000026007 - Errors: ?User not in database? and 'User not on Agent Host' in ACE/Server activity log when trying to authenticate via RADIUS via the Cisco VPN client

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000026007
Applies ToRSA ACE/Server 5.1 (no longer supported as of 7-14-2006)
Microsoft Windows 2000
Cisco 2651 router or any Cisco IOS device
Error: "Authentication Failed" in the RADIUS debug file
Local ACE/Agent and RADIUS test client authentication works correctly
IssueErrors: ?User not in database? and "User not on Agent Host" in ACE/Server activity log when trying to authenticate via RADIUS via the Cisco VPN client
RFC 2865 RADIUS Attribute Type 1 (username) being sent by the Cisco Router is actually the name of the group; in other words, the username that shows up in the activity log is the name of the group you configured on the ACE/Server instead of the name of the user and ?Attribute 1 length? in the RADIUS Debug log is the same character length as the group name that the user belongs to
Cause'aaa authorization network groupauthen group radius' in the Cisco Router config
ResolutionConsider the following scenario:

Cisco VPN client -> (a.b.c.d external IP) Cisco 2651 router (e.f.g.h internal IP) RADIUS -> (e.f.g.2 A/S 5.1 on Windows 2000)

- Ensure the RADIUS daemon is started (Start Menu -> Control Panel -> Administrative Tools -> Services -> RSA ACE/Server RADIUS Daemon)

- Ensure the ACE/Server is started (Start Menu -> Control Panel -> RSA ACE/Server)

- Services file:  entries for RADIUS are there (e.g. radius         1645/udp                           #Radius Authentication Protocol
radacct        1646/udp #Radius Accounting Protocol)

- In Database Administration, go to Profile and Add Profile to ensure there are Radius Attributes under ?Available Attributes? (left hand side) so as to verify that Radius is installed

- Go to Start Menu -> Programs -> RSA ACE/Server -> Configuration Tools and open the Configuration Management screen to ensure "RADIUS Server enabled"' is checked under "Enabled Features"

- Check "Agent Host Config" and "User Config". Under "Agent Host Config", ensure that under "Assign/Change Encryption key" that the key used is the same shared key as the one on the 2651 router in the IOS config statement 'radius-server key "<radius_secret>"'

- Any users that were created need to be part of a certain group

- Turn on RADIUS Debug via \ace\prog\rwconfig, stop & start RSA RADIUS and ACE/Server to let it take effect

- From a command prompt, type the following commands to verify that RADIUS is turned on:

        netstat -an | find "1645", then netstat -an | find "1646"

- Turn on Activity Monitor

- Ensure there are no hostname resolution issues with the ACE/Server and the Agent Host for the Cisco router

- On the Cisco Router, remove the IOS config statement 'aaa authorization network groupauthen group radius'. Make sure the following IOS config statement is in place:

        aaa authorization network groupauthor local
Legacy Article IDa17598