Authentication Failed to 2008 NPS from Cisco IOS VPN

ripnet
Level 1

I'm trying to authenticate VPN connections to a Windows 2008 NPS Radius server.

Local authentication works fine.

Here are the Cisco configs:

aaa new-model
aaa authentication login default local
aaa authentication login VPNauth group radius local
aaa authorization network VPNgroup local
aaa session-id common

ip radius source-interface Loopback0
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 xxxx


crypto map VPNMAP client authentication list VPNauth
crypto map VPNMAP isakmp authorization list VPNgroup
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
...

... other crypto commands

This is the section of the log from NPS:


Authentication Details:
    Connection Request Policy Name:    VPN
    Network Policy Name:        -
    Authentication Provider:        Windows
    Authentication Server:        x.x.x.x
    Authentication Type:        PAP
    EAP Type:            -
    Account Session Identifier:        -
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            16
    Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

I do have PAP enabled on the Network/Connection Request Policies...

I'm stuck

Please help

1 Accepted Solution

Yudong Wu
Level 7

Can you run a "test aaa " command to see if the user can be authenticated successfully?

I think this might be a configuration issue on NPS. You can google it. Here is one I found; refer to the "irishHam" post.

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bfbbbae4-a280-4b3f-b214-02867b7d33e3

Thanks,

Looks like the issue was the RADIUS shared key... It has to be 22 characters or longer. Mine was only 12.
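
Added example, not part of the original thread and not Cisco or Microsoft code: a Python sketch of RADIUS PAP password hiding (RFC 2865, section 5.2), showing why a shared-secret disagreement between the NAS and the server surfaces as a password mismatch like the Reason Code 16 entry above. The Access-Request authenticator is a random value rather than a keyed hash, so without a Message-Authenticator attribute the server cannot tell a wrong secret from a wrong password. The secrets, password and function names are constructed for illustration.

```python
import hashlib
import os

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """NAS side: build the User-Password value as in RFC 2865 section 5.2."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-byte blocks
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block  # next keystream block is chained on this ciphertext block
    return out

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: undo the hiding using the server's own copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def server_accepts(hidden: bytes, server_secret: bytes,
                   request_auth: bytes, stored_password: bytes) -> bool:
    """The password comparison the server can make after recovery."""
    return recover_password(hidden, server_secret, request_auth) == stored_password

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    password = b"Correct-Horse-42"
    nas_secret = b"constructed-secret-A"
    request_auth = os.urandom(16)  # random per request, not keyed by the secret
    hidden = hide_password(password, nas_secret, request_auth)
    for server_secret in (nas_secret, b"constructed-secret-B"):
        ok = server_accepts(hidden, server_secret, request_auth, password)
        print(server_secret.decode(), "->", "accept" if ok else "reject: password mismatch")
```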
