000024591 - RADIUS Authentication - A Handy Troubleshooting Guide

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000024591
Applies ToRSA ACE/Server
RSA Authentication Manager
Microsoft Windows
UNIX (AIX, HP-UX, Solaris)
IssueRADIUS Authentication - A Handy Troubleshooting Guide
How to configure RSA ACE/Server to accept RADIUS Authentication Requests
Error: "Access Denied, Agent Host not Found"
Error: "Access Denied, Syntax Error"
Error: "Access Denied, PASSCODE Incorrect"
ResolutionFirst, verify the RADIUS is enabled and which port number it is running on in the ACE/Server configuration.
- On Windows ACE/Servers, navigate to Start Menu --> Programs --> RSA ACE Server --> Configuration Tools --> Configuration Management. Once this dialog comes up, make sure the RADIUS Enabled checkbox is checked. If it is not, click the "Edit" button to select it. To the right of that, check which Port the RADIUS Service is set to (this will normally be 1812 or 1645). Then, confirm this same number is defined for RADIUS in C:\%Windows System Root%\System32\drivers\etc\services.
- On UNIX ACE/Servers, run the ACEPROG/sdinfo command. Look for the "RADIUS:" line - this should say "enabled'. If it does not, run 'ACE_PROG/sdsetup -config'. Go through all of the prompts until you get to "Do you want to enable RADIUS?'; make sure to select 'y' at this point. Also, set the port for RADIUS (1645 is the default). Confirm this is the same number defined in /etc/services for RADIUS. Then, follow through the rest of the prompts.
Once this is done, make sure to start/restart the RADIUS Daemon. On Windows, open up Windows Services and start/restart the "RSA ACE/Server Radius Daemon". On UNIX, cd to the ACE_PROG directory and run './sdradius stop' followed by './sdradius start'.
Next, confirm that your ACE/Server is listening on the correct port. On Windows, run "netstat -an | find "1645" - you should see something like the following:
    UDP                     *:*
NOTE: Change 1645 to whichever port you wish to run RADIUS on
On UNIX, run "netstat -an | grep 1645". You should see the following:
    *.1645                       IDLE
NOTE: Again, change 1645 to whichever port you wish to use
If this does not work, then verify that the RADIUS service is running, and verify that the correct port number is defined in your services file (see above).
Now that we have confirmed that the RADIUS service is up and running, we are now ready to test RADIUS authentication. Open up the RSA ACE/Server Database Administration Program, and go to Report --> Log Monitor --> Activity Monitor to get a real-time look at the logs. Then, attempt to authenticate from your RADIUS client device. If everything is set up correctly, you should see a "Passcode Accepted" message. If you receive an error message, check below for possible solutions:

"Access Denied,  Agent Host Found"
Verify that the Primary ACE/Server, all Replicas, and the RADIUS device are all defined in the ACE/Server as Agent Hosts. If any of them are not, add them through the Database Administration Program --> Agent Host --> Add Agent Host.

"Access Denied, Node Verification Failure"
The Node Secret on either the Primary or one of the Replicas is out of sync. Right above this error message, there should be a reference to one of your ACE/Servers - you will need to reset the node secret on that ACE/Server, then you will have to restart the Radius Daemon to reread the node secret (from the control panel in Windows, or with these commands in UNIX:
sdradius stop
sdradius start

"Access Denied, Syntax Error" or "Access Denied, Passcode Incorrect"
This indicates a discrepancy with the RADIUS Shared Secret. Open up the RSA ACE/Server Database Administration and navigate to Agent Host --> Edit Agent Host. Next, open up the entry for the RADIUS Client you are trying to authenticate to. Click on the "Assign/Change Encryption Key". Verify that this matches exactly the "Shared Secret" in the configuration on your RADIUS Client. You may want to test with a simple Shared Secret, such as "1234", just to see if this is the issue, as some RADIUS Devices do not support special characters. NOTE: You may also receive "Access Denied, Passcode Incorrect" if either your Primary ACE/Server or any Replicas have more than one Network Interface. If this is the case, you will need to set the Client IP Override option on that server.
Legacy Article IDa23977