RADIUS authentication is configured on NetScaler Gateway. The RADIUS server accepts the authentication and sends the correct Access-Accept message; however, NetScaler rejects the authentication.
The RADIUS log files show that the authentication is accepted.
The network trace shows the RADIUS server sending the message that validates the authentication, but an ICMP error is received at the end of the exchange (the response a UDP datagram gets when it arrives at a port that is no longer open).
The aaad.debug log shows that the authentication process is rejected:
root@ns# cat aaad.debug
Wed Apr 8 09:02:04 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[786]: process_kernel_socket call to authenticate user :XXXXXXXXX, vsid :9640
Wed Apr 8 09:02:04 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2654]: start_cascade_auth starting cascade authentication
Wed Apr 8 09:02:04 2015 /home/build/rs_105/usr.src/netscaler/aaad/radius_drv.c[727]: continue_radius_auth attempting to auth XXXXXXXXX @ XX.25.XX.6
Wed Apr 8 09:02:04 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2864]: register_timer setting timer 123
Wed Apr 8 09:02:16 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[499]: main timer 1 firing...
Wed Apr 8 09:02:20 2015 /home/build/rs_105/usr.src/netscaler/aaad/radius_drv.c[1895]: process_radius Got RADIUS event
Wed Apr 8 09:02:20 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2933]: unregister_timer releasing timer 123
Wed Apr 8 09:02:20 2015 /home/build/rs_105/usr.src/netscaler/aaad/radius_drv.c[1906]: process_radius Radius server returned code 0
Wed Apr 8 09:02:20 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2203]: send_reject_with_code Rejecting with error code 4001
Wed Apr 8 09:02:20 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2230]: send_reject_with_code Not trying cascade again
Wed Apr 8 09:02:20 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2232]: send_reject_with_code sending reject to kernel for : XXXXXXXXX
Wed Apr 8 09:02:46 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[499]: main timer 1 firing...
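The timing buried in the excerpt above can be checked mechanically instead of by eye. The following is an added example, not part of the original article and not NetScaler code: a small Python parser that reads the aaad.debug lines shown on the page (copied here as embedded input, with the user name and server address masked as they are on the page), measures the time between the request being sent to the RADIUS server and the RADIUS event being processed, and flags attempts whose reply arrived later than an idle timeout but still ended in a reject. The 3 second default for idle_timeout is an assumption made for the comparison, not a value the article states.

```python
import re
from datetime import datetime

# Input for this added example: the aaad.debug excerpt from the article,
# with the user name and RADIUS server address masked as they are there.
AAAD_DEBUG = """\
Wed Apr 8 09:02:04 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[786]: process_kernel_socket call to authenticate user :XXXXXXXXX, vsid :9640
Wed Apr 8 09:02:04 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2654]: start_cascade_auth starting cascade authentication
Wed Apr 8 09:02:04 2015 /home/build/rs_105/usr.src/netscaler/aaad/radius_drv.c[727]: continue_radius_auth attempting to auth XXXXXXXXX @ XX.25.XX.6
Wed Apr 8 09:02:04 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2864]: register_timer setting timer 123
Wed Apr 8 09:02:16 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[499]: main timer 1 firing...
Wed Apr 8 09:02:20 2015 /home/build/rs_105/usr.src/netscaler/aaad/radius_drv.c[1895]: process_radius Got RADIUS event
Wed Apr 8 09:02:20 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2933]: unregister_timer releasing timer 123
Wed Apr 8 09:02:20 2015 /home/build/rs_105/usr.src/netscaler/aaad/radius_drv.c[1906]: process_radius Radius server returned code 0
Wed Apr 8 09:02:20 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2203]: send_reject_with_code Rejecting with error code 4001
Wed Apr 8 09:02:20 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2230]: send_reject_with_code Not trying cascade again
Wed Apr 8 09:02:20 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[2232]: send_reject_with_code sending reject to kernel for : XXXXXXXXX
Wed Apr 8 09:02:46 2015 /home/build/rs_105/usr.src/netscaler/aaad/naaad.c[499]: main timer 1 firing...
"""

# "<dow> <mon> <day> <HH:MM:SS> <year> <source.c[line]>: <function> <message>"
LINE_RE = re.compile(
    r"^\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<year>\d{4}) "
    r"\S+\[\d+\]: (?P<func>\w+) (?P<msg>.*)$")
AUTH_RE = re.compile(r"attempting to auth (?P<user>\S+) @ (?P<server>\S+)")
REJECT_RE = re.compile(r"Rejecting with error code (?P<code>\d+)")


def parse_aaad_debug(text):
    """Yield (timestamp, function, message) for every well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['year']} {m['time']}",
                               "%b %d %Y %H:%M:%S")
        yield ts, m["func"], m["msg"]


def radius_attempts(text, idle_timeout=3.0):
    """Group the lines into RADIUS attempts and measure server latency.

    aaad.debug carries no per-request correlation id, so this assumes attempts
    do not interleave (true for the excerpt above; a busy gateway would need
    correlation by user and vsid). idle_timeout is the UDP idle limit, in
    seconds, to compare the latency against; 3.0 is an assumed default.
    """
    attempts, cur = [], None
    for ts, func, msg in parse_aaad_debug(text):
        if func == "continue_radius_auth" and (m := AUTH_RE.search(msg)):
            cur = {"user": m["user"], "server": m["server"], "sent": ts,
                   "latency": None, "server_code": None, "reject_code": None}
            attempts.append(cur)
        elif cur is None:
            continue
        elif func == "process_radius" and "Got RADIUS event" in msg:
            cur["latency"] = (ts - cur["sent"]).total_seconds()
        elif func == "process_radius" and msg.startswith("Radius server returned code"):
            cur["server_code"] = int(msg.rsplit(" ", 1)[1])
        elif func == "send_reject_with_code" and (m := REJECT_RE.search(msg)):
            cur["reject_code"] = int(m["code"])
    for a in attempts:
        # A reply that came back later than the idle timeout and was still
        # rejected is the signature the article describes.
        a["timeout_suspected"] = (a["latency"] is not None
                                  and a["latency"] > idle_timeout
                                  and a["reject_code"] is not None)
    return attempts
```

On the excerpt this reports one attempt for user XXXXXXXXX against XX.25.XX.6 with a 16 second latency and reject code 4001; the same attempt is not flagged once idle_timeout is raised above the latency, which is the effect the commands further down aim for.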
To accommodate the high RADIUS response time, increase the timeouts on NetScaler with the following commands (both values are above the 15 to 19 second response time seen in the trace):
set ns timeout -newConnIdleTimeOut 30
set ns timeout -nontcpZombie 90
If the external authentication service is reached over RADIUS through a firewall or NAT device, increase the UDP idle timeout on those devices as well; otherwise they drop the session before the delayed reply arrives.
The response from the RADIUS server takes about 15 to 19 seconds (16 seconds in the aaad.debug excerpt above, from the request at 09:02:04 to the RADIUS event at 09:02:20). Before it arrives, the natpcb idle timeout for the UDP session is reached and the socket is closed, so the Access-Accept has nowhere to land and NetScaler rejects the logon.
Note: Raising the timeout only tolerates the delay; you should also investigate the network and the RADIUS server to find what is delaying the response packets, and make sure the RADIUS action's own authentication timeout on NetScaler is not shorter than the observed delay. Users may still complain of slowness while authenticating until the delay itself is fixed.
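To show the mechanism end to end, here is an added example, not code from the article, Citrix or NetScaler: a minimal RADIUS client and a deliberately slow loopback RADIUS server in Python. The client hides the User-Password and checks the Response Authenticator as RFC 2865 specifies, but keeps its UDP socket open only for idle_timeout seconds, which models the natpcb entry expiring; the server answers after reply_delay seconds. With a reply delay longer than the idle timeout the Accept is lost and the user is rejected, as in the article; raising the timeout above the delay makes the same exchange succeed. The shared secret, user name, password and loopback address are assumed test values, and the server omits the Message-Authenticator and NAS-Identifier handling a real deployment needs.

```python
import hashlib
import hmac
import os
import socket
import struct
import threading
import time

# Assumed test values for this added example (none come from the article).
SECRET = b"example-shared-secret"
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def _attr(atype, value):
    # One attribute: Type, Length (header included), Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(data):
    # Decode attribute TLVs into {type: value}; stop on a malformed length
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            break
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs

def _password_xor(blocks, secret, authenticator, decrypt):
    # RFC 2865 5.2: block i XOR MD5(secret + previous ciphertext block), block 0
    # keyed on the Request Authenticator; decryption only changes what "previous" is
    out, prev = b"", authenticator
    for i in range(0, len(blocks), 16):
        chunk = blocks[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(chunk, key))
        out, prev = out + result, (chunk if decrypt else result)
    return out

def encrypt_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte blocks
    return _password_xor(padded, secret, authenticator, decrypt=False)

def decrypt_password(ciphertext, secret, authenticator):
    return _password_xor(ciphertext, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(ident, user, password, secret):
    # Code 1, Identifier, Length, 16-byte random Request Authenticator, attributes
    req_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user) + _attr(
        ATTR_USER_PASSWORD, encrypt_password(password, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs, req_auth

def build_response(code, ident, req_auth, secret, attrs=b""):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def verify_response(packet, ident, req_auth, secret):
    # Return the code only if Identifier, Length and Response Authenticator check out
    if len(packet) < 20:
        return None
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    code, pkt_ident, length = struct.unpack("!BBH", head)
    if pkt_ident != ident or length != len(packet):
        return None
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    return code if hmac.compare_digest(expected, resp_auth) else None

def run_slow_radius_server(secret, user, password, reply_delay):
    # Loopback server answering one request after reply_delay seconds (the slow backend)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))

    def serve():
        data, peer = sock.recvfrom(4096)
        code, ident, length = struct.unpack("!BBH", data[:4])
        req_auth, attrs = data[4:20], parse_attrs(data[20:length])
        ok = (code == ACCESS_REQUEST and attrs.get(ATTR_USER_NAME) == user and
              decrypt_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth) == password)
        time.sleep(reply_delay)
        sock.sendto(build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, secret), peer)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1]

def authenticate(server_port, user, password, secret, idle_timeout):
    # Send one Access-Request and keep the UDP socket open for at most idle_timeout
    # seconds; closing it models the natpcb entry expiring, so a later Accept is lost
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    ident = os.urandom(1)[0]
    packet, req_auth = build_access_request(ident, user, password, secret)
    try:
        sock.settimeout(idle_timeout)
        sock.sendto(packet, ("127.0.0.1", server_port))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "reject: no reply before idle timeout"
    finally:
        sock.close()
    code = verify_response(data, ident, req_auth, secret)
    if code is None:
        return "reject: response failed authenticator check"
    return "accept" if code == ACCESS_ACCEPT else "reject: Access-Reject"

def demo(reply_delay, idle_timeout, password=b"s3cret"):
    port = run_slow_radius_server(SECRET, b"alice", b"s3cret", reply_delay)
    return authenticate(port, b"alice", password, SECRET, idle_timeout)
```

demo(0.4, 0.1) returns a reject because the socket is gone before the Accept arrives, while demo(0.4, 2.0) returns "accept" for the identical exchange; a wrong password still yields an Access-Reject whatever the timeout, so the timeout change does not weaken the authentication decision itself.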