000035239 - Error LDAP password authentication failed - Logon failure: unknown username or invalid password when attempting RADIUS authentication with RSA SecurID Access

Document created by RSA Customer Support Employee on Jun 9, 2017
Last modified by RSA Customer Support Employee on Jun 14, 2017
Version 2

Article Content

Article Number: 000035239
Applies To: RSA Product Set: SecurID Access
Issue: When attempting to initiate RADIUS authentication, the Administration Console's User Event Monitor displays the error:
 
LDAP password authentication failed - Logon failure: unknown username or invalid password

The IDR /var/log/radiusj/radius-audit.log also indicates an error similar to:
2017-06-08/20:25:08.404/UTC [RadiusAuditEntryProcessor] INFO  RADIUSAUDIT[31] -
----------START_RADIUS_USER_LDAP_AUTHENTICATION----------
EVENTID=RADIUS_USER_LDAP_AUTHENTICATION
DATETIME=Thu Jun 08 20:25:08 UTC 2017
IN_RESPONSE_TO=3482eedb-936a-427b-a56a-48e9ac09d4dc
DESCRIPTION=RADIUS – Unsuccessful LDAP authentication- Please Check User Event monitor for details.
NAS-IP-ADDRESS=192.168.20.100
USER_NAME=jsmith
CLIENT_ID=RADIUS: Cisco ASA
RADIUS_RESPONSE_TYPE=Access-Reject
STATUS=FAIL
REQUEST_ID=3482eedb-936a-427b-a56a-48e9ac09d4dc
POLICY_ID=LowLevel_AllUsers
TENANT_ID=mycompany
----------END_RADIUS_USER_LDAP_AUTHENTICATION----------

The username/password are known to be correct and the Identity Source has been tested successfully.
Cause: The RADIUS shared secret configured on the RADIUS client and the one configured in the Administration Console are not the same value.
Resolution: Re-enter the RADIUS secret at the RADIUS client and/or in the SecurID Access Administration Console as described in Add a RADIUS Client for the Cloud Authentication Service.
Notes: This scenario could also occur due to using a long shared secret or one with special characters.
While the IDR-based SecurID Access RADIUS server supports a shared secret length of up to 512 characters and most special characters, RADIUS client devices may have different limitations.
Select shared secrets that are fully supported by the RADIUS devices in your network.
See the Administration Console's on-screen help for the IDR RADIUS Server shared secret requirements.
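
Why a shared secret mismatch surfaces as a password failure, shown as an added example (not RSA code): it assumes the client sends the password in the RADIUS User-Password attribute (PAP), which RFC 2865 section 5.2 hides using MD5 over the shared secret and the Request Authenticator. The secrets, password, authenticator and the 16-character client truncation are constructed for illustration.

```python
import hashlib

# Constructed sample values (not taken from the article).
SERVER_SECRET = b"Constructed-Secret!#2017"   # as entered on the RADIUS server
PASSWORD = b"CorrectHorse1"                   # the user's real LDAP password
AUTHENTICATOR = bytes(range(16))              # 16-byte Request Authenticator

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: RFC 2865 5.2 User-Password hiding."""
    size = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev                                # next block chains on this one
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the hiding with the server's copy of the secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")

def server_view(password: bytes, client_secret: bytes, server_secret: bytes,
                authenticator: bytes = AUTHENTICATOR) -> bytes:
    """Return the bytes the server recovers and would check against LDAP."""
    hidden = hide_password(password, client_secret, authenticator)
    return recover_password(hidden, server_secret, authenticator)

if __name__ == "__main__":
    # Same secret on both sides: the server recovers the real password.
    print("match:   ", server_view(PASSWORD, SERVER_SECRET, SERVER_SECRET))
    # Hypothetical client that silently keeps only 16 characters of the secret:
    # the server recovers different bytes, so the LDAP bind fails even though
    # the user typed the right password.
    print("mismatch:", server_view(PASSWORD, SERVER_SECRET[:16], SERVER_SECRET))
```

The mismatch case yields bytes that differ from the typed password, which matches the symptom above: the username and password are correct, yet the server records a failed LDAP authentication.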
