04-11-2012 08:14 AM - edited 03-10-2019 06:59 PM
Hi
I'm running an ASA5580 to terminate remote access VPN. The ASA sends RADIUS requests to an ACS 5.2 for authentication. The ACS then connects via LDAP to the Active Directory to authenticate the VPN user. So far, this works fine.
But the ASA regularly marks the RADIUS server as dead (Syslog-ID 113022), and after a while, it is marked as alive again. Now, I found out that this happens when I try to connect with AnyConnect without entering a username. The ACS drops the request with this message: "11021 RADIUS could not decipher password. packet missing necessary attributes" and does not answer the ASA. So the ASA believes the ACS is dead.
Is there any solution for that? Or am I totally wrong with my findings?
Thanks
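To show what the ACS is complaining about, here is an added example (written for this thread, not Cisco's or the ACS's code) that encodes a RADIUS Access-Request and applies the RFC 2865 section 4.1 rule that a server checks before it can evaluate a login: the request must carry User-Password, CHAP-Password or State, and a usable User-Name. The shared secret and authenticator are constructed demo values. A request with no username and no password fails those checks, which is the case the ACS drops without replying.

```python
import hashlib
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, STATE = 1, 2, 3, 24
# Constructed values for the demo; a real shared secret never lives in code.
DEMO_SECRET = b"demo-shared-secret"
DEMO_AUTHENTICATOR = bytes(range(16))  # normally 16 random bytes per request

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * ((-len(password)) % 16)
    padded = padded or b"\x00" * 16          # an empty password still yields one block
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def build_access_request(ident: int, authenticator: bytes, attrs) -> bytes:
    """Encode an Access-Request: 20-byte header followed by type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body

def parse_attributes(packet: bytes):
    """Return (code, {type: value}); refuse inconsistent lengths rather than read past the buffer."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return code, attrs

def check_access_request(packet: bytes) -> list:
    """List what stops a RADIUS server from evaluating the request (empty list = well-formed)."""
    code, attrs = parse_attributes(packet)
    problems = []
    if code != ACCESS_REQUEST:
        problems.append("not an Access-Request")
    if not any(t in attrs for t in (USER_PASSWORD, CHAP_PASSWORD, STATE)):
        problems.append("no User-Password, CHAP-Password or State attribute")
    if not attrs.get(USER_NAME):
        problems.append("User-Name missing or empty")
    return problems

# Constructed samples: a normal PAP request, and the attribute-less one the thread describes.
GOOD = build_access_request(1, DEMO_AUTHENTICATOR, [
    (USER_NAME, b"vpnuser"),
    (USER_PASSWORD, encode_user_password(b"Secret123", DEMO_SECRET, DEMO_AUTHENTICATOR))])
EMPTY = build_access_request(2, DEMO_AUTHENTICATOR, [])
```

Whether the server answers a malformed request with an Access-Reject or silently discards it is a server-side policy; the ASA only counts the silence.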
04-15-2012 09:56 AM
Check the actions for when authentication fails that correspond to the applicable policy on ACS. It's probably set to "drop". Change it to "reject" and re-test.
04-15-2012 02:13 PM
Thanks for your reply
All of the Actions are set to reject:
"If authentication failed", "If user not found", "If process failed"
Are there other ideas? Is this not a known issue?