000037309 - RADIUS client is unable to authenticate against replica instance in the RSA Authentication Manager 8.x

Document created by RSA Customer Support Employee on Apr 10, 2019

Article Content

Article Number: 000037309
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 or later
Issue: Users experience authentication failures against a replica instance, with the following error in the RADIUS debug log:
 
Missing or invalid product setting for client xxxx
 

The RADIUS debug log on the replica shows the following messages:


03/27/2019 21:08:00 -----------------------------------------------------------
03/27/2019 21:08:00 ../radauthd.c radAuthHandleRequest() 3057 Entering
03/27/2019 21:08:00 Looking up shared secret
03/27/2019 21:08:00 Looking for RAS client x x x x in DB
03/27/2019 21:08:00 Matched x.x.x.x to RAS client <RAS client name>
03/27/2019 21:08:00 Parsing request
03/27/2019 21:08:00 Initializing cache entry
03/27/2019 21:08:00 Doing inventory check on request
03/27/2019 21:08:00 Getting info on requesting client
03/27/2019 21:08:00 NAS-IP-Address in request: xxx.xxx.xxx.xxx
03/27/2019 21:08:00 Missing or invalid product setting for client FQDN.DOMAIN
03/27/2019 21:08:00 -----------------------------------------------------------
03/27/2019 21:08:00 Authentication Request
03/27/2019 21:08:00 Received From: ip=xxx.xxx.xxx.xxx port=xxxx
03/27/2019 21:08:00 Packet : Code = 0x1 ID = 0x63
03/27/2019 21:08:00 Client Name = FQDN.DOMAIN Dictionary Name = dictiona.dcm
03/27/2019 21:08:00 Vector =
03/27/2019 21:08:00 0000:  0d47dc0a 8fdcf096 4ede391e f9ff7a2a |.G......N.9....Z*|
03/27/2019 21:08:00 Parsed Packet =
03/27/2019 21:08:00 User-Name : String value =<user name>
03/27/2019 21:08:00 User-Password : Value =<password>
03/27/2019 21:08:00 000: 93b1fb06 17880af6 29d5e701 770eec09 |........)...w...|
03/27/2019 21:08:00 NAS-IP Address : IP-Address = <IP address>
03/27/2019 21:08:00 NAS-Port : Integer Value = 13
03/27/2019 21:08:00 NAS-Port-Type : Integer-Value = 5
03/27/2019 21:08:00 Cisco-AVPAIR : String value - coa-push=true
03/27/2019 21:08:00 -----------------------------------------------------------
03/27/2019 21:08:00 Client entry missing or invalid. Rejecting
03/27/2019 21:08:00 ----------------------------------------------------------- 
03/27/2019 21:08:00 Authentication response (reject)
03/27/2019 21:08:00 Packet : Code = 0x3 ID = 0x63
03/27/2019 21:08:00 Vector =
03/27/2019 21:08:00 000: bcc17cd4 87917d99 f9a2b4c8 c23fd5f8 |..|...}......?.|
03/27/2019 21:08:00 -----------------------------------------------------------  
03/27/2019 21:08:00 -----------------------------------------------------------  
03/27/2019 21:08:00 Authentication response (reject)
03/27/2019 21:08:00 Sent to: ip=x.x.x.x port=xxx
03/27/2019 21:08:00
03/27/2019 21:08:00 Raw Packet :
03/27/2019 21:08:00 000: 03630014 bcc17cd4 87917d99 f9a2b4c8 |.c....|...}.....|
03/27/2019 21:08:00 010: c23fd5f8
03/27/2019 21:08:00
03/27/2019 21:08:00 -----------------------------------------------------------   
03/27/2019 21:08:00 Packet containing 20 bytes successfully sejnt
03/27/2019 21:08:00 Sent reject response
03/27/2019 21:08:00 ../radauthd.c radAuthHandleRequest () 3082 Exiting



While the RADIUS debug log on the primary shows:

03/27/2019 21:09:15 Doing inventory check on request
03/27/2019 21:09:15 Getting info on requesting client
03/27/2019 21:09:15 NAS-IP-Address in request: xxx.xxx.xxx.xxx
03/27/2019 21:09:15 -----------------------------------------------------------
03/27/2019 21:09:15 Authentication Request
03/27/2019 21:09:15 Received From: ip=xxx.xxx.xxx.xxx port=xxxx
03/27/2019 21:09:15 Packet : Code = 0x1 ID = 0xea
03/27/2019 21:09:15 Client Name = FQDN.DOMAIN Dictionary Name = xxxxxxxx.dct
03/27/2019 21:09:15 Vector =


Note: xxxxxxxx.dct is a vendor-specific RADIUS dictionary file that has been added to the primary RADIUS server. The replica log above shows only the default dictiona.dcm for the same client.

Cause: Vendor-specific RADIUS dictionary files are not replicated between the primary and replica RADIUS servers.
Resolution: Copy the vendor-specific .dct file along with the vendor.ini and dictiona.dcm files from the primary to the replica(s) and restart the RADIUS service on the replica servers. The default location for these files is /opt/rsa/am/radius.
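
To confirm that a replica holds the same dictionary files as the primary, the following added example (not RSA-supplied code) compares the files named in the resolution. It assumes the primary's /opt/rsa/am/radius directory has been copied to a staging directory on the replica; the function name dict_drift and the staging path are hypothetical.

```shell
#!/bin/sh
# Added example: report RADIUS dictionary files that are missing or different
# on a replica compared with a copy of the primary's files.
# Assumption: the primary's directory (default /opt/rsa/am/radius per the
# article) has been copied to a staging directory readable on this host.

# dict_drift PRIMARY_COPY_DIR REPLICA_DIR
# Prints one line per problem file.
# Returns 0 if in sync, 1 if drift is found, 2 on usage error.
dict_drift() {
    primary_dir=$1
    replica_dir=$2
    drift=0

    if [ ! -d "$primary_dir" ] || [ ! -d "$replica_dir" ]; then
        echo "usage: dict_drift PRIMARY_COPY_DIR REPLICA_DIR" >&2
        return 2
    fi

    # Files the article says must be copied: every vendor .dct file,
    # plus vendor.ini and dictiona.dcm.
    for src in "$primary_dir"/*.dct \
               "$primary_dir"/vendor.ini \
               "$primary_dir"/dictiona.dcm; do
        [ -f "$src" ] || continue   # unmatched glob or file absent on primary
        name=${src##*/}
        dst=$replica_dir/$name
        if [ ! -f "$dst" ]; then
            echo "MISSING  $name"
            drift=1
        elif ! cmp -s "$src" "$dst"; then
            echo "DIFFERS  $name"
            drift=1
        fi
    done
    return "$drift"
}

# Example call (staging path is hypothetical):
#   dict_drift /tmp/primary-radius /opt/rsa/am/radius
```

An empty result with exit status 0 means the replica matches the primary for these files; any MISSING or DIFFERS line identifies a file to copy before restarting the RADIUS service on that replica.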
