This issue can occur in either of these situations:
The key on the VPN concentrator and the RADIUS server are different.
The RADIUS server is not in the top list when multiple authentication methods are configured.
In order to resolve this issue, complete these steps:
In order to test authentication, choose Configuration > System > Servers > Authentication > Test. Test a known username and password combination from the Cisco VPN 3000 Concentrator to see if it is successful.
If authentication fails, try to ping the RADIUS server from the VPN concentrator.
If the ping is unsuccessful, it is likely a routing issue that can be related to a misconfigured default gateway or subnet mask that sets on the server itself.
If the RADIUS server is not directly connected to the inside interface of the VPN concentrator, make sure there is a static route on the concentrator for the RADIUS server or the subnet.
If the ping is successful but authentication fails, choose Configuration > System > Events > Classes and add AUTH, AUTHDECODE and AUTHDBG with a log severity of 1 to 13.
In order to test this further, issue the test authentication command and check the live event viewer in order to see the output of the VPN concentrator logs.
Ensure that the key on both the VPN concentrator and the RADIUS server are the same.
If multiple authentication methods are to be configured, then ensure that the RADIUS server is at the top of the list on the VPN concentrator.
Note: The VPN concentrator uses only Password Authentication Protocol (PAP) when the Test feature is used.
In order to use MS-CHAP, you configure the radius-with-expiry command in the tunnel-group. This forces the Concentrator to use MS-CHAP.