RADIUS authentication tests fail on the VPN 3000 Concentrator with software version 4.7


Wed, 07/22/2009 - 19:36
Jun 18th, 2009

Core issue

This issue can occur in either of these situations:

  • The key on the VPN concentrator and the RADIUS server are different.

  • The RADIUS server is not in the top list when multiple authentication  methods are configured.


In order to resolve this issue, complete these steps:

  1. In order to test authentication, choose Configuration > System > Servers > Authentication > Test. Test a known username and password combination from the Cisco VPN 3000 Concentrator to see if it is successful.

  2. If authentication fails, try to ping the RADIUS server from the VPN concentrator.

    If the ping is unsuccessful, it is likely a routing issue that can be related to a misconfigured default gateway or subnet mask that sets on the server itself.

    If the RADIUS server is not directly connected to the inside interface of the VPN concentrator, make sure there is a static route on the concentrator for the RADIUS server or the subnet.

  3. If the ping is successful but authentication fails, choose Configuration > System > Events > Classes and add AUTH, AUTHDECODE and AUTHDBG with a log severity of 1 to 13.


    In order to test this further, issue the test authentication command and check the live event viewer in order to see the output of the VPN concentrator logs.

  4. Ensure that the key on both the VPN concentrator and the RADIUS server are the same.

    If multiple authentication methods are to be configured, then ensure that the RADIUS server is at the top of the list on the VPN concentrator.


Note: The VPN concentrator uses only Password Authentication Protocol (PAP) when the Test feature is used.

In order to use MS-CHAP, you configure the radius-with-expiry command in the tunnel-group.  This forces the Concentrator to use MS-CHAP.

Refer to the Configure the RADIUS Server and the VPN 3000 Concentrator section of Using Cisco Secure ACS for Windows with the VPN 3000 Concentrator - IPSec for a configuration example.

Refer to these documents for more information:

Problem Type

Connectivity to the device

Troubleshoot software feature

Product Family

VPN - 3000 series concentrator



VPN 3000 Software Version


VPN 3000 Model

Concentrator models

VPN Tunnel End Points

VPN 3000 series

Features & Tasks




This Document

Related Content