New Member

SA540 to Windows 2008 Radius Authentication Failure

I am having trouble getting my SA540 small business router to authenticate.

Problem 1) Authentication fails with Windows 2008 radius server

Problem 2) Digicert 3rd party SSL certificate fails to load into Self Signed Certificates


Step 1: Configure Radius client on Windows 2008

I configured the settings for

* Friendly Name: SA540

* IP/DNS: LAN address of Cisco SA540

* Secret: xxxx

I tried two vendor settings: RADIUS Standard and Cisco

I left the boxes unchecked for:

* Require access requests to contain the Message Authentication Attribute

* NAP capable

Step 2: Configure Connection Request Policy on Windows 2008


* Name: SA540

* Enable policy: checked

* Network Connection Method: Unspecified


* Client Friendly Name (must match Radius Client Name above)


* Required Authentication Methods:

- Check box for Override network policy authentication settings

- CHAP (always fails), PAP (a test worked from inside LAN using a radius test utility)

- I would like to use certificates for authentication but my digicert will not load into the SA540 3rd party cert area

* Forwarding Connection Requests:

- Authenticate requests on this server (checked)

* Radius Attributes:

- I want to have a login prompt sent to the Cisco VPN client being authenticated but am unclear what attributes are required

- I chose "Standard: Login-IP-Host" = (IP address of Active Directory Server)


Step 1: Use IPSEC VPN Wizard to create IKE and VPN policies

* VPN Type:  Remote Access

* Enable Cisco Client (checked)

* Name

* Key

* WAN Interface

* Remote GW: FQDN = URL that is on my 3rd party certificate (

Step 2: Change authentication to radius

* VPN - VPN Policies: disable vpn policy

* VPN - IKE Policies: change IKE policy

* Authentication Type: Radius - PAP or Radius - CHAP

* Click Apply

* note that the help file says that there should also be MS-CHAP and MS-CHAPv2 but they do not appear

Step 3: Configure Dynamic IP Range

* VPN - IPSEC - Dynamic IP Range:

- Split tunnel (only remote traffic goes through tunnel)

- Start/End IP address: New IP segment with DHCP for VPN users

* Split DNS Names: Active Directory domain (docvera.local)

Step 4: Add Authentication Certificates (if you use them)

* Administration - Authentication: My digicert 3rd party SSL certificate will not load into the Self Certificates area

Step 5: Configure Radius Server

* Administration - RADIUS server:

* IP address

* Authentication port: 1812 (also tried 1645)

* Secret

* Timeout: 180

* Retries: 3


* Cisco VPN Client v5.0.07 connects fine when using Local Users but always fails to the radius server

* I ran wireshark and could NOT find:

- requests from the SA540 LAN IP address

- packets using UDP port 1812 (or 1645 when I tested it)

* Cisco VPN client gets an error message 413

* Connection tests to the radius server test utility from inside the LAN work with PAP but not CHAP


* Clients today failed to connect using local user database.

* I deleted the VPN and IKE policy, added them back and then the users could connect

In sum:

* I hope to get radius authentication working

* I hope to get 3rd party certificates working for authentication

New Member

SA540 to Windows 2008 Radius Authentication Failure

I checked the Windows NPS Event log and found a CHAP authentication error: the user could not be authenticated using CHAP because a reversibly encrypted password does not exist for this account.

* Windows Security Event 6273
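
Added example (not part of the original posts): a sketch of the RFC 2865 PAP and CHAP checks showing why a RADIUS server can verify PAP against a one-way password hash but needs the recoverable password for CHAP, which is what the NPS error above refers to. The shared secret, password and authenticator are constructed values, and SHA-256 stands in for the directory's one-way hash.

```python
import hashlib
import hmac

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side, RFC 2865 5.2: XOR the padded password with an MD5 keystream."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], _md5(secret + prev)))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the shared secret alone recovers the typed password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, _md5(secret + prev)))
        prev = block
    return out.rstrip(b"\x00")

def check_pap(hidden, secret, authenticator, stored_hash: bytes) -> bool:
    """A one-way hash is enough: recover the password, hash it, compare."""
    typed = pap_recover(hidden, secret, authenticator)
    # Assumption: SHA-256 stands in for the directory's one-way password hash.
    return hmac.compare_digest(hashlib.sha256(typed).digest(), stored_hash)

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: MD5(CHAP ident || password || challenge)."""
    return _md5(bytes([chap_id]) + password + challenge)

def check_chap(chap_id, response, challenge, recoverable_password) -> bool:
    """The server must recompute the MD5, so it needs the password itself."""
    if recoverable_password is None:  # only a one-way hash is stored
        return False
    expected = chap_response(chap_id, recoverable_password, challenge)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    secret, pw, ra = b"constructed-secret", b"Constructed-Passw0rd!", bytes(range(16))
    print("PAP with hash only: ", check_pap(pap_hide(pw, secret, ra), secret, ra,
                                            hashlib.sha256(pw).digest()))
    print("CHAP with hash only:", check_chap(7, chap_response(7, pw, ra), ra, None))
    print("CHAP with password: ", check_chap(7, chap_response(7, pw, ra), ra, pw))
```

PAP's hiding depends only on the RADIUS shared secret, so the password is exposed to anyone who holds that secret and captures the request.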