TCC_2

Core issue

This issue can occur in either of these situations:

  • The key on the VPN concentrator and the RADIUS server are different.

  • The RADIUS server is not at the top of the list when multiple authentication methods are configured.

Resolution

In order to resolve this issue, complete these steps:

  1. In order to test authentication, choose Configuration > System > Servers > Authentication > Test. Test a known username and password combination from the Cisco VPN 3000 Concentrator to see if it is successful.

  2. If authentication fails, try to ping the RADIUS server from the VPN concentrator.

    If the ping is unsuccessful, it is likely a routing issue, which can be caused by a misconfigured default gateway or subnet mask set on the server itself.

    If the RADIUS server is not directly connected to the inside interface of the VPN concentrator, make sure there is a static route on the concentrator for the RADIUS server or the subnet.

  3. If the ping is successful but authentication fails, choose Configuration > System > Events > Classes and add AUTH, AUTHDECODE and AUTHDBG with a log severity of 1 to 13.

    In order to test this further, issue the test authentication command and check the live event viewer in order to see the output of the VPN concentrator logs.

  4. Ensure that the key on the VPN concentrator and the key on the RADIUS server are the same.

    If multiple authentication methods are to be configured, then ensure that the RADIUS server is at the top of the list on the VPN concentrator.

Note: The VPN concentrator uses only Password Authentication Protocol (PAP) when the Test feature is used.

In order to use MS-CHAP, you configure the radius-with-expiry command in the tunnel-group. This forces the Concentrator to use MS-CHAP.

Refer to the Configure the RADIUS Server and the VPN 3000 Concentrator section of Using Cisco Secure ACS for Windows with the VPN 3000 Concentrator - IPSec for a configuration example.
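Why the key check in step 4 matters for the PAP-based Test feature, shown as an added example (not Cisco code): in RADIUS PAP (RFC 2865) the shared key both hides the User-Password attribute and signs the server's reply, so a key that differs by even one character breaks both. The key values, password and fixed Request Authenticator below are constructed for illustration.

```python
import hashlib

def pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: undo pap_hide using the server's own copy of the key."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")

def response_auth(code: int, ident: int, attrs: bytes,
                  req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def simulate(nas_secret: bytes, server_secret: bytes,
             password: bytes = b"Constructed-Pass-1234"):
    """Return (server_sees_correct_password, nas_accepts_reply) for one PAP test."""
    req_auth = bytes(range(16))  # constructed; a real client uses random bytes
    hidden = pap_hide(password, nas_secret, req_auth)
    password_ok = pap_reveal(hidden, server_secret, req_auth) == password
    code = 2 if password_ok else 3  # Access-Accept / Access-Reject
    reply = response_auth(code, 1, b"", req_auth, server_secret)
    nas_accepts = reply == response_auth(code, 1, b"", req_auth, nas_secret)
    return password_ok, nas_accepts

if __name__ == "__main__":
    print("matching keys  :", simulate(b"sharedkey", b"sharedkey"))
    print("mismatched keys:", simulate(b"sharedkey", b"sharedkey "))
```

With mismatched keys the server decodes a garbage password even though the user typed the right one, and the reply fails Response Authenticator verification on the client side, which RFC 2865 says is silently discarded.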

Refer to these documents for more information:

Problem Type

Connectivity to the device

Troubleshoot software feature

Product Family

VPN - 3000 series concentrator

Frequency

Continuously

VPN 3000 Software Version

4.7

VPN 3000 Model

Concentrator models

VPN Tunnel End Points

VPN 3000 series

Features & Tasks

RADIUS
