Article Content
Article Number | 000026007 |
Applies To | RSA ACE/Server 5.1 (no longer supported as of 7-14-2006); Microsoft Windows 2000; Cisco 2651 router or any Cisco IOS device; Error: "Authentication Failed" in the RADIUS debug file; local ACE/Agent and RADIUS test client authentication works correctly |
Issue | Errors "User not in database" and "User not on Agent Host" appear in the ACE/Server activity log when trying to authenticate via RADIUS from the Cisco VPN client. The RFC 2865 RADIUS Attribute Type 1 (User-Name) sent by the Cisco router is actually the name of the group; in other words, the username that shows up in the activity log is the name of the group you configured on the ACE/Server instead of the name of the user, and the "Attribute 1 length" in the RADIUS debug log is the same character length as the name of the group the user belongs to |
Cause | 'aaa authorization network groupauthen group radius' in the Cisco Router config |
Resolution | Consider the following scenario:
Cisco VPN client -> (a.b.c.d external IP) Cisco 2651 router (e.f.g.h internal IP) RADIUS -> (e.f.g.2 A/S 5.1 on Windows 2000)
- Ensure the RADIUS daemon is started (Start Menu -> Control Panel -> Administrative Tools -> Services -> RSA ACE/Server RADIUS Daemon)
- Ensure the ACE/Server is started (Start Menu -> Control Panel -> RSA ACE/Server)
- Services file: entries for RADIUS are there (e.g. radius 1645/udp #Radius Authentication Protocol, radacct 1646/udp #Radius Accounting Protocol)
- In Database Administration, go to Profile and Add Profile to ensure there are Radius Attributes under "Available Attributes" (left hand side), so as to verify that Radius is installed
- Go to Start Menu -> Programs -> RSA ACE/Server -> Configuration Tools and open the Configuration Management screen to ensure "RADIUS Server enabled" is checked under "Enabled Features"
- Check "Agent Host Config" and "User Config". Under "Agent Host Config", ensure that under "Assign/Change Encryption key" the key used is the same shared key as the one on the 2651 router in the IOS config statement 'radius-server key "<radius_secret>"'
- Any users that were created need to be part of a certain group
- Turn on RADIUS Debug via \ace\prog\rwconfig, then stop and start RSA RADIUS and ACE/Server to let it take effect
- From a command prompt, type the following commands to verify that RADIUS is turned on: netstat -an | find "1645", then netstat -an | find "1646"
- Turn on Activity Monitor
- Ensure there are no hostname resolution issues with the ACE/Server and the Agent Host for the Cisco router
- On the Cisco router, remove the IOS config statement 'aaa authorization network groupauthen group radius'. Make sure the following IOS config statement is in place: aaa authorization network groupauthor local |
Legacy Article ID | a17598 |
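As an added example (not code from the RSA article or from RSA), the following Python decodes an RFC 2865 Access-Request, extracts Attribute Type 1 (User-Name) and flags the symptom described under Issue: a User-Name that matches one of the ACE/Server group names, which is what the router's network authorization request produces. The packet builder, the zeroed authenticator and the group name "vpnusers" are constructed test data.

```python
import struct

# RFC 2865 header: Code(1) Identifier(1) Length(2) Authenticator(16), then attributes.
# Each attribute is Type(1) Length(1, counts these two header bytes too) Value.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1


def parse_radius(packet: bytes) -> dict:
    """Parse a RADIUS packet into header fields and a list of (type, value) attributes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("RADIUS Length field is inconsistent with the datagram")
    attrs = []
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}


def user_name_attr(parsed: dict):
    """Return the first User-Name (Attribute Type 1) value as text, or None if absent."""
    for atype, value in parsed["attrs"]:
        if atype == ATTR_USER_NAME:
            return value.decode("utf-8", "replace")
    return None


def diagnose_user_name(packet: bytes, ace_groups) -> str:
    """Classify an Access-Request: 'not-access-request', 'missing', 'group-name-as-user' or 'ok'.
    'group-name-as-user' is the misconfiguration symptom: the User-Name the router sent is one
    of the ACE/Server group names, so its Attribute 1 length equals the group name length."""
    parsed = parse_radius(packet)
    if parsed["code"] != ACCESS_REQUEST:
        return "not-access-request"
    name = user_name_attr(parsed)
    if name is None:
        return "missing"
    return "group-name-as-user" if name in ace_groups else "ok"


def build_access_request(ident: int, attrs) -> bytes:
    """Build a constructed Access-Request with an all-zero authenticator (test data only)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body
```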