How to Enable RADIUS Debug and Verbose Logs in RSA Authentication Manager 8.6 and Later
a month ago
Originally Published: 2023-10-06
Article Number
000068372
Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.6 and later
Component: RADIUS (Free RADIUS)

Issue

When troubleshooting RADIUS authentication failures or unexpected behavior in RSA Authentication Manager 8.6 and later, it may be necessary to enable RADIUS debug logging and verbose tracing to capture detailed diagnostic information.

RADIUS debug logs can help identify:

  • Authentication request and response details
  • RADIUS packet-level communication errors
  • Misconfigurations in RADIUS server settings
Resolution

CAUTION: Enabling RADIUS debug logging increases log verbosity and may impact server performance. Enable it only during active troubleshooting and disable it immediately when testing is complete.


NOTE: These steps must be repeated on each RADIUS server in your deployment.

  1. Log in to the Operations Console using the Operations Console administrator username and password.

  2. Navigate to Deployment Configuration > RADIUS Servers > Manage Existing.
    Once prompted, enter the Super Admin credentials for the Security Console.
  3. Click the dropdown arrow next to the primary Authentication Manager server and select Manage Server Files.
  4. Click the dropdown arrow next to the radiusd.conf file and select Edit.
  5. Change the debug_level value to 2, as shown: 
    debug_level=2
  6. Click Save & Restart RADIUS Server to apply the changes.
    NOTE: The server restart is required for the debug changes to take effect. 
  7. Verify: Confirm that RADIUS debug logging is active by checking the log file at /opt/rsa/am/radius/radius.log on the respective server. 
  8. When RADIUS troubleshooting is complete, disable debug logging by repeating Steps 1–6, setting debug_level back to 0, then clicking Save & Restart RADIUS Server. 
Notes

  • Log File Location: RADIUS log files for Authentication Manager 8.6 and later are stored at /opt/rsa/am/radius/radius.log on their respective servers.

  • Performance Impact: Debug logging at level 2 generates a high volume of log data and may affect RADIUS server performance. Always disable debug logging promptly after troubleshooting is complete.

  • Alternative Editing Method: While it is recommended to edit the radiusd.conf file through the Operations Console, the file can also be edited directly on the server at /opt/rsa/am/radius/radiusd.conf using a text editor. However, changes made directly to the file still require a RADIUS server restart to take effect.

  • Version Scope: These steps apply to RSA Authentication Manager 8.6 and later only, which uses Free RADIUS

For a step-by-step video guide, please view this YouTube tutorial: here

Don't see what you're looking for?