Cisco Support Community
TACACS+ or RADIUS authentication fails to work with the PIX firewall

Core issue

Authentication can fail for many reasons, but these are two of the commonly known reasons:

  • The PIX firewall cannot reach the authentication server.

  • The Authentication, Authorization, and Accounting (AAA) server does not respond to the authentication request from the PIX before the authentication request times out.


In order to resolve this issue, complete these steps:

  1. Check the connectivity between the PIX and the server:
    • If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.

      aaa-server group_tag (if_name) host server_ip key timeout 5

    • If Terminal Access Controller Access Control System (TACACS+) is used, verify that the PIX and the server communicate on the same port, Transmission Control Protocol (TCP) port 49.

    • If Remote Authentication Dial-In User Service (RADIUS) is used, verify that the PIX and the server communicate on the User Datagram Protocol (UDP) port 1645. Or, if the RADIUS server uses port 1812, verify that the PIX uses software version 6.0 or later. Then, issue the aaa-server radius-authport 1812 command in order to specify port 1812.

  2. Ensure that the secret key is correct.

  3. If the network traffic is extremely high, or packet loss is present, increase the timeout for authentication requests. From the PIX command line interface, issue the aaa-server group_tag (if_name) host server_ip key timeout seconds command, and increase the time in seconds to a larger value, such as 20 or 30 seconds. Check the server logs for failed attempts. All servers have some kind of logging function.
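Step 2 and the timeout in the second core issue are related: with RADIUS, a reply signed with the wrong shared secret fails the Response Authenticator check and is silently discarded, so a secret mismatch looks like a server that never answers. The following is an added example (not Cisco's code or configuration) that models one PAP Access-Request/response exchange per RFC 2865 with a constructed user "alice" (stored password s3cret!) and constructed secrets, and shows how the PIX-side outcome differs between a correct secret, a wrong password and a mismatched secret:

```python
import hashlib
import os
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3          # RADIUS packet codes (RFC 2865)

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous ciphertext chunk)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username, password, secret, ident=1):
    """PIX side: Access-Request carrying User-Name (type 1) and the hidden User-Password (type 2)."""
    authenticator = os.urandom(16)
    attrs = struct.pack("BB", 1, 2 + len(username)) + username
    hidden = hide_password(password, secret, authenticator)
    attrs += struct.pack("BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def server_respond(request, secret, user_db):
    """Server side: unhide with its own secret; reply signed as MD5(Code+ID+Len+ReqAuth+Attrs+Secret)."""
    req_auth, pos, attrs = request[4:20], 20, {}
    while pos < len(request):                               # walk the TLV attribute list
        attrs[request[pos]] = request[pos + 2:pos + request[pos + 1]]
        pos += request[pos + 1]
    ok = unhide_password(attrs[2], secret, req_auth) == user_db.get(attrs[1])
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def client_outcome(request, response, secret):
    """PIX side: a reply whose Response Authenticator does not verify is silently discarded."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if response[4:20] != expected:
        return "discarded"                      # the PIX keeps waiting and then reports a timeout
    return "accepted" if response[0] == ACCESS_ACCEPT else "rejected"

def simulate(client_secret, server_secret, password=b"s3cret!"):
    req = build_access_request(b"alice", password, client_secret)
    resp = server_respond(req, server_secret, {b"alice": b"s3cret!"})   # constructed user database
    return resp[0], client_outcome(req, resp, client_secret)
```

A mismatched secret produces an Access-Reject on the server (the unhidden password is garbage) that the PIX cannot verify and drops, which is why the server log shows a failed attempt while the PIX reports a timeout; raising the timeout in step 3 does not help in that case.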

Problem Type

Connectivity to the device

Troubleshoot software feature

Product Family

Cisco Secure access control server

Firewall - PIX 500 series