Unable to use RSA for SDI Authentication Behind a NAT

This is one of those obscure errors that I’m sure most people won’t come across, but I encountered it recently and didn’t find much while searching for it, so hopefully this helps someone!

The gist of the error is: I couldn’t get an Authentication Agent to talk to the RSA Security server in order to authenticate. In this case the Authentication Agent was a Cisco ASA used for the AnyConnect VPN, which connected to the RSA Security Server using SDI. I could try to explain the setup with words, but a simple diagram will make it much easier:

Since the firewall was new, I at first thought there was an issue with the traffic, but that was all flowing fine, so there had to be something up with the configuration. From what I knew about how to set it up, you needed to do the following:

  1. On the ASA create the AAA server. If an SDI file exists already for the server, delete it
  2. Create the Authentication Agent in the RSA Security Server console. All this needs really is the IP. If the host was already there then clear the key
  3. Attempt an authentication, this will create the new SDI file
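The ASA side of steps 1 and 3 above, as an added configuration example (not from the original post). `RSA_SERVER_IP`, the `inside` interface name and the `ANYCONNECT-TG` tunnel group are placeholders; the `<server-ip>.sdi` file name for the node secret is an assumption, so confirm it with `dir` before deleting anything.

```text
! Added example, not the original post's configuration.
! Placeholders: RSA_SERVER_IP = the RSA Authentication Manager,
!               inside        = the ASA interface facing the RSA server.

! Step 1: remove a stale node secret for this server, if one exists.
! Assumption: the ASA stores it in flash as <server-ip>.sdi
dir disk0:/
delete disk0:/RSA_SERVER_IP.sdi

! Step 1 (cont.): define the SDI server group and the host entry.
! The RSA server sees this ASA arriving from whatever address the NAT
! presents, which is why the agent record on the RSA side needs both IPs.
aaa-server RSA-SDI protocol sdi
aaa-server RSA-SDI (inside) host RSA_SERVER_IP
 retry-interval 10
 timeout 10

! Bind the group to the AnyConnect tunnel group
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group RSA-SDI

! Step 3: the first successful authentication creates the node secret.
! A test login from the CLI triggers it without needing a VPN client.
test aaa-server authentication RSA-SDI host RSA_SERVER_IP username TEST_USER password TEST_PASSCODE
dir disk0:/
```

If the `test aaa-server` call fails after the agent record has been created with the correct primary and alternate IPs, re-check that no leftover `.sdi` file remained on the ASA and that the node secret was cleared on the RSA console, since a mismatched node secret on either side fails in the same way as the NAT problem described here.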

It should be as simple as that! However, something was going wrong. This, of course, was caused by the NAT. The RSA server needs to know both the actual IP of the Authentication Agent and the NAT’d IP it sees the traffic arriving from. When setting up the Authentication Agent in step 2 above, there is an option for an alternative IP, and this is where the second address goes. However, which IP you put where is very important! The actual IP of the Authentication Agent needs to be entered as the IP Address of the host, and the NAT IP needs to be added as an alternative IP. So in the example above, 192.168.3.10 would be the IP of the host, and 192.168.2.10 would be the alternative. Here’s what the settings should look like:
