Use this page when RADIUS authentication does not behave as expected. Start in Live View, identify the user and NAS device, then inspect the smallest object that can explain the failure.

Prerequisites

Before troubleshooting, collect:
  • Approximate time of the failed authentication.
  • Username used by the client.
  • NAS device that sent the request.
  • Expected group or realm policy.
  • Whether this is first setup, a regression, or a single-user issue.

First Checks

  1. Open Live View.
  2. Set the timeframe to cover the test or incident.
  3. Turn on the Failures only option if there are many logs.
  4. Filter by user, folder, device, or status type.
  5. Open the matching user or NAS device from the log row.
  6. Change one setting at a time, retest, and confirm the next log entry.

User Is Rejected

Check:
  • The user exists in the expected workspace.
  • The username in the log matches the stored username exactly.
  • The user is active or enabled.
  • The user belongs to the expected groups.
  • The realm matches when the username includes a suffix.
  • Required check attributes are present.
  • Reply attributes are valid for the NAS device.
  • The NAS is sending the request from the registered device configuration.
  • The authentication protocol matches the device configuration: PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP continuation, or MAC-based access.
Open the user detail page and review effective check and reply attributes before editing multiple groups.

Bad Password

Check:
  • The password stored on the user is the current password.
  • The client is not caching an old credential.
  • The username includes the intended realm suffix.
  • The NAS is not rewriting the username before sending the request.
Use Reset Credentials on the user detail page when you need to issue a new password, then retest with a fresh login.

Missing Attributes

Check:
  • The user has at least one group with the required attributes.
  • Realm groups are applied when the username uses a realm.
  • The attribute is in the correct section: check attributes for authentication-time checks, reply attributes for successful replies.
  • The selected operator is valid for that attribute.
  • The value matches the input type and expected format.
  • Presence mode is not preventing the attribute from being sent.
  • The attribute exists in Supported Dictionaries. Unsupported or misspelled attributes are rejected before save.
  • Quota attributes are on groups, not individual users.
If an attribute appears on a group but not on the user, inspect the user’s inherited attribute display to confirm group membership and inheritance.

Suspended Or Disabled User

Check:
  • The user status in the user form.
  • Whether the user was manually suspended from the dashboard.
  • Whether operators expected suspended users to receive a normal success reply. Suspended users are normally blocked before ordinary reply attributes are returned.
  • Whether an active session should be disconnected after suspension.
Use Enable User when the suspension is intentional but should be lifted.

No Logs Appear

Check:
  • The Live View timeframe.
  • Whether filters are hiding results.
  • Whether the NAS device was created in the expected workspace.
  • Whether the NAS can reach the RadSec or RADIUS service values shown on its device page.
  • Whether device certificates or shared secrets are installed correctly.
  • Whether the NAS is configured to send accounting or authentication traffic to the expected destination.
If the device was just created, open the NAS detail page and confirm that configuration values and certificates are available.

Device Cannot Authenticate

Check:
  • Device name or NAS identifier.
  • Device type.
  • RadSec FQDN, IP addresses, and port shown on the device page.
  • NAS certificate, client CA certificate, and private key.
  • Local firewall rules between the NAS and the RADIUS service.
  • Device clock and certificate validity assumptions.
  • Whether the device is reusing another NAS certificate. Each NAS should use its own certificate downloads.
  • Whether traffic is reaching the service by checking Live View and the NAS dashboard.
  • Whether the NAS-Identifier in logs maps to the registered NAS. RadSec traffic is bound to the certificate identity and normalized by the edge.
Use the NAS dashboard to isolate whether all users behind one device are failing or only one account is failing.

CoA Or PoD Does Not Work

Check:
  • CoA and PoD replies are enabled on the NAS record.
  • NAS IP address is correct.
  • NAS inbound port is correct. The UI defaults to 3799.
  • CoA and PoD secret matches the device.
  • The NAS firewall allows the message source address shown on the device page.
  • The user has an active session before you try to disconnect it.
  • Accounting sends Acct-Session-Id and, where possible, Start, Stop, and Interim-Update packets.
  • The NAS supports Disconnect-Request for the access technology in use.
  • The NAS supports CoA-Request before you expect an in-place authorization change.
The current UI shows 18.214.81.214 as the CoA and PoD message source address. Use the live device page if it shows a different value.
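
The session and accounting checks above can be run against a captured Accounting-Request. This is an added example, not Altostrat code: it assumes you have the raw RADIUS packet bytes from a capture or NAS debug export, and the sample packet is constructed here with a zeroed authenticator.

```python
import struct

ACCOUNTING_REQUEST = 4                      # RADIUS packet code (RFC 2866)
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44  # attribute types (RFC 2866)
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def parse_attributes(packet):
    """Return (code, {attr_type: [raw values]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the captured bytes")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def session_for_pod(packet):
    """Report whether this accounting packet names a session that is still open."""
    code, attrs = parse_attributes(packet)
    if code != ACCOUNTING_REQUEST:
        return {"usable": False, "reason": "not an Accounting-Request"}
    ids = attrs.get(ACCT_SESSION_ID)
    if not ids:
        return {"usable": False, "reason": "Acct-Session-Id missing"}
    status = attrs.get(ACCT_STATUS_TYPE)
    if not status or len(status[0]) != 4:
        return {"usable": False, "reason": "Acct-Status-Type missing or malformed"}
    name = STATUS_NAMES.get(struct.unpack("!I", status[0])[0], "other")
    # A Stop record means the session has already ended on the NAS.
    return {"usable": name in ("Start", "Interim-Update"),
            "status": name, "session_id": ids[0].decode("utf-8", "replace")}

def build_sample(status, session_id=b"constructed-0001"):
    """Constructed sample packet (authenticator zeroed, not a real capture)."""
    attrs = bytes([ACCT_STATUS_TYPE, 6]) + struct.pack("!I", status)
    if session_id:
        attrs += bytes([ACCT_SESSION_ID, 2 + len(session_id)]) + session_id
    return struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(attrs)) + bytes(16) + attrs
```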

Realm Policy Is Not Applied

Check:
  • The username includes the realm suffix, such as tim@example.com.
  • The realm exists without a leading @.
  • The realm value contains only letters, numbers, dots, and hyphens.
  • The realm has groups assigned.
  • The NAS is not stripping or rewriting the suffix.
  • The user detail page shows the expected realm link.
If you change realm groups, retest and review the user’s effective attributes.
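
The realm rules in this section, together with the username rewriting checks under User Is Rejected and Bad Password, as an added example (not Altostrat code). It assumes the realm is the text after the last @, that comparison is exact, and that you supply the configured realm names yourself; the function names are hypothetical.

```python
import re

# Rule stated on this page: letters, numbers, dots and hyphens only.
REALM_RE = re.compile(r"^[A-Za-z0-9.-]+$")

def check_realm_value(realm):
    """Return problems with a realm value as it is configured."""
    problems = []
    if realm.startswith("@"):
        problems.append("realm is stored with a leading @")
    if not REALM_RE.match(realm.lstrip("@")):
        problems.append("realm contains characters other than letters, numbers, dots, hyphens")
    return problems

def diagnose_username(typed, logged, realms):
    """Compare what the client typed with the username shown in the log row."""
    findings = []
    if typed != logged:
        if typed.strip().lower() == logged.strip().lower():
            findings.append("log differs from typed username only in case or whitespace")
        elif "@" in typed and "@" not in logged:
            findings.append("realm suffix was stripped before the request arrived")
        else:
            findings.append("username was rewritten before the request arrived")
    # Assumption: the realm is everything after the last @ in the logged name.
    _user, sep, suffix = logged.rpartition("@")
    if not sep:
        findings.append("no realm suffix in the request; realm groups cannot apply")
    elif suffix not in realms:
        findings.append(f"suffix {suffix!r} does not match any configured realm")
    return findings
```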

Group Changes Do Not Affect A User

Check:
  • The user is a direct member of the group, or the user matches a realm that assigns the group.
  • You edited the intended group.
  • The attribute was saved in the correct check or reply section.
  • The presence mode applies to the user’s current state.
  • You are reviewing a new authentication attempt after the policy change.
Use the group dashboard to confirm members, then use the user detail page to confirm inherited attributes.

Escalation Details

When escalating to Altostrat support or an internal platform owner, include:
  • Workspace name.
  • Username.
  • NAS device name or identifier.
  • Approximate timestamp and timezone.
  • Log ID if visible.
  • Response status or reply message.
  • Expected group and realm policy.
  • Recent changes to users, groups, realms, NAS settings, or certificates.