Microsoft Windows 2000
Cisco 2651 router or any Cisco IOS device
Error: "Authentication Failed" in the RADIUS debug file
Local ACE/Agent and RADIUS test client authentication works correctly
Errors: "User not in database" and "User not on Agent Host" in the ACE/Server activity log when trying to authenticate over RADIUS through the Cisco VPN client
The RFC 2865 RADIUS Attribute Type 1 (username) sent by the Cisco router is actually the name of the group. In other words, the username that shows up in the activity log is the name of the group you configured on the ACE/Server instead of the name of the user, and "Attribute 1 length" in the RADIUS debug log is the same character length as the name of the group that the user belongs to.
Consider the following scenario:
Cisco VPN client -> (a.b.c.d external IP) Cisco 2651 router (e.f.g.h internal IP) RADIUS -> (e.f.g.2 A/S 5.1 on Windows 2000).
1- Ensure the RADIUS daemon is started (Start Menu -> Control Panel -> Administrative Tools -> Services -> RSA ACE/Server RADIUS Daemon).
2- Ensure the ACE/Server is started (Start Menu -> Control Panel -> RSA ACE/Server).
3- Check that the services file contains the entries for RADIUS:
radius 1645/udp #Radius Authentication Protocol
radacct 1646/udp #Radius Accounting Protocol
4- In Database Administration, go to Profile and Add Profile to ensure there are RADIUS attributes under "Available Attributes" (left-hand side), which verifies that RADIUS is installed.
5- Go to Start Menu -> Programs -> RSA ACE/Server -> Configuration Tools and open the Configuration Management screen to ensure "RADIUS Server enabled" is checked under "Enabled Features".
6- Check "Agent Host Config" and "User Config". Under "Agent Host Config", ensure that the key set under "Assign/Change Encryption key" is the same shared key as the one on the 2651 router in the IOS config statement 'radius-server key "<radius_secret>"'.
7- Any users that were created need to be part of a certain group.
8- Turn on RADIUS Debug via \ace\prog\rwconfig, then stop and start RSA RADIUS and ACE/Server for the change to take effect.
9- From a command prompt, type the following commands to verify that RADIUS is turned on:
netstat -an | find "1645"
netstat -an | find "1646"
10- Turn on Activity Monitor.
11- Ensure there are no hostname resolution issues with the ACE/Server and the Agent Host for the Cisco router.
12- On the Cisco Router, remove the IOS config statement 'aaa authorization network groupauthen group radius'. Make sure the following IOS config statement is in place:
aaa authorization network groupauthor local
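To confirm the symptom from a packet capture rather than from the debug log, the following added example (not from the original article, and not RSA or Cisco code) parses an RFC 2865 Access-Request, extracts Attribute 1 and reports whether it carries a group name instead of a user name. The group name `vpngroup`, the user `jsmith`, the NAS address and the sample packets are constructed for illustration.

```python
import struct

USER_NAME = 1  # RFC 2865 attribute type 1 (User-Name)


def parse_request(packet: bytes) -> dict:
    """Parse a RADIUS packet into code, identifier and (type, value) attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("Length field does not match the captured data")
    attrs, pos = [], 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident, "attrs": attrs}


def check_user_name(packet: bytes, group_names: set) -> tuple:
    """Return (User-Name, value length in characters, is_group_name)."""
    values = [v for t, v in parse_request(packet)["attrs"] if t == USER_NAME]
    if not values:
        return (None, 0, False)
    name = values[0].decode("utf-8", "replace")
    groups = {g.casefold() for g in group_names}
    return (name, len(name), name.casefold() in groups)


def build_request(user_name: str, ident: int = 1) -> bytes:
    """Constructed sample Access-Request (code 1) with a zeroed authenticator."""
    value = user_name.encode()
    attrs = bytes([USER_NAME, len(value) + 2]) + value
    attrs += bytes([4, 6, 192, 0, 2, 1])  # NAS-IP-Address 192.0.2.1 (constructed)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + bytes(16) + attrs


if __name__ == "__main__":
    groups = {"vpngroup"}  # constructed: group names configured on the server
    for sample in ("vpngroup", "jsmith"):
        name, length, is_group = check_user_name(build_request(sample), groups)
        status = "GROUP NAME SENT AS USER" if is_group else "ok"
        print(f"User-Name={name!r} length={length} -> {status}")
```

The reported length is the attribute value only, without the two-byte type/length header.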