Trying to configure SID700 as Azure 365 MFA OATH Token but the seed I received is encoded in Base64 and Azure requires token seeds to be encoded in Base32. Can you provide the seed with that encoding?
... View more
RSA Product Set: SecurID RSA Product/Service Type: Authentication Manager RSA Version/Condition: 8.x Platform (Other): AMIS
Users cannot open their invitation URLs sent by the Administrators through the Help Desk Admin Portal (HDAP) The error below appeared in the auth.log file under /opt/rsa/primekit/logs/amis/ 2023-01-26T09:01:52,778+0100,com.rsa.ucm.auth,DEBUG,handleAuthenticateResult: resultCode=5 2023-01-26T09:01:52,778+0100,com.rsa.ucm.auth,DEBUG,handleAuthenticateResult: Preparing new_pin_reqired response resultCode=5 2023-01-26T09:01:52,786+0100,com.rsa.ucm.auth,DEBUG,handleAuthenticateResult: Result = <?xml version="1.0" encoding="UTF-8" standalone="no"?> <authenticationResult> <PinConfiguration isAlphanumeric="true" maxPinLength="8" minPinLength="4" userSelectable="MustChoosePin"/> <authenticated>false</authenticated> <code>5</code> <failed>false</failed> <message>NEW_PIN_REQUIRED</message> </authenticationResult
There is a misconfigured policy in the AMIS-bind-accounts security domain
Need to update the policies applied to the AMIS-bind-accounts security domain Steps to follow:
Login to the Primary Security Console Navigate to Administration > Security Domain > Manage Existing Edit AMIS-bind-accounts Under Policies, set SecurID Token Policy to AMIS Token No PIN Expire Keep the other policies set to default Save the changes
... View more
RSA Product Set: SecurID RSA Product/Service Type: Authentication Manager RSA Version/Condition: 8.6
RADIUS clients configured in Steel Belted RADIUS (Authentication Manager 6.1 through Authentication Manager 8.5) had the option to select the Make/Model of Cisco PIX Firewall. When a RADIUS client is migrated, the Make/Model comes over with its original configuration.
Cisco PIX Firewall does not exist as an option in FreeRADIUS (Authentication Manager 8.6 and newer).
In the Steel Belted RADIUS vendor.ini file the entry for Cisco PIX firewall calls the radius.dct file which is the standard RADIUS dictionary file. To fix the issue, the administrator can change the Make/Model entry to - Standard Radius -.
... View more
RSA Product Set: SecurID RSA Product/Service Type: Authentication Manager RSA Version/Condition: 8.6, 8.7
Servers in this deployment of Authentication Manager started at very early versions of this platform (including but not limited to 8.1, 8.2). Servers upgrades were done by following the proper upgrade path from 8.4 to 8.5 to 8.6 but without running the RSA Authentication Manager 8.6 Pre-Upgrade Check Tool. Now there are messages stating cannot determine status of RADIUS server after upgrade to Authentication Manager 8.6 or 8.7. After upgrading to Authentication Manager 8.6 and 8.7:
From the Operations Console navigate to Deployment Configuration > RADIUS Server. See an error message that RADIUS Server not found . From the Security Console, navigate to RADIUS > RADIUS Clients > Manage Existing and see a message that RADIUS server cannot be managed .
The following errors display in the logs:
Oct 29, 2022 1:34:37 PM com.rsa.authmgr.admin.tools.action.OrderedRadiusMigrationAction migrationLogError SEVERE: Failed to Synchronize RADIUS Clients and Profiles with AM. com.rsa.authmgr.radius.exception.RadiusSystemException: Unable to read RADIUS object -Could not create SSL Socket
at com.rsa.authmgr.internal.radius.sbr.xui.impl.XUIAccessImpl.read(XUIAccessImpl.java:377) at com.rsa.authmgr.admin.tools.action.premigrate.AMMigrateSyncRadiusDataAction.execute(AMMigrateSyncRadiusDataAction.java:178) at com.rsa.authmgr.admin.tools.AMMigrateRadiusDataCLU.execute(AMMigrateRadiusDataCLU.java:211) at com.rsa.authmgr.admin.tools.AMMigrateRadiusDataCLU.main(AMMigrateRadiusDataCLU.java:973)
Caused by: java.lang.RuntimeException: Could not create SSL Socket
at com.rsa.authmgr.internal.radius.sbr.xui.ssl.XUISSLSocketFactory.initSSLSocket(XUISSLSocketFactory.java:102) at com.rsa.authmgr.internal.radius.sbr.xui.ssl.XUISSLSocketFactory.createSocket(XUISSLSocketFactory.java:65) at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706) at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324) at com.rsa.authmgr.internal.radius.sbr.xui.impl.XUIAccessImpl.read(XUIAccessImpl.java:350)
... 3 more
With Authentication Manager 8.5 and below, RSA used a product called Steel Belted RADIUS. From 8.6 and higher we now use FreeRADIUS. That change means that before upgrading to 8.6 you must run the RSA Authentication Manager 8.6 Pre-Upgrade Check Tool. This RSA RADIUS pre-migration script locates any RADIUS issues that need to be corrected before upgrading from RSA Authentication Manager 8.5 to RSA Authentication Manager 8.6. You must run this script before upgrading to RSA Authentication Manager 8.6.
