Forum Discussion
SecurID Authentication Failing on APM 12.1.2
I am having issues with SecurID authentication on a POC APM deployment.
My first authentication attempt succeeds, but any attempt after that fails with the following error:
[root@AKOHDCPOCLTM01:Active:In Sync] config /usr/local/bin/securidtest -p "/config/aaa/ace/Common/rsaama01pakr.bfusa.com" -s 10...* -u username -w *********
ERROR: authentication with 'username' failed in doAuth:SD_Check(): authentication failed, code: 1, state: SECURID_AUTH_STATE_ACCESS_DENIED
Test done: total tests: 1, success=0, failure=1
Some fields changed for privacy
I can get a single authentication test to work by deleting the 'sdstatus.12' file. RSA is not able to tell me why that makes a difference.
Any thoughts on this?
1 Reply
- MvdG
Cirrus
Jacob,
What is the RSA Authentication Report (logs) telling you?
Do you have a Primary and Replica RSA server? When you delete the sdstatus.12 file, the BIG-IP is performing the first authentication to the Primary RSA server. Once authentication is successful, the node secret is exchanged and the sdstatus.12 file is updated, telling the BIG-IP there is a Replica in the network.
This RSA setup is active/active, meaning both RSA servers are accepting authentication requests. The difference is, the Replica has a read-only database.
Could it be there is a firewall between BIG-IP and RSA and the firewall is not configured to allow SecurID traffic to the Replica RSA server?
Regards, Martijn.
