Core issue
Authentication can fail for many reasons, but these are two commonly known ones:
- The PIX firewall cannot reach the authentication server.
- The Authentication, Authorization, and Accounting (AAA) server does not respond to the authentication request from the PIX before the authentication request times out.
Resolution
In order to resolve this issue, complete these steps:
- Check the connectivity between the PIX and the server:
  If the server is outside the PIX, verify that it is specified in the (if_name) parameter of the aaa-server command. In the example below, the (if_name) parameter represents outside.
    aaa-server group_tag (if_name) host server_ip key timeout 5
- Ensure that the secret key is correct.
- If the network traffic is extremely high, or packet loss is present, increase the timeout for authentication requests. From the PIX command line interface, issue the aaa-server group_tag (if_name) host server_ip key timeout seconds command, and increase the time in seconds to a larger value, such as 20 or 30 seconds.
- Check the server logs for failed attempts. All servers have some kind of logging function.
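To tell these causes apart from a test host, the following added Python example (not part of the original note and not a Cisco tool) sends one RADIUS Access-Request and classifies the outcome as no reply, shared-key mismatch, or a normal accept/reject. It assumes the AAA server speaks RADIUS and that the test host is defined on it as a client with the same key; the function names are hypothetical.

```python
import hashlib, hmac, os, socket, struct

# Added example. Assumes a RADIUS (RFC 2865) AAA server; names are illustrative.
def build_request(secret, user, password, ident=1):
    """Build an Access-Request; returns (packet, request_authenticator)."""
    req_auth = os.urandom(16)
    size = max(16, -(-len(password) // 16) * 16)       # pad to a multiple of 16
    padded, hidden, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):                       # User-Password hiding
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        hidden += prev
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def classify(reply, req_auth, secret):
    """Map a probe outcome onto the failure causes listed in this note."""
    if reply is None:
        return "no-reply"          # unreachable, or slower than the timeout
    if len(reply) < 20:
        return "malformed"
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return "malformed"
    body = reply[:length]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(body[:4] + req_auth + body[20:] + secret).digest()
    if not hmac.compare_digest(expected, body[4:20]):
        return "key-mismatch"      # server answered, but with a different key
    return {2: "accept", 3: "reject"}.get(body[0], "other")

def probe(server, secret, user, password, timeout=5.0, port=1812):
    """Send one request and classify the result (1812 is the IANA RADIUS port)."""
    packet, req_auth = build_request(secret, user, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify(reply, req_auth, secret)
```

Calling probe() with the same timeout value that is configured on the PIX shows whether the server answers inside that window.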
Problem Type
Connectivity to the device
Troubleshoot software feature
Product Family
Cisco Secure Access Control Server
Firewall - PIX 500 series