000023691 - Authenticate Radius with Check List Attribute

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2


Article Number: 000023691

Applies To:
SecurID Appliance 2.0
Microsoft Windows 2003 Server
RSA Authentication Manager 6.1
Astaro Firewall VPN
Radius Check List Attribute (Checklist)
NTRadPing (NTRadPing.exe)

Issue: Authenticate Radius with Check List Attribute
Passcode Accepted in Activity Monitor logs but Access-Reject in Radius

If you add a Check List Attribute to your RSA Radius Profile, you must also ensure that the Radius client actually sends that attribute, with the expected value, in its Access-Request. Otherwise even a correct PIN and tokencode will show "Passcode accepted" in the Authentication Manager Activity Monitor (the token authentication succeeded), yet the Radius client will receive an Access-Reject because the profile's check list did not match. This combination of a successful passcode in the Activity Monitor and an Access-Reject at the client is the signature of a check-list mismatch. To configure the Radius Profile:

1. Add the PC running NTRadPing as an Agent Host with type = Radius.

2. Create a profile named ASTARO in Authentication Manager and in Manage Radius.

3. Add the PC as a Radius Client and choose Standard Radius as the make/model (unless you wish to load the Astaro or another third-party dictionary, in which case choose the make/model for that vendor).

4. In the Radius Profile ASTARO, choose NAS-Identifier as the Check List attribute, with string = l2tp (or whatever value the Radius client's documentation says it sends).

5. Publish the Primary Radius Server.

6. Back in RSA host mode, add the ASTARO Profile to the user's login.

7. Edit C:\Program Files\RSA Security\RSA Radius\Service\vendor.ini and add send-class-attribute = no to the vendor-product block that matches the make/model chosen in step 3. This prevents the Steel Belted Radius Class attribute (for example, Class=SBR2CL\0xbc\0xb1\0xf90x95\0xe4\0xec\0xcd\0xa8\) from being sent to the client. The excerpt below shows the line added to a Cisco IOS block:

    vendor-product       = Cisco IOS 11.1 or later
    dictionary           = Cisco
    ignore-ports         = no
    port-number-usage    = per-port-type
    help-id              = 2034
    send-class-attribute = no


8. In the RSA Control Panel, stop and start the Radius Service so that the vendor.ini change takes effect.

9. Test with NTRadPing. In the lower-left attribute list, select NAS-Identifier from the drop-down menu (the list is not alphabetical) and set the string value in the right-hand box to l2tp, or whatever value you configured in the check list in step 4. Click [Add] so that NAS-Identifier appears in the left-hand box, then click [Send] to test. An Access-Accept confirms that both the passcode and the check-list attribute were accepted.
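The following is an added example, not part of the original article and not RSA or NTRadPing code. It reproduces the step 9 test in Python: it builds an RFC 2865 Access-Request carrying User-Name, a hidden User-Password and the NAS-Identifier attribute, and it checks the reply's Response Authenticator before reading the Access-Accept/Access-Reject code. The user name, passcode, shared secret and server address are assumed placeholders; request_has_attr() is a pre-check that shows whether a client request would satisfy a NAS-Identifier check list at all, which is the question this article is about.

```python
"""Minimal RADIUS (RFC 2865) client for testing a check-list attribute. Added example;
not RSA or NTRadPing code. User name, passcode, secret and server are placeholders."""
import hashlib
import os
import socket
import struct

# RFC 2865 packet codes and attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CLASS, NAS_IDENTIFIER = 1, 2, 25, 32


def hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR
    each block with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the server does); used here to verify the encoding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Serialise [(type, value_bytes), ...] as Type(1) Length(1) Value TLVs."""
    out = b""
    for t, v in attrs:
        if not 0 < len(v) <= 253:
            raise ValueError("attribute value must be 1..253 bytes")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    """Parse TLVs back into [(type, value_bytes), ...]; rejects truncated attributes."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(identifier, user, passcode, secret, nas_identifier=None, authenticator=None):
    """Build an Access-Request. nas_identifier=None reproduces a client that omits the
    check-list attribute; "l2tp" reproduces the NTRadPing test in step 9."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(passcode.encode(), secret, authenticator))]
    if nas_identifier is not None:
        attrs.append((NAS_IDENTIFIER, nas_identifier.encode()))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def build_response(code, identifier, attrs, request_authenticator, secret):
    """Build a server reply with a valid Response Authenticator (RFC 2865 section 3).
    Handy for an offline fake server or for testing parse_response()."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def parse_response(packet, request_authenticator, secret):
    """Verify the Response Authenticator, then return (code, identifier, attrs).
    A mismatch means a wrong shared secret or a reply not produced by our server."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field inconsistent with packet")
    attrs_raw = packet[20:length]          # bytes past Length are padding and ignored
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs_raw + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("Response Authenticator mismatch")
    return code, identifier, decode_attrs(attrs_raw)


def request_has_attr(packet, attr_type):
    """True if an Access-Request carries attr_type, e.g. NAS_IDENTIFIER for the check list."""
    return any(t == attr_type for t, _ in decode_attrs(packet[20:]))


def authenticate(server, secret, user, passcode, nas_identifier="l2tp", port=1812, timeout=5.0):
    """Send one Access-Request over UDP and report the server's decision (live use only)."""
    auth = os.urandom(16)
    req = build_access_request(1, user, passcode, secret, nas_identifier, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, port))
        data, _ = s.recvfrom(4096)
    code, _, attrs = parse_response(data, auth, secret)
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    return names.get(code, "code %d" % code), attrs
```

Call authenticate("radius.example.internal", b"shared-secret", "jdoe", "1234" + "567890") from a host that is registered as a Radius client (step 3); omit nas_identifier to reproduce the Access-Reject the article describes, and inspect the returned attributes to confirm that no Class attribute is present after the vendor.ini change in step 7.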
Legacy Article ID: a35022