This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Using an IP address override to fix an initial authentication failures with RSA Authentication Manager when the error Authentication Method Failed displays

Article Number

000029015

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 7.1, 8.x

Issue

  • Authentication from a specific agent is failing.  
  • On the agent side, Error 13002 may display for a Windows agent.  
  • ​In the authentication activity log, the result is Authentication method failed:
Description: User “<user ID>" attempted to authenticate using authenticator “SecurID_Native”.  
             The user belongs to security domain “<security domain>”
Result Key: Failure
Result Key: AUTHN_METHOD_FAILED
Result:     Authentication method failed

Cause

This is a classic SecurID problem, compounded by RSA terminology that is less than intuitive.  You have not yet successfully authenticated from this agent, which means the node secret  - a symmetric encryption key - used between the agent and the Authentication Manager server has not yet been created.

Before the node secret is created, the initial encryption algorithm uses the agent's IP address to complete the authentication request.  The agent encrypts the authentication request with its' primary IP address, but with so many IP addresses assigned to ethernet and wireless interfaces this becomes a percentage thing.  What you think is the agent's primary IP address might not be what the agent selects when running the RSA authentication agent software.

Customer Support seen many instances where a secondary IP address was used, either from a multihomed agent or from a second Network Interface Card (NIC), such as wireless or sometimes the management IP address for VPN type devices.  The problem arises when the Authentication Manager server tries to decrypt the authentication request with what it believes is the primary IP address for that agent, as defined in the agent host record in the Security Console  under Access > Authentication Agents.  It is this encryption and decryption with different IP addresses that causes every passcode to be incorrect.

The IP address override option forces the agent to encrypt with a specific IP address; thereby, not allowing the agent to choose its own primary IP for the initial RSA agent encryption.

Resolution

As shown in the example below, the IP address entered for the IP Address Override on the agent in the RSA Control Center is 192.168.131.22 (at left).  This matches the IP Address value for the authentication agent entry in the Security Console (at right).
 
​​Image descriptionImage description

Alternatively, create a text file named sdopts.rec that is saved on the agent to the same directory as the sdconf.rec file, with an entry like this: 
CLIENT_IP=192.168.131.22

Workaround

If authentications continue to fail,
  1. Get a list of all known IP addresses for the agent. 
  2. Navigate to Access > Authentication Agents > Manage Existing.
  3. Enter an IP address from the list into the IP Address field (not the Alternate IP Address field) in the agent record and click Save. 
  4. With the Authentication Activity Monitor open, test authentication from the agent.  Repeat this process until authentication is successful.
Image descriptionImage description 

Notes

The output below is from the/opt/rsa/am/server/logs/imsTrace.log where the Authentication Manager server log level is set to Verbose.  The information comes from a user named John Doe (jdoe) using an agent that encrypted the authentication request using IP address 10.0.0.8, which does not match the IP in the agent record entry in the Security Console, so the method returned the error response shown in red:
 
2014-11-06 03:11:21,336, [AgentProtocolServer Core Thread #1], (MethodLoginHandler.java:80), trace.com.rsa.ims.authn.HandlerBase,  DEBUG, server.domain.com,,,,Method returned response AuthenticationContextImpl[brokerState=in_progress,methodState=<null>,sessionCtx=<null>, methodAuthenticationState=failed,netAddress=/10.0.0.8,agent=<null>,zombieSession=false,authenticationState=<null>,requestHiddenParameters=<null>, principalId=<UserID>,usingTransientSession=true,desiredPolicyGuid=<null>,session=[SessionImpl id=21d8364be087a8c01ba5db0ecc58294b-NypsV/e4UfaC  creationTime=1415243481202 principal=null],identitySourceGui2014-11-06 03:11:21,336, [AgentProtocolServer Core Thread #1], (MethodLoginHandler.java:80), trace.com.rsa.ims.authn.HandlerBase, DEBUG, server.domain.com,,,,Method returned response AuthenticationContextImpl[brokerState=in_progress,methodState=<null>,sessionCtx=<null>, methodAuthenticationState=failed,netAddress=/10.0.0.8,agend=<null>,principalGuid=<null>,authenticationPolicy=<null>,directRequest=true, sessionChoiceAction=0,newAuthInfo=<null>,emergencyAuthentication=false,responsePromptParameters=<null>,principal=Principal{key=cfd637f1649d658e1b971b145b355ef5,  userID='jdoe', firstName='John', middleName='null', lastName='Doe', email='null', beginDate=null, inactiveDate=null, lastLogin= Wed Nov 05 18:36:02 UTC 2014, certDN='', description='null', password='*****', enabled=true, identitySource=000000000000000000001000d0011000,  securityDomain=f635a137649d658e1c695fcc81207ce9, identitySourceKey='cfbb6e4b649d658e1b9716a998c953a4', rowVersion=294, lastUpdatedBy='admin',  lastUpdatedOn=Thu Oct 30 19:24:45 UTC 2014, startDate=Fri Oct 17 16:22:00 UTC 2014, expirationDate=null, registrationFlag=true, impersonatableFlag=false, ] impersonatorFlag=false, failPasswordCount=0, failPasswordDate=null, changePasswordFlag=true, changePasswordDate=Fri Oct 17 16:23:32 UTC 2014, lockoutFlag=false,  expireLockoutDate=null, attributes=null, authenticators=[ 0, 3 ], administrator=false, securityQuestionsAnswers=null, securityQuestionsRequiredAuthn=3,  securityQuestionsRequiredReg=5, securityQuestionsLocaleLanguage=null, securityQuestionsLocaleCountry=null, securityQuestionsLocaleVariant=null,  firstRBAuthenticationDate=null, lastUsedSecondaryAuth=-1},agentDetails=Agent [ID: 068e2d24649d658e1b0a1afe3147c7ba, name: <agent name>, address: 10.0.0.8,  type: 7, security domain ID: f635a137649d658e1c695fcc81207ce9],userDetails=<null>,authnPolicyDetails=<null>,credentialValidation=false,message=<null>, transactionContext=<null>,step=<null>,sessionId=21d8364be087a8c01ba5db0ecc58294b-NypsV/e4UfaC,desiredAuthenticationMethodId=SecurID_Native, authenticator=com.rsa.ims.admin.Authenticator@1b3ea794,gradedAuthenticationRequest=false,emergencyAuthenticationRequest=false,responseHiddenParameters= [ObjectParameter[promptKey=SecurID_WpCodes,value=,masked=false,helpObject=<null>], ObjectParameter[promptKey=SecurID_AuthenticationMode,value=100, masked=false,helpObject=<null>]]]
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 08:25 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.