Original Publication Date: 09/29/2010
Updated Date: 07/25/2016
If users experience system-wide issues authenticating against RSA SecurID, you can troubleshoot the issue in the following ways:
Confirming the AAA server definition
The Agent Host IP Address must match the IP address configured in the sdconf.rec file generated on the RSA server and loaded on the BIG-IP APM device. To view this setting from the Configuration utility, perform the following procedure:
The Agent Host IP address is shown in the Setting section.
Note: For more information about configuring the Agent Host IP address, refer to SOL12117: Overview of the Agent Host IP Address setting for Native RSA SecurID authentication.
Confirming the IP Address of the RSA SecurID server
To ensure that the IP address to which the BIG-IP APM system is sending the requests is the correct IP address for your RSA SecurID server, confirm that the sdconf.rec file that was generated on the RSA SecurID server is the same file that is found in the /config/aaa/ace/<RSA SecurID name> path.
To confirm that both the Agent Host IP address and the RSA SecurID IP address are correct, you can run a tcpdump session from the BIG-IP APM command line while attempting to authenticate. Many options are available regarding the specific syntax you can use for the tcpdump session. For example, the following tcpdump command will capture the traffic and write the traffic to a file named rsa1 in the /var/tmp directory of the BIG-IP APM system:
tcpdump -ni 0.0 -s0 host <ip address of RSA server> -w /var/tmp/rsa1
If no traffic is logged, the IP address to which the BIG-IP APM system is sending the authentication request is most likely incorrect. Also confirm that the source IP address matches the Agent Host IP address from which the RSA SecurID server expects to see traffic.
Ensuring that the network path is open between the BIG-IP APM system and RSA SecurID server
If you are seeing packets leaving the BIG-IP APM device in the tcpdump session (outlined in the Confirming the IP Address of the RSA SecurID server section), you need to confirm that the packets are reaching the RSA SecurID server. Ideally, you want to capture the traffic at the hop closest to the RSA SecurID server, or by using a network sniffer, if one is available.
Checking the time on systems
Make sure that the BIG-IP APM system and the RSA SecurID server have close to the same time. Ideally they would use the same network time protocol (NTP) server, but that is not necessary as long as the time on both devices is the same. The NTP setting on the BIG-IP APM device is configured on the System > Configuration > Device > NTP page.
The logs that are relevant to these troubleshooting steps are in the /var/log/apm file. A successful connection will log a message that appears similar to the following example:
Running the securidtest utility
From the BIG-IP APM command line, you can manually test a user account by using the following command syntax:
/usr/local/bin/securidtest -p "/config/aaa/ace/<RSA_SecurID_server_name>" -s <source_IP_address> -u <userID> -w <password/token>
securidtest -p "/config/aaa/ace/myserver" -s 172.30.8.138 -u medusasecurid -w 123456
The output may appear similar to the following example:
WARNING: cannot find securid node secret file under /config/aaa/ace/myrsa
Wait for the tokencode to change,
then enter the new tokencode:
Test done: total tests: 1, success=1, failure=0
In this example, the token code that was entered the first time was incorrect, but a successful connection was made after entering the new token code. This test can be helpful in establishing whether the RSA SecurID server and the BIG-IP APM device are communicating correctly, even if you do not have an active token code. If you get any response from the RSA SecurID server, you have confirmed that the network path is open and that the RSA SecurID server and BIG-IP APM system are able to exchange information.
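The following shell script is an added example, not F5's code or part of the original article. It turns four of the checks above into functions that can be run offline against saved input: comparing the sdconf.rec loaded under /config/aaa/ace/<RSA SecurID name> with the copy generated on the RSA server (Confirming the IP Address of the RSA SecurID server), checking that the packets in a tcpdump capture go to the RSA server and leave from the Agent Host IP (the tcpdump step), checking clock skew between the two systems (Checking the time on systems), and reading the summary line of securidtest output (Running the securidtest utility). The file paths, IP addresses, port 5500, and tcpdump lines in the comments and tests are constructed sample values, not taken from any real deployment.

```shell
#!/bin/sh
# Added example (not F5's code): offline checks that mirror the troubleshooting steps.
# Each function takes files, strings or stdin, so no BIG-IP or RSA server is needed.

# 1. Does the sdconf.rec on the BIG-IP match the one generated on the RSA server?
#    Returns 0 if the checksums match, 1 if they differ, 2 if either file is missing.
#    Usage: sdconf_matches /config/aaa/ace/<name>/sdconf.rec /var/tmp/sdconf.rec-from-rsa
sdconf_matches() {
    local_file=$1; reference_file=$2
    [ -f "$local_file" ] && [ -f "$reference_file" ] || return 2
    a=$(cksum < "$local_file" | awk '{print $1, $2}')
    b=$(cksum < "$reference_file" | awk '{print $1, $2}')
    [ "$a" = "$b" ]
}

# 2. Read text output of 'tcpdump -n' from stdin (for example: tcpdump -nr /var/tmp/rsa1)
#    and confirm that packets to the RSA server exist and leave from the Agent Host IP.
#    Prints a one-line verdict. Returns 0 = ok, 1 = no traffic to the RSA server,
#    2 = traffic seen but from a source other than the Agent Host IP. IPv4 only.
check_capture_source() {
    agent_ip=$1; rsa_ip=$2
    awk -v agent="$agent_ip" -v rsa="$rsa_ip" '
        # Constructed sample of a tcpdump -n line:
        # 12:00:01.000000 IP 172.30.8.138.50123 > 10.1.1.5.5500: UDP, length 100
        $2 == "IP" && $4 == ">" {
            split($3, s, "."); src = s[1] "." s[2] "." s[3] "." s[4]
            d = $5; sub(/:$/, "", d)
            split(d, t, "."); dst = t[1] "." t[2] "." t[3] "." t[4]
            if (dst == rsa) { total++; if (src != agent) bad++ }
        }
        END {
            if (total == 0) { print "no packets to RSA server " rsa; exit 1 }
            if (bad > 0) { print bad " of " total " packets to " rsa " left from a source other than Agent Host IP " agent; exit 2 }
            print total " packets to " rsa " from Agent Host IP " agent; exit 0
        }'
}

# 3. Clock check: two epoch-second values (e.g. 'date +%s' on each system) must be
#    within max_skew seconds of each other (default 60). Returns 0 if ok, 1 if not.
clock_skew_ok() {
    a=$1; b=$2; max=${3:-60}
    diff=$((a - b)); [ "$diff" -lt 0 ] && diff=$((0 - diff))
    [ "$diff" -le "$max" ]
}

# 4. Read securidtest output from stdin and return 0 only if the summary line
#    "Test done: total tests: N, success=X, failure=Y" reports at least one success.
securidtest_succeeded() {
    awk 'BEGIN { rc = 1 }
         /^Test done:/ && match($0, /success=[0-9]+/) {
             if (substr($0, RSTART + 8, RLENGTH - 8) + 0 > 0) rc = 0
         }
         END { exit rc }'
}
```

A typical workflow on the BIG-IP would be to write the capture with the tcpdump command shown earlier, then feed `tcpdump -nr /var/tmp/rsa1` into `check_capture_source <Agent Host IP> <RSA server IP>`: a return of 1 points at the wrong destination address (the sdconf.rec check above), while 2 points at the Agent Host IP setting described at the top of this article.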
Reviewing the RSA SecurID server
Most RSA SecurID servers provide some kind of log or monitoring facility that can show you authentication attempts. It may be helpful to watch the log or monitor in real time as someone attempts to authenticate. If no logs are generated, the most likely indication is that the BIG-IP APM system and the RSA SecurID server are not talking to each other. If logs are generated, they should give you an idea of why the authentication is being rejected. The three things to inspect closely in the RSA SecurID configuration are the Agent Host IP address from which it expects traffic, the clients that are allowed, and the assignment of tokens. For information about viewing those configurations, refer to your RSA SecurID vendor's documentation.
Generating and uploading the new sdconf.rec file
If changes have been made on the RSA SecurID server, it is important to generate and upload a new sdconf.rec file. For instructions, see the Setting up Access Policy Manager for RSA Native SecurID for authentication and authorization section of the BIG-IP APM Configuration Guide, and your RSA SecurID vendor's documentation.
Note: For information about how to locate F5 product guides, refer to SOL12453464: Finding product documentation on AskF5.