ACS not responding to Radius Requests with empty username

t.erdin
Level 1

Hi

I'm running an ASA5580 to terminate remote access VPN. The ASA sends RADIUS requests to an ACS 5.2 for authentication. The ACS then connects via LDAP to Active Directory to authenticate the VPN user. So far, this works fine.

But the ASA regularly marks the RADIUS server as dead (Syslog-ID 113022), and after a while, it is marked as alive again. Now, I found out that this happens when I try to connect with AnyConnect without entering a username. The ACS drops the request with this message: "11021 RADIUS could not decipher password. packet missing necessary attributes" and does not answer the ASA. So the ASA believes the ACS is dead.

Is there any solution for that? Or am I totally wrong with my findings?

Thanks

2 Replies

Check the actions for when authentication fails that correspond to the applicable policy on ACS. It's probably set to "drop". Change it to "reject" and re-test.

Thanks for your reply

All of the Actions are set to reject:

"If authentication failed", "If user not found", "If process failed"

Are there other ideas? Is this not a known issue?