Authentication with a Defender token fails. The DSS log shows the following error:
"User not valid for this route"
Users may see the following message when attempting to log in:
"Access Denied - No valid route found. Please contact your administrator."
Either of three things, or a combination of all three, could be the problem here.
1. The user who is assigned the token and cannot authenticate is not on the "Members" tab of the Access Node, either directly or indirectly.
2. The IP address entered on the Access Node configuration is incorrect.
3. The service account does not have permissions to read the permissions of the user.
1. Add the user to the "Members" tab of the Access Node being indicated in the DSS log. A group the user is a member of can also be added here. The Access Node name will appear next to "NAS". For example:
Sat 19 Mar 2011 10:23:19 Radius request: Access-Request for testacct from 10.10.10.25:12001 through NAS:AccessNode Request ID: 107 Session ID: 83BC5102
In the above line from a DSS log, the Access Node name is indicated as "NAS:AccessNode"
2. Depending on what the Access Node is configured to allow, you may have entered an IP subnet, ie: 10.10.10.0, or a specific IP address, ie: 10.10.10.10. Ensure that the IP from which the authentication request is coming from meets the requirements. For example:
Sat 19 Mar 2011 10:23:19 Radius Request from 10.10.10.25:12001 Request ID: 107
In the above sample line from a DSS log file, the request is coming from IP address 10.10.10.25. If the Access Node is configured for subnet 10.10.10.0, this will work, but if the Access Node specifies only one IP address, e.g. 10.10.10.32, then the authentication request will be refused.
3. Confirm that the service account has permissions to read "view members of" permissions on the user account.
For more information on configuration of Access Nodes, please refer to Knowledge Article 45588, Defender Access Node Configuration.
Also, this same error message may appear when a user is assigned no token at all and the above requirements are being met.