Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

VPN Clients are unable to authenticate to an IAS RADIUS server after an upgrade of the Cisco ASA/PIX to version 7.2.1

Core issue

This problem occurs due to the presence of Cisco bug ID CSCsf27202.

VPN authentication fails after an upgrade of the Adaptive Security Appliance (ASA) software version from 7.1(1) to 7.2(1). In 7.1(1) and earlier versions. RADIUS requests were sent to the RADIUS server with the NAS-Port-Type of Virtual. In version 7.2(1), the NAS-Port-Type is not set.

These examples from the Microsoft RADIUS logs show success from 7.1(1) and a failure from 7.2(1):

Success Example on 7.1(1)

User WOUND\lremcgui was granted access.
Fully-Qualified-User-Name = wound.san/lr/Users/McGuire, Emily
NAS-IP-Address =
NAS-Identifier =
Client-Friendly-Name = lrnasa5520
Client-IP-Address =
Calling-Station-Identifier =
NAS-Port-Type = Virtual
NAS-Port = 182
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = VPN Client Connections
Authentication-Type = MS-CHAPv2
EAP-Type =


As a workaround, do not use password management and downgrade the Cisco ASA/PIX to version 7.1. Refer to Tunnel-group general-attributes for more information.

Version history
Revision #:
1 of 1
Last update:
‎06-22-2009 04:37 PM
Updated by:
Labels (1)