We have many users that connect to the company network over VPN. They will logon to their laptop using RSA Securid Agent and then connect to company VPN sometime later.
They notice that sometimes when connected via VPN their Offline Days get updated and sometimes the update doesn't happen. Is there some documentation that explains how the download of Offline Days occurs in these circumstances. What are the things that could cause it to work some days and not on other days ?
Thanks to you and Jay for your helpful responses.
Our Users are able to force a download of offline days by doing a screen lock/unlock with Passcode as you suggest. As such this is not a critical issue - however some of the Users are very technical and are querying why the Offline download doesn't work every time and want to understand the process a bit better.
So to that end, a few follow-up questions for you:
1. To confirm, the proof ticket gets generated whenever you authenticate (offline or online) and is valid for 24 hours. (so this is effectively confirming that the User has successfully authenticated on that Agent within the last 24 hours.)
2. If User logs off and back on within 24 hours does a new proof ticket get generated or does that only happen if there is no valid one in place ?
3. Is there anyway our technical Users can check if there is a valid proof ticket in place on their laptop ?
4. I was previously told (I think) that the proof ticket is dependent on IP address. So if a User disconnects from the network and then reconnects later, but gets allocated a different IP address would their proof ticket still be valid (assuming still within 24 hours) ?
Finally, when you mention AAWin 7.4.2.122 is that the version available for download or has there been a hotfix since then ?
Thanks,
Adrian
1) yes
2) a proof is generated every time a passcode is used successfully. if one already exists it gets removed and the newest one added
3) not really anything to see...but you can enable agent tracing and the two DAservice*.logs will show events surrounding proof tickets. search for string 'proof'
4) proofs are for the [userid and token serial number], and unrelated to IP address
I believe there are 2 proofs, one for downloading offline days, which you might see in the dasvc logs, called p4r or proof for redeeming (or something like that) and another called poa for Proof of authentication which was used to upload offline authentication logs. So the p4r was an online auth proof while a poa was an offline proof, I think. But later versions of the agent, I believe around 7.3.3[114] but certainly later allowed a proof from on offline auth to be used for a download of offline days once online - in case your VPN connection did not require a PassCode, so you could use your poa to download fresh offline days.
Also, about midnight GMT, the start of a new offline day, if your PC was still online you could redeem the same 24 hour proof to top off your offline days, with one more day.
The AAWIN-2384 bug was a problem with not deleting the expired proof from the proof table when a new one was generated, which was fixed in Agent version 7.3.3[103], but we still saw invalid proofs in the logs because of second bug, AAWIN-2421 wasn't ultimately fixed until 7.3.3[114]. So what I'm saying is you want the latest build to be sure to get all these squirrelly fixes.
As Ed pointed out, the two big things are TCP port 5580 needs to be open through the VPN and you want the latest build of the agent, version 7.4.2.122 or higher, but version 7.3.3[123] (available since last June 8th) and higher was pretty good too. There have been at least 2 dozen different problems with offline days over the past couple years, one of the worst might have been AAWIN-2421 - Windows Agent v. 7.3.3[103] sees invalid proof every 1-2 seconds in Authentication Activity real time monitor and reports.
When there are thousands of Windows agents in a deployment, this can make it difficult to see other problems, and on a VM with standard 100G drive can cause the database to get crowded which could fill a disk if you do not manage your archive files well.
As far as troubleshooting if you have not updated to the latest agent version, when your users notice that offline days are not recharging after they have connected through a VPN, they could try doing something to trigger an offline download, in this order;
1. In the RSA Control Center, do a Test Authentication with their token and UserID.
2. Lock and unlock the Screen with a Passcode (not quick PIN or Password unlock).
3. In RSA Control Center, try refresh offline days.
4. If RSA Control Center refresh offline days does not work, try clearing offline days.
5. If after clearing offline days you notice they still do not refresh, try steps 1 or 2 again
6. If you still have agent offline day download problems, you should update to the latest Agent version. It does not make sense to gather agent logs if you are not running AAWin version 7.4.2.122 or later, it would not be a productive use of your time
Whenever a token is used on a system, online or offline, a 24 hour proof ticket is generated, and if the system does go online eventually (VPN for example) and can reach an RSA server on port 5580/tcp, it submits the proof of authentication and that will or should trigger offline day download. If the proof expires, then no download. There are a few internal components working to make this happen correctly. The best bet is use the latest windows agent (which today Dec 19 2018 is 7.4.2.122) and also be running the latest version of RSA Authentication Manager server. If you enable trace logging in RSA Control Center the log files with DA in the name are all about what is happening on port 5580 which would cover windows password integration and offline day processing.
-basics to check
time and date on the windows machine is accurate
time and date on the RSA Auth Manager server is accurate
if software token, the time and date on the device running the token is accurate
port 5580/tcp is allowed to RSA server
-Auth Manager server is at least 8.3.0.x [not required but improvements to offline processing are continually updated]
-Agent build is 7.4.2.122 or higher [not required but improvements to offline processing are continually updated]