Firewall Wizards mailing list archives

Contivity ES1000 and SecurID


From: lemke () Research Panasonic COM (Kennedy Lemke)
Date: Thu, 18 Mar 1999 17:20:20 -0500

Hello--I apologize if this is considered a fringe topic, but I
hope the discussion may help others.

I am installing a VPN box--a "Contivity ES1000" from Nortel
(formerly Bay Networks).  I've configured the box to work in
parallel with our firewall.  I picked this box because it advertises
that it will work with SecurID which we've been using here
successfully for many years.  I'm able to use username/password-only
authentication but do not wish to do this for obvious reasons--I'd
like this to work with our existing SecurID authentication.

I'm currently running version 3.01 of aceserver on a Solaris box.
I've added the contivity box as a valid client.  However, when
the connection program on the remote PC tries to connect, this error
message is displayed: "Radius Authentication failed".  On the SecurID
server, *nothing at all* is displayed in the aceserver logs, but the
Contivity box reports: 

03/18/1999 16:53:42 0 Security [11] Radius: verified server "aceserver.ip.address" reply, result: -2, message: Non-matching id in server response.
03/18/1999 16:53:42 0 Security [12] Radius: "aceserver.ip.address" sent invalid response packet for "username". 
03/18/1999 16:53:42 0 Security [13] Session: IPSEC[username]:24 authentication failed using RADIUS 

I'm using the latest version of the Contivity software (V02_10.06).
The Nortel support representative reports that this version of their
software should work fine with the version of aceserver I'm using, but
I suspect I need to upgrade the aceserver software to version 3.3 for
a few reasons: first, because authorization isn't working; second,
because there's no mention of "RADIUS" in the 3.01 aceserver documentation,
and third because this document on Security Dynamics' web server:

        http://www.securitydynamics.com/service/guides/nortel.html

reports that this was tested with version 3.3.  I have three questions
regarding this:

(1) Is anyone successfully using a Contivity box with SecurID authentication?
    If so, is it necessary to upgrade the aceserver server software to
    version 3.3?

(2) The document mentioned in the URL above indicates as a product
    requirement: "ACE/Server v3.3 and later with RADIUS front-end."  Is
    the "RADIUS front-end" a completely separate component to the software,
    or is it included with version 3.3?

(3) Currently I use the aceserver software in conjunction with a Micro-Annex
    XL terminal server for SecurID authentication (this is done via the
    "erpcd" process that runs on the aceserver, so the only current client
    of the aceserver is itself, and I have not had to muck with "node
    secrets" so far).  This Annex box is running version R10.0.  Will
    this version of the Annex software work with version 3.3 of aceserver,
    or will I *also* have to upgrade the Annex software?

Thanks in advance for any help/pointers you can provide.  I'll summarize
when this project is complete.

 _____ _______ _____    Kennedy Lemke
|  __ \__   __|_   _|   Computer Systems Manager
| |__) | | |    | |     UNIX && TCP/IP Network administrator
|  ___/  | |    | |     Postmaster && Webmaster && News administrator
| |      | |   _| |_    Panasonic Technologies, Inc.
|_|      |_|  |_____|   2 Research Way
Work: (609) 734-7329    Princeton, New Jersey  08540-6628
Fax:  (609) 987-8827    Email: lemke () Research Panasonic COM
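
For readers chasing the "Non-matching id in server response" entry in the log above: under RFC 2865 a RADIUS client accepts a reply only if its Identifier equals the request's and its Response Authenticator hashes correctly with the shared secret. The check below is an added example, not part of the original post or of any vendor's code; the function names, packets and secret are constructed, and how the Contivity box itself performs the check is not known from the post.

```python
import hashlib
import hmac
import struct

def parse(pkt):
    """Split a RADIUS packet into (code, identifier, authenticator, attributes)."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("Length field does not fit the datagram")
    return code, ident, pkt[4:20], pkt[20:length]

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Assemble a reply the way a server would (used only for the samples)."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def check_reply(request, reply, secret):
    """Classify a reply against the request it claims to answer."""
    _, req_id, req_auth, _ = parse(request)
    code, rep_id, rep_auth, attrs = parse(reply)
    if rep_id != req_id:
        return "non-matching id"      # reply belongs to some other request
    expected = response_authenticator(code, rep_id, attrs, req_auth, secret)
    if not hmac.compare_digest(rep_auth, expected):
        return "bad authenticator"    # wrong shared secret or altered packet
    return "ok"

# Constructed sample data (not taken from the post).
SECRET = b"constructed-secret"
REQ_AUTH = bytes(range(16))
USER_NAME = bytes([1, 10]) + b"username"   # User-Name attribute: type 1, length 10
REQUEST = struct.pack("!BBH", 1, 24, 20 + len(USER_NAME)) + REQ_AUTH + USER_NAME

if __name__ == "__main__":
    samples = [
        ("good", build_reply(2, 24, b"", REQ_AUTH, SECRET)),
        ("wrong id", build_reply(2, 25, b"", REQ_AUTH, SECRET)),
        ("wrong secret", build_reply(2, 24, b"", REQ_AUTH, b"other-secret")),
    ]
    for name, pkt in samples:
        print(name, "->", check_reply(REQUEST, pkt, SECRET))
```

Feeding it the request and reply bytes from a capture taken between the two hosts shows which of the two checks a given reply fails.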


