I've been going through newsgroups, TIDs, docs, and Google over the past
few days in an effort to enable RADIUS authentication to eDirectory on
Novell Security Manager (NSM).

So far, I've created a Dial Access Service object, modified the Login
Policy object to know about it, etc. per the docs I've read. I am able to
successfully log in via RADIUS for HTTP proxy authentication from the
Astaro (NSM) box.

However, when I try to log in via the L2TP VPN I have configured, the same
credentials result in an -803 error on the console. The L2TP VPN is
working properly if I authenticate against the local user database in
Astaro, so I know it's at least set up right.

I have the feeling this may be down to configuration of a Dial Access
Profile object, and here's where I get lost. Any help would be
appreciated here.

For reference, I've included snippets of the RADIUS debug log that show a
successful login via the HTTP proxy, and the failed login via VPN:

HTTP Proxy (Successful):
========================
[2005-05-11 10:46:02 AM] 15) [(ip) <private-ip-address>:32811], Received 55 Bytes (Access-Request (1))
[2005-05-11 10:46:02 AM] [(total=15) (p=12) (d=0) (r=2) (acc=0) (rej=0)]
[2005-05-11 10:46:02 AM] <4> Done GetNextMessage [(ip) <private-ip-address>:32811]: time:593941572
[2005-05-11 10:46:02 AM] -------- START : (Access-Request (1)) [(ip) <private-ip-address>:32811]: time:774173450---
[2005-05-11 10:46:02 AM] CACHE: CacheDomainListExist(Tulsa-DAS.<container>.<org>), using cache
[2005-05-11 10:46:02 AM] AuthRequestHandler(), Calling RequestHandler.
[2005-05-11 10:46:02 AM] CACHE: CacheReadSecretForNASAddress(Tulsa-DAS.<container>.<org>), using cache
[2005-05-11 10:46:02 AM] CACHE: CacheGetEnableCNLogin(Tulsa-DAS.<container>.<org>), using cache
[2005-05-11 10:46:02 AM] (->)CacheGetDNForName:NWDSReadObjectInfo (tmoore), succeeded, time:18
[2005-05-11 10:46:02 AM] userName: tmoore
[2005-05-11 10:46:02 AM] userDN: TMoore.<container>.<org>
[2005-05-11 10:46:02 AM] (->)NDSVerifyAttr:NWDSRead (TMoore.<container>.<org>,RADIUS:Dial Access Group) succeeded, time:14
[2005-05-11 10:46:02 AM] User "TMoore.<container>.<org>", does not have "RADIUS:Dial Access Group" defined, trying parent "<container>.<org>"
[2005-05-11 10:46:02 AM] (->)NWDSCompare:(<container>.<org>) succeeded, time:8
[2005-05-11 10:46:02 AM] User "TMoore.<container>.<org>"is not member of Dial Access System, checking rights to object "Tulsa-DAS.<container>.<org>"
[2005-05-11 10:46:02 AM] (->)NWDSRead(TMoore.<container>.<org>,RADIUS Enable Attr) failed, no such attribute (-603), time:12
[2005-05-11 10:46:02 AM] (->)User "TMoore.<container>.<org>", Looking in (<container>.<org>) for (RADIUS:Enable Dial Access)
[2005-05-11 10:46:02 AM] (->)NWDSRead(<container>.<org>,RADIUS Enable Attr) succeeded, time:20
[2005-05-11 10:46:02 AM] User Name: tmoore, User DN: TMoore.<container>.<org>, Domain: , Service Tag:
[2005-05-11 10:46:02 AM] (->)NADMAuthRequest()
[2005-05-11 10:46:02 AM] (->)NADMAuthRequest(TMoore.<container>.<org>) succeeded, time:672
[2005-05-11 10:46:02 AM] (->)Authenticate (0 policy, NDS pswd) (for TMoore.<container>.<org>), succeeded
[2005-05-11 10:46:02 AM] (->)NDSReadData:NWDSRead (TMoore.<container>.<org>,RADIUS:Concurrent Limit) failed, no such attribute (-603), time:16
[2005-05-11 10:46:02 AM] CACHE: CacheGetConcurrentLimit(Tulsa-DAS.<container>.<org>), using cache
[2005-05-11 10:46:02 AM] User:TMoore.<container>.<org>, Current Login:0, Login Limit:-1, succeeded
[2005-05-11 10:46:02 AM] (->)Authentication SUCCEEDED
[2005-05-11 10:46:02 AM] ->Sending Access-Accept (2) [(ip) <private-ip-address>(32811)] count=20
[2005-05-11 10:46:02 AM] ->Inserting into RespQ , code(2) id(80).
[2005-05-11 10:46:02 AM] Deleting file "sys:etc\radius\log\20050504.log", failed
[2005-05-11 10:46:02 AM] -------- END : (Access-Request (1)) [(ip) <private-ip-address>:32811]: time:774174324---
[2005-05-11 10:46:02 AM] 16) [(ip) <private-ip-address>:32811], Received 52 Bytes (Access-Request (1))
[2005-05-11 10:46:02 AM] [(total=16) (p=13) (d=0) (r=2) (acc=0) (rej=0)]
[2005-05-11 10:46:02 AM] <5> Done GetNextMessage [(ip) <private-ip-address>:32811]: time:593913618
[2005-05-11 10:46:02 AM] -------- START : (Access-Request (1)) [(ip) <private-ip-address>:32811]: time:774174326---
[2005-05-11 10:46:02 AM] CACHE: CacheDomainListExist(Tulsa-DAS.<container>.<org>), using cache
[2005-05-11 10:46:02 AM] AuthRequestHandler(), Calling RequestHandler.
[2005-05-11 10:46:02 AM] CACHE: CacheReadSecretForNASAddress(Tulsa-DAS.<container>.<org>), using cache
[2005-05-11 10:46:02 AM] CACHE: CacheGetEnableCNLogin(Tulsa-DAS.<container>.<org>), using cache
[2005-05-11 10:46:02 AM] (->)CacheGetDNForName:NWDSReadObjectInfo (tmoore), succeeded, time:18
[2005-05-11 10:46:02 AM] userName: tmoore
[2005-05-11 10:46:02 AM] userDN: TMoore.<container>.<org>
[2005-05-11 10:46:02 AM] (->)NDSVerifyAttr:NWDSRead (TMoore.<container>.<org>,RADIUS:Dial Access Group) succeeded, time:13
[2005-05-11 10:46:02 AM] User "TMoore.<container>.<org>", does not have "RADIUS:Dial Access Group" defined, trying parent "<container>.<org>"
[2005-05-11 10:46:02 AM] (->)NWDSCompare:(<container>.<org>) succeeded, time:9
[2005-05-11 10:46:02 AM] User "TMoore.<container>.<org>"is not member of Dial Access System, checking rights to object "Tulsa-DAS.<container>.<org>"
[2005-05-11 10:46:02 AM] (->)NWDSRead(TMoore.<container>.<org>,RADIUS Enable Attr) failed, no such attribute (-603), time:12
[2005-05-11 10:46:02 AM] (->)User "TMoore.<container>.<org>", Looking in (<container>.<org>) for (RADIUS:Enable Dial Access)
[2005-05-11 10:46:02 AM] (->)NWDSRead(<container>.<org>,RADIUS Enable Attr) succeeded, time:21
[2005-05-11 10:46:02 AM] User Name: tmoore, User DN: TMoore.<container>.<org>, Domain: , Service Tag:
[2005-05-11 10:46:02 AM] (->)NADMAuthRequest()
[2005-05-11 10:46:02 AM] (->)NADMAuthRequest(TMoore.<container>.<org>) succeeded, time:515
[2005-05-11 10:46:02 AM] (->)Authenticate (0 policy, NDS pswd) (for TMoore.<container>.<org>), succeeded
[2005-05-11 10:46:02 AM] (->)NDSReadData:NWDSRead (TMoore.<container>.<org>,RADIUS:Concurrent Limit) failed, no such attribute (-603), time:16
[2005-05-11 10:46:02 AM] CACHE: CacheGetConcurrentLimit(Tulsa-DAS.<container>.<org>), using cache
[2005-05-11 10:46:02 AM] User:TMoore.<container>.<org>, Current Login:0, Login Limit:-1, succeeded
[2005-05-11 10:46:02 AM] (->)Authentication SUCCEEDED
[2005-05-11 10:46:02 AM] ->Sending Access-Accept (2) [(ip) <private-ip-address>(32811)] count=20
[2005-05-11 10:46:02 AM] ->Inserting into RespQ , code(2) id(81).
[2005-05-11 10:46:02 AM] -------- END : (Access-Request (1)) [(ip) <private-ip-address>:32811]: time:774175043---


VPN Login (Failed)
==================
[2005-05-11 11:05:21 AM] -------- START : (Access-Request (1)) [(ip) <private-ip-address>:32811]: time:785758648---
[2005-05-11 11:05:21 AM] CACHE: CacheDomainListExist(Tulsa-DAS.<container>.<org>), using cache
[2005-05-11 11:05:21 AM] AuthRequestHandler(), Calling RequestHandler.
[2005-05-11 11:05:21 AM] CACHE: CacheReadSecretForNASAddress(Tulsa-DAS.<container>.<org>), using cache
[2005-05-11 11:05:21 AM] CACHE: CacheGetEnableCNLogin(Tulsa-DAS.<container>.<org>), using cache
[2005-05-11 11:05:21 AM] (->)CacheGetDNForName:NWDSReadObjectInfo (tmoore), succeeded, time:18
[2005-05-11 11:05:21 AM] userName: tmoore
[2005-05-11 11:05:21 AM] userDN: TMoore.<container>.<org>
[2005-05-11 11:05:21 AM] (->)NDSVerifyAttr:NWDSRead (TMoore.<container>.<org>,RADIUS:Dial Access Group) succeeded, time:13
[2005-05-11 11:05:21 AM] User "TMoore.<container>.<org>", does not have "RADIUS:Dial Access Group" defined, trying parent "<container>.<org>"
[2005-05-11 11:05:21 AM] (->)NWDSCompare:(<container>.<org>) succeeded, time:9
[2005-05-11 11:05:21 AM] User "TMoore.<container>.<org>"is not member of Dial Access System, checking rights to object "Tulsa-DAS.<container>.<org>"
[2005-05-11 11:05:21 AM] (->)NWDSRead(TMoore.<container>.<org>,RADIUS Enable Attr) failed, no such attribute (-603), time:12
[2005-05-11 11:05:21 AM] (->)User "TMoore.<container>.<org>", Looking in (<container>.<org>) for (RADIUS:Enable Dial Access)
[2005-05-11 11:05:21 AM] (->)NWDSRead(<container>.<org>,RADIUS Enable Attr) succeeded, time:20
[2005-05-11 11:05:21 AM] User Name: tmoore, User DN: TMoore.<container>.<org>, Domain: , Service Tag:
[2005-05-11 11:05:21 AM] ->Sending Access-Reject (3) [(ip) <private-ip-address>(32811)] count=20
[2005-05-11 11:05:21 AM] ->Inserting into RespQ , code(3) id(235).
[2005-05-11 11:05:21 AM] -------- END : (Access-Request (1)) [(ip) <private-ip-address>:32811]: time:785758797---
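A small log-triage script, added here as an example and not part of the original post, that parses RADIUS debug excerpts in the format shown above and lines up the accepted request against the rejected one. The sample input is a subset of the posted lines rejoined onto single lines (constructed for this example; the post's own placeholders for addresses and DNs are kept). It does not diagnose the -803; it only makes the difference in the two flows visible: both requests resolve the same user DN and hit the same -603 (no such attribute) lookups, but the rejected one goes from the "User Name:" line straight to Access-Reject with no NADMAuthRequest or Authenticate step logged. The milestone names are taken from the log text itself.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: a subset of the posted log lines, rejoined onto
# single lines (the post's own placeholders for addresses and DNs are kept).
ACCEPTED_LOG = """\
[2005-05-11 10:46:02 AM] -------- START : (Access-Request (1)) [(ip) <private-ip-address>:32811]: time:774173450---
[2005-05-11 10:46:02 AM] AuthRequestHandler(), Calling RequestHandler.
[2005-05-11 10:46:02 AM] userName: tmoore
[2005-05-11 10:46:02 AM] userDN: TMoore.<container>.<org>
[2005-05-11 10:46:02 AM] (->)NWDSRead(TMoore.<container>.<org>,RADIUS Enable Attr) failed, no such attribute (-603), time:12
[2005-05-11 10:46:02 AM] (->)NWDSRead(<container>.<org>,RADIUS Enable Attr) succeeded, time:20
[2005-05-11 10:46:02 AM] User Name: tmoore, User DN: TMoore.<container>.<org>, Domain: , Service Tag:
[2005-05-11 10:46:02 AM] (->)NADMAuthRequest()
[2005-05-11 10:46:02 AM] (->)NADMAuthRequest(TMoore.<container>.<org>) succeeded, time:672
[2005-05-11 10:46:02 AM] (->)Authenticate (0 policy, NDS pswd) (for TMoore.<container>.<org>), succeeded
[2005-05-11 10:46:02 AM] (->)Authentication SUCCEEDED
[2005-05-11 10:46:02 AM] ->Sending Access-Accept (2) [(ip) <private-ip-address>(32811)] count=20
[2005-05-11 10:46:02 AM] -------- END : (Access-Request (1)) [(ip) <private-ip-address>:32811]: time:774174324---
"""

REJECTED_LOG = """\
[2005-05-11 11:05:21 AM] -------- START : (Access-Request (1)) [(ip) <private-ip-address>:32811]: time:785758648---
[2005-05-11 11:05:21 AM] AuthRequestHandler(), Calling RequestHandler.
[2005-05-11 11:05:21 AM] userName: tmoore
[2005-05-11 11:05:21 AM] userDN: TMoore.<container>.<org>
[2005-05-11 11:05:21 AM] (->)NWDSRead(TMoore.<container>.<org>,RADIUS Enable Attr) failed, no such attribute (-603), time:12
[2005-05-11 11:05:21 AM] (->)NWDSRead(<container>.<org>,RADIUS Enable Attr) succeeded, time:20
[2005-05-11 11:05:21 AM] User Name: tmoore, User DN: TMoore.<container>.<org>, Domain: , Service Tag:
[2005-05-11 11:05:21 AM] ->Sending Access-Reject (3) [(ip) <private-ip-address>(32811)] count=20
[2005-05-11 11:05:21 AM] -------- END : (Access-Request (1)) [(ip) <private-ip-address>:32811]: time:785758797---
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*(?P<msg>.*)$")
ERR_RE = re.compile(r"\((-\d+)\)")  # NDS/eDirectory error codes such as (-603)

# Milestones of one Access-Request, spelled as the log spells them, in the
# order the accepted request passes through them.
MILESTONES = (
    "NADMAuthRequest(",
    "Authenticate (",
    "Authentication SUCCEEDED",
    "Sending Access-Accept",
    "Sending Access-Reject",
)


@dataclass
class Transaction:
    started: str
    user_name: Optional[str] = None
    user_dn: Optional[str] = None
    milestones: List[str] = field(default_factory=list)
    nds_errors: List[int] = field(default_factory=list)
    outcome: Optional[str] = None  # "Access-Accept" or "Access-Reject"


def parse_transactions(text: str) -> List[Transaction]:
    """Group log lines into START..END transactions and pull out the facts we compare."""
    txns: List[Transaction] = []
    cur: Optional[Transaction] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if msg.startswith("-------- START"):
            cur = Transaction(started=ts)
            continue
        if cur is None:
            continue  # queue statistics and other lines outside a START/END pair
        if msg.startswith("-------- END"):
            txns.append(cur)
            cur = None
            continue
        if msg.startswith("userName:"):
            cur.user_name = msg.split(":", 1)[1].strip()
        elif msg.startswith("userDN:"):
            cur.user_dn = msg.split(":", 1)[1].strip()
        cur.nds_errors.extend(int(code) for code in ERR_RE.findall(msg))
        for mark in MILESTONES:
            if mark in msg:
                cur.milestones.append(mark)
                break
        if "Sending Access-Accept" in msg:
            cur.outcome = "Access-Accept"
        elif "Sending Access-Reject" in msg:
            cur.outcome = "Access-Reject"
    return txns


def first_missing_milestone(reference: Transaction, failed: Transaction) -> Optional[str]:
    """First milestone the reference request logged that the failed one never did."""
    seen = set(failed.milestones)
    for mark in reference.milestones:
        if mark not in seen:
            return mark
    return None


def report(reference: Transaction, failed: Transaction) -> str:
    same_errors = set(reference.nds_errors) == set(failed.nds_errors)
    return (f"user={failed.user_name} dn={failed.user_dn} outcome={failed.outcome}; "
            f"same NDS error codes as accepted request: {same_errors}; "
            f"first milestone never reached: {first_missing_milestone(reference, failed)}")


if __name__ == "__main__":
    accepted = parse_transactions(ACCEPTED_LOG)[0]
    rejected = parse_transactions(REJECTED_LOG)[0]
    print(report(accepted, rejected))
```

Run against the full log file instead of the embedded samples, `parse_transactions` yields one `Transaction` per START/END pair, so the same comparison can be made for every Access-Reject against the nearest Access-Accept for the same `user_dn`; the point is to separate "directory lookups differ" from "the request never reached the password check", which is what the two excerpts above show.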