ripnet
Beginner

Authentication Failed to 2008 NPS from Cisco IOS VPN

I'm trying to authenticate VPN connections to a Windows 2008 NPS Radius server.

Local authentication works fine.

Here are the Cisco configs:

aaa new-model
aaa authentication login default local
aaa authentication login VPNauth group radius local
aaa authorization network VPNgroup local
aaa session-id common

ip radius source-interface Loopback0
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 xxxx


crypto map VPNMAP client authentication list VPNauth
crypto map VPNMAP isakmp authorization list VPNgroup
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
...

... other crypto commands

This is the section of the log from NPS:


Authentication Details:
    Connection Request Policy Name:    VPN
    Network Policy Name:        -
    Authentication Provider:        Windows
    Authentication Server:        x.x.x.x
    Authentication Type:        PAP
    EAP Type:            -
    Account Session Identifier:        -
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            16
    Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

I do have PAP enabled on the Network/Connection Request Policies...

I'm stuck

Please help

1 ACCEPTED SOLUTION

Accepted Solutions
Yudong Wu
Rising star

Can you run a "test aaa" command to see if the user can be authenticated successfully?

I think this might be a configuration issue on NPS. You can google it. Here is one I found; refer to the "irishHam" post.

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bfbbbae4-a280-4b3f-b214-02867b7d33e3

Thanks,

Looks like the issue was the RADIUS shared key... It has to be 22 characters or longer. Mine was only 12.
