000023691 - Authenticate Radius with Check List Attribute

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000023691
Applies To: SecurID Appliance 2.0
Microsoft Windows 2003 Server
RSA Authentication Manager 6.1
Astaro Firewall VPN
NAS-Identifier
Radius Check List Attribute Checklist
NTRadPing NTRadPing.exe
Issue: Authenticate Radius with Check List Attribute
Passcode Accepted in Activity Monitor Logs but Access-Reject in Radius
Resolution

If you add a Check List attribute to an RSA RADIUS profile, the RADIUS client must also send that attribute, with the expected value, in its Access-Request. Otherwise a correct PIN and tokencode will show as Passcode accepted in the Authentication Manager Activity Monitor, yet the RADIUS client will receive an Access-Reject, because the profile's check list fails after the passcode has already been accepted. To configure the RADIUS profile:

1. Add the PC running NTRadPing as an Agent Host with type = Radius.

2. Create a profile named ASTARO in Authentication Manager and in Manage Radius.

3. Add the PC as a Radius Client, choosing Standard Radius as the make/model (unless you want to load the Astaro or another third-party dictionary, in which case choose that vendor's make/model).

4. In the ASTARO Radius Profile, choose NAS-Identifier as the Check List attribute, with string = l2tp (or whatever value the Radius client documentation says to send).

5. Publish the Primary Radius Server.

6. Back in RSA host mode, add the ASTARO profile to the user's login.

7. Edit C:\Program Files\RSA Security\RSA Radius\Service\vendor.ini and add send-class-attribute = no so that the Steel-Belted Radius Class attribute (for example Class=SBR2CL\0xbc\0xb1\0xf90x95\0xe4\0xec\0xcd\0xa8\) is not sent in the Access-Accept:

    vendor-product       = Cisco IOS 11.1 or later
    dictionary           = Cisco
    ignore-ports         = no
    port-number-usage    = per-port-type
    help-id              = 2034
    send-class-attribute = no

8. Finally, in the RSA Control Panel, stop and start the Radius Service.

9. Test with NTRadPing: in the lower left, select NAS-Identifier from the drop-down menu (it is not in alphabetical order) and set the string value in the right-hand box to l2tp, or whatever value you check for in step 4. Click [ADD] so that NAS-Identifier appears in the left-hand attribute list, then click [Send] to test. Without the attribute the request is rejected even with a valid passcode; with it, the request is accepted.
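The following Python model is an added example, not code from the original article or from RSA's RADIUS server. It plays both sides of the exchange described above: a client (in the role of NTRadPing) that builds an Access-Request with a PAP-hidden User-Password and an optional NAS-Identifier, and a server that, like Authentication Manager with a profile check list, accepts the passcode first and only then evaluates the check list. Attribute encoding, User-Password hiding and the Response Authenticator follow RFC 2865; the shared secret, user name, passcode, request authenticator and the Class value are constructed for the example. The `send_class_attribute` flag stands in for the vendor.ini setting from step 7.

```python
import hashlib
import struct

# RADIUS codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, CLASS, NAS_IDENTIFIER = 1, 2, 25, 32

def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block); the first 'previous' block is
    the Request Authenticator."""
    padded = password.ljust((len(password) + 15) // 16 * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_decrypt(blob, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], mask))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")  # trailing NUL padding removed

def build_request(ident, authenticator, secret, username, passcode, extra_avps):
    """Encode an Access-Request; extra_avps is a list of (type, value) pairs,
    e.g. [(NAS_IDENTIFIER, b"l2tp")] as added in NTRadPing in step 9."""
    avps = [(USER_NAME, username),
            (USER_PASSWORD, pap_encrypt(passcode, secret, authenticator))] + extra_avps
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in avps)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def parse_avps(data):
    """Return {type: [value, ...]} for a run of type/length/value attributes."""
    avps, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        avps.setdefault(t, []).append(data[i + 2:i + length])
        i += length
    return avps

def build_response(code, ident, request_auth, secret, avps=b""):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(avps))
    return header + hashlib.md5(header + request_auth + avps + secret).digest() + avps

def verify_response(resp, request_auth, secret):
    header, resp_auth, avps = resp[:4], resp[4:20], resp[20:]
    return hashlib.md5(header + request_auth + avps + secret).digest() == resp_auth

def server_handle(packet, secret, passcodes, check_list, send_class_attribute):
    """Server side: passcode first, then the profile's check list.
    The returned log list stands in for the Activity Monitor."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    request_auth = packet[4:20]
    avps = parse_avps(packet[20:length])
    user = avps[USER_NAME][0]
    passcode = pap_decrypt(avps[USER_PASSWORD][0], secret, request_auth)
    log = []
    if passcodes.get(user) != passcode:
        log.append("PASSCODE REJECTED")
        return build_response(ACCESS_REJECT, ident, request_auth, secret), log
    log.append("PASSCODE ACCEPTED")  # what the Activity Monitor shows either way
    for attr_type, expected in check_list.items():
        if expected not in avps.get(attr_type, []):
            log.append("check list attribute %d missing or wrong" % attr_type)
            return build_response(ACCESS_REJECT, ident, request_auth, secret), log
    reply_avps = b""
    if send_class_attribute:  # disabled by send-class-attribute = no in vendor.ini
        reply_avps = struct.pack("!BB", CLASS, 2 + 8) + b"SBR2CLxx"  # placeholder value
    return build_response(ACCESS_ACCEPT, ident, request_auth, secret, reply_avps), log

def run(send_nas_identifier, send_class_attribute=False):
    """Drive one exchange. Secret, user, passcode and authenticator are constructed."""
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))  # a real client must use 16 random bytes here
    extra = [(NAS_IDENTIFIER, b"l2tp")] if send_nas_identifier else []
    req = build_request(7, request_auth, secret, b"jdoe", b"12345678", extra)
    resp, log = server_handle(req, secret, {b"jdoe": b"12345678"},
                              {NAS_IDENTIFIER: b"l2tp"}, send_class_attribute)
    return {"code": resp[0], "log": log,
            "authentic": verify_response(resp, request_auth, secret),
            "class_sent": CLASS in parse_avps(resp[20:])}

if __name__ == "__main__":
    print("without NAS-Identifier:", run(False))
    print("with NAS-Identifier:   ", run(True))
```

Running it shows the symptom from the article: without NAS-Identifier the log still says PASSCODE ACCEPTED but the reply code is 3 (Access-Reject); with NAS-Identifier = l2tp the reply is 2 (Access-Accept), and with the Class attribute switched off no Class AVP appears in the Accept.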
Legacy Article ID: a35022
