
For some time I have been using 2008 R2 as my RADIUS server, and I have a Cisco ASA FW that is configured as a RADIUS client and working OK. I have introduced another Windows 2012 DC, and also configured the same policy straight from the book for NPS.

But when I do the test in AAA Server Groups in ASDM of the ASA, I get an AAA Authentication error.

I have done the debug radius on ASA and got the following:

Parsed packet data.....
Radius: Code = 3 (0x03)
Radius: Identifier = 176 (0xB0)
Radius: Length = 20 (0x0014)
Radius: Vector: 49E1FD50243A3E1FC620F4C4F030AC6B
rad_procpkt: REJECT
RADIUS_DELETE

Is there something on 2012 that needs to be reconfigured to allow the RADIUS client ASA to work?

The RADIUS policies are the same as in 2008 R2.

Kind regards.
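Added example, not part of the question or the answer: a small Python parser for the RADIUS packet shown in the debug output above. It confirms that Code 3 is an Access-Reject of Length 20, i.e. the NPS returned no attributes (such as a Reply-Message) explaining the rejection, so the reason has to come from the NPS side's logs; it also includes the RFC 2865 Response Authenticator check a RADIUS client performs with the shared secret. The request authenticator and shared secret used for the second packet are constructed values, since the page does not include them.

```python
import hashlib
import struct

# RADIUS packet codes (RFC 2865/2866) that an ASA AAA server test can elicit.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

# Fixed 20-byte header: Code (1), Identifier (1), Length (2), Authenticator (16).
HEADER = struct.Struct("!BBH16s")

def parse_radius(packet: bytes) -> dict:
    """Parse the header and any attribute TLVs (Type, Length, Value) that follow it."""
    if len(packet) < HEADER.size:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(packet)
    if not HEADER.size <= length <= len(packet):
        raise ValueError(f"Length {length} inconsistent with {len(packet)} bytes received")
    attrs, pos = [], HEADER.size
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "name": RADIUS_CODES.get(code, "Unknown"), "identifier": ident,
            "length": length, "authenticator": auth.hex().upper(), "attributes": attrs}

def response_authenticator_ok(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 s3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    # A client that skips this check would accept replies from anyone spoofing the server's IP.
    digest = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return digest == response[4:20]

def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attributes: bytes = b"") -> bytes:
    """Build a server reply with a valid Response Authenticator (used here to make test data)."""
    length = HEADER.size + len(attributes)
    head = struct.pack("!BBH", code, ident, length)
    auth = hashlib.md5(head + request_auth + attributes + secret).digest()
    return head + auth + attributes

# The Access-Reject from the ASA 'debug radius' output above, reassembled byte-for-byte.
REJECT = bytes.fromhex("03" "B0" "0014" "49E1FD50243A3E1FC620F4C4F030AC6B")

if __name__ == "__main__":
    info = parse_radius(REJECT)
    print(f"Code {info['code']} = {info['name']}, id {info['identifier']}, "
          f"length {info['length']}, {len(info['attributes'])} attributes")
```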

1 Answer

We actually just went through the same exercise with the same or a similar result.

First, try disabling MS-CHAPv2 support for the RADIUS server on your ASA.

If that did help, then the issue is likely on your 2012 server, where it does not allow NTLMv1, which is needed for MS-CHAPv2. By default, only NTLMv2 is allowed.

If that did not help, then you likely have some other issue.