Cisco VPN Client - IOS 12.4 + ACS 4.0 Radius Authentication

asans
Level 1

In a scenario with the Cisco VPN client terminating the VPN on a router (IOS 12.4), authenticating with RADIUS to ACS 4.0 doesn't work, with this error:

Jan 29 09:26:29.137: RADIUS(00000421): Send Access-Request to 14.10.64.10:1645 id 1645/42, len 126
.....             
Jan 29 09:26:29.141: RADIUS: Received from id 1645/42 14.10.64.10:1645, Access-Reject, len 32
Jan 29 09:26:29.141: RADIUS:  authenticator 6A 0C 43 74 86 4C 2D 59 - C2 F3 FF 22 AA 5D D9 2A
Jan 29 09:26:29.141: RADIUS:  Reply-Message       [18]  12 
Jan 29 09:26:29.141: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D                    [Rejected??]
Jan 29 09:26:29.141: RADIUS: response-authenticator decrypt fail, pak len 32


Configuration:
....
aaa group server radius RADIUS-ACE
server 14.10.64.10 auth-port 1645 acct-port 1646
ip vrf forwarding MANAGEMENT
ip radius source-interface Vlan406
.....
.....
radius-server attribute 44 include-in-access-req vrf MANAGEMENT
radius-server attribute 69 clear
radius-server attribute 6 on-for-login-auth
radius-server attribute 30 original-called-number
radius-server attribute 4 14.20.3.91
radius-server host 14.10.64.10 auth-port 1645 acct-port 1646 non-standard key 7 1511021F0725
radius-server challenge-noecho
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication


Obviously, the key is correctly configured. Do you know of any bug or problem with this scenario? We don't find any bug in Bug Toolkit.

With TACACS instead of RADIUS it works fine.


Jagdeep Gambhir
Level 10

Hi Asans,

The error message appears if there is a mismatch in the shared key between the RADIUS server and the device. In ACS, if you have an NDG shared key configured, that will override the individual key configured on the aaa-client.


On ACS--->Network configuration--->NDG--->Edit Properties-->Shared key (You can either remove it or put a key that you want to use)


Also, such a problem can occur due to an invisible space " " character at the end of the key. I suggest you re-enter the key manually and try again.


Avoid copy/paste.


Regards,

~JG


Do rate helpful posts
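
The check behind "response-authenticator decrypt fail", as an added example that is not part of the original thread: per RFC 2865 the router recomputes MD5 over the reply header, the Request Authenticator, the attributes and its own copy of the shared secret, so an NDG key overriding the client key or a trailing space makes the comparison fail. The keys and Request Authenticator are constructed sample values; the packet id, length and Reply-Message bytes mirror the debug output above.

```python
import hashlib
import hmac
import struct

ACCESS_REJECT = 3  # RADIUS packet code (RFC 2865)

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865: MD5(Code | ID | Length | Request Authenticator | Attributes | Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    # Server side: sign the reply with the server's copy of the shared secret.
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(packet, request_auth, secret):
    # NAS side: recompute with the NAS's copy of the secret and compare.
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample values (not taken from the thread's devices).
REQUEST_AUTH = bytes(range(16))
ROUTER_KEY = b"example-secret"
# Reply-Message (type 18, length 12) carrying "Rejected\n\r", as in the debug output.
REPLY_MESSAGE = bytes([18, 12]) + b"Rejected\n\r"

def scenarios():
    # Map each server-side key to whether the router accepts the signed reply.
    server_keys = {
        "same key": ROUTER_KEY,
        "trailing space": ROUTER_KEY + b" ",
        "NDG key overrides client key": b"ndg-level-secret",
    }
    return {
        name: verify_reply(
            build_reply(ACCESS_REJECT, 42, REPLY_MESSAGE, REQUEST_AUTH, key),
            REQUEST_AUTH, ROUTER_KEY)
        for name, key in server_keys.items()
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'authenticator OK' if ok else 'authenticator mismatch'}")
```
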

Hi,

The shared key is correct and we configured it manually in order to avoid problems with "cut & paste".

We have reviewed this issue and we don't know the reason why it fails...

Any idea?

Thanks for your help.

Jagdeep Gambhir
Level 10

Did you check NDG key in ACS?

Yes, we have checked the NDG key in ACS .... (more than three times......)


Is some incompatibility between IOS 12.4 and ACS 4.0 possible?
