000013439 - RADIUS authentication does not work after IP address change on Primary server

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000013439
Applies To: Authentication Manager 7.1
Microsoft Windows 2003 Server
Microsoft Windows 2008 Server
Issue: RADIUS authentication does not work after IP address change on Primary server
Radius sdconf.rec location
sdconf.rec

RADIUS will not authenticate users


"Unable to connect to RSA RADIUS Server to load Replication data or modify IP or Replication settings"
"Failed to initialize communications for SecurID authentication (result = 23)"
"read access to URI '/radiusClients/' denied due to failed logon attempt"
"write access to URI '/CCM/publish/' denied due to failed logon attempt"
"Warning -- Authentication request received from unknown RAS Client"
Cause

If only the documented procedure for changing the IP address of a Primary 7.1 Authentication Manager server is followed, RADIUS will most likely stop authenticating users.


Steel-Belted RADIUS communicates with the 7.1 server through an embedded 6.1 Authentication Agent. That 6.1 Agent is installed as part of the 7.1 installation; it is not a separate customer installation. The 6.1 Agent reads the sdconf.rec and sdstatus.12 files in the system32 directory to find the IP address of the Primary. The documented procedure for changing the IP address of the Primary omits the step of generating a new sdconf.rec and placing it in the system32 directory, so the agent keeps using the old address and the RADIUS server cannot communicate with the Primary.


Until the sdconf.rec is updated, authentication via RADIUS fails. A test with NTRadping receives no response from the RADIUS server, and attempting to edit the RADIUS server or the RADIUS agent in the Security Console produces the error "Unable to connect to RSA RADIUS Server to load Replication data or modify IP or Replication settings".


Note: The log messages quoted above come from the <date>.log file (for example, 20090731.log) in the following directory (default installation locations):


Windows: C:\Program Files\RSA Security\RSA Authentication Manager\radius\service


Unix and Appliance V3: /usr/local/RSASecurity/RSAAuthenticationManager/radius

Resolution

Resolving this issue is relatively simple.


1. Open the Security Console.


2. Under Access->Authentication Agents, click on Generate Configuration File.


3. Click "Generate Config File" and then "Download Now". Download the file to the Desktop (or another desired location) and unzip it to a temporary directory.


4. Stop the RADIUS service. Use the Operations Console to start or stop RADIUS servers; for instructions, see the Operations Console Help topic "View RADIUS Servers".


5. Copy the sdconf.rec and sdstatus.12 files from the system32 directory to a backup folder. Then replace the old sdconf.rec with the newly generated one and delete the sdstatus.12 file so the agent rebuilds it from the new configuration.


*On Windows 2008 64-bit, the directory RADIUS uses for these files is C:\Windows\SysWOW64, not C:\Windows\System32. The RADIUS server is a 32-bit process, and WOW64 file-system redirection sends its System32 accesses to SysWOW64, so a new sdconf.rec placed only in System32 is never seen by the service.


6. Restart the RADIUS service.
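The following PowerShell script is an added example and is not part of the RSA article. It carries out steps 4 to 6 above on a Windows host, picks SysWOW64 or System32 as described in the note on 64-bit systems, and first compares every sdconf.rec copy on the box against the freshly generated file so a stale copy (see Notes below) is visible before anything is replaced. The Windows service name of the RADIUS server ('RSA RADIUS Server'), the install root and the sample download path are assumptions; the article itself directs you to stop and start RADIUS from the Operations Console.

```powershell
<#
 Added example, not from the RSA article: automates steps 4-6 on Windows and
 reports every sdconf.rec copy that differs from the newly generated file.
 Run from an elevated PowerShell prompt, e.g. (path is hypothetical):
   .\Update-RadiusSdconf.ps1 -NewSdconf C:\Users\admin\Desktop\AM_Config\sdconf.rec
 Assumptions not stated in the article: the RADIUS Windows service name and
 the default install root below.
#>
param(
    [Parameter(Mandatory = $true)]
    [string] $NewSdconf,                                # sdconf.rec unzipped from "Download Now"
    [string] $ServiceName = 'RSA RADIUS Server',        # assumed; confirm with Get-Service
    [string] $AmRoot      = 'C:\Program Files\RSA Security\RSA Authentication Manager',
    [string] $BackupDir   = (Join-Path $env:TEMP ('sdconf-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss')))
)

# The RADIUS server is a 32-bit process. On 64-bit Windows, WOW64 file-system
# redirection sends its System32 accesses to SysWOW64, so that is where the
# agent files actually live (the article's note for Windows 2008 x64).
$agentDir = if (Test-Path (Join-Path $env:windir 'SysWOW64')) {
    Join-Path $env:windir 'SysWOW64'
} else {
    Join-Path $env:windir 'System32'
}

function Get-Md5Hex ([string] $Path) {
    # Works on PowerShell 2.0 (Windows 2008), which has no Get-FileHash.
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($md5.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

if (-not (Test-Path $NewSdconf)) { throw "Generated sdconf.rec not found: $NewSdconf" }
$newHash = Get-Md5Hex $NewSdconf

# Every place an sdconf.rec can sit on this host. Any copy that differs from
# the freshly generated file still carries the pre-change Primary address.
$copies = @(
    (Join-Path $env:windir 'System32\sdconf.rec'),
    (Join-Path $env:windir 'SysWOW64\sdconf.rec'),
    (Join-Path $AmRoot     'radius\service\sdconf.rec')
)
foreach ($copy in $copies) {
    if (Test-Path $copy) {
        $state = if ((Get-Md5Hex $copy) -eq $newHash) { 'matches new file' } else { 'STALE' }
        Write-Host ('{0,-75} {1}' -f $copy, $state)
    }
}

# Step 4: stop the RADIUS service before touching the agent files.
# -ErrorAction Stop aborts here if the assumed service name is wrong.
Stop-Service -Name $ServiceName -ErrorAction Stop

# Step 5: back up both agent files, drop in the new sdconf.rec and delete
# sdstatus.12 so the agent rebuilds it from the new configuration on start.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($name in 'sdconf.rec', 'sdstatus.12') {
    $src = Join-Path $agentDir $name
    if (Test-Path $src) { Copy-Item -Path $src -Destination $BackupDir -Force }
}
Copy-Item -Path $NewSdconf -Destination (Join-Path $agentDir 'sdconf.rec') -Force
Remove-Item -Path (Join-Path $agentDir 'sdstatus.12') -ErrorAction SilentlyContinue
Write-Host "Replaced $agentDir\sdconf.rec; previous files backed up to $BackupDir"

# Step 6: start RADIUS again, then re-test with NTRadping.
Start-Service -Name $ServiceName
```

The script only replaces the copy in the directory the article names (the 32-bit agent directory); any other copy it reports as STALE, such as one left behind in System32 or under radius\service, is listed for you to review rather than overwritten, since the article does not say those copies are read by the service.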

Notes: A typical location on a UNIX system is /usr/local/RSASecurity/RSAAuthenticationManager/Radius
The same symptoms also occur if an outdated sdconf.rec file exists in C:\Windows\system32 separately from the one in C:\Program Files\RSA Security\RSA Authentication Manager\radius\service, so check every copy of sdconf.rec on the host, not only the one in the service directory.
Legacy Article ID: a43999
