Solution:
Ensure that RADIUS is supported on your ACE server.
Program Files
RSA Ace Server -> Configuration Management
On the Configuration Information -> Enable Features : ensure that RADIUS Server Enabled is checked.
When you start the RSA Server under Control Panel, verify that the RSA ACE/Server RADIUS Daemon is started. Check with Administrative Tools -> Services.
Program Files
RSA Ace Server -> Database Administration
Adding a New Agent Host (this would be the 833 server):
Agent Host option
Add Agent Host
Name: Enter the host name of the Perle
Network Address: will be automatically resolved through DNS or Host table entry
Agent Type: Communication Server
Enable Open To All Locally Known Users if you wish all configured users to be able to authenticate. Otherwise use the User Activations button to select individual users.
Select the Assign/Change Encryption Key button and enter the Secret Key that was configured in the Perle's RADIUS configuration.
Select the Assign Acting Servers button and select the Master/Slave servers from the list that will authenticate this Agent Host.
For the 833AS/IS you must add a new Profile to permit administration of the Perle.
Profile Option
Add Profile
Name: Enter a name for the Profile
Under the Available Attributes select the Service-Type option and Add Attribute.
Select the Value of Administrative-User
Assign the administrative Profile to a user.
User Option
Edit User and select the user ID
Select the Assign Profile button
Select the Profile that was created above for the administration
You can create custom Profiles for other attributes (see Perle 833 User Guide) that can be assigned to normal users.
When dialing in using RADIUS a terminal window is not used (unlike SecurID security).
The PASSWORD used in the PPP connection will be the user's PIN and the PASSCODE from the token separated by a comma.
example: 8913,475698
If you are creating a new User then you will have to manually generate a PIN as there will be no User communication to create one during the PPP connection. Refer to your RSA SecurID manual on creating PIN codes.
Trouble Shooting
The RSA/Server Activity log will record events, this should always be referenced when trouble shooting.
Node Verification Failed
The Secret Key configured in the Perle and Configured in the ACE/Server are mismatched.
> Verify the key configuration.
The ACE/Server has registered a SecurID key and has not cleared it.
> In the Agent Host entry enable the Node Secret Created option to clear the Secret. Then Stop and Restart the RSA/Server RADIUS Server service.
> If this does not clear the problem then there is most likely a Registry entry for the Secret that requires to be cleared:
HKey Local Machine -> Software -> SDTI -> ACECLIENT
Agent Host Not Found
The SecurID server that is the Acting Master/Slave server is not added to the Agent Host configuration/
> Add the server indicated in the Activity Log to the Agent Host table.
Authentication fails and no messages logged in the ACE/Server Activity Log
The RSA/Server RADIUS Daemon is not started.
> Verify that the service is started, and that your Services file lists a RADIUS service running on UDP port 1645.
> Ensure that there are no other RADIUS servers running on the host, such as Windows Internet Authentication Services.
No Password was entered in the PPP dialer.
> Use your PIN,PASSCODE as the password for the dialup session.
CHAP is enabled in the Perle RADIUS security configuration.
ACE/Server RADIUS does not support CHAP.
> Reconfigure the Perle to use PAP only.
Note: as there is no terminal interaction with the ACE/Server when RADIUS authentication is used, the PIN must be preconfigured for the client and connections may fail if the authentication occurs at the same moment the Passcode expires.