RSA SecurID Syntax Error

Unanswered Question

Hi, I have a Cisco RADIUS to RSA (Steel Belted) RADIUS question.

I have just added a new Dial-In service to our existing RSA /RADIUS SecurID v6.1 server. The dial-in service is hosted by a service provider and once a PPP session is established a RADIUS request is sent via the service provider's cisco device to our server for authentication. The PPP session works fine, however there is a conflict on the radius authentication request as it is rejecting the request (the account and token are known to be good). Our authentication server consists of RSA SecurID v6.1 with built in Steel Belted RADIUS.

Here are the settings on the service provider's cisco device to forward radius requests to the RSA server :

aaa group server radius radgroup

server-private auth-port 1812 acct-port 1813 key password

server-private auth-port 1812 acct-port 1813 key password

When a user dials-in the radius request reaches the RSA/RADIUS server ok, however the RSA SecurID server is rejecting the request saying “ACCESS DENIED - syntax error”. Here is the RADIUS request as seen by the RADIUS server :

01/03/2008 14:04:52 -----------------------------------------------------------

01/03/2008 14:04:52 Authentication Request

01/03/2008 14:04:52 Received From: ip= port=21707

01/03/2008 14:04:52 Packet : Code = 0x1 ID = 0x4c

01/03/2008 14:04:52 Client Name = <ANY> Dictionary Name = Cisco.dct

01/03/2008 14:04:52 Vector =

01/03/2008 14:04:52 000: 87d37405 631f53ca b6267d0b ad84b0e8 |..t.c.S..&}.....|

01/03/2008 14:04:52 Parsed Packet =

01/03/2008 14:04:52 Framed-Protocol : Integer Value = 1

01/03/2008 14:04:52 User-Name : String Value = x927153

01/03/2008 14:04:52 User-Password : Value =

01/03/2008 14:04:52 000: d119f0c0 16015aca 58793018 db9fbfae |......Z.Xy0.....|

01/03/2008 14:04:52 NAS-Port-Type : Integer Value = 5

01/03/2008 14:04:52 NAS-Port : Integer Value = 772347

01/03/2008 14:04:52 Calling-Station-Id : String Value = 01252300035

01/03/2008 14:04:52 Called-Station-Id : String Value = 08081400026

01/03/2008 14:04:52 Service-Type : Integer Value = 2

01/03/2008 14:04:52 NAS-IP-Address : IPAddress =

01/03/2008 14:04:52 -----------------------------------------------------------

Has anyone seen this issue before?

I think it is quite a common problem as searching the Internet there seems to be similar messages out there regarding RSA servers, and I think the solution is probably a subtle RADIUS setting on the Cisco device or a RADIUS setting on the RSA server.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
cisco24x7 Fri, 01/04/2008 - 08:25
User Badges:
  • Silver, 250 points or more


Are you using Juniper (aka Steelbelt) Radius

or are you using RSA SecurID with Native

Radius built-in?

Make sure you setup the agent host correctly

on the steelbelt radius correctly. Can you

setup authentication from this device via

Radius to your steelbelt radius server. If

everything works, you should see something like this:

[[email protected] root]# telnet


Connected to (

Escape character is '^]'.



User Access Verification

Username: test4


Enter your new PIN, containing 4 to 8 digits,


to cancel the New PIN procedure:

Please re-enter new PIN:

Wait for the code on your card to change, then log in with the new PIN



Richard Burts Sat, 01/05/2008 - 11:16
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN


I had an experience a while back that was similar to what you are describing. The problem turned out to be in the communication between the Radius implementation and the RSA ACE. If I remember correctly clearing the node secret was an important part of resolving this issue.

I would suggest that you look carefully at the configuration and the syncronization between Radius and ACE.




This Discussion