The firewall is talking to the ACS  so we know that is working.  All you can do now is troubleshoot this  via tcpdumps and the logs on the ACS.  The ACS does not like some  attribute of course -- which one, is the question?  The firewall is not  going to tell you which attribute the ACS does not like so you must use  the ACS logs and the online help to determine which attributes the ACS  is looking for (and not looking for).  All the configuration for the  RADIUS warder is right there in the GUI.

There is a way to put the radiusw process (RADIUS warder) in debug mode:

• First run 'pss radiusw' to see that the radius warder is running.  Notice the arguments (/usr/libexec/radiusw -c [filename]).
• To set it in debug mode you edit the file /secureos/etc/warder/authenticator.conf.
• Find the section pertaining to the 'name' of your RADIUS authenticator you created in the GUI (mine was call RAD).
• The line starts with 'authenticator(RAD /usr/libexec/radiusw...' in my setup.
• There is a part of this section (it's one long line) that says 'args[-c /etc/sidewinder/authenticator/RAD.conf]'.
• I  did a 'man radiusw' to see how to set the debug flags for this warder.   What it says there is to add '-l #', where # is 1, 2 or 3.
• I edited this authenticator.conf file and added -l 3 (dash L space 3 space) before the -c /filename part and saved the file.
• To get the system to read this change you HUP (hangup) daemond (the daemon daemon) by finding its PID like this:
  • pss daemond
  • kill -HUP [PID from pss]
• Now  if you do 'pss radiusw' you should see that the warder is now running  in level 3 debug mode.  Now the audits from the warder will be MUCH more  detailed and that may help you figure out what the firewall is sending  that the ACS does not like.