Authentication Failed to 2008 NPS from Cisco IOS VPN

ripnet
Level 1

I'm trying to authenticate VPN connections to a Windows 2008 NPS RADIUS server.

Local authentication works fine.

Here are the Cisco configs:

aaa new-model
aaa authentication login default local
aaa authentication login VPNauth group radius local
aaa authorization network VPNgroup local
aaa session-id common

ip radius source-interface Loopback0
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 xxxx


crypto map VPNMAP client authentication list VPNauth
crypto map VPNMAP isakmp authorization list VPNgroup
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
...

... other crypto commands

This is the section of the log from NPS:


Authentication Details:
    Connection Request Policy Name:    VPN
    Network Policy Name:        -
    Authentication Provider:        Windows
    Authentication Server:        x.x.x.x
    Authentication Type:        PAP
    EAP Type:            -
    Account Session Identifier:        -
    Logging Results:            Accounting information was written to the local log file.
    Reason Code:            16
    Reason:                Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.

I do have PAP enabled on the Network/Connection Request Policies...

I'm stuck

Please help

Accepted Solutions

Yudong Wu
Level 7

Can you run a "test aaa" command to see if the user can be authenticated successfully?

I think this might be a configuration issue on NPS. You can google it. Here is one I found; refer to the "irishHam" post.

http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bfbbbae4-a280-4b3f-b214-02867b7d33e3

Thanks,

Looks like the issue was the RADIUS shared key... It has to be 22 characters or longer. Mine was only 12.