Article Number
000035239
Applies To
RSA Product Set: SecurID Access
Issue
When attempting to initiate RADIUS authentication, the Administration Console's User Event Monitor displays error:
LDAP password authentication failed - Logon failure: unknown username or invalid password
The identity router's (IDR) /var/log/radiusj/radius-audit.log also indicates an error similar to:
2017-06-08/20:25:08.404/UTC [RadiusAuditEntryProcessor] INFO RADIUSAUDIT[31] -
----------START_RADIUS_USER_LDAP_AUTHENTICATION----------
EVENTID=RADIUS_USER_LDAP_AUTHENTICATION
DATETIME=Thu Jun 08 20:25:08 UTC 2017
IN_RESPONSE_TO=3482eedb-936a-427b-a56a-48e9ac09d4dc
DESCRIPTION=RADIUS – Unsuccessful LDAP authentication- Please Check User Event monitor for details.
NAS-IP-ADDRESS=192.168.20.100
USER_NAME=jsmith
CLIENT_ID=RADIUS: Cisco ASA
RADIUS_RESPONSE_TYPE=Access-Reject
STATUS=FAIL
REQUEST_ID=3482eedb-936a-427b-a56a-48e9ac09d4dc
POLICY_ID=LowLevel_AllUsers
TENANT_ID=mycompany
----------END_RADIUS_USER_LDAP_AUTHENTICATION----------
The username/password are known to be correct and the identity source has been tested successfully.
Cause
The RADIUS shared secret configured on the RADIUS client does not match the shared secret configured for that client in the Administration Console. The identity router uses its copy of the secret to decode the password carried in the Access-Request, so a mismatch yields a garbled password, and the subsequent LDAP bind against the identity source fails as if the user had typed the wrong password.
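The following is an added illustration, not code from RSA or from the identity router: it implements the RFC 2865 section 5.2 User-Password hiding scheme (MD5 of the shared secret and Request Authenticator, XORed with the password in 16-byte blocks) and shows what the server recovers when its secret differs from the client's. The Request Authenticator in an Access-Request is a random value rather than a keyed checksum, so a plain Access-Request gives the server nothing to reject on; the first symptom is the failed directory bind, exactly as the User Event Monitor reports. The password, secrets and the `simulate_ldap_bind` helper are constructed for the demonstration.

```python
import hashlib
import os


def _pad16(data: bytes) -> bytes:
    """Pad with NUL bytes to a multiple of 16, as RFC 2865 section 5.2 requires."""
    return data + b"\x00" * (-len(data) % 16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ..."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = _pad16(password)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # each block is chained on the previous ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: inverse of hide_password using the server's copy of the secret."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")  # strip the NUL padding added by the client


def simulate_ldap_bind(recovered_password: bytes, directory_password: bytes) -> bool:
    """Constructed stand-in for the identity router's bind against the identity source."""
    return recovered_password == directory_password


def demo(client_secret: bytes, server_secret: bytes,
         password: bytes = b"correct horse") -> dict:
    """Run one Access-Request through client hiding and server recovery.

    Returns the password the server decoded and whether the directory bind succeeds.
    With matching secrets the bind passes; with a mismatch the decoded bytes are
    pseudo-random and the bind fails with the same error as a wrong password.
    """
    authenticator = os.urandom(16)  # random Request Authenticator, as the client sends it
    hidden = hide_password(password, client_secret, authenticator)
    recovered = reveal_password(hidden, server_secret, authenticator)
    return {"recovered": recovered, "bind_ok": simulate_ldap_bind(recovered, password)}


if __name__ == "__main__":
    print("matching secrets:  ", demo(b"Shared-Secret-1", b"Shared-Secret-1"))
    print("mismatched secrets:", demo(b"Shared-Secret-1", b"Shared-Secret-2"))
```

Because the secret mismatch only shows up as unreadable password bytes, the RADIUS client log and the `radius-audit.log` entry both look like an ordinary bad-credential reject; checking the shared secret on both sides is the first step whenever the credentials are known to be good and the identity source test passes.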
Resolution
Re-enter the RADIUS shared secret on the RADIUS client and/or in the SecurID Access Administration Console, as described in Add a RADIUS Client for the Cloud Authentication Service.
Notes
This scenario can also occur when the shared secret is long or contains special characters, because the RADIUS client may silently truncate or alter the value it stores.
While the IDR-based SecurID Access RADIUS server supports a shared secret length of up to 512 characters and most special characters, RADIUS client devices may have different limitations.
Select shared secrets that are fully supported by the RADIUS devices in your network.
See the Administration Console's on-screen help for the IDR RADIUS Server shared secret requirements.