Applies To:
RSA ACE/Server 4.1 (no longer supported as of 2-1-2004)
Microsoft Windows 2000 Server
Microsoft Windows NT 4.0
RSA ACE/Server RADIUS
RSA ACE/Agent 1.1 for Windows 2000 (RRAS) (no longer supported as of 3-3-2003)
Nortel Contivity Switch 2000
Assign/Change Encryption Key is set in the ACE/Server database entry for the client.
Shared secret is set in the Nortel Contivity Switch.
Issue:
Authentication fails for a Nortel Contivity Switch client.

ACE/Server raddebug.log shows:
Unable to get NAS Secret %

Nortel Contivity Switch LOG shows:
11/15/2000 09:49:10 0 Security  Session: IPSEC[ppastur]:35 SECURID authenticate attempt...
11/15/2000 09:49:10 0 Security  Session: IPSEC[ppastur]:35 attempting authentication using RADIUS
11/15/2000 09:49:10 0 Security  RADIUS: verified server "xxx.xxx.xxx.xxx" reply, result: -5, message: Invalid reply digest from server, possible shared secret mismatch.
11/15/2000 09:49:10 0 Security  RADIUS: "xxx.xxx.xxx.xxx" sent packet with invalid response authenticator for "test1".

Nothing appears in the RSA ACE/Server logs.
Cause:
The ACE/Server does not recognize the source address of the RADIUS packets as a valid client: when it resolves that IP address, the result does not match any Client or Agent Host entry in its database, so it cannot retrieve the shared secret for the NAS. The client IP address shown in the debug output is not necessarily the packet's source address: if the client is behind NAT, the debug output still shows the original IP, not the translated source address.
Resolution:
Name resolution. The name of the Master ACE/Server and/or the client machine is incorrectly defined in the DNS table or in the local hosts file. Check C:\winnt\system32\drivers\etc\hosts and define the hostname of the machine/client correctly. Make sure the hostname resolves both forward and reverse (hostname to IP address and IP address to hostname). Contact your network administrator to correct the DNS entry if resolution cannot be achieved locally. If this fails, see "Proper name resolution and hostnames in RSA ACE/Server and ACE/Agent setup".

If you are using Network Address Translation, the NATed IP address needs to be added to the "secondary nodes" section of that client in the ACE/Server. If you are unable to access the firewall administration program to verify the translated address, a network monitor can be used to determine the translated address. Static address translation must be used, because the ACE/Server identifies the client by a fixed source address.
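The two checks behind this article, the server's lookup of the NAS secret by packet source address (including a NATed address listed under "secondary nodes") and the NAS's verification of the reply's Response Authenticator (RFC 2865), shown as an added Python example that is not RSA's or Nortel's code; the client table, secret and IP addresses are constructed placeholders.

```python
import hashlib
import hmac
import os
import struct

# Constructed ACE/Server client table (not real data): one Contivity client whose
# primary address is 10.1.1.5 and whose NATed address 192.0.2.77 was added under
# "secondary nodes", as the Resolution section requires.
CLIENTS = {
    "contivity1": {"secret": b"s3cret-shared", "addresses": {"10.1.1.5", "192.0.2.77"}},
}

def lookup_nas_secret(src_ip, clients=CLIENTS):
    """Find the shared secret for the packet's source IP. None means no Client/
    Agent Host entry (primary or secondary node) matched: the server-side
    'Unable to get NAS Secret' condition."""
    for entry in clients.values():
        if src_ip in entry["addresses"]:
            return entry["secret"]
    return None

def build_reply(code, ident, request_auth, attrs, secret):
    """Build a RADIUS reply whose Response Authenticator is, per RFC 2865 section 3,
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_reply(packet, request_auth, secret):
    """NAS-side check of the Response Authenticator. A mismatch is what the
    Contivity logs as 'invalid response authenticator / shared secret mismatch'."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)

def simulate(src_ip, nas_secret=b"s3cret-shared", request_auth=None):
    """Run one exchange: the server looks up the secret by source IP and answers
    with Access-Accept (code 2); the NAS verifies the reply with its own secret."""
    request_auth = request_auth or os.urandom(16)
    server_secret = lookup_nas_secret(src_ip)
    if server_secret is None:
        return "server: Unable to get NAS Secret"
    reply = build_reply(2, 7, request_auth, b"", server_secret)
    if verify_reply(reply, request_auth, nas_secret):
        return "nas: reply accepted"
    return "nas: invalid response authenticator, possible shared secret mismatch"
```

Running `simulate` with an address missing from the table reproduces the server-side symptom, and running it with a different secret on each side reproduces the Contivity log line.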
Legacy Article ID: 6.0.3652595.2943163