|Applies To||Authentication Manager 7.1|
Microsoft Windows 2003 Server
Microsoft Windows 2008 Server
|Issue||RADIUS authentication does not work after IP address change on Primary server|
Radius sdconf.rec location
RADIUS will not authenticate users
"Unable to connect to RSA RADIUS Server to load Replication data or modify IP or Replication settings"
"Failed to initialize communications for SecurID authentication (result = 23)"
"read access to URI '/radiusClients/' denied due to failed logon attempt"
"write access to URI '/CCM/publish/' denied due to failed logon attempt"
"Warning -- Authentication request received from unknown RAS Client"
If the documentation is followed for changing the IP address of a Primary 7.1 Authentication Manager Server, RADIUS will likely no longer authenticate users.
Steel Belted RADIUS communicates with the 7.1 server via a 6.1 Agent. The 6.1 Agent is put in place during the 7.1 installation; it is not a separate customer installation. The 6.1 Agent references the sdconf.rec and sdstatus.12 files in the system32 directory to find the IP address of the Primary. The documentation for changing the IP address of the Primary does not include the step to generate a new sdconf.rec and place it in the system32 directory. Accordingly, the RADIUS server will be unable to communicate with the Primary.
Until the sdconf.rec is updated, authentication via RADIUS will fail. Tests with NTRadping will not receive a response from the RADIUS server. Attempting to edit the RADIUS server or the RADIUS Agent in the Security Console will result in an "Unable to connect to RSA RADIUS Server to load Replication data or modify IP or Replication settings" error message.
Note: The log messages referenced above come from the <date>.log (ex. 20090731.log) in the following directory (default installation locations):
Windows: C:\Program Files\RSA Security\RSA Authentication Manager\radius\service
Unix and Appliance V3: /usr/local/RSASecurity/RSAAuthenticationManager/radius
Resolving this issue is relatively simple.
1. Open the Security Console.
2. Under Access->Authentication Agents, click on Generate Configuration File.
3. Click on "Generate Config File" and then "Download Now". The file can be downloaded to the Desktop (or other desired location) and unzipped to a temporary directory.
4. Stop the RADIUS service. Use the Operations Console to start or stop RADIUS servers. For instructions, see the Operations Console Help topic "View RADIUS Servers."
5. Copy the sdconf.rec and sdstatus.12 files present in the system32 directory to a backup folder. Replace the old sdconf.rec file with the newly generated one and delete the sdstatus.12 file.
*On Windows 2008 64-bit, the directory RADIUS uses for these files is /Windows/SysWOW64, not /Windows/system32.
6. Restart the RADIUS service
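Step 5 as a script, added here as an example (not RSA tooling and not part of the original article): it backs up sdconf.rec and sdstatus.12, verifies the backup by hash, installs the newly generated sdconf.rec and deletes sdstatus.12. It assumes the RADIUS service is already stopped (step 4) and that the caller passes the directory the agent actually reads (system32, or SysWOW64 on Windows 2008 64-bit); the function and parameter names are hypothetical.

```python
import hashlib
import shutil
import sys
from pathlib import Path


def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def replace_agent_config(agent_dir, new_sdconf, backup_dir):
    """Back up sdconf.rec/sdstatus.12, install the new sdconf.rec, delete sdstatus.12.

    Hypothetical helper; run it only while the RADIUS service is stopped.
    """
    agent_dir, new_sdconf, backup_dir = Path(agent_dir), Path(new_sdconf), Path(backup_dir)
    if not new_sdconf.is_file() or new_sdconf.stat().st_size == 0:
        raise FileNotFoundError(f"no usable sdconf.rec at {new_sdconf}")
    # Never overwrite an earlier backup: it may be the only copy of the old config.
    if backup_dir.exists() and any(backup_dir.iterdir()):
        raise FileExistsError(f"{backup_dir} is not empty")
    backup_dir.mkdir(parents=True, exist_ok=True)

    backed_up = []
    for name in ("sdconf.rec", "sdstatus.12"):
        src = agent_dir / name
        if src.is_file():  # sdstatus.12 may be absent
            shutil.copy2(src, backup_dir / name)
            if sha256(src) != sha256(backup_dir / name):
                raise OSError(f"backup of {name} does not match the original")
            backed_up.append(name)

    target = agent_dir / "sdconf.rec"
    # If old and new files are identical, the "new" file was probably not regenerated.
    unchanged = target.is_file() and sha256(target) == sha256(new_sdconf)
    shutil.copyfile(new_sdconf, target)
    status = agent_dir / "sdstatus.12"
    if status.exists():
        status.unlink()
    return {"backed_up": backed_up,
            "sdconf_sha256": sha256(target),
            "was_already_current": unchanged}


if __name__ == "__main__":
    # Arguments: <agent directory> <new sdconf.rec> <empty backup directory>
    print(replace_agent_config(*sys.argv[1:4]))
```

If `was_already_current` comes back true, the file in the agent directory was already identical to the one supplied, so check that the configuration file was generated after the IP address change.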
|Notes||A typical location on a UNIX system is /usr/local/RSASecurity/RSAAuthenticationManager/Radius |
This can also happen if an outdated sdconf.rec file exists in c:\windows\system32, separate from the one in C:\Program Files\RSA Security\RSA Authentication Manager\radius\service.
|Legacy Article ID||a43999|