Cisco Support Community
New Member

Cisco ACS Radius configuration

Hello,

I am trying to configure RADIUS authentication on Cisco ACS but am running into an issue. When I configure my Network Device Group in AAA Client setup to be one of the RADIUS device groups, my authentications fail with the authentication failure code "CS password invalid", but when I change my Network Device Group to "Not Assigned", everything starts working.

On my AAA client, when authentications are failing, I am seeing

packet from RADIUS server <ip address>  fails verification:

Please note that the AAA client is a non-Cisco device.

Any suggestions?

Accepted Solutions
Cisco Employee

Re: Cisco ACS Radius configuration

It seems you're running ACS 4.x. You're facing this issue because the key defined on the NDG level (XYZ network device group in your case) overrides the key at the AAA client level. Please make sure that you don't have a different secret key on the AAA client inside the NDG and on the NDG itself.

Not assigned is working because there is no key defined in that NDG.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/NetCfg.html#wp342738

"Each device that is assigned to the Network Device Group will use the shared key that you enter here. The key that was assigned to the device  when it was added to the system is ignored. If the key entry is null, the AAA client key is used."

~BR
Jatin Katyal

**Do rate helpful posts**
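
Added example, not part of the thread and not Cisco code: a Python sketch of why a key mismatch produces both symptoms reported above, the server-side invalid-password failure and the client-side "fails verification" message. It assumes the server follows the key precedence quoted from the guide and the RFC 2865 User-Password and Response Authenticator algorithms; all function names and key values are hypothetical.

```python
import hashlib
import hmac
import struct

def effective_secret(ndg_key, client_key):
    # Precedence from the quoted guide: a non-null NDG key replaces the device key.
    return ndg_key if ndg_key else client_key

def _xor_chain(data, secret, req_auth, decrypting):
    # RFC 2865 5.2: b1 = MD5(S + RA), b(i) = MD5(S + c(i-1)); output = pad XOR block.
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        prev = data[i:i + 16] if decrypting else block
        out += block
    return out

def hide_password(password, secret, req_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, req_auth, decrypting=False)

def recover_password(hidden, secret, req_auth):
    return _xor_chain(hidden, secret, req_auth, decrypting=True).rstrip(b"\x00")

def response_authenticator(code, ident, attrs, req_auth, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def reply_verifies(reply, req_auth, secret):
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], req_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)

def simulate(ndg_key, acs_client_key, device_secret, password=b"constructed-pw"):
    """Return (server accepts password, device accepts the server's reply)."""
    req_auth = bytes(range(16))  # constructed; real clients send 16 random bytes
    server_secret = effective_secret(ndg_key, acs_client_key)
    hidden = hide_password(password, device_secret, req_auth)
    password_ok = recover_password(hidden, server_secret, req_auth) == password
    code = 2 if password_ok else 3  # Access-Accept or Access-Reject
    auth = response_authenticator(code, 1, b"", req_auth, server_secret)
    reply = struct.pack("!BBH", code, 1, 20) + auth
    return password_ok, reply_verifies(reply, req_auth, device_secret)

if __name__ == "__main__":
    print(simulate(b"ndg-key", b"device-key", b"device-key"))  # NDG key differs
    print(simulate(b"", b"device-key", b"device-key"))         # NDG key null
```

With a differing NDG key the server recovers a garbage password and signs its reply with a secret the device does not hold, so both checks fail; with a null NDG key the device-level key is used and both succeed.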

5 REPLIES

Cisco ACS Radius configuration

Which ACS version are you using?

ACS 4.0 is having this problem. If you are using the same, please update and try.

New Member

Cisco ACS Radius configuration

Hi Nkumarsr,

It is in fact ACS v4.0. Is there any Cisco bug/document related to this issue?

Thanks

New Member

Cisco ACS Radius configuration

Hi Jatin,

Thanks, that was the issue. When I first created the NDG, it did not pay attention to the field.

Cisco Employee

Cisco ACS Radius configuration

Glad to know, Zafar.

~BR
Jatin Katyal

**Do rate helpful posts**
