Authentication Manager 8.x Replica RADIUS Authentication Fails: Missing or Invalid Product Setting
Originally Published: 2019-03-29
Article Number
000041733
Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 or later
Component: RADIUS Server

Issue

When RADIUS authentication requests are sent to a replica instance of Authentication Manager 8.x, users experience authentication failures. The issue does not occur when authenticating against the primary instance.

Observable symptoms include:

  • RADIUS authentication requests sent to the replica are rejected
  • Authentication succeeds on the primary but fails on the replica

Replica RADIUS debug log — key error lines:

03/27/2019 21:08:00 -----------------------------------------------------------
03/27/2019 21:08:00 ../radauthd.c radAuthHandleRequest() 3057 Entering
03/27/2019 21:08:00 Looking up shared secret
03/27/2019 21:08:00 Looking for RAS client x x x x in DB
03/27/2019 21:08:00 Matched x.x.x.x to RAS client <RAS client name>
03/27/2019 21:08:00 Parsing request
03/27/2019 21:08:00 Initializing cache entry
03/27/2019 21:08:00 Doing inventory check on request
03/27/2019 21:08:00 Getting info on requesting client
03/27/2019 21:08:00 NAS-IP-Address in request: xxx.xxx.xxx.xxx
03/27/2019 21:08:00 Missing or invalid product setting for client FQDN.DOMAIN
03/27/2019 21:08:00 -----------------------------------------------------------
03/27/2019 21:08:00 Authentication Request
03/27/2019 21:08:00 Received From: ip=xxx.xxx.xxx.xxx port=xxxx
03/27/2019 21:08:00 Packet : Code = 0x1 ID = 0x63
03/27/2019 21:08:00 Client Name = FQDN.DOMAIN Dictionary Name = dictiona.dcm
03/27/2019 21:08:00 Vector =
03/27/2019 21:08:00 0000:  0d47dc0a 8fdcf096 4ede391e f9ff7a2a |.G......N.9....Z*|
03/27/2019 21:08:00 Parsed Packet = 
03/27/2019 21:08:00 User-Name : String value =<user name>
03/27/2019 21:08:00 User-Password : Value =<password>
03/27/2019 21:08:00 000: 93b1fb06 17880af6 29d5e701 770eec09 |........)...w...|
03/27/2019 21:08:00 NAS-IP Address : IP-Address = <IP address>
03/27/2019 21:08:00 NAS-Port : Integer Value = 13
03/27/2019 21:08:00 NAS-Port-Type : Integer-Value = 5
03/27/2019 21:08:00 Cisco-AVPAIR : String value - coa-push=true
03/27/2019 21:08:00 ----------------------------------------------------------- 
03/27/2019 21:08:00 Client entry missing or invalid. Rejecting
03/27/2019 21:08:00 -----------------------------------------------------------  
03/27/2019 21:08:00 Authentication response (reject)
03/27/2019 21:08:00 Packet : Code = 0x3 ID = 0x63
03/27/2019 21:08:00 Vector =
03/27/2019 21:08:00 000: bcc17cd4 87917d99 f9a2b4c8 c23fd5f8 |..|...}......?.|
03/27/2019 21:08:00 -----------------------------------------------------------   
03/27/2019 21:08:00 -----------------------------------------------------------   
03/27/2019 21:08:00 Authentication response (reject)
03/27/2019 21:08:00 Sent to: ip=x.x.x.x port=xxx
03/27/2019 21:08:00 
03/27/2019 21:08:00 Raw Packet :
03/27/2019 21:08:00 000: 03630014 bcc17cd4 87917d99 f9a2b4c8 |.c....|...}.....|
03/27/2019 21:08:00 010: c23fd5f8
03/27/2019 21:08:00 
03/27/2019 21:08:00 -----------------------------------------------------------    
03/27/2019 21:08:00 Packet containing 20 bytes successfully sejnt
03/27/2019 21:08:00 Sent reject response
03/27/2019 21:08:00 ../radauthd.c radAuthHandleRequest () 3082 Exiting


Primary RADIUS debug log — for comparison, the primary processes the same request successfully and references a vendor-specific dictionary file: 

03/27/2019 21:09:15 Doing inventory check on request
03/27/2019 21:09:15 Getting info on requesting client
03/27/2019 21:09:15 NAS-IP-Address in request: xxx.xxx.xxx.xxx
03/27/2019 21:09:15 -----------------------------------------------------------
03/27/2019 21:09:15 Authentication Request
03/27/2019 21:09:15 Received From: ip=xxx.xxx.xxx.xxx port=xxxx
03/27/2019 21:09:15 Packet : Code = 0x1 ID = 0xea
03/27/2019 21:09:15 Client Name = FQDN.DOMAIN Dictionary Name = xxxxxxxx.dct
03/27/2019 21:09:15 Vector =

Note: If a vendor-specific RADIUS dictionary file (.dct) has been added to the primary RADIUS server, it must also be present on all replica servers. The absence of this file on the replica is the most common cause of this error. 

Cause

Vendor-specific RADIUS dictionary files are not automatically replicated from the primary to replica RADIUS servers — this is by design.

When a vendor-specific dictionary file (.dct) is manually added to the primary RADIUS server, the associated vendor.ini and dictiona.dcm files are also updated. However, these changes are not propagated to replica servers. As a result, when a RADIUS client sends an authentication request to the replica, the replica cannot locate the required product settings for that client, causing it to reject the request with the error: "Missing or invalid product setting."

Resolution
  1. Log in to the primary Authentication Manager server via SSH or the console as rsaadmin. 
  2. Copy the vendor-specific .dct file (shown below as vendor.dct; substitute the actual file name), vendor.ini, and dictiona.dcm from the primary to the replica. Replace <replica-ip> with the IP address of your replica server:
    scp /opt/rsa/am/radius/vendor.dct rsaadmin@<replica-ip>:/opt/rsa/am/radius/
    scp /opt/rsa/am/radius/vendor.ini rsaadmin@<replica-ip>:/opt/rsa/am/radius/
    scp /opt/rsa/am/radius/dictiona.dcm rsaadmin@<replica-ip>:/opt/rsa/am/radius/
  3. Log in to the replica server via SSH or the console as rsaadmin.
  4. Restart the RADIUS service on the replica: 
    cd /opt/rsa/am/server
    ./rsaserv restart radius
  5. Verify: Re-run a RADIUS authentication request against the replica and confirm it succeeds.
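The following is an added example, not part of the RSA article: a small POSIX sh check that confirms a replica's RADIUS dictionary set matches the primary's, so the mismatch described in the Cause section is caught before clients are sent to the replica. It assumes the article's /opt/rsa/am/radius path and that dictiona.dcm lists included dictionaries as lines beginning with "@" (e.g. "@vendor.dct"); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the RSA article: check that a replica's RADIUS
# dictionary set matches the primary's before (or after) restarting RADIUS.
#   On the primary:  radius_dict_manifest /opt/rsa/am/radius > manifest.txt
#   Copy manifest.txt to the replica, then there:
#                    radius_dict_verify /opt/rsa/am/radius manifest.txt
# Assumption (not stated in the article): dictiona.dcm lists the dictionaries it
# includes as lines beginning with '@', e.g. "@vendor.dct".
RADIUS_DIR_DEFAULT=/opt/rsa/am/radius

# Print "sha256  filename" for each file the article says must travel together:
# every .dct, plus vendor.ini and dictiona.dcm.
radius_dict_manifest() {
    dir=${1:-$RADIUS_DIR_DEFAULT}
    ( cd "$dir" || exit 1
      for f in *.dct vendor.ini dictiona.dcm; do
          [ -f "$f" ] && sha256sum "$f"
      done )
}

# Compare a replica directory against the primary's manifest. Reports files that
# are missing on the replica, files whose content differs, and dictionaries that
# dictiona.dcm includes but that are absent, which is the state that makes the
# replica log "Missing or invalid product setting" and reject the client.
# Returns 0 only when the replica is consistent with the primary.
radius_dict_verify() {
    dir=${1:-$RADIUS_DIR_DEFAULT}; manifest=$2; rc=0
    while read -r sum name; do
        [ -n "$name" ] || continue
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING    $name (copy it from the primary)"; rc=1
        elif [ "$(sha256sum "$dir/$name" | cut -d' ' -f1)" != "$sum" ]; then
            echo "DIFFERS    $name (replica copy is stale)"; rc=1
        fi
    done < "$manifest"
    # Resolve the include lines of the replica's own dictiona.dcm.
    includes=$(grep '^@' "$dir/dictiona.dcm" 2>/dev/null | sed 's/^@//; s/[[:space:]]*$//')
    for ref in $includes; do
        if [ ! -f "$dir/$ref" ]; then
            echo "UNRESOLVED dictiona.dcm includes $ref but the file is absent"; rc=1
        fi
    done
    return $rc
}
```

A non-zero exit with a MISSING or UNRESOLVED line names exactly the file to scp from the primary in step 2; run it again after the copy and before step 4.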