Configuring Netilla to work with Ace/Server authentication
Scope
This technote was written with reference to RSA Ace/Server V3.3 and NSP V4.01. It provides a workaround for a limitation found when trying to configure the Netilla Security Platform to have two realms talking to one RSA Ace/Server. During our testing we discovered a small limitation in functionality resulting from the way Securid Authentication is defined within a realm. All the information relating to RSA Ace/Server is held within the Realm definition, so when you try to define a second realm you are expected to re-enter the RSA Ace/Server configuration information, and there is no way to reference the information previously loaded.
As a result, the second realm definition doesn't have a "Node Secret". The Ace/Server and NSP will already have exchanged node secrets the first time the first Securid Realm definition successfully authenticated, so the second Realm will never talk to the Ace/Server, as it won't be able to establish the node secret.
Solution
The workaround to the problem is simple. Once the initial realm is configured and a user has successfully authenticated, configure the second realm and re-copy the sdconf.rec file from the Ace/Server. This file overwrites the original from the first realm. Next, without changing any of the settings in the original realm, edit the client/agent host configuration relating to the NSP box on the Ace/Server and uncheck the "Node Secret Sent" option. At this point authentication to the original NSP Realm will fail, because it will be using a Node Secret when the Ace/Server is not expecting one. Once a user has successfully logged on to the new NSP Securid Realm, the Ace/Server will re-pass the Node Secret, setting the second realm to "Node Secret Sent". Since the original realm had the Node Secret flag set, it will automatically start using the new node secret and both realms should now work.
NOTE: This will not work for later versions of RSA Ace/Server.
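
The sequence above can be followed as a small state model. This is an added example, not RSA or Netilla code. It assumes, from the description in this technote, that the NSP keeps one stored node secret shared by its realms plus a per-realm flag, and all class and function names are hypothetical.

```python
import secrets


class AceServer:
    """Simplified model of the Ace/Server record for one agent host."""

    def __init__(self):
        self.node_secret_sent = False  # the "Node Secret Sent" option
        self.secret = None

    def authenticate(self, presented):
        """Return (ok, new_secret); new_secret is set only on an exchange."""
        if not self.node_secret_sent:
            if presented is not None:
                return False, None  # agent uses a secret the server does not expect
            self.secret = secrets.token_hex(8)  # constructed stand-in value
            self.node_secret_sent = True
            return True, self.secret
        return presented == self.secret, None


class Nsp:
    """Assumed NSP side: one stored secret, one 'has node secret' flag per realm."""

    def __init__(self, server):
        self.server = server
        self.stored_secret = None
        self.realm_flag = {}

    def add_realm(self, name):
        self.realm_flag[name] = False  # a new realm starts without a node secret

    def login(self, realm):
        presented = self.stored_secret if self.realm_flag[realm] else None
        ok, new_secret = self.server.authenticate(presented)
        if ok and new_secret is not None:
            self.stored_secret = new_secret
            self.realm_flag[realm] = True
        return ok


def walkthrough():
    server = AceServer()
    nsp = Nsp(server)
    nsp.add_realm("realm1")
    results = [nsp.login("realm1")]       # first realm exchanges the node secret
    nsp.add_realm("realm2")
    results.append(nsp.login("realm2"))   # fails: second realm has no node secret
    server.node_secret_sent = False       # workaround: uncheck "Node Secret Sent"
    results.append(nsp.login("realm1"))   # fails: unexpected node secret
    results.append(nsp.login("realm2"))   # succeeds: server re-passes the secret
    results.append(nsp.login("realm1"))   # succeeds: flag set, new secret in use
    return results
```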