New Member

Cisco VPN Client - IOS 12.4 + ACS 4.0 Radius Authentication

In a scenario with Cisco VPN client terminating VPN to a router (IOS 12.4), authenticating with RADIUS to ACS 4.0 doesn't work, with this error:

Jan 29 09:26:29.137: RADIUS(00000421): Send Access-Request to 14.10.64.10:1645 id 1645/42, len 126
.....             
Jan 29 09:26:29.141: RADIUS: Received from id 1645/42 14.10.64.10:1645, Access-Reject, len 32
Jan 29 09:26:29.141: RADIUS:  authenticator 6A 0C 43 74 86 4C 2D 59 - C2 F3 FF 22 AA 5D D9 2A
Jan 29 09:26:29.141: RADIUS:  Reply-Message       [18]  12 
Jan 29 09:26:29.141: RADIUS:   52 65 6A 65 63 74 65 64 0A 0D                    [Rejected??]
Jan 29 09:26:29.141: RADIUS: response-authenticator decrypt fail, pak len 32


Configuration:
....
aaa group server radius RADIUS-ACE
server 14.10.64.10 auth-port 1645 acct-port 1646
ip vrf forwarding MANAGEMENT
ip radius source-interface Vlan406
.....
.....
radius-server attribute 44 include-in-access-req vrf MANAGEMENT
radius-server attribute 69 clear
radius-server attribute 6 on-for-login-auth
radius-server attribute 30 original-called-number
radius-server attribute 4 14.20.3.91
radius-server host 14.10.64.10 auth-port 1645 acct-port 1646 non-standard key 7 1511021F0725
radius-server challenge-noecho
radius-server vsa send cisco-nas-port
radius-server vsa send accounting
radius-server vsa send authentication


Obviously, the key is correctly configured. Do you know about any bug or problem with this scenario? We don't find any bug in bugtoolkit.

With TACACS instead of RADIUS, it works fine.

4 REPLIES

Re: Cisco VPN Client - IOS 12.4 + ACS 4.0 Radius Authentication

Hi Asans,

The error message appears if there is a mismatch in the shared key between the RADIUS server and the device. In ACS, if you have an NDG shared key configured, that will override the individual key configured on the aaa-client.


On ACS--->Network configuration--->NDG--->Edit Properties-->Shared key (You can either remove it or put a key that you want to use)


Also, such a problem can occur due to an invisible space " " character at the end of the key. I suggest you re-enter the key manually and try again.


Avoid copy/paste.


Regards,

~JG


Do rate helpful posts
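
The check behind the shared-key advice above, as an added example that is not part of the thread or any Cisco code: a RADIUS client recomputes the Response Authenticator (RFC 2865) with its own copy of the key, so a single stray trailing space on either side makes every reply fail verification. The keys, request authenticator and the `diagnose` helper are constructed for illustration; only the packet shape (Access-Reject, id 42, length 32, Reply-Message "Rejected") follows the debug output.

```python
import hashlib
import hmac
import struct

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    # Server side: sign the reply with the server's copy of the shared key.
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(packet, request_auth, secret):
    # NAS side: recompute the authenticator with the NAS copy of the key.
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:length], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

def diagnose(packet, request_auth, nas_secret):
    # Hypothetical helper: try the key as configured, then whitespace variants.
    if verify_reply(packet, request_auth, nas_secret):
        return "match"
    variants = ((nas_secret + b" ", "server key has a trailing space"),
                (nas_secret.rstrip(), "NAS key has trailing whitespace"))
    for candidate, label in variants:
        if candidate != nas_secret and verify_reply(packet, request_auth, candidate):
            return label
    return "mismatch"

# Constructed sample values (not taken from the thread's capture).
REQUEST_AUTH = bytes(range(16))                    # authenticator of the Access-Request
REPLY_MESSAGE = bytes([18, 12]) + b"Rejected\n\r"  # attribute 18, length 12
SERVER_SECRET = b"example-key "                    # server copy with a stray trailing space
NAS_SECRET = b"example-key"                        # router copy

# Access-Reject (code 3), id 42, total length 32 as in the debug output.
REPLY = build_reply(3, 42, REPLY_MESSAGE, REQUEST_AUTH, SERVER_SECRET)

if __name__ == "__main__":
    print(len(REPLY), diagnose(REPLY, REQUEST_AUTH, NAS_SECRET))
```
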

New Member

Re: Cisco VPN Client - IOS 12.4 + ACS 4.0 Radius Authentication

Hi,

Shared-key is correct and we configured it manually in order to avoid problems with "cut & paste".

We have reviewed this issue and we don't know the reason why it fails...

Any idea?

Thanks for your help.

Re: Cisco VPN Client - IOS 12.4 + ACS 4.0 Radius Authentication

Did you check NDG key in ACS?

New Member

Re: Cisco VPN Client - IOS 12.4 + ACS 4.0 Radius Authentication

Yes, we have checked the NDG key in ACS .... (more than three times......)


Is some incompatibility between IOS 12.4 and ACS 4.0 possible?
