Monday, July 27, 2009

RSA Server IP Address Change

A gotcha discovered while changing the IP address of an RSA Authentication server.

To change the address of the server, you need to use the rsautil command from the command line:

rsautil update-instance-node --old-host Current_IP_Address --new-host New_IP_Address --instance primary

where:
Current_IP_Address is the current IP address of the instance, for example, 192.168.1.1.
New_IP_Address is the new IP address of the instance, for example, 192.168.200.245.

That's all well and good and is in the administrative guide. Of course, you'll need to reconfigure any devices that are pointing to the IP address of the server as well, such as an authentication agent on your Aventail or ASA.

However, you may see failed authentications and start noticing this in your logs:
Node secret mismatch. Cleared on agent but not on server.

In order to fix this, you'll have to get CLI access to your Aventail or ASA and delete the node secret files from the device. On an Aventail, these will be ststatus.12 and securid (delete them from /var/ace, then restart the policy server with /etc/init.d/policyserver restart). On the ASA it will be 192-168-111-123.sdi. Then connect to your RSA Security Console and manage the existing authentication agents. You should then be able to select "Manage Node Secret" from the drop-down menu and clear the node secret. The secret will then be renegotiated on first use.
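As an added example (not from the original post), a POSIX shell helper for the Aventail step: it moves the node secret files into a timestamped backup directory instead of deleting them outright, so the old secret can be restored if the reset has to be rolled back, checks that nothing is left behind, and then restarts the policy server. The file names are the ones given above; the directory and restart command are assumptions exposed as overridable variables.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumptions: node secret files live in ACE_DIR (/var/ace on an Aventail)
# and RESTART_CMD restarts the policy server; both can be overridden.
ACE_DIR="${ACE_DIR:-/var/ace}"
NODE_SECRET_FILES="ststatus.12 securid"
RESTART_CMD="${RESTART_CMD:-/etc/init.d/policyserver restart}"

# Move each node secret file into a timestamped backup directory under $1.
# Prints the number of files moved; exit status 1 if none were present.
clear_node_secret() {
    dir="$1"
    backup="$dir/node-secret-backup.$(date +%Y%m%d%H%M%S)"
    moved=0
    for f in $NODE_SECRET_FILES; do
        if [ -f "$dir/$f" ]; then
            mkdir -p "$backup"
            mv "$dir/$f" "$backup/$f"
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
    [ "$moved" -gt 0 ]
}

# Exit status 0 only when no node secret file remains in $1, which is what
# forces the agent to renegotiate the secret on its next authentication.
node_secret_cleared() {
    dir="$1"
    for f in $NODE_SECRET_FILES; do
        [ -e "$dir/$f" ] && return 1
    done
    return 0
}

# Full procedure: back up and clear the files, verify, then restart.
reset_aventail_node_secret() {
    if ! clear_node_secret "$ACE_DIR" >/dev/null; then
        echo "no node secret files found in $ACE_DIR" >&2
        return 1
    fi
    node_secret_cleared "$ACE_DIR" || return 1
    $RESTART_CMD
}
```

The server-side step (clearing the node secret for the agent in the Security Console) still has to be done by hand after this runs.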

Cheers,
Sean

1 comment:

  1. Thank you! I have an ASA and the .sdi file to delete was in the root of the flash file system. Authentication worked perfectly after this file was deleted.
