Jump to content


Netscaler upgrade to 10.5 RSA RADIS authentication fails

Started by Joseph Daly , 26 January 2016 - 02:57 PM
2 replies to this topic

Joseph Daly Members

Joseph Daly
  • 33 posts

Posted 26 January 2016 - 02:57 PM

I have two netscalers running in an HA pair. Initially they were both running 9.3 (I know so old, doing a lot of cleanup here) I upgraded the passive node to 10.5. This morning I failed the 10.5 node over to become primary and began testing. When attempting to log into the access gateway using my username password and RSA key I was getting an invalid credentials error message.


I took a look in our RSA console and saw that there was an error being logged each time I attempted to log on "Authenticationmethod failed passcode format error". This message typically refers to an incorrect shared secret for the RSA client and server however I confirmed that the same shared secret was present. I did this by looking at the running config of both the active and passive nodes they both had the same encrypted RADKEY listed.


I also confirmed in the RSA console that the netscalers SNIP was listed and can see the error originating from the SNIP of the netscaler.


I have since failed back over to the netscaler running on version 9.3 until I can figure out why RSA is not passing the correct PIN.


From my understanding since these two were in a HA pair that the primary node and secondary node were in SYNC prior to the upgrade. This would mean that the RSA server and shared secret should be the same on each of the netscalers. This is what I don't understand is that failing back to the 9.3 version allows RSA auth to succeed and proceed to the published app screen.


Any help is appreciated.

Citrix Administrators Members

Citrix Administrators
  • 45 posts

Posted 20 April 2017 - 11:51 PM

Did you ever find a solution?  I have existing NS that works correctly with my RSA Authenticator.  I then built a newer NS and it's failing with the exact symptom you have.  I had hoped there was an answer here after Google brought me to this page.  Can't believe no one suggested a resolution after a little over a year.  Meanwhile, I'm going to continue figuring this out.  If I find a solution, I'll be sure to post it here for the benefit of others that may land here as well.

Citrix Administrators Members

Citrix Administrators
  • 45 posts

Posted 21 April 2017 - 07:48 PM

OK, it was a mismatched shared secret key.  That should be obvious but the issue was that it worked in a test environment then when moved to production and updated IP address, it was now using a different RSA Agent that was expecting the old shared secret key.  After re-entering shared secret key on both NS and RSA, and clicking on the test button, it all came out fine. Beware of human errors.