SecurID Authentication Fails After First Try

[roadrunner]

SecurID Authentication Fails After First Try
SecurID authentication is set up, but after one successful authentication attempt, all future attempts fails. You might see the error message [LOG_ERR] ACEAGENT: The message entry does not exist for message ID: 100x when this occurs.

The ACE AGENT inside of VPN-1/FireWall1 embeds a hash of its IP Address in the authentication request packet before passing it to the ACE Server. The ACE Server will run a hash on the expected Source IP of the ACE AGENT and compare it to the received hash. The ACE Server uses the defined Primary Host Agent IP to derive this hash. If the two hashes do not match, the authentication request will be denied.

This method is problematic when an ACE AGENT is multihomed. The ACE AGENT may derive a hash from one of its other IP addresses. When this behavior occurs, it will be necessary to create a sdopts.rec file in the /var/ace directory. The sdopts.rec file will force the ACE AGENT to use a specific IP address to derive its hash.

To resolve the issue do the following:


create the sdopts.rec file in the /var/ace directory
Using VI, edit the sdopts.rec file and insert the line: CLIENT_IP=IP address of the ACE AGENT
restart FW-1 using cpstop;cpstart
Note it has been reported this will also correct issues using SecurID on Secure Platform.

-- PhoneBoy - 06 Feb 2004


FAQForm
FAQs.Class: AuthenticationFAQs, TroubleshootingFAQs
FAQs.OS: OsSecurePlatform
FAQs.Version: