RSA Product Set: SecurID Access
When attempting to initiate RADIUS authentication, the Administration Console's User Event Monitor displays the error:
LDAP password authentication failed - Logon failure: unknown username or invalid password
The identity router's (IDR) /var/log/radiusj/radius-audit.log also indicates an error similar to:
2017-06-08/20:25:08.404/UTC [RadiusAuditEntryProcessor] INFO RADIUSAUDIT -
DATETIME=Thu Jun 08 20:25:08 UTC 2017
DESCRIPTION=RADIUS – Unsuccessful LDAP authentication- Please Check User Event monitor for details.
CLIENT_ID=RADIUS: Cisco ASA
The username/password are known to be correct and the identity source has been tested successfully.
The RADIUS shared secret configured on the RADIUS client and the one configured in the Administration Console are not the same value.
Re-enter the RADIUS secret at the RADIUS client and/or in the SecurID Access Administration Console as described in Add a RADIUS Client for the Cloud Authentication Service.
This scenario could also occur due to using a long shared secret or one with special characters.
While the IDR-based SecurID Access RADIUS server supports a shared secret length of up to 512 characters and most special characters, RADIUS client devices may have different limitations.
Select shared secrets that are fully supported by the RADIUS devices in your network.
See the Administration Console's on-screen help for the IDR RADIUS Server shared secret requirements.
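Why a shared secret mismatch shows up as an LDAP password failure, as an added example that is not RSA's code: it assumes the client sends the password with PAP, where RFC 2865 hides the User-Password attribute with an MD5 keystream derived from the shared secret, so a server holding a different secret recovers different bytes and hands those to the identity source. The secrets, the password and the 16-character truncation limit are constructed for illustration.

```python
import hashlib

def _mask(secret: bytes, prev: bytes) -> bytes:
    # RFC 2865 section 5.2: b(i) = MD5(shared secret + previous block)
    return hashlib.md5(secret + prev).digest()

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: build the User-Password attribute value."""
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    # Pad with NULs to a multiple of 16 octets, minimum one block.
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], _mask(secret, prev)))
        hidden += prev
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the server's copy of the secret."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, _mask(secret, prev)))
        prev = block
    return clear.rstrip(b"\x00")

def password_seen_by_server(password, client_secret, server_secret, authenticator):
    """What the server passes to the identity source (LDAP) for verification."""
    hidden = hide_password(password, client_secret, authenticator)
    return recover_password(hidden, server_secret, authenticator)

# Constructed sample values, not taken from any real deployment.
AUTHENTICATOR = bytes(range(16))      # Request Authenticator (random in practice)
PASSWORD = b"Correct-Horse-Battery-9!"
SERVER_SECRET = b"S3cret#with$pecial&chars-" + b"x" * 40  # long secret on the server
TRUNCATED = SERVER_SECRET[:16]        # hypothetical client that keeps only 16 characters

if __name__ == "__main__":
    for label, client_secret in (("matching", SERVER_SECRET), ("truncated", TRUNCATED)):
        seen = password_seen_by_server(PASSWORD, client_secret, SERVER_SECRET, AUTHENTICATOR)
        verdict = "LDAP bind succeeds" if seen == PASSWORD else "LDAP bind fails"
        print(f"{label:9} secret -> server sees {seen!r}: {verdict}")
```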