Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Authenticating SIP request, Using ACS configured as Radius

Hello everyone,

I have a Cisco 1112 SACS device configured as Radius server, the SIP servers are added to the ACS as Radius clients for server key: ?key? under authenticate using I choose ?Radius-IETF? for both Radius clients.

I setup users on the SIP server as follow ?1? and ?2? just for testing for calling to and from each other?

ACS Interface configuration for Radius-IETF for the Default Group I checked Login-TCP-port under group configuration Radius-IETF Login-TCP-Port I use port ?1812?.

On the ACS I setup users as follow ?1? and ?2? and the user configuration for both users are as followed Password Authentication: Cisco Secure Database and add the user to the default group.

My problem is when I call from phone 1 to phone 2 I get the message ?Authentication failed? up on checking the ACS failed log I can see the ACS communicating with both SIPS I also see the message ?Bad request from NAS?

Can anyone say what I?m missing and/or what I need to do so the ACS can authenticate the SIP request??

All I wan to accomplish is when the SIP sends a request to the ACS to check if the user is setup the ACS authenticate the user and sends the authorization response back to the SIPS.

Any help is appreciated.

  • AAA Identity and NAC

Re: Authenticating SIP request, Using ACS configured as Radius

Authentication can occur at a RADIUS server or at the proxy server.

Two types of authentication are supported: HTTP digest authentication and HTTP basic authentication.

Either type can occur at either location.

During authentication, the UAC password is stored as follows:

For RADIUS-supported authentication, it is stored at the RADIUS server. For proxy-supported authentication, it is stored in a subscriber table in a MySQL database.

The default authentication scheme is HTTP digest authentication performed at the Cisco SPS. When digest authentication and basic authentication are performed at the proxy server, the username, as found in the authorization header or the proxy-authorization header, is the key to query the MySQL database.

If authentication takes place at the RADIUS server, Cisco SPS passes the username as one of the attribute/value pairs to the RADIUS server, where it can be used to key the user search before authentication. Additionally, you can configure Cisco SPS to add any desired SIP headers as VSAs in the authentication request to the RADIUS server. More info:

For more info and configuration, please see:

This widget could not be displayed.