Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Pix TACACS+/Radius client authentication


I'm in the process of setting up our Pix 515E (ver 6.1(4)) to act as a VPN endpoint for remote users (mainly Windows OS clients). I wanted to eliminate the need to download the Cisco VPN client software (using Windows built-in VPN capabilities). So far I've successfully setup the Pix to work with Win2k / XP (the client OSs we're dealing with) using local client authentication, but haven't been able to get the Pix to authenticate with our Cisco ACS server (NT, ver 2.4). I know it's an old version, but I'd think it would be able to accomplish the simple task of verifying the entered username/password. We're using the ACS for permissions and monitoring/logging on our routers, etc. for this purpose. When I enter the client authentication mode for the vpdn group like so:

vpdn group 1 client authentication aaa OVHDauth

I get the following error: "Error 781: The encryption attempt failed because no valid certificate was found."

When I use radius (cisco or the ietf mode) I get "Error 742: The remote computer does not support the required data encryption type." Doesn't the pix just pass the user's credentials to the radius server?

Thanks in advance for your help,


ovt Bronze

Re: Pix TACACS+/Radius client authentication

It depends on tunnel type. For example, PPTP encryption (MPPE) works

with LOCAL or RADIUS only and MS-CHAP and CS ACS 3.0 or later

is required. If you use PPTP try to disable encryption on the client first.

Oleg Tipisov,



New Member

Re: Pix TACACS+/Radius client authentication


Thanks for the response. We're using CS ACS 2.4 and I was trying it with TACACS. I guess I'll have to wait until we upgrade our ACS to a new version before using any authentication beyond local!


Tim C

New Member

Re: Pix TACACS+/Radius client authentication

If you are trying to do IPSec over L2TP with the Microsoft client then you need a digital certificate for the client. There is a reg hack you can use to disable IPSec encryption and get the MS client to work, but then you are only tunneling the packets so what's the point. The Cisco VPN client will let you use a static key (not the ideal solution).

If you want to use the MS client and not do the dig cert thing then I'm pretty sure you'll have to go with PPTP.

CreatePlease to create content