VPN Concentrator-ACS 3.1-Radius Error "Bad request from NAS"

I have configured my VPN concentrator for RADIUS authentication (Cisco ACS 3.1) which uses Active Directory Database for authenticating remote VPN clients. I do not have any problems with the authentication. But in ACS console, under Reporting--Failed Attempts--> I see many log entries with the message "Bad request from NAS".

What does this message indicate and how can I rectify this?

Thanks


Re: VPN Concentrator-ACS 3.1-Radius Error "Bad request from NAS"

Hi,

This message probably indicates that a network device is making authentication requests to RADIUS, but this device is not "registered" on ACS.

In order to permit a network device (say, a router, switch, VPN Concentrator, firewall and so on) to make authentication requests, you must insert it in the ACS table of network devices authorized to make requests (called NAS).

The message you see is probably caused by a network device that is not authorized (not inserted in the table of NAS) to make authorization requests.

Check also the shared secret.

I hope this helps.

Best regards.

Massimiliano.


Re: VPN Concentrator-ACS 3.1-Radius Error "Bad request from NAS"

The device is registered in the ACS and remote VPN users are able to log in without any issues.

My query is: why am I getting the "BAD request from NAS" message under Failed Authentication?


Re: VPN Concentrator-ACS 3.1-Radius Error "Bad request from NAS"

This message comes when there is a shared secret mismatch.

Regards,

~JG

Do rate helpful posts


Re: VPN Concentrator-ACS 3.1-Radius Error "Bad request from NAS"

If there is a mismatch, authentication of remote VPN clients should not work, right?


Re: VPN Concentrator-ACS 3.1-Radius Error "Bad request from NAS"

Hello!

I have the same error.

I installed Cisco ACS 4.2 on Windows 2003 SP2 and VPN users can authenticate on the AD server. Now I'm implementing the password expiry feature.

But it is not working. In the ACS failed attempts log I have this log:

11/29/2010  17:21:58  Bad request from NAS  ..  Default Group  ..  (Default)
11/29/2010  17:21:51  Authen failed  mydomain\vpnuser1  Default Group  ..  (Default)  Windows user must change password

In the VPN Client, the Enter New Pin window appears, but when the user enters a new password it is rejected.

Could anyone help?


Re: VPN Concentrator-ACS 3.1-Radius Error "Bad request from NAS"

If you look in the CSRadius service log you might get a better idea for what the problem is.

Or you can "net stop csradius" then run "csradius -z -p" from the command line to run it and see debug. Basically, CSRadius will spit out "Bad request from NAS" for anything that looks like a physically malformed RADIUS packet or a packet that doesn't appear to support the RFC.

It could be a wrong shared secret... but that should prevent ANY authentication working.

If you know what the incoming RADIUS packets look like (the ones that cause the error), you're halfway to fixing it.
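
As an added example (not from the thread, and not CSRadius's own logic), the following Python code applies the basic RFC 2865 framing checks to a captured RADIUS datagram, which is one way to see whether a packet is "physically malformed" in the sense the reply above describes. The function names and sample packets are constructed for illustration.

```python
import struct

# RADIUS codes from RFC 2865 / RFC 2866 (anything else is reported as unknown here)
KNOWN_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
               4: "Accounting-Request", 5: "Accounting-Response",
               11: "Access-Challenge"}

def check_radius_packet(datagram: bytes) -> list:
    """Return a list of structural problems; an empty list means well-formed."""
    problems = []
    if len(datagram) < 20:
        return ["datagram shorter than the 20-byte RADIUS header"]
    code, ident, length = struct.unpack("!BBH", datagram[:4])
    if code not in KNOWN_CODES:
        problems.append(f"unknown code {code}")
    if length < 20 or length > 4096:
        return problems + [f"Length field {length} outside 20..4096"]
    if length > len(datagram):
        return problems + [f"Length field {length} exceeds datagram size {len(datagram)}"]
    # Octets beyond the Length field are padding and are ignored (RFC 2865, section 3)
    pos = 20
    while pos < length:
        if length - pos < 2:
            problems.append(f"truncated attribute header at offset {pos}")
            break
        attr_type, attr_len = datagram[pos], datagram[pos + 1]
        if attr_len < 2:
            problems.append(f"attribute {attr_type} at offset {pos} has length {attr_len} < 2")
            break
        if pos + attr_len > length:
            problems.append(f"attribute {attr_type} at offset {pos} overruns the packet")
            break
        pos += attr_len
    return problems

def build(code, attrs, length=None):
    """Constructed sample builder: zeroed authenticator, raw attribute bytes."""
    body = b"".join(attrs)
    total = 20 + len(body) if length is None else length
    return struct.pack("!BBH", code, 1, total) + bytes(16) + body

user_name = bytes([1, 6]) + b"vpn1"             # User-Name attribute, length 6
GOOD = build(1, [user_name])
BAD_ATTR = build(1, [bytes([1, 9]) + b"vpn1"])  # attribute claims 9 bytes, has 6
BAD_LEN = build(1, [user_name], length=64)      # header claims more than was sent

if __name__ == "__main__":
    for name, pkt in [("GOOD", GOOD), ("BAD_ATTR", BAD_ATTR), ("BAD_LEN", BAD_LEN)]:
        print(name, check_radius_packet(pkt) or "well-formed")
```

These checks cover framing only; a packet that passes them can still be rejected for other reasons, such as a shared secret mismatch.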