Identity and Policy Control
Reply
Visitor
L3204
Posts: 9
Registered: ‎09-17-2010
0

SBR will not communicate with RSA

[ Edited ]

I have a SBR that accepts auth requests from the juniper sa4500 ssl device and from there the sbr pushes the request to RSA for acceptance. In short the chain is: SSL>username and securid token> SBR> Passes session info> RSA> approves the request> SBR > Approves ip lease> SSL establishes session with IP. 

 

Recently we upgraded our RSA to service pack 2 and then the chain broke. The sbr continues to want 4 files: server.key, server.cer, sdconf.rec, and radius.cer. RSA prior to SP2 used all four of these and worked fine. Now with SP2 it only uses the sdconf.rec file. The sbr does not want to sign up with the RSA without the other files. The sbr doesn't send any traffic to the rsa device during any of the auth attempts.

 

Any ideas?

 

And yes I have tickets open with Juniper and RSA about this and both companies have no idea. So I am turning to the collective community in hopes you guys can pull this one out for me.

 

Thanks in Advance.

Juniper Employee
Rabbit
Posts: 33
Registered: ‎01-27-2010
0

Re: SBR will not communicate with RSA

Assuming that you have setup SBR as an Agent Host with the RSA server, you should only need to clear the "node secret created" box in the Agent Host properties and then grab a fresh copy of your sdconf.rec file.

 

In SBR, stop the service, delete the sdconf.rec and sdstatus.12 file from your \Windows\System32 directory and then place your new sdconf.rec file in there.

 

Start the service and then test an auth, I would expect SBR to begin forwarding the requests again and, the node secret should be created after this auth.

 

 

Regards,

Rich

Visitor
L3204
Posts: 9
Registered: ‎09-17-2010
0

Re: SBR will not communicate with RSA

I have tried that already. both systems are running on linux as well (doesnt matter).  Both are registered as agents with each other.

Visitor
L3204
Posts: 9
Registered: ‎09-17-2010
0

Re: SBR will not communicate with RSA

For anyone that is curious, or running into this, here is how I was able to resolve this. I give mad props to an RSA engineer and a SBR engineer on this one without them I would have been lost still.

 

Solution:

If you can get a hold of the Ace Test client from RSA/SBR, It can drop into the /var/ace directory on the SBR server if its stand alone. From there clear out  the sdconf.rec and the sdstatus.12 and the securid files in the install directory on the SBR. remove it as an agent from RSA. Remove as an agent from SBR. Readd as an agent on RSA and the same on SBR. instead of running through normal setup on sbr where you go through the interactive setup to add X files on the SBR just run a test on the SBR using the ACE test client. This will generate a sdconf.rec and securid file. Copy those to the sbr directory and bam You are good to go.

 

RSA removed 3 of the files i was looking for with their SP2 patch. That in turn kinda broke the SBR setup process. You can get around it with the ace test client to generate the files that you need.

 

Hope this helps anyone else that comes across a similar setup. From what i am told the ace client is internal to either SBR or RSA and you can only get it through them.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.