In a network packet trace recorded on a NetScaler appliance, the RADIUS server IP address sends an Access-Reject for the authentication request, as shown in the following screen shot:
In the audit log of VACMAN Middleware 3.0, the RADIUS Access-Reject is logged. The reason for the reject is qualified as Authentication Failed. The following is an excerpt from the audit log:
[2013/07/09|11:51:11][2998659984][DEBUG] > Existing Component record [RADIUS Client:default] returned from Component Cache
[2013/07/09|11:51:11][2998659984][MINOR] > No NAS-IP or NAS-Identifier attribute found.
[2013/07/09|11:51:11][2998659984][MAJOR] > Rejecting RADIUS request due to missing NAS Location
To resolve this issue, enable NAS IP address extraction for the RADIUS Authentication Server on the appliance, as shown in the following screen shot:
When this option is enabled, the NetScaler IP address is sent to the RADIUS server as the NAS IP, in accordance with the RADIUS protocol.
The packet is rejected because VACMAN Middleware 3.0 applies the RADIUS RFC more strictly than VACMAN Middleware 2.3. The RADIUS RFC specifies that one of the following attributes is mandatory in the access request:
NAS-IP-Address
NAS-Identifier
Refer to VASCO for more information.
The identity key authentication appliance is compliant with RFC 2865, which states that a RADIUS Access Request must contain a NAS-IP-Address or NAS-Identifier attribute.
The request from the RADIUS client should contain a NAS-IP-Address or NAS-Identifier attribute.