dialup authentication via RADIUS ACS 4.0

Unanswered Question
May 14th, 2008

What should be configured/set on the ACS for RADIUS IETF authentication?

This is a new setup. Users failed to authenticate via ACS (both local users and AD). Failed attempts are being logged at ACS.

Richard Burts Thu, 05/15/2008 - 04:27


If authentication requests are getting to the server then it sounds like most of the router config is in place. If there are entries in the failed attempts logs then there should be an indication of what the error is. What does the failed attempts log have for the error for these attempts?

In my experience the most common errors are not having the same value for the shared key between the router and the server or having the authentication request source address from the router not match the address configured in ACS. What do the failed attempt logs say about the error?



che.candeloza Thu, 05/15/2008 - 22:08

The errors are "CS password invalid" for local users of ACS and "External DB user invalid or bad password" for the AD users. The same users are being used for 802.1x authentication, and those users are authenticated successfully.

What seems to be the problem?

Richard Burts Fri, 05/16/2008 - 12:19


The title in the original post indicates that this is dialup. Can you tell us a bit about the dialup and how it is set up? And can you post the appropriate parts of the router configuration? In particular I am wondering whether the router may be using PAP or CHAP for PPP authentication.

And would I be correct in assuming that, in the failed attempts report, it is showing the correct ID of the user when it is reporting that password invalid or user invalid?



Jagdeep Gambhir Sat, 05/17/2008 - 04:44

Other than this, also cross-check the shared secret key on ACS and on your aaa-client.



Richard Burts Sat, 05/17/2008 - 09:52


If the issue were a mismatch between the shared secret key would it not have failed before it got to the point where the error is "CS password invalid"?

In my experience ACS checks the shared secret key long before it gets to the point of checking the user password.



