ASA SSL VPN radius server marked as failed to Windows 2008 NPS server

Aug 24th, 2010

Has anyone seen an issue with using RADIUS between a Cisco ASA5510 and a Windows 2008 NPS server? I had an issue some time ago where I continuously saw both configured RADIUS servers marked as failed and then marked as active, over and over. After a Windows 2008 server update, the RADIUS issue went away. Just recently it started again. I'm not sure if a Windows update caused it to start happening again.

Thanks for any replies,

Yudong Wu Tue, 08/24/2010 - 09:40

Could you please provide the following info?

- ASA software version

- related AAA configuration on ASA

- when the issue happens, please capture the following commands on ASA:

  show cpu usage

  show aaa-server (multiple times to show it is marked as failed)

Also check your Windows server's status when the issue happens.

MARK BAKER Tue, 08/24/2010 - 10:45

Hello Yudong,

ASA version is 8.2(2)

aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host
key *****
authentication-port 1812
accounting-port 1813
aaa-server RADIUS (inside) host
key *****
aaa-server RADIUS (inside) host
key *****

All tunnel-groups contain "accounting-server-group RADIUS" and "authentication-server-group RADIUS"

The RADIUS server returns the VPN group assignment as OU=VPNgroup

I just did a packet capture on the RADIUS exchange and see the below happening.


RADIUS request

RADIUS response with correct OU assignment


RADIUS request

RADIUS response with incorrect OU assignment

some time passes

syslog sent stating RADIUS server failed

Tries a few more times; if the RADIUS server ever replies with the correct OU it will succeed, otherwise it will time out.

This appears to be a Windows 2008 NPS issue.

Yudong Wu Tue, 08/24/2010 - 11:04

Your code version rules out the bug I was suspecting. So I agree, the issue might be on the Windows server side.

MARK BAKER Tue, 08/24/2010 - 12:45

Here's another indicator pointing toward the RADIUS server. When I do a packet capture I see the response from the RADIUS server for both the failures and the successes. The difference is that Wireshark is able to identify which response goes to which request for the successful logins, but not for the failures.

I see in the successful response packet this message: "This is a response to a request in frame x". I don't see this in the response that times out.

When I get a login timeout, I see both the request and response packets to/from the RADIUS server. Wireshark doesn't recognize the pair to be related.

From what I am able to read in the packet capture, nothing stands out to me suggesting that the response isn't formatted correctly.

Thanks for looking into this for me.

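RADIUS pairs a reply with its request by the 8-bit Identifier in the header, and the reply carries a Response Authenticator computed over the request's own authenticator and the shared secret (RFC 2865), which is why a capture can show a reply that no request "owns". The following is an added example, not code from the thread or from Cisco or Microsoft; the shared secret, the User-Name and the three constructed replies are made up for illustration, and the Class attribute value OU=VPNgroup mirrors the group assignment described above.

```python
import hashlib
import struct

# Constructed shared secret and packets for illustration; not taken from the thread's capture.
SECRET = b"example-secret"

def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    return bytes([atype, 2 + len(value)]) + value

def build_packet(code, ident, authenticator, attrs):
    """Assemble a RADIUS packet: Code, Identifier, Length, Authenticator, attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def parse(pkt):
    """Split a raw RADIUS packet into its header fields and attribute bytes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return {"code": code, "id": ident, "auth": pkt[4:20], "attrs": pkt[20:length]}

def pair_responses(requests, responses, secret):
    """Match replies to outstanding requests by Identifier, then verify each Response Authenticator."""
    outstanding = {parse(r)["id"]: parse(r) for r in requests}
    results = []
    for raw in responses:
        rsp = parse(raw)
        req = outstanding.get(rsp["id"])
        if req is None:
            results.append((rsp["id"], "unmatched: no outstanding request with this Identifier"))
            continue
        expected = response_authenticator(rsp["code"], rsp["id"], rsp["attrs"], req["auth"], secret)
        if expected != rsp["auth"]:
            results.append((rsp["id"], "identifier matched but Response Authenticator invalid"))
        else:
            results.append((rsp["id"], "valid"))
            del outstanding[rsp["id"]]  # a request is satisfied by exactly one valid reply
    return results

REQ_AUTH = bytes(range(16))  # constructed Request Authenticator; real clients send 16 random bytes
REQUEST = build_packet(1, 7, REQ_AUTH, attr(1, b"alice"))  # Access-Request, Identifier 7, User-Name
GROUP = attr(25, b"OU=VPNgroup")  # Class attribute carrying the group assignment, as in the thread
GOOD = build_packet(2, 7, response_authenticator(2, 7, GROUP, REQ_AUTH, SECRET), GROUP)  # Access-Accept
WRONG_ID = build_packet(2, 8, response_authenticator(2, 8, GROUP, REQ_AUTH, SECRET), GROUP)  # no request 8
BAD_AUTH = build_packet(2, 7, b"\x00" * 16, GROUP)  # right Identifier, authenticator not over this request

def demo():
    """Run the three constructed replies against the single outstanding request."""
    return pair_responses([REQUEST], [BAD_AUTH, WRONG_ID, GOOD], SECRET)
```

Running `demo()` shows the two failure shapes a capture can exhibit (an Identifier that matches no request, and a matching Identifier whose authenticator was not computed over this request) next to the one reply that pairs cleanly.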

MARK BAKER Tue, 09/28/2010 - 12:02

This issue was with the Windows 2008 server. After the latest patches, the issue is now gone. It was the previous patch that had started it. This has happened twice this year. I'm not sure which patches broke it and which ones fixed it.

MARK BAKER Sun, 11/30/2014 - 12:46

Someone just voted as having the same issue. If memory is correct, this issue had to do with a patch that updated trusted CAs. This list was so long that it was truncated on the server. We had to remove unused CA certs to fix the issue. To the person that voted, can you let me know if this is your issue?

Vitor Stefaneli Fri, 12/05/2014 - 04:32

Hi @Mark, it was me.

So, in fact I thought it could be the same problem. We have not solved it yet, but it appears to be some application issue.

I will keep this post updated when we finally solve the question.
