Cisco Support Community
Community Member

ACS 5.4 with McAfee Firewall 8.3.0

Good Day

I've upgraded the ACS to 5.4 and having troubles with connecting via RADIUS (ports 1812,1813) with a McAfee Firewall v8.3.0.

There are RADIUS attributes that I'm missing.

Has anyone had this same issue?

Need some help




ACS 5.4 with McAfee Firewall 8.3.0

The  main reason is that firewall is blocking the these ports kindly add the  exception to McAfee it will resolve the issue provided you connectivity  is working perfectly do check the log files also.

Community Member

ACS 5.4 with McAfee Firewall 8.3.0

Thanks it turns out that it was the settings on the ACS, all is working now.



ACS 5.4 with McAfee Firewall 8.3.0

The firewall is talking to the ACS  so we know that is working.  All you can do now is troubleshoot this  via tcpdumps and the logs on the ACS.  The ACS does not like some  attribute of course -- which one, is the question?  The firewall is not  going to tell you which attribute the ACS does not like so you must use  the ACS logs and the online help to determine which attributes the ACS  is looking for (and not looking for).  All the configuration for the  RADIUS warder is right there in the GUI.

There is a way to put the radiusw process (RADIUS warder) in debug mode:

  • First run 'pss radiusw' to see that the radius warder is running.  Notice the arguments (/usr/libexec/radiusw -c [filename]).
  • To set it in debug mode you edit the file /secureos/etc/warder/authenticator.conf.
  • Find the section pertaining to the 'name' of your RADIUS authenticator you created in the GUI (mine was call RAD).
  • The line starts with 'authenticator(RAD /usr/libexec/radiusw...' in my setup.
  • There is a part of this section (it's one long line) that says 'args[-c /etc/sidewinder/authenticator/RAD.conf]'.
  • I  did a 'man radiusw' to see how to set the debug flags for this warder.   What it says there is to add '-l #', where # is 1, 2 or 3.
  • I edited this authenticator.conf file and added -l 3 (dash L space 3 space) before the -c /filename part and saved the file.
  • To get the system to read this change you HUP (hangup) daemond (the daemon daemon) by finding its PID like this:
    • pss daemond
    • kill -HUP [PID from pss]
  • Now  if you do 'pss radiusw' you should see that the warder is now running  in level 3 debug mode.  Now the audits from the warder will be MUCH more  detailed and that may help you figure out what the firewall is sending  that the ACS does not like.
CreatePlease to create content