01-29-2010 01:31 AM - edited 03-10-2019 04:54 PM
Cisco VPN Client - IOS 12.4 + ACS 4.0 Radius Authentication
In a scenario with Cisco VPN Client terminating VPN to a router (IOS 12.4), authenticating with RADIUS to ACS 4.0 doesn't work, with this error:
Jan 29 09:26:29.137: RADIUS(00000421): Send Access-Request to 14.10.64.10:1645 id 1645/42, len 126
.....
Jan 29 09:26:29.141: RADIUS: Received from id 1645/42 14.10.64.10:1645, Access-Reject, len 32
Jan 29 09:26:29.141: RADIUS: authenticator 6A 0C 43 74 86 4C 2D 59 - C2 F3 FF 22 AA 5D D9 2A
Jan 29 09:26:29.141: RADIUS: Reply-Message [18] 12
Jan 29 09:26:29.141: RADIUS: 52 65 6A 65 63 74 65 64 0A 0D [Rejected??]
Jan 29 09:26:29.141: RADIUS: response-authenticator decrypt fail, pak len 32
Configuration:
....
aaa group server radius RADIUS-ACE
server 14.10.64.10 auth-port 1645 acct-port 1646
ip vrf forwarding MANAGEMENT
ip radius source-interface Vlan406
.....
.....
radius-server attribute 44 include-in-access-req vrf MANAGEMENT
radius-server attribute 69 clear
radius-server attribute 6 on-for-login-auth
radius-server attribute 30 original-called-number
radius-server attribute 4 14.20.3.91
radius-server host 14.10.64.10 auth-port 1645 acct-port 1646 non-standard key 7 1511021F0725
radius-server challenge-noecho
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication
Obviously, the key is correctly configured. Do you know about any bug or problem with this scenario? We don't find any bug in Bug Toolkit.
With TACACS instead of RADIUS it works fine.
01-29-2010 02:08 AM
Hi Asans,
The error message appears if there is a mismatch in the shared key between the RADIUS server and the device. In ACS, if you have an NDG shared key configured, that will overwrite the individual key configured on the AAA client.
On ACS ---> Network Configuration ---> NDG ---> Edit Properties ---> Shared Key (you can either remove it or put in the key that you want to use).
Also, such a problem can occur due to an invisible space " " character at the end of the key. I suggest you re-enter the key manually and try again.
Avoid copy/paste.
Regards,
~JG
Do rate helpful posts
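Added example (not code from the thread or from Cisco): how the router validates the Response Authenticator of an Access-Reject like the one in the log above, per RFC 2865. The Request Authenticator, the secret and the function names are constructed assumptions; the packet built here has the same shape as the logged one (id 42, len 32, Reply-Message [18] 12 "Rejected\n\r"), and any difference in the secret (wrong key, NDG key, trailing space) makes verification fail, which is the condition IOS reports as "response-authenticator decrypt fail".

```python
import hashlib
import hmac
import struct

# Constructed sample values, not taken from the original thread: the 16-byte
# Request Authenticator the router sent in its Access-Request, and the secret.
REQUEST_AUTH = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SHARED_SECRET = b"cisco123"

ACCESS_REJECT = 3     # RADIUS Code for Access-Reject
REPLY_MESSAGE = 18    # attribute type shown in the log as "Reply-Message [18]"


def build_access_reject(ident, request_auth, secret, message=b"Rejected\n\r"):
    """Build an Access-Reject the way an RFC 2865 server does.
    Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    """
    attrs = struct.pack("!BB", REPLY_MESSAGE, 2 + len(message)) + message
    header = struct.pack("!BBH", ACCESS_REJECT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet, request_auth, secret):
    """What the router does on receipt: recompute the digest with its own copy
    of the secret and the Request Authenticator it kept for this packet ID.
    Returns False when the secrets differ (the 'decrypt fail' case)."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    received_auth = packet[4:20]
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    return hmac.compare_digest(received_auth, expected)


def parse_attributes(packet):
    """Walk the TLV attribute list after the 20-byte header -> [(type, value)]."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out
```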
01-29-2010 02:16 AM
Hi,
The shared key is correct, and we configured it manually in order to avoid problems with "cut & paste".
We have reviewed this issue and we don't know the reason why it fails...
Any idea?
Thanks for your help.
01-29-2010 02:23 AM
Did you check NDG key in ACS?
01-29-2010 02:39 AM
Yes, we have checked the NDG key in ACS .... (more than three times......)
Is some incompatibility between IOS 12.4 and ACS 4.0 possible?