The firewall is talking to the ACS so we know that is working. All you can do now is troubleshoot this via tcpdumps and the logs on the ACS. The ACS does not like some attribute of course -- which one, is the question? The firewall is not going to tell you which attribute the ACS does not like so you must use the ACS logs and the online help to determine which attributes the ACS is looking for (and not looking for). All the configuration for the RADIUS warder is right there in the GUI.
There is a way to put the radiusw process (RADIUS warder) in debug mode:
First run 'pss radiusw' to see that the radius warder is running. Notice the arguments (/usr/libexec/radiusw -c [filename]).
To set it in debug mode you edit the file /secureos/etc/warder/authenticator.conf.
Find the section pertaining to the 'name' of your RADIUS authenticator you created in the GUI (mine was called RAD).
The line starts with 'authenticator(RAD /usr/libexec/radiusw...' in my setup.
There is a part of this section (it's one long line) that says 'args[-c /etc/sidewinder/authenticator/RAD.conf]'.
I did a 'man radiusw' to see how to set the debug flags for this warder. What it says there is to add '-l #', where # is 1, 2 or 3.
I edited this authenticator.conf file and added -l 3 (dash L space 3 space) before the -c /filename part and saved the file.
To get the system to read this change you HUP (hangup) daemond (the daemon daemon) by finding its PID like this:
kill -HUP [PID from pss]
Now if you do 'pss radiusw' you should see that the warder is now running in level 3 debug mode. Now the audits from the warder will be MUCH more detailed and that may help you figure out what the firewall is sending that the ACS does not like.
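The edit described in the post above, as an added shell example that is not part of the original post or any vendor tooling. The function names, the closing parenthesis and the placeholder text in the sample lines are assumptions; only the 'authenticator(RAD /usr/libexec/radiusw' prefix and the 'args[-c ...]' fragment come from the post. It sets or removes the '-l' flag for one named authenticator, keeps a backup, and refuses to edit if the entry is not unique.

```shell
#!/bin/sh
# Added example, not vendor tooling. The line layout is assumed from the
# fragments quoted in the post; fields the post elides are a placeholder.

# Write a constructed two-entry sample file to $1.
make_sample() {
    cat > "$1" <<'EOF'
authenticator(RAD /usr/libexec/radiusw <fields elided in the post> args[-c /etc/sidewinder/authenticator/RAD.conf])
authenticator(OTHER /usr/libexec/radiusw <fields elided in the post> args[-c /etc/sidewinder/authenticator/OTHER.conf])
EOF
}

# set_radiusw_debug FILE NAME LEVEL   (LEVEL 1-3 sets '-l LEVEL'; 0 removes it)
set_radiusw_debug() {
    file=$1 name=$2 level=$3
    case $level in 0|1|2|3) ;; *) echo "level must be 0-3" >&2; return 2 ;; esac
    case $name in ''|*[!A-Za-z0-9_-]*) echo "bad authenticator name" >&2; return 2 ;; esac
    # Refuse to edit unless exactly one radiusw entry carries this name.
    n=$(grep -c "^authenticator($name /usr/libexec/radiusw" "$file") || true
    [ "$n" = 1 ] || { echo "expected 1 entry for $name, found ${n:-0}" >&2; return 1; }
    cp -p "$file" "$file.bak" || return 1     # keep the pre-edit copy
    if [ "$level" = 0 ]; then new='args['; else new="args[-l $level "; fi
    # Replace 'args[' plus any existing '-l N ' so repeated runs never stack
    # flags; the flag ends up directly before '-c', as in the post.
    sed -E "/^authenticator\($name \/usr\/libexec\/radiusw/ s/args\[(-l [0-9]+ +)?/$new/" \
        "$file.bak" > "$file"
}

# Demo on a temporary copy only; the live file is never touched here.
demo=$(mktemp)
make_sample "$demo"
set_radiusw_debug "$demo" RAD 3 && grep '^authenticator(RAD ' "$demo"
set_radiusw_debug "$demo" RAD 0 && grep '^authenticator(RAD ' "$demo"
rm -f "$demo" "$demo.bak"
```

The change still takes effect only after daemond is sent a HUP as the post describes; calling the function with level 0 restores the original arguments once troubleshooting is finished.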