Cisco VPN Client - IOS 12.4 + ACS 4.0 Radius Authentication

Unanswered Question
Jan 29th, 2010


In a scenario with the Cisco VPN client terminating a VPN on a router (IOS 12.4), authenticating with RADIUS against ACS 4.0 doesn't work, with this error:

Jan 29 09:26:29.137: RADIUS(00000421): Send Access-Request to 14.10.64.10:1645 id 1645/42, len 126
.....             
Jan 29 09:26:29.141: RADIUS: Received from id 1645/42 14.10.64.10:1645, Access-Reject, len 32
Jan 29 09:26:29.141: RADIUS:  authenticator 6A 0C 43 74 86 4C 2D 59 - C2 F3 FF 22 AA 5D D9 2A
Jan 29 09:26:29.141: RADIUS:  Reply-Message       [18]  12 
Jan 29 09:26:29.141: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D                    [Rejected??]
Jan 29 09:26:29.141: RADIUS: response-authenticator decrypt fail, pak len 32


Configuration:
....
aaa group server radius RADIUS-ACE
server 14.10.64.10 auth-port 1645 acct-port 1646
ip vrf forwarding MANAGEMENT
ip radius source-interface Vlan406
.....
.....
radius-server attribute 44 include-in-access-req vrf MANAGEMENT
radius-server attribute 69 clear
radius-server attribute 6 on-for-login-auth
radius-server attribute 30 original-called-number
radius-server attribute 4 14.20.3.91
radius-server host 14.10.64.10 auth-port 1645 acct-port 1646 non-standard key 7 1511021F0725
radius-server challenge-noecho
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication


Obviously, the key is correctly configured. Do you know about any bug or problem with this scenario? We don't find any bug in bugtoolkit.

With TACACS instead of RADIUS, it works fine.

Jagdeep Gambhir Fri, 01/29/2010 - 02:08


Hi Asans,

The error message appears if there is a mismatch in the shared key between the RADIUS server and the device. In ACS, if you have an NDG shared key configured, it will overwrite the individual key configured on the AAA client.


On ACS--->Network configuration--->NDG--->Edit Properties-->Shared key (You can either remove it or put a key that you want to use)


Also, such a problem can occur due to an invisible space " " character at the end of the key. I suggest you re-enter the key manually and try again.


Avoid copy/paste.


Regards,

~JG


Do rate helpful posts
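To show what the router is actually checking when it logs "response-authenticator decrypt fail", here is an added Python example (not from this thread and not Cisco code) that builds the 32-byte Access-Reject seen in the log and verifies its Response Authenticator per RFC 2865 section 3. The secret values and the Request Authenticator are constructed; a secret with a trailing space fails exactly the way the reply describes.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread): a fixed 16-byte Request
# Authenticator as the NAS would have sent in its Access-Request, plus the
# RADIUS ID seen in the log (42).
REQUEST_AUTH = bytes(range(0xA0, 0xB0))
IDENTIFIER = 42
ACCESS_REJECT = 3
REPLY_MESSAGE = 18

def response_authenticator(code, identifier, attributes, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret).

    The NAS recomputes this with its own copy of the shared secret; a mismatch
    is what IOS reports as 'response-authenticator decrypt fail'.
    """
    length = 20 + len(attributes)                      # 20-byte header + attributes
    header = struct.pack("!BBH", code, identifier, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def build_access_reject(identifier, request_auth, secret, message=b"Rejected\n\r"):
    """Build the Access-Reject the server side sends (Reply-Message, attr 18)."""
    attrs = bytes([REPLY_MESSAGE, 2 + len(message)]) + message   # TLV: type, len, value
    auth = response_authenticator(ACCESS_REJECT, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_REJECT, identifier, 20 + len(attrs)) + auth + attrs

def verify_response(packet, request_auth, secret):
    """What the NAS does on receipt: recompute the authenticator with its own secret."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:length], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)

if __name__ == "__main__":
    server_secret = b"s3cret"                          # constructed: what ACS uses
    reject = build_access_reject(IDENTIFIER, REQUEST_AUTH, server_secret)
    print("packet length:", len(reject))               # 32, as in the debug output
    print("router key matches:", verify_response(reject, REQUEST_AUTH, b"s3cret"))
    print("router key with trailing space:", verify_response(reject, REQUEST_AUTH, b"s3cret "))
```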

asans Fri, 01/29/2010 - 02:16

Hi,

Shared-key is correct and we configured it manually in order to avoid problems with "cut & paste".

We have reviewed this issue and we don't know the reason why it fails...

Any idea?

Thanks for your help.

asans Fri, 01/29/2010 - 02:39

Yes, we have checked the NDG key in ACS.... (more than three times......)


Is some incompatibility between IOS 12.4 and ACS 4.0 possible?