Check the Operations Console under Maintenance > Update and Rollback. Look at the Applied Updates table. While Engineering has not determined root cause, Support has found that when upgrading from much older versions of Authentication Manager through to 8.5, 8.6 and finally to 8.7, that there are database artifacts that effect the working of the upgraded system. If your system started at a much earlier version of Authentication Manager, see the Workaround section below.
RADIUS troubleshooting tips
SSH to your Authentication Manager 8.5 primary and navigate to /opt/rsa/am/radius. Look for a file named mmddyyyy.log, where the file name is the date you saw the error (e. g., 20221029.log). Starting from the bottom and scrolling up, look at the file for any error messages. Make sure that port 7072/TCP is open bi-directionally between the primary and the replica. In the Security Console, click RADIUS > RADIUS Servers. Click Initiate Replication. Manually rebuild RADIUS:
SSH to the primary server with the rsaadmin account. Manually configure RADIUS with command /opt/rsa/am/config/config.sh RadiusOCConfig.configure. You will be prompted to enter the rsaadmin password to complete this task. Stop and start RSA Authentication Manager services
login as: rsaadmin
Using keyboard-interactive authentication.
Last login: Thu Nov 10 16:01:46 2022 from 192.168.2.102
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am8p:~> cd /opt/rsa/am/config
rsaadmin@am8p:/opt/rsa/am/config> ./config.sh RadiusOCConfig.configure
rsaadmin@am8p:/opt/rsa/am/config> cd ../server
rsaadmin@am8p:/opt/rsa/am/server> ./rsaserv restart all
A customer reported that the following solution resolved the issue:
Copy /opt/rsa/am/utils/etc/radius_migration.properties from the primary to the replica server. Restart Authentication Manager services.
If you are upgrading from a much earlier version of Authentication Manager, you may run into an issue with database artifacts that can cause RADIUS or other components to no longer be manageable. Consider the following process that gives you new servers that can cleanly be upgraded to Authentication Manager 8.6 and then 8.7:
From the Operations Console, take a backup of the current Authentication Manager primary server (Maintenance > Backup and Restore > Backup Now). Copy the backup to a different server for storage. Create a new replica with Authentication Manager 8.5. For continuity, create the replica with the old primary's IP address and hostname (do this on a different subnet). This would mean any RSA Authentications Agent machines would not need new sdconf.rec files. Promote this server to be the new primary. Bring this online as the primary and import your backup. Install all new replicas running 8.5. Attach new replicas to new primary. Delete old primary and old replicas. Run the RSA Authentication Manager 8.6 Pre-Upgrade Check Tool. Before continuing, resolve any issues that are listed in the report. Upgrade to Authentication Manager 8.6 then 8.7. Install new web tiers, if using.
... View more
We have been using the RSA authentication agent for some time on our network and logins have always been quick, taking only a second or so to complete. However, we recently changed our antivirus to Vipre Endpoint Security (former vendor was Sophos). Now the RSA portion of the login process takes up to 30 seconds or even longer.
I have already excluded the C:\Program Files\RSA directory structure from Vipre along with C:\ProgramData\RSA however logins still take upwards of 30 seconds.
I contacted Vipre and they told me to ask RSA what processes are involved in the authentication process so I can add them as exceptions to the Vipre scan engine.
As a proof of concept I have excluded the entire C:\Windows directory in the Vipre profile and logins are instantaneous again. Of course, I don't want to permanently exclude the entire Windows directory.
Does anyone know what binaries are touched / called during the login process?
... View more