Two Factor Authentication Fails on NetScaler Gateway


Article ID: CTX200402


Description

Two factor authentication fails on NetScaler Gateway with error "user credentials are invalid" while logging on to the NetScaler Gateway.

The aaad.debug log shows an attempt to authenticate against the RADIUS server, but the user trying to log on is rejected (process_rad_reject RADIUS attribute 18), and RADIUS processing then sends a reject (send_reject_with_code Rejecting with error code 4001).

Resolution

  • The RADIUS server is rejecting the data being sent from the NetScaler.
  • You can verify this in an nstrace captured on the NetScaler, as well as in an nstcpdump capture.
  • After ensuring that the NetScaler is sending out the traffic correctly and that the settings on the NetScaler are correct, examine why the RADIUS server is rejecting connections from the NetScaler.
  • Either the RADIUS client is not added correctly for the NSIP of the NetScaler, or the shared secret configured on the NetScaler does not match the one on the backend RADIUS server.
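
One way to test the shared-secret case from a capture, as an added example (not Citrix code): recompute the RFC 2865 Response Authenticator of the Access-Reject with the secret configured on the NetScaler, and read the Reply-Message (attribute 18) text. It assumes the UDP payload of the reject and the 16-byte authenticator of the matching Access-Request have been exported from the trace; all packet bytes, secrets and function names below are constructed for illustration.

```python
import hashlib
import hmac
import struct

REPLY_MESSAGE = 18  # RFC 2865 attribute type 18, the one named in aaad.debug

def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, attributes, raw) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the payload")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, ident, packet[4:20], attrs, packet[:length]

def response_matches_secret(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, _, resp_auth, _, raw = parse_radius(response)
    expected = hashlib.md5(raw[:4] + request_auth + raw[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def reply_messages(response: bytes):
    """Text of every Reply-Message attribute the server put in the response."""
    return [v.decode("utf-8", "replace") for t, v in parse_radius(response)[3] if t == REPLY_MESSAGE]

def build_reject(ident: int, request_auth: bytes, secret: bytes, text: bytes) -> bytes:
    """Constructed sample only: an Access-Reject (code 3) as a server would sign it."""
    attr = bytes([REPLY_MESSAGE, len(text) + 2]) + text
    head = struct.pack("!BBH", 3, ident, 20 + len(attr))
    return head + hashlib.md5(head + request_auth + attr + secret).digest() + attr

# Constructed values, not taken from any real capture or configuration.
REQUEST_AUTH = bytes(range(16))              # authenticator field of the Access-Request
SERVER_SECRET = b"secret-on-radius-server"
NETSCALER_SECRET = b"secret-on-netscaler"
SAMPLE_REJECT = build_reject(7, REQUEST_AUTH, SERVER_SECRET, b"Authentication failed")

if __name__ == "__main__":
    print("Reply-Message:", reply_messages(SAMPLE_REJECT))
    ok = response_matches_secret(SAMPLE_REJECT, REQUEST_AUTH, NETSCALER_SECRET)
    print("NetScaler secret verifies the reject:", ok)  # False means the secrets differ
```

If the reject verifies with the NetScaler's secret, the secrets match and the rejection comes from the RADIUS server's own policy or credential check, so continue the investigation on the server side.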

Problem Cause

The RADIUS server is rejecting the data being sent from the NetScaler.
