VPN failing authentication after migrating RADIUS

I have a Cisco 5500 ASA using the Cisco VPN client (version 4.8?) and a Windows Server 2008 doing RADIUS Authentication.  I still have a Windows Server 2003 DC connected that is also still doing RADIUS.  What I did is basically copy the RADIUS settings from the 2003 DC to the 2008 DC by having the screens side by side to make sure all the settings are the same.  I have checked through them over and over and everything is the same, except the 2003 server works and the 2008 server does not.  They both have the exact same setting (with the IP address different, obviously) in the AAA Server Groups setting on the 5500 ASA.

The problem I am having is that when I disable the RADIUS service on the 2003 Domain Controller (the working one) I can no longer successfully connect to VPN; I get "Secure VPN Connection Terminated Locally By Client: Reason 413 User Authentication Failed." The thing that is really strange is that after I attempt to authenticate through VPN and fail, I can go to the domain controller Security log and see my account credentials hitting the DC and that I've logged on successfully.

I checked the logs from the Cisco VPN client to see what was going on:

On success:
390    10:38:08.656  05/26/09  Sev=Info/4      CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system

On failure:
347    10:36:48.828  05/26/09  Sev=Info/4      CM/0x63100018
User does not provide any authentication data

What could be going on here?
1 Solution
usom (Author) commented:
Fixed it.  Found the article that tells you about the hotfix that allows you to migrate the settings between versions.  Wish MS mentioned that in the article that tells you you can't migrate between versions....
Question has a verified solution.