Hi, I have a Cisco RADIUS to RSA (Steel Belted) RADIUS question.
I have just added a new Dial-In service to our existing RSA/RADIUS SecurID v6.1 server. The dial-in service is hosted by a service provider, and once a PPP session is established a RADIUS request is sent via the service provider's Cisco device to our server for authentication. The PPP session works fine; however, there is a conflict on the RADIUS authentication request, as it is rejecting the request (the account and token are known to be good). Our authentication server consists of RSA SecurID v6.1 with built-in Steel Belted RADIUS.
Here are the settings on the service provider's Cisco device to forward RADIUS requests to the RSA server:
When a user dials in, the RADIUS request reaches the RSA/RADIUS server OK; however, the RSA SecurID server is rejecting the request, saying "ACCESS DENIED - syntax error". Here is the RADIUS request as seen by the RADIUS server:
I think it is quite a common problem, as searching the Internet there seem to be similar messages out there regarding RSA servers, and I think the solution is probably a subtle RADIUS setting on the Cisco device or a RADIUS setting on the RSA server.
I had an experience a while back that was similar to what you are describing. The problem turned out to be in the communication between the RADIUS implementation and the RSA ACE. If I remember correctly, clearing the node secret was an important part of resolving this issue.
I would suggest that you look carefully at the configuration and the synchronization between RADIUS and ACE.