RSA Authentication Manager 8.x fails to process RADIUS authentication requests from NPS
10 months ago
Article Number
000073361
Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition:  8.x

Issue

The Windows Network Policy Server (NPS) reports "The Remote RADIUS server did not process the authentication request", and the RSA Authentication Manager authentication activity monitor captures the error 'Lookup authentication agent by IP address 0.0.0.0'.

 

In a RADIUS environment, NPS (Network Policy Server) can function as a RADIUS client to communicate with other RADIUS servers. When NPS is configured as a RADIUS client, it's essentially acting as a proxy, forwarding authentication requests to a remote RADIUS server. This allows NPS to handle authentication for devices or services that don't directly communicate with the main RADIUS server. 

 

Tuesday Apr 22 22:04:45 2025 : Error: rlm_perl: Exception when calling rsa_securid_mfa_call: Exception in rsa_securid_mfa_first_step_process_initialize when calling UserApi->initialize: malformed UTF-8 character in JSON string, at character offset 430 (before "\x{92}~N\x{ab}\\u000...") at /opt/rsa/am/radius/raddb/mods-config/perl/rsaMFA/Object/Initialize.pm line 96.
Tuesday Apr 22 22:04:45 2025 : Auth: (2855) Login incorrect: [atsomp] (from client cagexauth.inferno.com port 0)

 

The RADIUS log has the following error:

rlm_perl: Exiting rsa_securid_mfa_call. ***********************************************************************************
rlm_perl: SecurID RADIUS Connector authentication response:: 0
(0) perl: &request:Tunnel-Client-Endpoint:0 = $RAD_REQUEST{'Tunnel-Client-Endpoint:0'} -> '166.199.112.113'
(0) perl: &request:Called-Station-Id = $RAD_REQUEST{'Called-Station-Id'} -> '162.239.28.185'
(0) perl: &request:ASA-TunnelGroupName = $RAD_REQUEST{'ASA-TunnelGroupName'} -> 'AIT-RemoteAccess-Connection'
(0) perl: &request:ASA-ClientType = $RAD_REQUEST{'ASA-ClientType'} -> 'AnyConnect-Client-IPSec-VPN-IKEv2'
(0) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> '<<< secret >>>'
(0) perl: &request:NAS-Port = $RAD_REQUEST{'NAS-Port'} -> '390795264'
(0) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '0.0.0.0'
(0) perl: &request:NAS-Port-Type = $RAD_REQUEST{'NAS-Port-Type'} -> 'Ascend'
(0) perl: &request:Calling-Station-Id = $RAD_REQUEST{'Calling-Station-Id'} -> '166.199.112.113'
(0) perl: &request:Cisco-AVPair += $RAD_REQUEST{'Cisco-AVPair'} -> 'mdm-tlv=device-platform=win'
(0) perl: &request:Cisco-AVPair += $RAD_REQUEST{'Cisco-AVPair'} -> 'mdm-tlv=computer-name=AIT-L-163'
(0) perl: &request:Cisco-AVPair += $RAD_REQUEST{'Cisco-AVPair'} -> 'mdm-tlv=device-mac=d4-f3-2d-b9-29-40'
(0) perl: &request:Cisco-AVPair += $RAD_REQUEST{'Cisco-AVPair'} -> 'mdm-tlv=device-platform-version=10.0.19045 '
(0) perl: &request:Cisco-AVPair += $RAD_REQUEST{'Cisco-AVPair'} -> 'mdm-tlv=device-public-mac=d4-f3-2d-b9-29-40'
(0) perl: &request:Cisco-AVPair += $RAD_REQUEST{'Cisco-AVPair'} -> 'mdm-tlv=device-type=Dell Inc. Latitude 5550'
(0) perl: &request:Cisco-AVPair += $RAD_REQUEST{'Cisco-AVPair'} -> 'mdm-tlv=device-uid-global=A4F9BD99ED1F6932C1DCC607C2080AEDDE862A43'
(0) perl: &request:Cisco-AVPair += $RAD_REQUEST{'Cisco-AVPair'} -> 'mdm-tlv=device-uid=9D1C5F508A55E2CAEEBA04F4F5C0EE8EC0D6D73037F86FFC3DDC0D677CC5B6C8'
(0) perl: &request:Cisco-AVPair += $RAD_REQUEST{'Cisco-AVPair'} -> 'audit-session-id=0a0505fb174b10006765e038'
(0) perl: &request:Cisco-AVPair += $RAD_REQUEST{'Cisco-AVPair'} -> 'ip:source-ip=166.199.112.113'
(0) perl: &request:Cisco-AVPair += $RAD_REQUEST{'Cisco-AVPair'} -> 'coa-push=true'
(0) perl: &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> '1734729782'
(0) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'bharath.madhiraju'
(0) perl: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '10.5.5.251'
(0) perl: &reply:Response-Packet-Type = $RAD_REPLY{'Response-Packet-Type'} -> 'Access-Reject'
(0) perl: &control:Response-Packet-Type = $RAD_CHECK{'Response-Packet-Type'} -> 'Access-Reject'
(0) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'Perl'
(0)     [perl] = reject
(0)   } # Auth-Type Perl = reject
(0) Failed to authenticate the user

Workaround
  1. Use the rsaadmin account to log on to the appliance operating system.
  2. Change directories to /opt/rsa/am/utils.
  3. Run the following command line utility (CLU) to change a configuration value from 'Packet-Src-IP-Address' to 'NAS-IP-Address':
    ./rsautil store -o <admin> -a update_config auth_manager.radius.rest_service.clientid.attribute.name 'NAS-IP-Address' GLOBAL 503
rsaadmin@rkcm:/opt/rsa/am/utils> ./rsautil store -o ocadmin -a update_config auth_manager.radius.rest_service.clientid.attribute.name 'NAS-IP-Address' GLOBAL 503
Please enter OC Administrator password: *********
psql:/tmp/9c14830e-ddf2-4f18-b2ca-90b8dffcf42f7782059035570951923.sql:167: NOTICE:   Changed the value of configuration parameter 'auth_manager.radius.rest_service.clientid.attribute.name' from 'Packet-Src-IP-Address' to 'NAS-IP-Address' for the instance 'GLOBAL'.
 update_config
---------------

(1 row)

rsaadmin@rkcm:/opt/rsa/am/utils>
  4. Change directories to /opt/rsa/am/server.
  5. Run the following to restart all services:
    ./rsaserv restart all
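
Before and after changing the client ID attribute in step 3, it helps to see what each RADIUS request actually carries in the two attributes involved. The following is an added example, not part of the original article and not RSA tooling: a shell function that reads rlm_perl debug lines in the format shown in the log above and reports both values per request. The function names, flag labels and sample lines are constructed for illustration, and it assumes each request id appears once in the input.

```shell
#!/bin/sh
# Added example (not RSA tooling): per request, report the two attributes the
# workaround switches between, as logged by rlm_perl in debug output.
# Assumes each request id "(N)" appears once in the input that is read.

radius_client_attrs() {
    awk -v q="'" '
    /&request:/ && match($0, /^\([0-9]+\)/) {
        id = substr($0, 2, RLENGTH - 2)     # digits between the parentheses
        n = split($0, part, q)              # ...{<q>NAME<q>} -> <q>VALUE<q>
        if (n < 5) next
        name = part[2]; value = part[n - 1]
        if (name != "NAS-IP-Address" && name != "Packet-Src-IP-Address") next
        if (!(id in seen)) { seen[id] = 1; order[++count] = id }
        val[id, name] = value
    }
    END {
        for (i = 1; i <= count; i++) {
            id = order[i]
            nas = val[id, "NAS-IP-Address"]
            src = val[id, "Packet-Src-IP-Address"]
            # NAS_UNSET: attribute missing or 0.0.0.0; MISMATCH: the two differ
            if (nas == "" || nas == "0.0.0.0") flag = "NAS_UNSET"
            else if (nas != src)               flag = "MISMATCH"
            else                               flag = "MATCH"
            printf "%s src=%s nas=%s %s\n", id, (src == "" ? "-" : src), (nas == "" ? "-" : nas), flag
        }
    }'
}

# Constructed sample lines in the log format shown above (documentation addresses).
sample_log() {
    cat <<'EOF'
(0) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '0.0.0.0'
(0) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'alice'
(0) perl: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.0.2.10'
(1) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '198.51.100.7'
(1) perl: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.0.2.10'
(2) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> '192.0.2.20'
(2) perl: &request:Packet-Src-IP-Address = $RAD_REQUEST{'Packet-Src-IP-Address'} -> '192.0.2.20'
EOF
}
```

Feed it a saved debug log on standard input (`radius_client_attrs < your-log-file`); each output line is the request id, the packet source address, the NAS-IP-Address value, and a flag.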