR, PACEC81.credito.bcp.com.pe,,,,Unable to lookup class 
com.rsa.authmgr.internal.admin.agentmgt.dal.Agentwith ip address: 192.168.1.5

Cause

A silent discard is a dropped authentication request without a corresponding entry in the Real Time Authentication Monitor or Authentication Activity Report. 

In Authentication Manager 8.0 and the base version of 8.1, auth requests from unknown authentication agents were silently discarded.  

Silent discards can also occur when the Authentication Manager 8.x server does a reverse name lookup (for example, nslookup <IP_address>) of the agent's IP address and a name that is different from the configured agent name (including no name) is returned from DNS or /etc/hosts.  This should be fixed in Authentication Manager 8.0 patch 8.
 

Resolution

If no authentication agent exists, one can be created in the Security Console (Access > Authentication Agents > Add New).

If the agent exists but you still get silent discards, verify that:
  1. The IP address is correct.
  2. The agent is not disabled
  3. The gent name is spelled correctly.  Compare with reverse DNS lookup of the IP address.  If nslookup <IP_address> returns a name different then what is listed for the agent, either fix name resolution or change the name in the Security Console.
  4. You may need to delete and re-create the agent.
  5. If this is a RADIUS client, you may need to regenerate the node secret for the RADIUS server entry, or the RADIUS client's associated agent.  RADIUS silent discards can be seen in RADIUS client statistics.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 08:08 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.