Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server


I would be very appreciated if anyone can share their experience. Thanks in advance.


I am trying to configure the ACE SE 4.2 to authenticate using RSA SecurID Token Server.

Problems encountered:

Authentication failed. In the failed logged attempt the error "External Database not operational" was next to the login name.

In the auth.log, there was "External DB [SecurID.dll]: aceclnt.dll callback returned error [23]".


1. Please kindly advise how I should resolve this problem.

2. Also, is there any successful message once ACS get the sdconf.rec? Will the "Purge Node Secret" button be enabled?

Troubleshooting steps I have done:

Below is the steps I took to setup the external DB.

1. Verified sdconf.rec is not a garbage file using the Test authentication function in RSA client.

2. FTP sdconf.rec in the external database configuration. (Had used Wireshark and confirm file transfered successfully.)

2. Defined unknown user policy to check RSA SecurID Token Server to authenticate.


Thank you.


Re: Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

I have NO experience with ACS SE 4.2 and

RSA SecurID Token Server BUT I have

experiences with Cisco ACS 4.1 running on

Windows 2003 SP2 Enterprise Edition and

RSA SecurID Token Server.

All the troubleshoot you've done is correct.

In Windows 2003 running Cisco ACS, you can

install the test authentication RSA client

and that you can verify that the setup

is correct (by verifying that the sdconf.rec

is not corrupted).

One thing I can think of is that when you

setup the ACS SE box, under external

database, configure unknown user policy,

did you check it to tell how to define users

when they are not found in the ACS internal

database. Did you select RSA SecurID token


Other than that, from what I understand,

you've done everything correctly.

New Member

Re: Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server

Thank you for your reply.

And yes, I did checked to use RSA SecurID in unknown user policy.

In the ACS user guide (page12-56), it said that once sdconf.rec has been uploaded, then click to "Purge Node Secret". However, the button was never enabled.

Is there anything wrong with it or is it normal?

New Member

Re: Integration of Cisco ACS SE 4.2 and RSA SecurID Token Server


I don't know if it is working.

We had the same problem and we solved it.

The solution was to use the second nic interface and not thee first one (as adviced by the Cisco document).