You might experience configuration issues when setting up SecurID between Unified Access Gateway (version 2111 and later) and RSA Authentication Manager. You can use various procedures for diagnosing and fixing these configuration issues.

Starting with Unified Access Gateway version 2111, support for RSA SecurID Authentication with RSA Authentication Manager (AM) Server uses the latest REST API. Earlier Unified Access Gateway versions used a configuration method based on an sdconf.rec file.

Common Issues

Firewall Block or Routing Issues

To communicate with the user's RSA AM Server, Unified Access Gateway uses the RSA SecurID client, which connects on TCP port 5555. If a firewall between the two blocks this TCP port, or the RSA AM Server is not reachable, SecurID authentication fails. For more information, see KB 88002.

RSA API on RSA Authentication Manager is not enabled

By default, the Enable Authentication API setting is not enabled in the RSA SecurID Authentication API section of RSA AM Server. For more information, see KB 88003.

RSA AM Certificate issues with UAG 2111 and later

When configuring RSA SecurID on Unified Access Gateway, the SSL certificate on the RSA AM Server might not be trusted if it is a self-signed certificate or a certificate not issued by a trusted Certificate Authority. In such scenarios, it is necessary to obtain the public certificate or issuer certificate from the RSA AM Server and upload it to Unified Access Gateway to establish this trust. For more information, see KB 88004.
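
The firewall/routing issue and the certificate trust issue described above can be told apart with a two-step probe. The following Python script is an added example (not VMware or RSA code): it tests TCP reachability on port 5555 and then a verified TLS handshake, optionally against a PEM file holding the RSA AM public or issuer certificate. The function name `diagnose`, its return labels and the `cafile` parameter are assumptions made for this example.

```python
import socket
import ssl
import sys

RSA_AM_PORT = 5555  # TCP port named on this page


def diagnose(host, port=RSA_AM_PORT, cafile=None, timeout=5.0):
    """Classify the first failure seen when connecting to an RSA AM server.

    Returns 'tcp_unreachable', 'tls_untrusted', 'tls_handshake_failed'
    or 'tls_ok'. cafile is an optional PEM file with the RSA AM public
    or issuer certificate; when given, only that file is trusted,
    otherwise the system trust store is used.
    """
    # Step 1: plain TCP connect. A failure here points at a firewall
    # block or a routing problem rather than at certificates.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp_unreachable"

    # Step 2: TLS handshake with verification left on, so an untrusted
    # self-signed or private-CA certificate is reported, not ignored.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls_ok"
    except ssl.SSLCertVerificationError:
        # Chain or hostname check failed: the certificate is not trusted.
        return "tls_untrusted"
    except (ssl.SSLError, OSError):
        # Handshake timed out, was reset, or the peer is not speaking TLS.
        return "tls_handshake_failed"
    finally:
        sock.close()


if __name__ == "__main__":
    # Usage: script.py <rsa-am-host> [ca-or-server-cert.pem]
    target = sys.argv[1]
    pem = sys.argv[2] if len(sys.argv) > 2 else None
    print(target, RSA_AM_PORT, diagnose(target, cafile=pem))
```

Run it from a host that shares the network path Unified Access Gateway uses to reach the RSA AM Server, since a result from elsewhere says nothing about firewalls on that path. A `tls_untrusted` result without a PEM file that becomes `tls_ok` when the exported certificate is supplied indicates that uploading that certificate is the missing step.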

FAIL reason-code: VERIFY_ERROR logged in UAG authbroker.log

When Unified Access Gateway performs an RSA SecurID authentication attempt against RSA AM Server with the credentials entered by the user, the outcome is logged in the /opt/vmware/gateway/logs/authbroker.log file included with the logs .zip set.

To grant access for the user, Unified Access Gateway must receive a CREDENTIAL_VERIFIED response from RSA AM. However, there are several scenarios in which the response code returned is VERIFY_ERROR. For more information, see KB 88005.