Initially Radius authentication to PAM was working, when using AAA radius. An attempt was made to switch to opendj radius, but Radius authentication did not work with the new server. Reverting to the original AAA Radius did not resolve the problem, though authentication by the same AAA Radius server worked for another PAM instance.
During a debug session with PAM support it was found that there was corruption in a Radius client configuration file.
It was determined that there were two defects. The first was parsing the authserver section of the configuration file when the shared secret contains a colon(:). The second issue involves the Radius configuration information not being replicated to secondary nodes in a PAM cluster.
A fix is to be included in maintenance release 3.2.5, and the upcoming 3.3 release.
The problem was resolved without a patch with the help from PAM support.
1. Remove all RADIUS configurations from the Configuration --> 3rd Party --> RADIUS and TACACS+ table.
2. Have support clear out any remaining corruption in the Radius client configuration file.
3. Re-add a valid RADIUS configuration to the PAM Configuration --> 3rd Party --> RADIUS and TACACS+ table. Ensure the target account used has a secret that does NOT contain a colon.
At this point, Radius Authentication should again work.
If you experience this problem, and an upgrade to 3.2.5 or 3.3 is not possible yet, please open a case with PAM support to get it fixed.