node verification failed – SecurID fails after re-building a Cisco ASA
Ran into this little problem after rebuilding a Cisco ASA.
Got everything working except for RSA authentication.
DNS forward and reverse entries were in place (if you don't have a PTR record, the ACE server will not automatically resolve the FQDN), the agent host on the RSA Windows ACE server was set up and set to allow all local users to authenticate, and everything seemed correct.
You need one successful authentication for the shared key (the node secret) to be passed down to the ASA, so we tried to authenticate to the ASA with a token and it failed.
On the RSA Windows ACE server, open SecurID Helpdesk Administrator – Report – Log Monitor – Activity Monitor and set it to monitor the ASA.
A "node verification failed" message was displayed at each authentication attempt.
We figured that the shared key wasn’t getting to the ASA but couldn’t find any obvious place to find it.
Then we dug out this gem:
(This is taken directly from the Ciscowiki)
I read about the .sdi file on the flash of an ASA. So what happens is, on the first authentication, the RSA hands down an .sdi file to the ASA and this becomes the shared key between the two devices. Since the ASA had an existing key (.sdi file), the way to fix it was to simply delete the file(s).
ASA(config)# dir
Directory of disk0:/
6 drwx 8192 09:18:46 May 31 2008 crypto_archive
91 -rwx 14635008 03:08:24 Aug 12 2008 asa803-k8.bin
92 -rwx 6851212 03:10:56 Aug 12 2008 asdm-603.bin
2 drwx 8192 03:14:44 Aug 12 2008 log
93 -rwx 2153344 11:33:12 Aug 12 2008 anyconnect-win-2.2.0136-k9.pkg
99 -rwx 512 19:01:08 Aug 13 2008 10-100-1-20.sdi
ASA(config)# delete disk0:10-100-1-20.sdi
-Chop-
Removed the .sdi file, and on the first authentication everything worked as expected.
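To make the two checks in this post repeatable, here is an added helper (example code written for this page, not from the original post, Cisco or RSA). It verifies that the ASA's FQDN and address resolve both ways, which is what the ACE server needs before it will talk to the agent host, and it parses ASA `dir` output to find the node-secret file belonging to the configured RSA server and emits the matching `delete` command, so you never remove another server's .sdi file by accident. Assumptions: the .sdi file name is the RSA server address with dots replaced by dashes, as the listing above suggests; the host name and addresses used in the demo (asa.example.net, 10.100.1.50) are made up; and the resolver callbacks are injectable so the demo runs offline.

```python
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the `dir` listing from the post, reproduced so the
# parser can be exercised without an ASA at hand.
SAMPLE_DIR_OUTPUT = """\
Directory of disk0:/
6 drwx 8192 09:18:46 May 31 2008 crypto_archive
91 -rwx 14635008 03:08:24 Aug 12 2008 asa803-k8.bin
92 -rwx 6851212 03:10:56 Aug 12 2008 asdm-603.bin
2 drwx 8192 03:14:44 Aug 12 2008 log
93 -rwx 2153344 11:33:12 Aug 12 2008 anyconnect-win-2.2.0136-k9.pkg
99 -rwx 512 19:01:08 Aug 13 2008 10-100-1-20.sdi
"""

# One entry of ASA `dir` output: index, permissions, size, time, date, name.
DIR_LINE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<perms>[-drwx]+)\s+(?P<size>\d+)\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<date>[A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"
    r"(?P<name>\S+)\s*$"
)
# Assumption: node-secret files are named after the RSA server address with
# dots replaced by dashes (10-100-1-20.sdi in the listing above).
SDI_NAME = re.compile(r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.sdi$")


def parse_dir(output: str) -> List[Dict[str, str]]:
    """Return one dict per file/directory entry in ASA `dir` output."""
    return [m.groupdict() for m in map(DIR_LINE.match, output.splitlines()) if m]


def sdi_file_to_ip(name: str) -> Optional[str]:
    """Map '10-100-1-20.sdi' back to '10.100.1.20'; None if not a node-secret file."""
    m = SDI_NAME.match(name)
    if not m:
        return None
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def stale_node_secret_cmds(output: str, rsa_server_ip: str, flash: str = "disk0:") -> List[str]:
    """`delete` commands for the node-secret file(s) belonging to rsa_server_ip only."""
    cmds = []
    for entry in parse_dir(output):
        if "d" in entry["perms"]:
            continue  # directories never hold a node secret
        if sdi_file_to_ip(entry["name"]) == rsa_server_ip:
            cmds.append(f"delete {flash}{entry['name']}")
    return cmds


def _forward_lookup(fqdn: str) -> List[str]:
    """A-record lookup via the system resolver (used when no stub is injected)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def _reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver (used when no stub is injected)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_agent_dns(
    fqdn: str,
    ip: str,
    forward: Optional[Callable[[str], List[str]]] = None,
    reverse: Optional[Callable[[str], Optional[str]]] = None,
) -> Tuple[bool, str]:
    """Confirm the A and PTR records the ACE server needs for the agent host."""
    forward = forward or _forward_lookup
    reverse = reverse or _reverse_lookup
    addrs = forward(fqdn)
    if ip not in addrs:
        return False, f"A record for {fqdn} does not include {ip} (got {addrs or 'nothing'})"
    name = reverse(ip)
    if name is None:
        return False, f"no PTR record for {ip}; the ACE server will not resolve the agent host"
    if name.rstrip(".").lower() != fqdn.rstrip(".").lower():
        return False, f"PTR for {ip} is {name}, expected {fqdn}"
    return True, "forward and reverse DNS agree"


if __name__ == "__main__":
    # Demo with made-up names and stub resolvers so it runs offline.
    ok, msg = check_agent_dns("asa.example.net", "10.100.1.50",
                              forward=lambda h: ["10.100.1.50"],
                              reverse=lambda a: "asa.example.net")
    print(msg)
    for cmd in stale_node_secret_cmds(SAMPLE_DIR_OUTPUT, "10.100.1.20"):
        print("ASA(config)#", cmd)
```

Run the DNS check from a host that uses the same resolver as the RSA server, since a PTR that exists only on the ASA's side of a split DNS does not help. One caveat the post does not cover: if the ASA has no .sdi file at all and the server still logs node verification failed, the stale copy is on the RSA side; the agent host record there has to have its node secret cleared so that the next successful authentication sends a fresh one.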
Thanks anonymous Cisco-guy and THE Bundy!