000036490 - Unable to create RADIUS profiles via the RSA Authentication Manager Security Console

Document created by RSA Customer Support Employee on Jul 27, 2018
Version 1

Article Content

Article Number: 000036490
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1.1.15.0 or later
Issue: The following warning message appears in the Security Console when following the procedure to add a RADIUS profile:


You need accurately configure a RADIUS server before you can view or edit any RADIUS clients or Profiles.






When configured for verbose logging, the Authentication Manager imsTrace.log file located in /opt/rsa/am/server/logs reports the following:


<returnList>
</returnList>

The expected output in /opt/rsa/am/server/logs/imsTrace.log is instead the full list of RADIUS attributes:


<returnList>
<attribute id = 'Service-Type' multivalued = 'false' namedAttribute = 'true' orderable = 'false' type = 'int4'>
<namedAttribute name = 'Login' value = '1'>
</namedAttribute>
<namedAttribute name = 'Framed' value = '2'>
</namedAttribute>
<namedAttribute name = 'Callback-Login' value = '3'>
</namedAttribute>
<namedAttribute name = 'Callback-Framed' value = '4'>
</namedAttribute>
<namedAttribute name = 'Outbound' value = '5'>
</namedAttribute>
<namedAttribute name = 'Administrative' value = '6'>
</namedAttribute>
<namedAttribute name = 'NAS-Prompt' value = '7'>
</namedAttribute>
<namedAttribute name = 'Authenticate-Only' value = '8'>
</namedAttribute>
<namedAttribute name = 'Callback-NAS-Prompt' value = '9'>
</namedAttribute>
<namedAttribute name = 'Call-Check' value = '10'>
</namedAttribute>
<namedAttribute name = 'Callback-Administrative' value = '11'>
</namedAttribute>
<namedAttribute name = 'MoIP' value = '95'>
</namedAttribute>
<namedAttribute name = 'Application-Fax' value = '96'>
</namedAttribute>
<namedAttribute name = 'DATA' value = '97'>
</namedAttribute>
<namedAttribute name = 'FoIP' value = '98'>
</namedAttribute>
<namedAttribute name = 'VoIP' value = '99'>
</namedAttribute>
<namedAttribute name = 'Annex-Authorize-Only' value = '103809025'>
</namedAttribute>
</attribute>
<attribute id = 'Framed-Protocol' multivalued = 'false' namedAttribute = 'true' orderable = 'false' type = 'int4'>
<namedAttribute name = 'PPP' value = '1'>
</namedAttribute>
<namedAttribute name = 'SLIP' value = '2'>
</namedAttribute>
<namedAttribute name = 'PPTP' value = '3'>
</namedAttribute>
<namedAttribute name = 'ARAP' value = '3'>
</namedAttribute>
<namedAttribute name = 'Gandalf-proprietary...' value = '4'>
</namedAttribute>
<namedAttribute name = 'Xylogics-proprietary-IPX/SLIP' value = '5'>
</namedAttribute>
<namedAttribute name = 'X.75-Synchronous' value = '6'>
</namedAttribute>
<namedAttribute name = 'Ascend-ARA' value = '255'>
</namedAttribute>
<namedAttribute name = 'MPP' value = '256'>
</namedAttribute>
<namedAttribute name = 'EURAW' value = '257'>
</namedAttribute>
<namedAttribute name = 'EUUI' value = '258'>
</namedAttribute>
<namedAttribute name = 'X25' value = '259'>
</namedAttribute>
<namedAttribute name = 'COMB' value = '260'>
</namedAttribute>
<namedAttribute name = 'FR' value = '261'>
</namedAttribute>
<namedAttribute name = 'MP' value = '262'>
</namedAttribute>
<namedAttribute name = 'FR-CIR' value = '263'>
</namedAttribute>
<namedAttribute name = 'ATM-1483' value = '264'>
</namedAttribute>
<namedAttribute name = 'ATM-FR-CIR' value = '265'>
</namedAttribute>
<namedAttribute name = 'X25-PPP' value = '17825795'>
</namedAttribute>
<namedAttribute name = 'IP-LAPB' value = '17825796'>
</namedAttribute>
<namedAttribute name = 'IP-HDLC' value = '17825798'>
</namedAttribute>
<namedAttribute name = 'MPR-LAPB' value = '17825799'>
</namedAttribute>
<namedAttribute name = 'MPR-HDLC' value = '17825800'>
</namedAttribute>
<namedAttribute name = 'FRAME-RELAY' value = '17825801'>
</namedAttribute>
<namedAttribute name = 'X31-BCHAN' value = '17825802'>
</namedAttribute>
<namedAttribute name = 'X75-PPP' value = '17825803'>
</namedAttribute>
<namedAttribute name = 'X75BTX-PPP' value = '17825804'>
</namedAttribute>
<namedAttribute name = 'X25-NOSIG' value = '17825805'>
</namedAttribute>
<namedAttribute name = 'X25-PPP-OPT' value = '17825806'>
</namedAttribute>
</attribute>
<attribute id = 'Framed-IP-Address' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'ipAddressPool'>
</attribute>
<attribute id = 'Framed-IP-Netmask' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'ipAddress'>
</attribute>
<attribute id = 'Framed-Routing' multivalued = 'false' namedAttribute = 'true' orderable = 'false' type = 'int4'>
<namedAttribute name = 'None' value = '0'>
</namedAttribute>
<namedAttribute name = 'Send-routing-packets' value = '1'>
</namedAttribute>
<namedAttribute name = 'Listen-for-routing-packets' value = '2'>
</namedAttribute>
<namedAttribute name = 'Send-and-listen' value = '3'>
</namedAttribute>
</attribute>
<attribute id = 'Filter-Id' multivalued = 'true' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Framed-MTU' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'int4'>
</attribute>
<attribute id = 'Framed-Compression' multivalued = 'true' namedAttribute = 'true' orderable = 'false' type = 'int4'>
<namedAttribute name = 'None' value = '0'>
</namedAttribute>
<namedAttribute name = 'VJ-TCP-IP-header-compression' value = '1'>
</namedAttribute>
<namedAttribute name = 'IPX-header-compression' value = '2'>
</namedAttribute>
<namedAttribute name = 'Stac-LZS-compressions' value = '3'>
</namedAttribute>
<namedAttribute name = 'CCP' value = '256'>
</namedAttribute>
</attribute>
<attribute id = 'Login-IP-Host' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'ipAddress'>
</attribute>
<attribute id = 'Login-Service' multivalued = 'false' namedAttribute = 'true' orderable = 'false' type = 'int4'>
<namedAttribute name = 'Telnet' value = '0'>
</namedAttribute>
<namedAttribute name = 'Rlogin' value = '1'>
</namedAttribute>
<namedAttribute name = 'TCP-Clear' value = '2'>
</namedAttribute>
<namedAttribute name = 'Portmaster' value = '3'>
</namedAttribute>
<namedAttribute name = 'LAT' value = '4'>
</namedAttribute>
<namedAttribute name = 'X25-PAD' value = '5'>
</namedAttribute>
<namedAttribute name = 'X25-T3POS' value = '6'>
</namedAttribute>
<namedAttribute name = 'TCP-Clear-Quite' value = '8'>
</namedAttribute>
<namedAttribute name = 'ClearTCP-Quiet' value = '256'>
</namedAttribute>
<namedAttribute name = 'Ping' value = '1000'>
</namedAttribute>
</attribute>
<attribute id = 'Login-TCP-Port' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'int4'>
</attribute>
<attribute id = 'Reply-Message' multivalued = 'true' namedAttribute = 'false' orderable = 'true' type = 'string'>
</attribute>
<attribute id = 'Callback-Number' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Callback-Id' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Framed-Route' multivalued = 'true' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Framed-IPX-Network' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'ipxAddressPool'>
</attribute>
<attribute id = 'Class' multivalued = 'true' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Session-Timeout' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'int4'>
</attribute>
<attribute id = 'Idle-Timeout' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'int4'>
</attribute>
<attribute id = 'Termination-Action' multivalued = 'false' namedAttribute = 'true' orderable = 'false' type = 'int4'>
<namedAttribute name = 'Default' value = '0'>
</namedAttribute>
<namedAttribute name = 'RADIUS-Request' value = '1'>
</namedAttribute>
<namedAttribute name = 'Manage-Resources' value = '2'>
</namedAttribute>
</attribute>
<attribute id = 'Login-LAT-Service' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Login-LAT-Node' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Login-LAT-Group' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Framed-AppleTalk-Link' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'int4'>
</attribute>
<attribute id = 'Framed-AppleTalk-Network' multivalued = 'true' namedAttribute = 'false' orderable = 'false' type = 'int4'>
</attribute>
<attribute id = 'Framed-AppleTalk-Zone' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Port-Limit' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'int4'>
</attribute>
<attribute id = 'Login-LAT-Port' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Tunnel-Type' multivalued = 'false' namedAttribute = 'true' orderable = 'false' type = 'int4'>
<namedAttribute name = 'PPTP' value = '1'>
</namedAttribute>
<namedAttribute name = 'L2F' value = '2'>
</namedAttribute>
<namedAttribute name = 'L2TP' value = '3'>
</namedAttribute>
<namedAttribute name = 'ATMP' value = '4'>
</namedAttribute>
<namedAttribute name = 'VTP' value = '5'>
</namedAttribute>
<namedAttribute name = 'AH' value = '6'>
</namedAttribute>
<namedAttribute name = 'IP-IP' value = '7'>
</namedAttribute>
<namedAttribute name = 'MIN-IP-IP' value = '8'>
</namedAttribute>
<namedAttribute name = 'ESP' value = '9'>
</namedAttribute>
<namedAttribute name = 'GRE' value = '10'>
</namedAttribute>
<namedAttribute name = 'DVS' value = '11'>
</namedAttribute>
<namedAttribute name = 'IP-IP-Tunneling' value = '12'>
</namedAttribute>
<namedAttribute name = 'VLAN' value = '13'>
</namedAttribute>
</attribute>
<attribute id = 'Tunnel-Medium-Type' multivalued = 'false' namedAttribute = 'true' orderable = 'false' type = 'int4'>
<namedAttribute name = 'IP' value = '1'>
</namedAttribute>
<namedAttribute name = 'X.25' value = '2'>
</namedAttribute>
<namedAttribute name = 'ATM' value = '3'>
</namedAttribute>
<namedAttribute name = 'Frame-Relay' value = '4'>
</namedAttribute>
<namedAttribute name = 'BBN-1822' value = '5'>
</namedAttribute>
<namedAttribute name = '802' value = '6'>
</namedAttribute>
<namedAttribute name = 'E.163' value = '7'>
</namedAttribute>
<namedAttribute name = 'E.164' value = '8'>
</namedAttribute>
<namedAttribute name = 'F.69' value = '9'>
</namedAttribute>
<namedAttribute name = 'X.121' value = '10'>
</namedAttribute>
<namedAttribute name = 'IPX' value = '11'>
</namedAttribute>
<namedAttribute name = 'Appletalk' value = '12'>
</namedAttribute>
<namedAttribute name = 'Decnet-IV' value = '13'>
</namedAttribute>
<namedAttribute name = 'Banyan-Vines' value = '14'>
</namedAttribute>
<namedAttribute name = 'E.164-NSAP-subaddress' value = '15'>
</namedAttribute>
</attribute>
<attribute id = 'Tunnel-Client-Endpoint' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Tunnel-Server-Endpoint' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Tunnel-Password' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'ARAP-Features' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'hexadecimal'>
</attribute>
<attribute id = 'ARAP-Zone-Access' multivalued = 'false' namedAttribute = 'true' orderable = 'false' type = 'int4'>
<namedAttribute name = 'Access-Default-Zone' value = '1'>
</namedAttribute>
<namedAttribute name = 'Use-Zone-Filter-Inclusively' value = '2'>
</namedAttribute>
<namedAttribute name = 'Use-Zone-Filter-Exclusively' value = '4'>
</namedAttribute>
</attribute>
<attribute id = 'Password-Retry' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'int4'>
</attribute>
<attribute id = 'Prompt' multivalued = 'false' namedAttribute = 'true' orderable = 'false' type = 'int4'>
<namedAttribute name = 'No-Echo' value = '0'>
</namedAttribute>
<namedAttribute name = 'Echo' value = '1'>
</namedAttribute>
</attribute>
<attribute id = 'Tunnel-Private-Group-ID' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Tunnel-Assignment-ID' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Tunnel-Preference' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'int4'>
</attribute>
<attribute id = 'ARAP-Challenge-Response' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'hexadecimal'>
</attribute>
<attribute id = 'Acct-Interim-Interval' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'int4'>
</attribute>
<attribute id = 'Framed-Pool' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Tunnel-Client-Auth-ID' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Tunnel-Server-Auth-ID' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'MS-MPPE-Encryption-Policy' multivalued = 'false' namedAttribute = 'true' orderable = 'false' type = 'int4'>
<namedAttribute name = 'Encryption-Allowed' value = '1'>
</namedAttribute>
<namedAttribute name = 'Encryption-Required' value = '2'>
</namedAttribute>
</attribute>
<attribute id = 'MS-MPPE-Encryption-Type' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'hexadecimal'>
</attribute>
<attribute id = 'MS-CHAP-Domain' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'constant'>
</attribute>
<attribute id = 'MS-CHAP-MPPE-Keys' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'constant'>
</attribute>
<attribute id = 'MS-BAP-Usage' multivalued = 'false' namedAttribute = 'true' orderable = 'false' type = 'int4'>
<namedAttribute name = 'BAP-usage-not-allowed' value = '0'>
</namedAttribute>
<namedAttribute name = 'BAP-usage-allowed' value = '1'>
</namedAttribute>
<namedAttribute name = 'BAP-usage-required' value = '2'>
</namedAttribute>
</attribute>
<attribute id = 'MS-Link-Utilization-Threshold' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'int4'>
</attribute>
<attribute id = 'MS-Link-Drop-Time-Limit' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'int4'>
</attribute>
<attribute id = 'MS-MPPE-Send-Key' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'constant'>
</attribute>
<attribute id = 'MS-MPPE-Recv-Key' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'constant'>
</attribute>
<attribute id = 'MS-Filter' multivalued = 'true' namedAttribute = 'false' orderable = 'true' type = 'string'>
</attribute>
<attribute id = 'MS-CHAP2-Success' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'hexadecimal'>
</attribute>
<attribute id = 'MS-Primary-DNS-Server' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'ipAddress'>
</attribute>
<attribute id = 'MS-Secondary-DNS-Server' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'ipAddress'>
</attribute>
<attribute id = 'MS-Primary-NBNS-Server' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'ipAddress'>
</attribute>
<attribute id = 'MS-Secondary-NBNS-Server' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'ipAddress'>
</attribute>
<attribute id = 'MS-CHAP-MPPE-Types' multivalued = 'false' namedAttribute = 'true' orderable = 'false' type = 'int4'>
<namedAttribute name = 'Disable' value = '0'>
</namedAttribute>
<namedAttribute name = 'Auto' value = '1'>
</namedAttribute>
<namedAttribute name = '40-Bit' value = '2'>
</namedAttribute>
<namedAttribute name = '128-Bit' value = '3'>
</namedAttribute>
<namedAttribute name = 'Required' value = '4'>
</namedAttribute>
</attribute>
<attribute id = 'Funk-Full-User-Name' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Funk-Integrity-Policy-Name' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Funk-Integrity-Result' multivalued = 'false' namedAttribute = 'true' orderable = 'false' type = 'int4'>
<namedAttribute name = 'ALLOW' value = '0'>
</namedAttribute>
<namedAttribute name = 'NO_ACCESS' value = '1'>
</namedAttribute>
<namedAttribute name = 'ISOLATE' value = '2'>
</namedAttribute>
<namedAttribute name = 'NO_RECOMMENDATION' value = '3'>
</namedAttribute>
</attribute>
<attribute id = 'Funk-TNC-Payload' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Framed-Interface-Id' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'ipV6Interface'>
</attribute>
<attribute id = 'Framed-IPv6-Prefix' multivalued = 'true' namedAttribute = 'false' orderable = 'false' type = 'ipV6Prefix'>
</attribute>
<attribute id = 'Login-IPv6-Host' multivalued = 'true' namedAttribute = 'false' orderable = 'false' type = 'ipV6Address'>
</attribute>
<attribute id = 'Framed-IPv6-Route' multivalued = 'true' namedAttribute = 'false' orderable = 'false' type = 'stringnz'>
</attribute>
<attribute id = 'Framed-IPv6-Pool' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'stringnz'>
</attribute>
<attribute id = 'Digest-Response-Auth' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
<attribute id = 'Digest-Nextnonce' multivalued = 'false' namedAttribute = 'false' orderable = 'false' type = 'string'>
</attribute>
</returnList>


A review of the RSA RADIUS log file located in /opt/rsa/am/radius showed that a custom RADIUS dictionary had been configured incorrectly. For example:
 

...
...
...
06/25/2018 11:03:58 Configured server IP address: 10.204.1.55
06/25/2018 11:04:00 Invalid identifier on line number 2 of dictionary fortinet.dct
06/25/2018 11:04:00 Invalid identifier on line number 4 of dictionary fortinet.dct
06/25/2018 11:04:00 Invalid type on line 8 of dictionary fortinet.dct
06/25/2018 11:04:00 Invalid identifier on line number 16 of dictionary fortinet.dct

06/25/2018 11:04:05 Successfully created and closed saved-dcts.bin
...
...
...
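
The two symptoms described above can be checked for in copies of the logs with a short script. This is an added example, not RSA-provided code: the function names are hypothetical, and the sample input is taken from the excerpts shown in this article.

```python
import re
from collections import defaultdict

# Matches both message forms seen in the RADIUS log excerpt:
#   "Invalid identifier on line number 2 of dictionary fortinet.dct"
#   "Invalid type on line 8 of dictionary fortinet.dct"
DCT_ERROR = re.compile(
    r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} "
    r"Invalid (?P<kind>identifier|type) on line (?:number )?(?P<line>\d+) "
    r"of dictionary (?P<dct>\S+)$"
)

# A <returnList> element with nothing but whitespace inside it.
EMPTY_RETURN_LIST = re.compile(r"<returnList>\s*</returnList>")

# Sample input copied from the excerpts in this article.
SAMPLE_RADIUS_LOG = """\
06/25/2018 11:03:58 Configured server IP address: 10.204.1.55
06/25/2018 11:04:00 Invalid identifier on line number 2 of dictionary fortinet.dct
06/25/2018 11:04:00 Invalid identifier on line number 4 of dictionary fortinet.dct
06/25/2018 11:04:00 Invalid type on line 8 of dictionary fortinet.dct
06/25/2018 11:04:00 Invalid identifier on line number 16 of dictionary fortinet.dct

06/25/2018 11:04:05 Successfully created and closed saved-dcts.bin
"""
SAMPLE_TRACE = "<returnList>\n</returnList>\n"


def dictionary_errors(radius_log_text):
    """Group dictionary parse errors by dictionary file name."""
    errors = defaultdict(list)
    for raw in radius_log_text.splitlines():
        m = DCT_ERROR.match(raw.strip())
        if m:
            errors[m["dct"]].append((int(m["line"]), m["kind"]))
    return {dct: sorted(found) for dct, found in errors.items()}


def has_empty_return_list(trace_text):
    """True if the verbose imsTrace.log text contains an empty <returnList>."""
    return EMPTY_RETURN_LIST.search(trace_text) is not None


def diagnose(radius_log_text, trace_text):
    """Return one human-readable finding per symptom that is present."""
    report = []
    if has_empty_return_list(trace_text):
        report.append("imsTrace.log: empty <returnList>, no RADIUS attributes returned")
    for dct, found in sorted(dictionary_errors(radius_log_text).items()):
        lines = ", ".join(f"{n} ({kind})" for n, kind in found)
        report.append(f"{dct}: invalid entries on lines {lines}")
    return report


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_RADIUS_LOG, SAMPLE_TRACE):
        print(finding)
```
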

Cause: RSA Authentication Manager is unable to retrieve the RADIUS attributes from the RSA RADIUS server.
Resolution: Due to the nature of this technical issue, customers are advised to locate the Authentication Manager license serial number and open a case with RSA Customer Support.

NOTE: Please reference article 000036490 when you open the support ticket with RSA Customer Support.
