000018334 - Having problems with authentication over a Nortel Contivity Switch client

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017. Version 3.


Article Number: 000018334

Applies To:
RSA ACE/Server 4.1 (no longer supported as of 2-1-2004)
Microsoft Windows 2000 Server
Microsoft Windows NT 4.0
RSA ACE/Server RADIUS
RSA ACE/Agent 1.1 for Windows 2000 (RRAS) (no longer supported as of 3-3-2003)
Nortel Contivity Switch 2000
Assign/Change Encryption Key is set in the ACE/Server database entry for the client.
Shared secret is set in the Nortel Contivity Switch.
Issue: Having problems with authentication over a Nortel Contivity Switch client.
ACE/Server raddebug.log shows: Unable to get NAS Secret %
Nortel Contivity Switch log shows:

11/15/2000 09:49:10 0 Security [01] Session: IPSEC[ppastur]:35 SECURID authenticate attempt...
11/15/2000 09:49:10 0 Security [01] Session: IPSEC[ppastur]:35 attempting authentication using RADIUS
11/15/2000 09:49:10 0 Security [11] RADIUS: verified server "xxx.xxx.xxx.xxx"
reply, result: -5, message: Invalid reply digest from server, possible shared secret mismatch.
11/15/2000 09:49:10 0 Security [12] RADIUS: "xxx.xxx.xxx.xxx" sent packet with invalid response authenticator for "test1".
Nothing appears in the RSA ACE/Server logs.

Cause: ACE/Server does not recognize the address sending the packets as a valid client, because the IP address it resolves does not match any Client or Agent Host entry in the database, so it cannot look up the NAS secret for that client. The client IP address shown in the debug output is not necessarily the source IP address of the packets: if the client sits behind NAT, the debug output still shows the original IP, not the NATed (source) address.
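The Contivity log line "invalid response authenticator" describes the check a RADIUS client makes on every reply: it recomputes the Response Authenticator with the shared secret it holds, and the reply is discarded when the digest does not match. The following Python example is added here to show that computation and why a secret mismatch (or a server that cannot find the client's secret at all) surfaces as this error. It is not code from the article, RSA or Nortel; it follows RFC 2865 section 3 (Response Authenticator = MD5 over Code, ID, Length, Request Authenticator, Attributes and Secret), and the secret, identifier and attribute values are constructed sample data.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the article): the shared secret the
# NAS and server are supposed to hold, and a 16-byte Request Authenticator
# as the NAS would have placed in its Access-Request.
SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
REPLY_MESSAGE_ATTR = 18  # RADIUS attribute type for Reply-Message


def build_reply(code, identifier, attributes, request_auth, secret):
    """Build a RADIUS reply packet whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    as the server computes it (RFC 2865 section 3)."""
    length = 20 + len(attributes)  # 20-byte header plus attribute bytes
    header = struct.pack("!BBH", code, identifier, length)
    digest = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + digest + attributes


def verify_reply(packet, request_auth, secret):
    """Return True only when the reply's Response Authenticator matches the
    digest recomputed with the secret this NAS holds. This is the check
    whose failure the Contivity logs as 'invalid response authenticator'."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    received = packet[4:20]
    attributes = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attributes + secret).digest()
    # Constant-time comparison avoids leaking digest bytes through timing.
    return hmac.compare_digest(received, expected)


def demo():
    """Verify one constructed Access-Accept with the right secret, with a
    different secret, and after the attributes were altered in transit."""
    msg = b"ok"
    attributes = struct.pack("!BB", REPLY_MESSAGE_ATTR, 2 + len(msg)) + msg
    reply = build_reply(ACCESS_ACCEPT, 35, attributes, REQUEST_AUTHENTICATOR, SECRET)

    matching_secret = verify_reply(reply, REQUEST_AUTHENTICATOR, SECRET)
    wrong_secret = verify_reply(reply, REQUEST_AUTHENTICATOR, b"some-other-secret")
    tampered = verify_reply(reply[:-1] + b"X", REQUEST_AUTHENTICATOR, SECRET)
    return matching_secret, wrong_secret, tampered


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

Because the digest covers the whole reply and the secret, the NAS cannot tell a server that used the wrong secret from a reply that was modified on the way; both look like "possible shared secret mismatch", which is why the fix on this page is to make the server find the correct client entry (name resolution, secondary node for the NATed address) rather than to change the secret on the switch.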
Resolution: Name resolution. The name of the Master ACE/Server and/or the client machine is improperly defined in the DNS table or in the local hosts file. Check C:\winnt\system32\drivers\etc\hosts and define the hostname of the machine/client properly. Make sure the hostname can be resolved both forwards and backwards (hostname to IP address and IP address to hostname). Contact your network administrator to correct the DNS entry if resolution cannot be achieved locally. If this fails, see the article "Proper name resolution and hostnames in RSA ACE/Server and ACE/Agent setup".

If you are using Network Address Translation, the NATed IP address must be added to the "secondary nodes" section of that client's entry in the ACE/Server. If you cannot access the firewall administration program to verify the translated address, a network monitor can be used to determine it. Static address translation must be used.
Legacy Article ID: 6.0.3652595.2943163
