RADIUS server not found and/or RADIUS server cannot be managed after upgrade to Authentication Manager 8.6 or 8.7
Originally Published: 2022-11-11
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.6, 8.7
Issue
- Servers in this deployment of Authentication Manager started at very early versions of this platform (including but not limited to 8.1, 8.2).
- Servers upgrades were done by following the proper upgrade path from 8.4 to 8.5 to 8.6 but without running the RSA Authentication Manager 8.6 Pre-Upgrade Check Tool.
- Now there are messages stating cannot determine status of RADIUS server after upgrade to Authentication Manager 8.6 or 8.7.
- After upgrading to Authentication Manager 8.6 and 8.7:
- From the Operations Console navigate to Deployment Configuration > RADIUS Server. See an error message that RADIUS Server not found.
- From the Security Console, navigate to RADIUS > RADIUS Clients > Manage Existing and see a message that RADIUS server cannot be managed.
- The following errors display in the logs:
Oct 29, 2022 1:34:37 PM com.rsa.authmgr.admin.tools.action.OrderedRadiusMigrationAction migrationLogError
SEVERE: Failed to Synchronize RADIUS Clients and Profiles with AM.
com.rsa.authmgr.radius.exception.RadiusSystemException: Unable to read RADIUS object -Could not create SSL Socket
SEVERE: Failed to Synchronize RADIUS Clients and Profiles with AM.
com.rsa.authmgr.radius.exception.RadiusSystemException: Unable to read RADIUS object -Could not create SSL Socket
at com.rsa.authmgr.internal.radius.sbr.xui.impl.XUIAccessImpl.read(XUIAccessImpl.java:377)
at com.rsa.authmgr.admin.tools.action.premigrate.AMMigrateSyncRadiusDataAction.execute(AMMigrateSyncRadiusDataAction.java:178)
at com.rsa.authmgr.admin.tools.AMMigrateRadiusDataCLU.execute(AMMigrateRadiusDataCLU.java:211)
at com.rsa.authmgr.admin.tools.AMMigrateRadiusDataCLU.main(AMMigrateRadiusDataCLU.java:973)
at com.rsa.authmgr.admin.tools.action.premigrate.AMMigrateSyncRadiusDataAction.execute(AMMigrateSyncRadiusDataAction.java:178)
at com.rsa.authmgr.admin.tools.AMMigrateRadiusDataCLU.execute(AMMigrateRadiusDataCLU.java:211)
at com.rsa.authmgr.admin.tools.AMMigrateRadiusDataCLU.main(AMMigrateRadiusDataCLU.java:973)
Caused by: java.lang.RuntimeException: Could not create SSL Socket
at com.rsa.authmgr.internal.radius.sbr.xui.ssl.XUISSLSocketFactory.initSSLSocket(XUISSLSocketFactory.java:102)
at com.rsa.authmgr.internal.radius.sbr.xui.ssl.XUISSLSocketFactory.createSocket(XUISSLSocketFactory.java:65)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
at com.rsa.authmgr.internal.radius.sbr.xui.impl.XUIAccessImpl.read(XUIAccessImpl.java:350)
at com.rsa.authmgr.internal.radius.sbr.xui.ssl.XUISSLSocketFactory.createSocket(XUISSLSocketFactory.java:65)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:706)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:386)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
at com.rsa.authmgr.internal.radius.sbr.xui.impl.XUIAccessImpl.read(XUIAccessImpl.java:350)
... 3 more
Cause
With Authentication Manager 8.5 and below, RSA used a product called Steel Belted RADIUS. From 8.6 and higher we now use FreeRADIUS. That change means that before upgrading to 8.6 you must run the RSA Authentication Manager 8.6 Pre-Upgrade Check Tool. This RSA RADIUS pre-migration script locates any RADIUS issues that need to be corrected before upgrading from RSA Authentication Manager 8.5 to RSA Authentication Manager 8.6. You must run this script before upgrading to RSA Authentication Manager 8.6.
Check the Operations Console under Maintenance > Update and Rollback. Look at the Applied Updates table. While Engineering has not determined root cause, Support has found that when upgrading from much older versions of Authentication Manager through to 8.5, 8.6 and finally to 8.7, that there are database artifacts that effect the working of the upgraded system. If your system started at a much earlier version of Authentication Manager, see the Workaround section below.
RADIUS troubleshooting tips
- SSH to your Authentication Manager 8.5 primary and navigate to /opt/rsa/am/radius. Look for a file named mmddyyyy.log, where the file name is the date you saw the error (e. g., 20221029.log). Starting from the bottom and scrolling up, look at the file for any error messages.
- Make sure that port 7072/TCP is open bi-directionally between the primary and the replica.
- In the Security Console, click RADIUS > RADIUS Servers. Click Initiate Replication.
- Manually rebuild RADIUS:
- SSH to the primary server with the rsaadmin account.
- Manually configure RADIUS with command /opt/rsa/am/config/config.sh RadiusOCConfig.configure. You will be prompted to enter the rsaadmin password to complete this task.
- Stop and start RSA Authentication Manager services
login as: rsaadmin Using keyboard-interactive authentication. Password: Last login: Thu Nov 10 16:01:46 2022 from 192.168.2.102 RSA Authentication Manager Installation Directory: /opt/rsa/am rsaadmin@am8p:~> cd /opt/rsa/am/config rsaadmin@am8p:/opt/rsa/am/config> ./config.sh RadiusOCConfig.configure rsaadmin@am8p:/opt/rsa/am/config> cd ../server rsaadmin@am8p:/opt/rsa/am/server> ./rsaserv restart all
Resolution
- Copy /opt/rsa/am/utils/etc/radius_migration.properties from the primary to the replica server.
- Restart Authentication Manager services.
Workaround
If you are upgrading from a much earlier version of Authentication Manager, you may run into an issue with database artifacts that can cause RADIUS or other components to no longer be manageable. Consider the following process that gives you new servers that can cleanly be upgraded to Authentication Manager 8.6 and then 8.7:
- From the Operations Console, take a backup of the current Authentication Manager primary server (Maintenance > Backup and Restore > Backup Now). Copy the backup to a different server for storage.
- Create a new replica with Authentication Manager 8.5. For continuity, create the replica with the old primary's IP address and hostname (do this on a different subnet). This would mean any RSA Authentications Agent machines would not need new sdconf.rec files.
- Promote this server to be the new primary.
- Bring this online as the primary and import your backup.
- Install all new replicas running 8.5.
- Attach new replicas to new primary.
- Delete old primary and old replicas.
- Run the RSA Authentication Manager 8.6 Pre-Upgrade Check Tool. Before continuing, resolve any issues that are listed in the report.
- Upgrade to Authentication Manager 8.6 then 8.7.
- Install new web tiers, if using.
Notes
Related Articles
Applying patch or upgrade fails after hardening RSA Authentication Manager appliance Number of Views Authentication Manager 8.5 upgrade to 8.6 fails with error: Unactivated changes are present in the WebLogic Server config.xml Number of Views RSA Authentication Manager 8.1 primary instance fails to upgrade to 8.2 with error: Replication flush failed Number of Views RADIUS Server loading indefinitely after upgrade from Authentication Manager 8.5 Number of Views Database reindex required after applying Authentication Manager 8.7 SP1 and Authentication Manager 8.7 SP1 patch 1 due to … Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Release Notes for RSA Authentication Manager 8.8 Deploying RSA Authenticator 6.2.2 for Windows Using DISM Downloading RSA Authentication Manager license files or RSA Software token seed records
Don't see what you're looking for?
