This issue can occur in either of these situations:
- The keys on the VPN concentrator and the RADIUS server are different.
- The RADIUS server is not at the top of the list when multiple authentication methods are configured.
In order to resolve this issue, complete these steps:
- In order to test authentication, choose Configuration > System > Servers > Authentication > Test. Test a known username and password combination from the Cisco VPN 3000 Concentrator to see if it is successful.
- If authentication fails, try to ping the RADIUS server from the VPN concentrator.
If the ping is unsuccessful, it is likely a routing issue that can be related to a misconfigured default gateway or subnet mask set on the server itself.
If the RADIUS server is not directly connected to the inside interface of the VPN concentrator, make sure there is a static route on the concentrator for the RADIUS server or the subnet.
- If the ping is successful but authentication fails, choose Configuration > System > Events > Classes and add AUTH, AUTHDECODE and AUTHDBG with a log severity of 1 to 13.
In order to test this further, issue the test authentication command and check the live event viewer in order to see the output of the VPN concentrator logs.
- Ensure that the key on the VPN concentrator and the key on the RADIUS server are the same.
If multiple authentication methods are to be configured, then ensure that the RADIUS server is at the top of the list on the VPN concentrator.
Note: The VPN concentrator uses only Password Authentication Protocol (PAP) when the Test feature is used.
In order to use MS-CHAP, you configure the radius-with-expiry command in the tunnel-group. This forces the Concentrator to use MS-CHAP.
Refer to the Configure the RADIUS Server and the VPN 3000 Concentrator section of Using Cisco Secure ACS for Windows with the VPN 3000 Concentrator - IPSec for a configuration example.
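The following added example (not part of the original document or of Cisco's software) shows why a key mismatch makes a PAP test fail even with a correct password: RADIUS hides the PAP User-Password with an MD5 keystream derived from the shared key and the Request Authenticator (RFC 2865, section 5.2), so a server that holds a different key recovers a different byte string. The function names, keys and password are constructed for illustration.

```python
import hashlib
import os

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (the concentrator): build the User-Password attribute value."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a multiple of 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()         # b_i = MD5(S + c_(i-1))
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block                                      # chain on the ciphertext block
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding with the server's own copy of the key."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")

def server_accepts(client_key: bytes, server_key: bytes, typed: bytes,
                   stored: bytes, authenticator: bytes) -> bool:
    """True if the password the server recovers matches the one it has on file."""
    hidden = hide_password(typed, client_key, authenticator)
    return recover_password(hidden, server_key, authenticator) == stored

if __name__ == "__main__":
    auth = os.urandom(16)                  # fresh Request Authenticator per request
    pw = b"constructed-test-password"      # constructed sample value, spans two blocks
    print("keys match   :", server_accepts(b"key-A", b"key-A", pw, pw, auth))
    print("keys differ  :", server_accepts(b"key-A", b"key-B", pw, pw, auth))
    print("server sees  :", recover_password(hide_password(pw, b"key-A", auth), b"key-B", auth))
```

With mismatched keys the server rejects the request as a bad password, which is why the test can fail for a known-good username and password.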
Refer to these documents for more information:
- Configuring the Cisco VPN Client to the VPN 3000 Concentrator with Microsoft Windows NT Domain Authentication
- The Configure the VPN 3000 RADIUS with Expiry Feature section of VPN 3000 RADIUS with Expiry Feature Using Microsoft Internet Authentication Server