Cisco Support Community
Community Member

Authentication problem with Cisco 3005 and MS RADIUS

I am trying to set up authentication for VPN clients (software) to a Cisco 3005 concentrator through MS RADIUS on win2k server. I have gone through the Cisco example configurations, which worked great for setting up hardware clients, but are not working for my software clients.

When trying to authenticate win2k server, test authentication from the concentrator works fine. The client does not see any error message; it just goes through the process and disconnects.

The client log is showing (sorry if this is a little long):

40 08:15:55.296 11/11/05 Sev=Info/5 IKE/0x6300003C

Received a DELETE payload for IKE SA with Cookies:

I_Cookie=508F2B7F7B7C8497 R_Cookie=35DCC0259EE6FD37

41 08:15:55.296 11/11/05 Sev=Info/4 IKE/0x63000013


42 08:15:55.296 11/11/05 Sev=Info/4 IKE/0x63000048

Discarding IPsec SA negotiation, MsgID=075ECA6A

43 08:15:55.296 11/11/05 Sev=Info/4 IKE/0x63000017

Marking IKE SA for deletion (I_Cookie=508F2B7F7B7C8497

R_Cookie=35DCC0259EE6FD37) reason =


44 08:15:55.718 11/11/05 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

45 08:15:56.218 11/11/05 Sev=Info/4 IKE/0x6300004A

Discarding IKE SA negotiation (I_Cookie=508F2B7F7B7C8497

R_Cookie=35DCC0259EE6FD37) reason =


46 08:15:56.218 11/11/05 Sev=Info/4 IKE/0x63000001

IKE received signal to terminate VPN connection

47 08:15:56.218 11/11/05 Sev=Info/4 IKE/0x63000085

Microsoft IPSec Policy Agent service started successfully

48 08:15:56.718 11/11/05 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

49 08:15:56.718 11/11/05 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

50 08:15:56.718 11/11/05 Sev=Info/4 IPSEC/0x63700014

Deleted all keys

51 08:15:56.718 11/11/05 Sev=Info/4 IPSEC/0x6370000A

IPSec driver successfully stopped

The concentrator log shows the following:

10849 11/11/2005 08:26:48.630 SEV=4 IKE/52 RPT=115

Group [IndividualNT] User [<username>]

User (<username>) authenticated.

10850 11/11/2005 08:26:48.640 SEV=5 IKE/184 RPT=106

Group [IndividualNT] User [<username>]

Client OS: WinNT

Client Application Version: 4.0.1 (Rel)

10852 11/11/2005 08:26:49.480 SEV=4 IKE/119 RPT=145

Group [IndividualNT] User [<username>]


10853 11/11/2005 08:26:49.490 SEV=5 IKE/25 RPT=3768

Group [IndividualNT] User [<username>]

Received remote Proxy Host data in ID Payload:

Address, Protocol 0, Port 0

10856 11/11/2005 08:26:49.490 SEV=5 IKE/34 RPT=3906

Group [IndividualNT] User [<username>]

Received local IP Proxy Subnet data in ID Payload:

Address, Mask, Protocol 0, Port 0

10859 11/11/2005 08:26:49.490 SEV=4 IKE/1 RPT=480

Group [IndividualNT] User [<username>]

Received invalid phase 2 L2TP/IPSec Responder ID payload

Expected ID: Type 1, Proto 17, Port 1701, Addr

Received ID: Type 4, Proto 0, Port 0, Addr

10863 11/11/2005 08:26:49.490 SEV=4 IKEDBG/0 RPT=517

QM FSM error (P2 struct &0x1d284fc, mess id 0x2b2a1a0a)!

10864 11/11/2005 08:26:49.490 SEV=4 IKEDBG/65 RPT=1036

Group [IndividualNT] User [<username>]

IKE QM Responder FSM error history (struct &0x1d284fc)

<state>, <event>:





I've been working on this for 2 days, and can't figure out why clients can't connect. Any help would be greatly appreciated.
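Added example, not part of the original thread or of any Cisco tooling: a small triage script for concentrator logs in the layout posted above. It pairs the "authenticated" event with the later phase 2 ID payload rejection, so the report shows that the session fails after user authentication has already succeeded. The sample log, the user name `alice` and the function names are constructed for illustration; the ID type names come from RFC 2407.

```python
import re

# Constructed sample in the layout of the concentrator log from the post.
SAMPLE = """\
10849 11/11/2005 08:26:48.630 SEV=4 IKE/52 RPT=115
Group [IndividualNT] User [alice]
User (alice) authenticated.
10859 11/11/2005 08:26:49.490 SEV=4 IKE/1 RPT=480
Group [IndividualNT] User [alice]
Received invalid phase 2 L2TP/IPSec Responder ID payload
Expected ID: Type 1, Proto 17, Port 1701, Addr
Received ID: Type 4, Proto 0, Port 0, Addr
"""

HEADER = re.compile(r"^(\d+) (\S+ \S+) SEV=(\d+) (\S+)/(\d+) RPT=(\d+)$")
USER = re.compile(r"^Group \[(.*?)\] User \[(.*?)\]$")
ID_LINE = re.compile(r"^(Expected|Received) ID: Type (\d+), Proto (\d+), Port (\d+)")
# ISAKMP identification type values as defined in RFC 2407
ID_TYPES = {1: "ID_IPV4_ADDR", 4: "ID_IPV4_ADDR_SUBNET"}

def parse_events(text):
    """Split the log into events: one header line plus its detail lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            events.append({"seq": int(m[1]), "class": m[4], "event": int(m[5]),
                           "user": None, "detail": []})
        elif line and events:  # blank lines (as in the pasted log) are skipped
            u = USER.match(line)
            if u:
                events[-1]["user"] = u[2]
            else:
                events[-1]["detail"].append(line)
    return events

def triage(text):
    """Report phase 2 ID mismatches and whether the user had authenticated."""
    authed, findings = set(), []
    for ev in parse_events(text):
        if any(d.endswith("authenticated.") for d in ev["detail"]):
            authed.add(ev["user"])
        ids = {m[1]: tuple(map(int, m.groups()[1:]))
               for m in map(ID_LINE.match, ev["detail"]) if m}
        if len(ids) == 2 and ids["Expected"] != ids["Received"]:
            findings.append({"seq": ev["seq"], "user": ev["user"],
                             "authenticated": ev["user"] in authed,
                             "expected": ids["Expected"], "received": ids["Received"],
                             "received_type": ID_TYPES.get(ids["Received"][0], "other")})
    return findings
```

Each finding lists the expected and received ID as (type, protocol, port); for the values in the posted log that is (1, 17, 1701), an IPv4 address on UDP port 1701 (L2TP), against (4, 0, 0), an IPv4 subnet with no protocol or port restriction.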


Re: Authentication problem with Cisco 3005 and MS RADIUS

Some RADIUS servers do not support MSCHAPv1 or MSCHAPv2 user authentication. If you are using a RADIUS server that does not support MSCHAP (v1 or v2), you must configure the Base Group's PPTP authentication protocol to use PAP and/or CHAP and also disable the MSCHAP options. Examples of RADIUS servers that do not support MSCHAP are the Livingston v1.61 RADIUS server or any RADIUS server based on Livingston code. For more information refer to the following URL:

Community Member

Re: Authentication problem with Cisco 3005 and MS RADIUS

Thanks for the response. I see that I should have been more specific in my post; I am using Microsoft IAS as a RADIUS server, in addition to which, I have tried changing authentication protocols to no avail. The current configuration comes closest to working, and produces the output seen above. Other configurations either disconnect before asking for a password, or do not accept the password. The current behavior is that the client software (Cisco VPN client) asks for the password, appears to accept it, then disconnects without any error message on the client side at all.

Community Member

Re: Authentication problem with Cisco 3005 and MS RADIUS


Were you able to solve this issue? I am having the exact same problem. VPN with ISA as RADIUS auth was working fine up until last week. All of a sudden VPN with ISA auth stopped working with the exact same error as above. I suspect a Microsoft hotfix but do not know which one as there are millions of them every week. Any information would be greatly appreciated.
