000028222 - RADIUS shared secret limitations in RSA Authentication Manager

Document created by RSA Customer Support Employee on Jun 15, 2016
Last modified by RSA Customer Support on Aug 4, 2018
Version 3

Article Content

Article Number: 000028222

Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
  • Users failed to authenticate, and the authentication activity report shows the error below. The error appears either in a historical authentication activity report in the Security Console (Reporting > Reports) or in the real-time authentication activity report (Reporting > Real Time Activity Monitor > Authentication Activity Monitor):

Authentication method failed, passcode format error

  • The RADIUS log (available from the Operations Console under Administration > Download Troubleshooting Files) shows: 

Unable to find user <user name> with matching password

  • Name resolution is confirmed for both forward and reverse lookup. 
Cause: RADIUS client devices have some limitations for shared secrets.

Resolution: Do not use special characters such as the dollar sign ($) in RADIUS shared secrets.

RSA Authentication Manager supports shared secrets of up to 127 alphanumeric characters, including spaces and the following special characters:
~ ! @ # $ % ^ & * ( ) _ + | \ = - ' { } [ ] : " ' ; < > ? / . ,

However, not all network access devices support shared secrets of up to 127 alphanumeric characters or the above special characters.

Implement shared secrets that are fully supported by RADIUS devices in your network.

Note that some special characters that are within a secret act as Linux escape characters.  For example, an exclamation point can be the first or last character in a secret, but never embedded in it.
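
One way to check a candidate secret against the limits stated above before rolling it out to RADIUS clients. This is an added example, not RSA code: the function names, the ASCII-only reading of "alphanumeric" and the 32-character default length are assumptions.

```python
import secrets
import string

# Limits taken from the article: up to 127 characters; letters, digits,
# spaces and the listed special characters.
# Assumption: "alphanumeric" means ASCII letters and digits.
MAX_LEN = 127
AM_SPECIALS = set("~!@#$%^&*()_+|\\=-'{}[]:\"';<>?/.,")
AM_ALLOWED = set(string.ascii_letters + string.digits + " ") | AM_SPECIALS


def check_shared_secret(secret):
    """Return (errors, warnings) for a candidate RADIUS shared secret."""
    errors, warnings = [], []
    if not secret:
        errors.append("secret is empty")
    if len(secret) > MAX_LEN:
        errors.append(f"length {len(secret)} exceeds {MAX_LEN}")
    bad = sorted(set(secret) - AM_ALLOWED)
    if bad:
        errors.append(f"characters outside the documented set: {bad}")
    # The article allows '!' only as the first or last character.
    if "!" in secret[1:-1]:
        errors.append("'!' embedded inside the secret")
    # Accepted by Authentication Manager, but the article advises against
    # special characters because not every RADIUS client handles them.
    risky = sorted(set(secret) & AM_SPECIALS)
    if risky:
        warnings.append(f"special characters some devices may reject: {risky}")
    return errors, warnings


def generate_portable_secret(length=32):
    """Random letters-and-digits secret; the default length is an assumption."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    for candidate in ["Pa$$w0rd", "ab!cd", "!abcd", generate_portable_secret()]:
        print(repr(candidate), check_shared_secret(candidate))
```

An empty error list with a non-empty warning list means Authentication Manager accepts the secret, but it should still be confirmed against each network access device.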

Notes: Please refer to an external RADIUS Overview document from Juniper Networks that includes details on RADIUS shared secrets.