Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member



I'm trying to get a VPN connection in to an SA520 to authenticate with RADIUS to a Windows server.

We are using the ShrewSoft VPN client. I've got it working fine with the SA520's internal database, but I cannot get authentication working when I switch it to RADUIS.

I'm not entirely confident that I've got the NAP server set up on the Windows 2008 Server, but if anyone has any advice on the SA520 front then if I know that is correct I can tackle the server after.



Cisco Employee


Hi Adam,

To setup RADIUS authentication of VPN Client connections, you have to do a couple on steps on the SA 520.  First define your RADIUS server to the SA:  on the SA Web Configuration Utility, go to the Administration Menu select RADIUS Server on the navigation pane to open Radius Server Page. Click Add to enter the config page to enter your Radius Server's configuration and importantly the Shared Secret.

Next, since you already have working VPN remote access policies, you just need to switch the extended authentication of your users from the Internal User Database to XAUTH Configuration: Edge Device and the Authentication type: Radius - CHAP or PAP. First you need to stop the Associated VPN Policies of the IKE Policy that you want to modify.

1) Select the VPN Menu, click VPN Policies on the navigation pane, then checkmark the VPN Policies that are associate with your IKE Policy (Shrew), and finally Click Disable to temporarily stop these Policies.

2) Click IKE Policies, then click the Edit icon to modify the Policy that your Shrew Clients use.

3) Change the Extended Authentication settings as stated above: XAUTH Configuration: Edge Device and the Authentication type:  Radius - CHAP or RADIUS - PAP depending on your 2008 server config.

4) Now go back to the VPN Policies Page, and re-Enable the policies that you had to temporarily disable to edit the IKE Policy.

This should help you get there...Let us know how this worked out for you.

BTW, make sure you you are not blocking  fragmented packets on the SA, or you will have problems getting authenticated by the Radius server.



New Member


Hi folks,

I try to configure a SA 520 IPSec VPN with Radius authentication and I've exactly the same problem. My config is :

SA520w with Block Fragmented Packets disabled

Primary Firmware Version:2.1.18
Secondary Firmware Version:1.1.42

Radius Server on OS X Server 10.6.7

I setup IPSec VPN for Mac OS X and iOS remote device, I've setup my VPN for RemoteAccess with the wizard by checking the Cisco VPN Client option. If I try from iOS or OS X with VPN setup on local database, everything work really well. As long I switch on Radius with Chap, nothing work.

I've try to connect from built-in OS X / iOS Cisco VPN client and with VPN Tracker and I got the same result, I can't connect to my VPN. On client no special error message, just I can't be authenticated. On the Server, if I read the system logs, I've nothing, I see the XAUTH request and then nothing, the connexion is closed. On the Radius Server I can't see any incoming request.

Someone can explain to me what I've missed ?

Best regards,

Yoann Gini

Cisco Employee


Hi Yoann,

The first things that you should verify are the Radius Server information as stored on your SA500.  Verify the RADIUS Server's IP address, Authentication Port used, and Shared Secret phrase match those of your RADIUS server.  On the SA500's Web Configuration Utility, navigate to the Administartion -> RADIUS Server page, and make sure the RADIUS server information listed matches your environment.

If properly configured, perform a packet capture between the SA500 and the RADIUS server to verify requests and responses are being exchanged between the SA500 and your Radius Server.

There is a nice utility that can test your RADIUS server settings...



New Member


Hi Julio,

Thank for your answer. I've planed to check the communication with tcpdump as soon as possible yes.

About NTRadPing, it's not useful for me, I work on Mac OS X. Do you know an other tool, make for Unix and with sources available ? I've found a lot of Unix tools but only in binaries for Linux, Solaris, FreeBSD, but not Darwin or sources… So if you know one, I'm really interested !

Best regards,


New Member


OK, I don't know why but now it's work.

I haven't change anythings since my last test and now it's work well. The only things happening between my two test is an electric reboot of the router…


CreatePlease login to create content