Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


VPN Concentrator-ACS 3.1-Radius Error "Bad request from NAS"

I have configured my VPN concentrator for Radius authentication (Cisco ACS 3.1) which uses Active Directory Database for authenticating remote vpn clients. I do not have any problems with the authentication. But in ACS console, under Reporting--Failed Attempts--> I see many log entries with the message "Bad request from NAS"

What does this message indicate and how can I rectify this?




Probably This message indicates that a network device does requests of authentication toward RADIUS, but this device is not "registered" on ACS.

In order to permit to a network device (say..router, switch, VPN Concentrator, firewall and so on) to make requests of authentication you must insert it in the table (of ACS) of the network devices authorized to make requests (called NAS).

Probably The message you see is caused by a network device not authorized (not inserted in the table of NAS) to make requests of authorization.

Check also the shared secret.

I hope this helps.

Best regards.


The device is registered in the ACS and remote VPN users are able to login with out any issues.

My query is why am I getting "BAD request from NAS" message under Fialed Authentication

The device is registered in the ACS and remote VPN users are able to login with out any issues.

My query is why am I getting "BAD request from NAS" message under Failed Authentication

This message comes when there is shared secret mismatch.



Do rate helpful posts

If there is a mismatch, authentication of remote vpn clients should not work right?

hello !

I have the same error.

I installed Cisco ACS 4.2 on windows 2003 SP2 and VPN users can authenticate on AD server. Now I'm implementing password expiry feature.

but it not working. In ACS failed attempts log I have this log:

11/29/201017:21:58Bad request from NAS..Default Group..(Default)
11/29/201017:21:51Authen failedmydomain\vpnuser1Default Group..(Default)Windows user must change password

In VPN Client Enter New Pin window appearing but when user enters new password it rejects.

Could anyone help ?

If you look in the CSRadius service log you might get a better idea for what the problem is.

Or you can "net stop csradius" then run "csradius -z -p" from the command line to run it and see debug. Basically, CSRadius will spit out "Bad request from NAS" for anything that looks like a physically malformed RADIUS packet or a packet that doesnt appear to support the RFC.

It could be a wrong shared secret... but that should prevent ANY authentication working.

If you know what the incoming RADIUS packets looks like (that causes the error) you're half way to fixing it

Recognize Your Peers
Content for Community-Ad

ISE Webinars

Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube