Issue authenticating with RSA

desrochj1
Level 1

Hello,

I did a new setup with an ASA 5510 doing VPNs (remote IPsec).

It works well if I authenticate with a local user or NT domain (Active Directory).

It doesn't work when I switch to RSA (SDI protocol).

I did the built-in test feature and got an "ERROR Authentication Rejected : unspecified".

I am able to ping and traceroute my RSA server from that ASA.

I did check the logs from the RSA server and it seems that no authentication is done from this ASA.

The server is currently working and is authenticating to other ASAs.

Server port is standard (5500), timeout 10 and retries 3.

When trying to authenticate, the real-time log viewer shows:

3 Jul 08 2011 14:35:39 713167     Group = ********, Username = **********, IP = ****.****.****.****, Remote peer has failed user authentication -  check configured username and password

6 Jul 08 2011 14:35:39 113013     AAA unable to complete the request Error : reason = No error : user = **********

Got an idea?

5 Replies

Jennifer Halim
Cisco Employee

Please kindly run "debug sdi 255" and "debug aaa authentication" when testing it with the built-in test feature.

That will give us more information to investigate further. Thanks.

Here's the debug:

mynewasa# In sdi_ioctl

sdi mkreq: 0x1c

sip_lookup: sip with id 28 not found

alloc_sip 0x********

    new request 0x1c --> 0 (0x********)

New SIP state: SDI_NEW (loc 1358)

add_req 0x******** session 0x1c id 10

init_ace_server: handle 4214******, server_id 193, server_addr *.*.*.*, sess_id 28

New SIP state: SDI_WAIT_INIT_RESP (loc 999)

In sdi_callback: handle 4214******, error code 1, sdi_status 0, sess_id 28, state: 1

New SIP state: SDI_WAIT_LOCK_RESP (loc 1012)

turnaround_time - idx: 0, time: 1

In sdi_callback: handle 4214******, error code 1, sdi_status 0, sess_id 28, state: 2

New SIP state: SDI_WAIT_SVR_RESP (loc 1040)

turnaround_time - idx: 0, time: 20

In sdi_callback: handle 4214******, error code 1, sdi_status 1, sess_id 28, state: 5

New SIP state: SDI_DELETE (loc 1077)

remove_req 0x******** session 0x1c id 10

free_sip 0x********

sdi: send queue empty

Strange, you might want to open a TAC case to further investigate the issue.

The debug seems to look pretty normal to me.

Hi, I'm having the same issue. How did you solve it? Thanks!

Hello,

Assume this configuration:

aaa-server RSA_SDI protocol sdi
 reactivation-mode depletion deadtime 10
aaa-server RSA_SDI (inside) host <IP of rsa server>
 retry-interval 3

tunnel-group External_Users type remote-access
tunnel-group External_Users general-attributes
 address-pool External_VPN_Pool
 authentication-server-group RSA_SDI
 default-group-policy GroupPolicy_External_Users

tunnel-group External_Users webvpn-attributes
 proxy-auth sdi
 group-alias External_Users enable

and in the RSA Security Console, under Access ---> Authentication Agent ---> Add New,

you have added a new unrestricted agent.

If you are getting the error messages mentioned above, check in the RSA Security Console under

Reporting --> Real-time Activity Monitors ---> Authentication Activity Monitor

and click on Start Monitor.

If you see in the window:

Activity Key: Principal authentication

Description:  User “Username” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “Domain Name”

Reason: Principal locked out

go to Identity ---> Users ---> Manage Existing, search for your user and in the Edit menu change Locked Status (uncheck "Account is locked by lockout policy").
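To make the triage in this thread repeatable, here is an added example (not from the original post or from Cisco/RSA) that parses ASA log lines of the 713167/113013 form quoted above together with an RSA Authentication Activity Monitor entry of the "Description: / Reason:" form from the last reply, and reports per user whether the RSA side recorded a reason (such as "Principal locked out") or saw no activity at all. The log and monitor text, usernames, addresses and security domain are constructed sample input; the monitor text uses straight quotes where the console shows curly ones, and the regex accepts both.

```python
import re

# Constructed sample input, modelled on the ASA real-time log viewer lines and the
# RSA Authentication Activity Monitor entry quoted in this thread. Users, IPs and
# the security domain are made up; nothing here is a real log.
ASA_LOG = """\
3 Jul 08 2011 14:35:39 713167 Group = External_Users, Username = jdoe, IP = 203.0.113.10, Remote peer has failed user authentication -  check configured username and password
6 Jul 08 2011 14:35:39 113013 AAA unable to complete the request Error : reason = No error : user = jdoe
3 Jul 08 2011 14:36:02 713167 Group = External_Users, Username = jdoe, IP = 203.0.113.10, Remote peer has failed user authentication -  check configured username and password
3 Jul 08 2011 14:40:11 713167 Group = External_Users, Username = asmith, IP = 198.51.100.7, Remote peer has failed user authentication -  check configured username and password
"""
RSA_MONITOR = """\
Activity Key: Principal authentication
Description: User "jdoe" attempted to authenticate using authenticator "SecurID_Native". The user belongs to security domain "CORP"
Reason: Principal locked out
"""

# "<severity> <Mon dd yyyy hh:mm:ss> <6-digit message id> <body>"
ASA_RE = re.compile(r"^\d \w{3} \d\d \d{4} \d\d:\d\d:\d\d (?P<msgid>\d{6}) (?P<body>.*)$")
# 713167 carries "Username = x," while 113013 carries "user = x"
ASA_USER_RE = re.compile(r"Username = (?P<user>[^,]+)|user = (?P<user2>\S+)")
RSA_RE = re.compile(r'Description: User [“"](?P<user>[^”"]+)[”"].*?\nReason: (?P<reason>[^\n]+)', re.S)

def asa_failures(log):
    """Count 713167 (remote peer failed user authentication) messages per username."""
    counts = {}
    for line in log.splitlines():
        m = ASA_RE.match(line)
        if not m or m.group("msgid") != "713167":
            continue
        u = ASA_USER_RE.search(m.group("body"))
        if u:
            user = u.group("user") or u.group("user2")
            counts[user] = counts.get(user, 0) + 1
    return counts

def rsa_reasons(monitor):
    """Map username -> Reason line from the RSA activity monitor text (last one wins)."""
    return {m.group("user"): m.group("reason").strip() for m in RSA_RE.finditer(monitor)}

def triage(log, monitor):
    """For each user failing on the ASA, state what the RSA side recorded, if anything."""
    reasons = rsa_reasons(monitor)
    out = {}
    for user, n in asa_failures(log).items():
        if user in reasons:
            out[user] = f"{n} ASA failure(s); RSA reason: {reasons[user]}"
        else:  # ASA rejects but RSA never saw it: verify the agent entry, as the thread suggests
            out[user] = f"{n} ASA failure(s); no RSA activity recorded (check the agent entry on the RSA server)"
    return out
```

A user with ASA failures and an RSA reason of "Principal locked out" is the unlock case from the last reply; a user with failures and no RSA entry matches the original poster's symptom, where the request never reaches the RSA server.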