Hi,
I'm upgrading from 7.1 SP4 to 8.1 and then 8.2.
VPN clients use RADIUS from an ASA 5515 which uses a Cisco ACS to authenticate to AM using the SDI protocol. I am reusing the same IP address on the new AM8 server.
I understand that the Agent will be migrated and I shouldn't have to update the sdconf file since the IP isn't changing.
Will I have to delete the Node Secret from the ACS, and if so, will a new SDI file be created on first authentication?
Thank you
I searched RSA Link for this KB, but its Internal for some 'wrong' reason. It goes a long way to explaining some of the most frustrating situations with creating a node secret on a new Agent
Thank you Jay.
So under which circumstances would the Node Secret need to be deleted? Is it just when a the IP address on AM changes (and a new sdconf file is deployed), or it gets wiped out on one side or the other?
Adding a replica doesn't necessitate it since the SDI protocol handles this right?
Thanks again.
Not too often once it is created. If you re-install the Agent software, and not update, you would remove the node secret on the agent and you'd have to clear it on the authentication Agent host entry on the AM server.
But you would not need to clear if even if you changed the IP address on the AM server - though you might need to give the agent a new copy of the sdconf.rec file - or in Cisco ASA cases you would have to change the IP address of the destination AM server. But the Node secret would still be good. Same if you dump / backup the AM server database, and restore it to another AM server, if that new server had the same IP everything would work, but even if it had a different IP, you only have to download a new sdconf.rec file, you do not need to clear the node secret.
I think years ago the urban legend started that "I cleared the node secret and authentication started working" without any context.
Great information guys. Thank you.
If the node secret on the Cisco matches the node secret that was migrated, you won't need to do anything. If the migration somehow loses the node secret (shouldn't) or otherwise something changes, then you need to delete the sdi file on the Cisco and also clear the node secret on the RSA server agent host entry, and the next successful auth will set up a new node secret on both sides.
But based on your description, both the Cisco and the RSA server will have the same old node secret that was originally established, so you are likely to not need to do anything with node secrets.
No, because the migrated database will still have it for that Cisco ACS. The node secret is a symmetric key, so it have to be the same on both sides, and in this case it will be.
If you accidently delete the node secret on one side, you will have to clear it on the other side (server or agent) and then re-create it by successfully authenticating.