
In what case do "Agent IP" and "Client IP" become Authentication Manager's own IP address when authenticating with a RADIUS client?

Question asked by Ryota Nakaoka Employee on Nov 12, 2020
Latest reply on Nov 15, 2020 by Ryota Nakaoka

Question:
In what case do "Agent IP" and "Client IP" become Authentication Manager's own IP address when authenticating with a RADIUS client?

 

Background:
A customer recorded that "Agent IP" and "Client IP" were Authentication Manager's own IP address in the Authentication log.
The end user, when this occurred, did not have any error such as an authentication failure. So, the customer would like to know in what case this occurs.
The customer uses a RADIUS client, Cisco ASA, to authenticate with AM.

 

The log is that:

Log Level, Date and Time, Action ID, Activity Key, Description, Action Result Key, Result Key, Result, User ID, User First Name, User Last Name, User Security Domain, User Identity Source, Agent Type, Agent Name, Agent IP, Agent Security Domain, Authentication Method, Policy Expression, Argument 1, Argument 2, Argument 3, Argument 4, Argument 5, Argument 6, Argument 7, Argument 8, Token Serial Number, Argument 10, Instance Name, Client IPv4, Client IPv6, Server Node IP, More Arguments, Actor GUID, Session ID
ERROR2020/xx/xx 09:44:30.00013002Principal authenticationUser “xx07343” attempted to authenticate using authenticator “OnDemand”. The user belongs to security domain “SystemDomain”FailureAUTHN_METHOD_FAILEDAuthentication method failedxx07343xxxx@test.localxxSystemDomainInternal Database7am-pri.test.local192.168.11.11SystemDomainOnDemand AUTHN_LOGIN_EVENT63    22360c2a0b31bd855954a6f55a032ab5xxxx@test.local am-pri.test.local192.168.11.11 192.168.11.11 b2751e520b31bd8571c5b198f736a14cc1128e5e0b31bd8516fe58c2ecf55b47-lrGOTdQNoSLH
ERROR2020/xx/xx 11:27:29.00013002Principal authenticationUser “xx80026” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SystemDomain”FailureAUTHN_METHOD_FAILED_SYNTAX_ERRORAuthentication method failed, passcode format errorxx980026xx980026xxSystemDomainInternal Database7am-pri.test.local192.168.11.11SystemDomainSecurID_Native AUTHN_LOGIN_EVENT63       am-pri.test.local192.168.11.11 192.168.11.11 0f4c7f8c0b31bd851f676e7988876ccd8e73e07f0b31bd8567e69c18f8ec7902-Ne2STZNsnNdl
ERROR2020/xx/xx 13:50:51.00013002Principal authenticationUser “xx91536” attempted to authenticate using authenticator “SecurID_Native”. The user belongs to security domain “SystemDomain”FailureAUTHN_METHOD_FAILED_SYNTAX_ERRORAuthentication method failed, passcode format errorxx991536xx991536xxSystemDomainInternal Database7am-pri.test.local192.168.11.11SystemDomainSecurID_Native AUTHN_LOGIN_EVENT63       am-pri.test.local192.168.11.11 192.168.11.11 0efd5a390b31bd855792980523443b21e33da23c0b31bd856fc75f2bb1df97b4-+sKMcC8Fs9rk
ERROR2020/xx/xx 08:06:13.00013002Principal authenticationUser “xx07322” attempted to authenticate using authenticator “OnDemand”. The user belongs to security domain “SystemDomain”FailureAUTHN_METHOD_FAILEDAuthentication method failedxx07322xxxx@test.localxxxxSystemDomainInternal Database7am-pri.test.local192.168.11.11SystemDomainOnDemand AUTHN_LOGIN_EVENT63    9e65a5320b31bd853607a68f36c02375xxxx@test.local am-pri.test.local192.168.11.11 192.168.11.11 9de1b0b10b31bd8512c067105bf20672056e6f2e0b31bd85568b22899c6450ba-884RKO5K/JPX
ERROR2020/xx/xx 15:25:11.00013002Principal authenticationUser “xx04154” attempted to authenticate using authenticator “OnDemand”. The user belongs to security domain “SystemDomain”FailureAUTHN_METHOD_FAILEDAuthentication method failedxx04154xxxx@test.localxxxxSystemDomainInternal Database7am-pri.test.local192.168.11.11SystemDomainOnDemand AUTHN_LOGIN_EVENT63    928a7e610b31bd857f37aaf8cd3a1b88xxxx@test.local am-pri.test.local192.168.11.11 192.168.11.11 e163c8aa0b31bd857a16f80012521da64c43f8540b31bd857b2eeaf92c39b86a-GyDfHjKL7veO

 

 

 

 

Then, this was recorded in the RADIUS log at that time.

/opt/rsa/am/server/logs/RADIUS/YYYYMMDD.log
xx/xx/2020 15:25:11 Unable to find user xx04154 with matching password
xx/xx/2020 15:25:11 Sent reject response

 

I understand that this error occurs when a user mistypes the Passcode or when there is an invalid secret key on the RADIUS client, which is Cisco ASA in this case. But the user did not have any error. In addition, I think that "Agent IP" and "Client IP" do not become Authentication Manager's own IP even when those cases occur.

 

Ref:
000028896 - Troubleshooting RSA Authentication ... | RSA Link
https://community.rsa.com/docs/DOC-46250

 
