Cisco VPN Client - IOS 12.4 + ACS 4.0 Radius Authentication

Jan 29th, 2010

In a scenario with a Cisco VPN client terminating a VPN on a router (IOS 12.4), authenticating with RADIUS against ACS 4.0 doesn't work, with this error:

Jan 29 09:26:29.137: RADIUS(00000421): Send Access-Request to id 1645/42, len 126
Jan 29 09:26:29.141: RADIUS: Received from id 1645/42, Access-Reject, len 32
Jan 29 09:26:29.141: RADIUS:  authenticator 6A 0C 43 74 86 4C 2D 59 - C2 F3 FF 22 AA 5D D9 2A
Jan 29 09:26:29.141: RADIUS:  Reply-Message       [18]  12 
Jan 29 09:26:29.141: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D                    [Rejected??]
Jan 29 09:26:29.141: RADIUS: response-authenticator decrypt fail, pak len 32

aaa group server radius RADIUS-ACE
server auth-port 1645 acct-port 1646
ip vrf forwarding MANAGEMENT
ip radius source-interface Vlan406
radius-server attribute 44 include-in-access-req vrf MANAGEMENT
radius-server attribute 69 clear
radius-server attribute 6 on-for-login-auth
radius-server attribute 30 original-called-number
radius-server attribute 4
radius-server host auth-port 1645 acct-port 1646 non-standard key 7 1511021F0725
radius-server challenge-noecho
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication

Obviously, the key is correctly configured. Do you know of any bug or problem with this scenario? We didn't find any bug in the Bug Toolkit.

With TACACS instead of RADIUS, it works fine.

Jagdeep Gambhir Fri, 01/29/2010 - 02:08

Hi Asans,

The error message appears if there is a mismatch in the shared key between the RADIUS server and the device. In ACS, if you have an NDG shared key configured, it will overwrite the individual key configured on the AAA client.

On ACS--->Network configuration--->NDG--->Edit Properties-->Shared key (You can either remove it or put a key that you want to use)

Also, such a problem can occur due to an invisible space " " character at the end of the key. I suggest you re-enter the key manually and try again.

Avoid copy/paste.

Do rate helpful posts
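
Added example, not code from this thread or from Cisco: the Response Authenticator check behind that debug line, computed as RFC 2865 defines it (MD5 over code, identifier, length, the request authenticator, the attributes and the shared secret) on a constructed Access-Reject with the same shape as the one in the debug output. The secret, request authenticator and packet identifier are assumed values; a trailing space on one side's key, or an NDG key overriding the per-client key, both show up as exactly this mismatch.

```python
import hashlib
import struct

# Constructed sample values (assumptions, not taken from the thread):
SERVER_SECRET = b"example-shared-key"      # the key ACS actually uses
REQUEST_AUTHENTICATOR = bytes(range(16))   # 16 bytes the NAS sent in the Access-Request
ACCESS_REJECT = 3                          # RADIUS code for Access-Reject (RFC 2865)
REPLY_MESSAGE_TYPE = 18                    # attribute type of Reply-Message


def reply_message_attr(text: bytes) -> bytes:
    """Encode a Reply-Message attribute: type, length (header included), value."""
    return struct.pack("!BB", REPLY_MESSAGE_TYPE, 2 + len(text)) + text


def build_response(code: int, ident: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """Build a RADIUS response. Its Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865, section 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def response_authenticator_ok(packet: bytes, request_auth: bytes, nas_secret: bytes) -> bool:
    """Recompute the Response Authenticator with the NAS's copy of the secret.
    A mismatch is what IOS reports as 'response-authenticator decrypt fail'."""
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + nas_secret).digest()
    return received == expected


# Access-Reject id 42 carrying Reply-Message "Rejected\n\r": a 20-byte header plus a
# 12-byte attribute gives the 32-byte packet seen in the debug output.
SAMPLE_REJECT = build_response(ACCESS_REJECT, 42,
                               reply_message_attr(b"Rejected\n\r"),
                               REQUEST_AUTHENTICATOR, SERVER_SECRET)

if __name__ == "__main__":
    # Same secret on both sides: the check passes.
    print(response_authenticator_ok(SAMPLE_REJECT, REQUEST_AUTHENTICATOR, SERVER_SECRET))
    # Router key with a trailing space (the invisible-space case): the check fails.
    print(response_authenticator_ok(SAMPLE_REJECT, REQUEST_AUTHENTICATOR, SERVER_SECRET + b" "))
    # ACS answering with an NDG key that differs from the per-client key: also fails.
    print(response_authenticator_ok(SAMPLE_REJECT, REQUEST_AUTHENTICATOR, b"ndg-group-key"))
```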

asans Fri, 01/29/2010 - 02:16

The shared key is correct, and we configured it manually in order to avoid problems with "cut & paste".

We have reviewed this issue and we don't know the reason why it fails...

Any idea?

Thanks for your help.

asans Fri, 01/29/2010 - 02:39

Yes, we have checked the NDG key in ACS .... (more than three times......)

Is some incompatibility between IOS 12.4 and ACS 4.0 possible?
