TCC_2
Level 10

Core issue

This problem occurs due to the presence of Cisco bug ID CSCsf27202.

VPN authentication fails after an upgrade of the Adaptive Security Appliance (ASA) software version from 7.1(1) to 7.2(1). In 7.1(1) and earlier versions, RADIUS requests were sent to the RADIUS server with the NAS-Port-Type of Virtual. In version 7.2(1), the NAS-Port-Type is not set.


These examples from the Microsoft RADIUS logs show success from 7.1(1) and a failure from 7.2(1):

Success Example on 7.1(1)

User WOUND\lremcgui was granted access.
Fully-Qualified-User-Name = wound.san/lr/Users/McGuire, Emily
NAS-IP-Address = 10.58.1.8
NAS-Identifier =
Client-Friendly-Name = lrnasa5520
Client-IP-Address = 10.58.1.8
Calling-Station-Identifier = 24.216.66.122
NAS-Port-Type = Virtual
NAS-Port = 182
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server =
Policy-Name = VPN Client Connections
Authentication-Type = MS-CHAPv2
EAP-Type =

Resolution

As a workaround, do not use password management and downgrade the Cisco ASA/PIX to version 7.1. Refer to Tunnel-group general-attributes for more information.
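
To confirm which RADIUS clients are sending requests without NAS-Port-Type = Virtual, the log entries can be parsed and grouped by client. The script below is an added example, not Cisco or Microsoft code; the sample events, user names, client names and addresses in it are constructed, and it assumes the "Attribute = Value" layout shown in the success example above.

```python
import re
from collections import defaultdict

# Constructed sample events in the "Attribute = Value" layout shown above.
# All names and addresses are placeholders, not values from a real server.
SAMPLE_LOG = """\
User EXAMPLE\\alice was granted access.
NAS-IP-Address = 192.0.2.8
Client-Friendly-Name = asa-old
NAS-Port-Type = Virtual
NAS-Port = 182
Policy-Name = VPN Client Connections

User EXAMPLE\\bob was denied access.
NAS-IP-Address = 192.0.2.9
Client-Friendly-Name = asa-upgraded
NAS-Port-Type =
NAS-Port = 14
"""

HEADER = re.compile(r"^User (?P<user>.+?) was (?P<result>granted|denied) access\.$")

def parse_events(text):
    """Split the log into events; each one starts at a 'User ... access.' line."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            events.append({"user": m["user"], "result": m["result"], "attrs": {}})
        elif events and "=" in line:
            # Split on the first '=' only, so values containing '=' survive.
            name, _, value = line.partition("=")
            events[-1]["attrs"][name.strip()] = value.strip()
    return events

def clients_missing_port_type(events, expected="Virtual"):
    """Map each RADIUS client to the requests that lacked the expected NAS-Port-Type."""
    affected = defaultdict(list)
    for ev in events:
        attrs = ev["attrs"]
        if attrs.get("NAS-Port-Type", "") != expected:
            client = attrs.get("Client-Friendly-Name") or attrs.get("NAS-IP-Address", "unknown")
            affected[client].append((ev["user"], ev["result"]))
    return dict(affected)

if __name__ == "__main__":
    for client, hits in clients_missing_port_type(parse_events(SAMPLE_LOG)).items():
        print(client, hits)
```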
