Cisco Support Community

New Member

ACS not responding to Radius Requests with empty username

Hi

I'm running an ASA5580 to terminate remote access VPN. The ASA sends Radius Requests to an ACS 5.2 for Authentication. The ACS then connects via LDAP to the ActiveDirectory to authenticate the VPN User. So far, this works fine.

But the ASA regularly marks the Radius Server as Dead (Syslog-ID 113022), and after a while, it is marked as alive again. Now, I found out that this happens when I try to connect with Anyconnect without entering a username. The ACS drops the Request with this message: "11021 RADIUS could not decipher password. packet missing necessary attributes" and does not answer the ASA. So the ASA believes the ACS is dead.

Is there any solution for that? Or am I totally wrong with my findings?

Thanks

Cisco Employee

ACS not responding to Radius Requests with empty username

Check the actions for when authentication fails that correspond to the applicable policy on ACS. It's probably set to "drop". Change it to "reject" and re-test.

New Member

ACS not responding to Radius Requests with empty username

Thanks for your reply

All of the Actions are set to reject:

"If authentication failed", "If user not found", "If process failed"

Are there other ideas? Is this not a known issue?
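One way to check the correlation described in the question, added here as an example and not part of the original thread: pair each ASA 113022 event with ACS 11021 drops logged shortly before it. The log layouts, host names, addresses, function names and the 60-second window are constructed assumptions; only the two message codes come from the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a simplified layout (not real device output).
ASA_LOG = """\
2011-05-02T09:14:41 asa1 %ASA-2-113022: AAA Marking RADIUS server 192.0.2.10 in aaa-server group VPN-RADIUS as FAILED
2011-05-02T09:20:05 asa1 (unrelated line)
2011-05-02T13:02:17 asa1 %ASA-2-113022: AAA Marking RADIUS server 192.0.2.10 in aaa-server group VPN-RADIUS as FAILED
"""
ACS_LOG = """\
2011-05-02T09:14:30 acs1 FailureReason="11021 RADIUS could not decipher password. packet missing necessary attributes" NAS=192.0.2.1
2011-05-02T11:00:00 acs1 FailureReason="11021 RADIUS could not decipher password. packet missing necessary attributes" NAS=192.0.2.1
"""

TS = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s")


def events(log, marker):
    """Return the timestamps of all lines that contain the given message code."""
    found = []
    for line in log.splitlines():
        m = TS.match(line)
        if m and marker in line:
            found.append(datetime.fromisoformat(m.group(1)))
    return found


def correlate(asa_log, acs_log, window_s=60):
    """For each 113022 event, list the 11021 drops seen in the preceding window.

    window_s is an assumption: it should cover the ASA's RADIUS timeout
    multiplied by its retry count, since the server is marked dead only
    after the retries go unanswered.
    """
    window = timedelta(seconds=window_s)
    drops = events(acs_log, "11021 ")
    result = []
    for dead in events(asa_log, "-113022:"):
        near = [d for d in drops if timedelta(0) <= dead - d <= window]
        result.append((dead, near))
    return result


if __name__ == "__main__":
    for dead, near in correlate(ASA_LOG, ACS_LOG):
        label = "preceded by 11021 drop" if near else "no 11021 drop in window"
        print(dead.isoformat(), label)
```

A 113022 event with no nearby 11021 drop points to a different cause, such as a real outage or network loss between the ASA and the ACS.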
