Applies To:

Show Versions Show Versions

sol12164: Troubleshooting RSA SecurID authentication

Original Publication Date: 09/29/2010
Updated Date: 07/25/2016


If users experience system-wide issues authenticating against RSA SecurID, you can troubleshoot the issue in the following ways:

Confirming the AAA server definition

The Agent Host IP Address must match the IP address configured in the sdconf.rec file generated on the RSA server and loaded on the BIG-IP APM device. To view this setting from the Configuration utility, perform the following procedure:

  1. Log in to the Configuration utility.
  2. Expand Access Policy.
  3. Click AAA Servers.
  4. Click the name of your RSA SecurID server.

    The Agent Host IP address is shown in the Setting section.

Note: For more information about configuring the Agent Host IP address, refer to SOL12117: Overview of the Agent Host IP Address setting for Native RSA SecurID authentication.

Confirming the IP Address of the RSA SecurID server

To ensure that the IP address to which the BIG-IP APM system is sending the requests is the correct IP address for your RSA SecurID server, confirm that the sdconf.rec file that was generated on the RSA SecurID server is the same file that is found in the /config/aaa/ace/<RSA SecurID name> path.

To confirm that both the Agent Host IP address and the RSA SecurID IP address are correct, you can run a tcpdump session from the BIG-IP APM command line while attempting to authenticate. Many options are available regarding the specific syntax you can use for the tcpdump session. For example, the following tcpdump command will capture the traffic and write the traffic to a file named rsa1 in the /var/tmp directory of the BIG-IP APM system:

tcpdump -ni 0.0 -s0 host <ip address of RSA server> -w /var/tmp/rsa1

If no traffic is logged, the IP address to which the BIG-IP APM system is sending the authentication request is most likely incorrect. Also confirm that the source IP address matches the Agent Host IP address from which the RSA SecurID server expects to see traffic.

Ensuring that the network path is open between the BIG-IP APM system and RSA SecurID server

If you are seeing packets leaving the BIG-IP APM device in the tcpdump session (outlined in the Confirming the IP Address of the RSA SecurID server section), you need to confirm that the packets are reaching the RSA SecurID server. Ideally, you want to capture the traffic at the hop closest to the RSA SecurID server, or by using a network sniffer, if one is available.

Checking the time on systems

Make sure that the BIG-IP APM system and the RSA SecurID have close to the same time. Ideally they would use the same network time protocol (NTP) server, but that is not necessary as long as the time on both devices is the same. The NTP setting on the BIG-IP APM device is configured on the System > Configuration > Device > NTP page.

Viewing logs

The logs that are relevant to these troubleshooting steps are in the /var/log/apm file. A successful connection will log a message that appears similar to the following example:


Running the securidtest utility

From the BIG-IP APM command line, you can manually test a user account by using the following command syntax:

/usr/local/bin/securidtest -p "/config/aaa/ace/<RSA_SecurID_server_name" -s <source_IP_address> -u <userID> -w <password/token>

For example:

securidtest -p "/config/aaa/ace/myserver" -s -u medusasecurid -w 123456

The output may appear similar to the following example:

WARNING: cannot find securid node secret file under /config/aaa/ace/myrsa
Wait for the tokencode to change,
then enter the new tokencode:
Test done: total tests: 1, success=1, failure=0

In this example, the token code that was entered the first time was incorrect, but a successful connection was made after entering the new token code. This test can be helpful in establishing whether the RSA SecurID server and the BIG-IP APM device are communicating correctly, even if you do not have an active token code. If you get any response from the RSA SecurID server, you have confirmed that the network path is open and that the RSA SecurID server and BIG-IP APM system are able to exchange information.

Reviewing the RSA SecurID server

Most RSA SecurID servers provide some kind of log or monitoring facility that can show you authentication attempts. It may be helpful to either watch the log or monitor in real time as someone attempts to authenticate. If no logs are generated, the most likely indication is that the BIG-IP APM system and the RSA SecurID server are not talking to each other. If logs are generated, the logs should give you an idea of why the authentication is being rejected. The three things that closely inspect in the RSA SecurID configuration are the Agent Host IP address from which it is expecting traffic from, the clients that are allowed, and the assignment of tokens. For information about viewing those configurations, refer to your RSA SecurID vendor's documentation.

Generating and uploading the new sdconf.rec file

If changes have been made on the RSA SecurID server, it is important to generate and upload a new sdconf.rec file. For instructions, see the Setting up Access Policy Manager for RSA Native SecurID for authentication and authorization section of the BIG-IP APM Configuration Guide, and your RSA SecurID vendor's documentation.

Note: For information about how to locate F5 product guides, refer to SOL12453464: Finding product documentation on AskF5.

Supplemental Information

Was this resource helpful in solving your issue?

NOTE: Please do not provide personal information.

Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)