User name included in RADIUS response packet in RSA ACE/Server; 'Passcode Accepted' message followed 'Access Denied' and 'auth lock' errors
3 years ago
Originally Published: 2002-05-09
Article Number
000050771
Applies To
RSA ACE/Server 5.0.1 (no longer supported as of 8-15-2004)
Sun Solaris 2.8
Microsoft Windows 2000
UNIX (AIX, HP-UX, Solaris)
All supported platforms
All UNIX platforms
RADIUS
3rd-party access server, Jtec frame switch module, FSM-16
Issue
User name included in RADIUS response packet in RSA ACE/Server; "Passcode Accepted" message followed "Access Denied" and "auth lock" errors
Response delay time is set to 1 second but RADIUS authentications still fail
Error: "ACCESS DENIED, auth lock error"; users locked out for 10 minutes after the error
Dial-up through access server doesn't work after upgrade to ACE/Server 5.0.x
Error: "auth lock error" in the ACE/Server logs
In the ACE/Server logs, "Passcode Accepted" message is immediately followed by "Access Denied" and auth lock errors
RADIUS authentications were working before upgrade
RADIUS authentications fail
Other RADIUS devices are working fine
A packet sniffer shows that successful response packet from ACE/Server includes attribute 1, User NAME in response packet
ACE/Server LOG show:
04/24/2002 01:33:42U jsilk/Jtec_server 000072629150
04/24/2002 11:33:42L Passcode accepted cyclone
04/24/2002 11:33:42L Johan Silkenas

04/24/2002 01:33:46U jsilk/Jtec_server 000072629150
04/24/2002 11:33:46L ACCESS DENIED, passcode incorrect cyclone
04/24/2002 11:33:46L Johan Silkenas
04/24/2002 01:33:46U ------/Jtec_server 000072629150
04/24/2002 11:33:46L ACCESS DENIED, auth lock error cyclone
04/24/2002 11:33:46L -----

04/24/2002 01:33:50U jsilk/Jtec_server 000072629150
04/24/2002 11:33:50L ACCESS DENIED, passcode incorrect cyclone
04/24/2002 11:33:50L Johan Silkenas
04/24/2002 01:33:50U ------/Jtec_server 000072629150
04/24/2002 11:33:50L ACCESS DENIED, auth lock error cyclone
04/24/2002 11:33:50L -----

04/24/2002 01:33:54U jsilk/Jtec_server 000072629150
04/24/2002 11:33:54L ACCESS DENIED, passcode incorrect cyclone
04/24/2002 11:33:54L Johan Silkenas
04/24/2002 01:33:54U ------/Jtec-server 000072629150
04/24/2002 11:33:54L ACCESS DENIED, auth lock error cyclone
04/24/2002 11:33:54L -----
Cause
ACE/Server 5.0.x RADIUS configuration has by default "Send user name in response packet" ticked under Profiles tab in RADIUS configuration utility (rwconfig). Some Access Server receiving this extra attribute (1, User NAME) in the response packet does not understand, and tries to send authentication through to ACE/Server 5 RADIUS server again.
Resolution
Stop ACE/Server RADIUS daemon and run the "rwconfig" program to change the configuration to exclude the User Name in the response packet. See ACE/Server 5.0 Administration Manual Appendix B, Configuring the RADIUS Server. Save changes and restart the RADIUS daemon.
 
Workaround
Upgrade from ACE/Server 3.3.1 - 4.1 to ACE/Server 5.0.x

Related Articles

Trending Articles

Don't see what you're looking for?