- Authentication from a specific agent is failing.
- On the agent side, Error 13002 may display for a Windows agent.
- In the authentication activity log, the result is Authentication method failed:
Description: User “<user ID>" attempted to authenticate using authenticator “SecurID_Native”.
The user belongs to security domain “<security domain>”
Result Key: Failure
Result Key: AUTHN_METHOD_FAILED
Result: Authentication method failed
This is a classic SecurID problem, compounded by RSA terminology that is less than intuitive. You have not yet successfully authenticated from this agent, which means the node secret - a
symmetric encryption key - used between the agent and the Authentication Manager server has not yet been created.
Before the node secret is created, the initial encryption algorithm uses the agent's IP address to complete the authentication request. The agent encrypts the authentication request with its' primary IP address, but with so many IP addresses assigned to ethernet and wireless interfaces this becomes a percentage thing. What you think is the agent's primary IP address might not be what the agent selects when running the RSA authentication agent software.
Customer Support seen many instances where a secondary IP address was used, either from a multihomed agent or from a second Network Interface Card (NIC), such as wireless or sometimes the management IP address for VPN type devices. The problem arises when the Authentication Manager server tries to decrypt the authentication request with what it believes is the pri
mary IP address for that agent, as defined in the agent host record in the Security Console under Access > Authentication Agents. It is this encryption and decryption with different IP addresses that causes every passcode to be incorrect.
The IP address override option forces the agent to encrypt with a specific IP address; thereby, not allowing the agent to choose its own primary IP for the initial RSA agent encryption.
As shown in the example below, the IP address entered for the IP Address Override on the agent in the RSA Control Center is 192.168.131.22 (at left). This matches the IP Address value for the authentication agent entry in the Security Console (at right).
Image description
Alternatively, create a text file named sdopts.rec that is saved on the agent to the same directory as the sdconf.rec file, with an entry like this:
CLIENT_IP=192.168.131.22
If authentications continue to fail,
- Get a list of all known IP addresses for the agent.
- Navigate to Access > Authentication Agents > Manage Existing.
- Enter an IP address from the list into the IP Address field (not the Alternate IP Address field) in the agent record and click Save.
- With the Authentication Activity Monitor open, test authentication from the agent. Repeat this process until authentication is successful.
Image description
The output below is from the/opt/rsa/am/server/logs/imsTrace.log where the Authentication Manager server log level is set to Verbose. The information comes from a user named John Doe (jdoe) using an agent that encrypted the authentication request using IP address 10.0.0.8, which does not match the IP in the agent record entry in the Security Console, so the method returned the error response shown in red:
2014-11-06 03:11:21,336, [AgentProtocolServer Core Thread #1], (MethodLoginHandler.java:80), trace.com.rsa.ims.authn.HandlerBase, DEBUG, server.domain.com,,,,Method returned response AuthenticationContextImpl[brokerState=in_progress,methodState=<null>,sessionCtx=<null>, methodAuthenticationState=failed,netAddress=/10.0.0.8,agent=<null>,zombieSession=false,authenticationState=<null>,requestHiddenParameters=<null>, principalId=<UserID>,usingTransientSession=true,desiredPolicyGuid=<null>,session=[SessionImpl id=21d8364be087a8c01ba5db0ecc58294b-NypsV/e4UfaC creationTime=1415243481202 principal=null],identitySourceGui2014-11-06 03:11:21,336, [AgentProtocolServer Core Thread #1], (MethodLoginHandler.java:80), trace.com.rsa.ims.authn.HandlerBase, DEBUG, server.domain.com,,,,Method returned response AuthenticationContextImpl[brokerState=in_progress,methodState=<null>,sessionCtx=<null>, methodAuthenticationState=failed,netAddress=/10.0.0.8,agend=<null>,principalGuid=<null>,authenticationPolicy=<null>,directRequest=true, sessionChoiceAction=0,newAuthInfo=<null>,emergencyAuthentication=false,responsePromptParameters=<null>,principal=Principal{key=cfd637f1649d658e1b971b145b355ef5, userID='jdoe', firstName='John', middleName='null', lastName='Doe', email='null', beginDate=null, inactiveDate=null, lastLogin= Wed Nov 05 18:36:02 UTC 2014, certDN='', description='null', password='*****', enabled=true, identitySource=000000000000000000001000d0011000, securityDomain=f635a137649d658e1c695fcc81207ce9, identitySourceKey='cfbb6e4b649d658e1b9716a998c953a4', rowVersion=294, lastUpdatedBy='admin', lastUpdatedOn=Thu Oct 30 19:24:45 UTC 2014, startDate=Fri Oct 17 16:22:00 UTC 2014, expirationDate=null, registrationFlag=true, impersonatableFlag=false, ] impersonatorFlag=false, failPasswordCount=0, failPasswordDate=null, changePasswordFlag=true, changePasswordDate=Fri Oct 17 16:23:32 UTC 2014, lockoutFlag=false, expireLockoutDate=null, attributes=null, authenticators=[ 0, 3 ], administrator=false, securityQuestionsAnswers=null, securityQuestionsRequiredAuthn=3, securityQuestionsRequiredReg=5, securityQuestionsLocaleLanguage=null, securityQuestionsLocaleCountry=null, securityQuestionsLocaleVariant=null, firstRBAuthenticationDate=null, lastUsedSecondaryAuth=-1},agentDetails=Agent [ID: 068e2d24649d658e1b0a1afe3147c7ba, name: <agent name>, address: 10.0.0.8, type: 7, security domain ID: f635a137649d658e1c695fcc81207ce9],userDetails=<null>,authnPolicyDetails=<null>,credentialValidation=false,message=<null>, transactionContext=<null>,step=<null>,sessionId=21d8364be087a8c01ba5db0ecc58294b-NypsV/e4UfaC,desiredAuthenticationMethodId=SecurID_Native, authenticator=com.rsa.ims.admin.Authenticator@1b3ea794,gradedAuthenticationRequest=false,emergencyAuthenticationRequest=false,responseHiddenParameters= [ObjectParameter[promptKey=SecurID_WpCodes,value=,masked=false,helpObject=<null>], ObjectParameter[promptKey=SecurID_AuthenticationMode,value=100, masked=false,helpObject=<null>]]]