Microsoft Windows 2000
Cisco 2651 router or any Cisco IOS device
Error: "Authentication Failed" in the RADIUS debug file
Local ACE/Agent and RADIUS test client authentication works correctly
Errors: "User not in database" and "User not on Agent Host" in the ACE/Server activity log when trying to authenticate through RADIUS with the Cisco VPN client
The RFC 2865 RADIUS Attribute Type 1 (username) sent by the Cisco router is actually the name of the group. In other words, the username that shows up in the activity log is the name of the group you configured on the ACE/Server instead of the name of the user, and "Attribute 1 length" in the RADIUS Debug log is the same character length as the name of the group that the user belongs to.
Consider the following scenario:
Cisco VPN client -> (a.b.c.d external IP) Cisco 2651 router (e.f.g.h internal IP) RADIUS -> (e.f.g.2 A/S 5.1 on Windows 2000).
1- Ensure the RADIUS daemon is started (Start Menu -> Control Panel -> Administrative Tools -> Services -> RSA ACE/Server RADIUS Daemon).
2- Ensure the ACE/Server is started (Start Menu -> Control Panel -> RSA ACE/Server).
3- Check that the services file contains the entries for RADIUS:
radius 1645/udp #Radius Authentication Protocol
radacct 1646/udp #Radius Accounting Protocol
4- In Database Administration, go to Profile and Add Profile and check that there are RADIUS attributes under "Available Attributes" (left-hand side). This verifies that RADIUS is installed.
5- Go to Start Menu -> Programs -> RSA ACE/Server -> Configuration Tools and open the Configuration Management screen to ensure "RADIUS Server enabled" is checked under "Enabled Features".
6- Check "Agent Host Config" and "User Config". Under "Agent Host Config", ensure that the key set under "Assign/Change Encryption key" is the same shared key as the one on the 2651 router in the IOS config statement 'radius-server key "<radius_secret>"'.
7- Any users that were created need to be part of a certain group.
8- Turn on RADIUS Debug via \ace\prog\rwconfig, then stop and start RSA RADIUS and ACE/Server to let it take effect.
9- From a command prompt, type the following commands to verify that RADIUS is turned on:
netstat -an | find "1645", then netstat -an | find "1646"
10- Turn on Activity Monitor.
11- Ensure there are no hostname resolution issues with the ACE/Server and the Agent Host for the Cisco router.
12- On the Cisco Router, remove the IOS config statement 'aaa authorization network groupauthen group radius'. Make sure the following IOS config statement is in place:
aaa authorization network groupauthor local
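To confirm the symptom, and that step 12 removed it, from the RADIUS packet itself rather than the debug log, the following added example (not RSA or Cisco code) parses an Access-Request as laid out in RFC 2865 and reports whether Attribute 1 carries a group name instead of a user name. The group name `vpngroup`, the user `jsmith` and the sample packets are constructed for illustration.

```python
import struct

ACCESS_REQUEST = 1  # RFC 2865 packet code
USER_NAME = 1       # RFC 2865 Attribute Type 1

def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]) for one RADIUS packet (UDP payload)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the data received")
    attrs, pos = [], 20  # skip code, identifier, length, 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:  # a_len counts type and length bytes
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def check_user_name(packet: bytes, group_names):
    """Report what Attribute 1 carries and whether it matches a known group name."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_REQUEST:
        return None
    values = [v for t, v in attrs if t == USER_NAME]
    if not values:
        return {"user_name": None, "value_length": 0, "is_group_name": False}
    name = values[0].decode("utf-8", "replace")
    return {"user_name": name, "value_length": len(values[0]),
            "is_group_name": name in set(group_names)}

def build_request(user_name: str) -> bytes:
    """Constructed sample Access-Request (zeroed authenticator), not a capture."""
    attr = bytes([USER_NAME, 2 + len(user_name)]) + user_name.encode()
    nas_ip = bytes([4, 6, 10, 0, 0, 1])  # NAS-IP-Address, constructed value
    body = attr + nas_ip
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    groups = {"vpngroup"}  # hypothetical ACE/Server group name
    for sample in ("vpngroup", "jsmith"):  # hypothetical group and user
        print(check_user_name(build_request(sample), groups))
```

`value_length` counts only the attribute's value bytes, so it can be compared directly with the character length of the group name.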