Hi team,
I have the following issue: I'm trying to configure Cisco AnyConnect + NPS Windows Server + LinOTP 2FA, but the authentication on the Cisco ASA is failing:
"ERROR:Authentication Rejected: AA failure."
When I enter debug mode in FreeRADIUS, it shows the following:
rad_recv: Access-Request packet from host 10.127.7.3 port 49617, id=31, length=98
User-Name = "usuario_4"
User-Password = "1234781351"
NAS-IP-Address = 10.127.7.6
NAS-Port = 145
NAS-Port-Type = Virtual
Cisco-AVPair = "coa-push=true"
Proxy-State = 0x0a7f07030000002a
# Executing section authorize from file /etc/freeradius/sites-enabled/linotp
+group authorize {
++[preprocess] = ok
[IPASS] No '/' in User-Name = "usuario_4", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] = noop
[suffix] No '@' in User-Name = "usuario_4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[ntdomain] No '\' in User-Name = "usuario_4", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = perl
# Executing group from file /etc/freeradius/sites-enabled/linotp
+group authenticate {
rlm_perl: Config File /etc/linotp2/rlm_perl.ini found!
rlm_perl: Default URL https://10.127.7.4/validate/simplecheck
rlm_perl: RAD_REQUEST: User-Password = 1234781351
rlm_perl: RAD_REQUEST: User-Name = usuario_4
rlm_perl: RAD_REQUEST: Cisco-AVPair = coa-push=true
rlm_perl: RAD_REQUEST: NAS-Port = 145
rlm_perl: RAD_REQUEST: Proxy-State = 0x0a7f07030000002a
rlm_perl: RAD_REQUEST: NAS-Port-Type = Virtual
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.127.7.6
rlm_perl: Auth-Type: perl
rlm_perl: Url: https://10.127.7.4/validate/simplecheck
rlm_perl: User: usuario_4
rlm_perl: urlparam user = usuario_4
rlm_perl: urlparam resConf = LDAP
rlm_perl: urlparam client = 10.127.7.6
rlm_perl: urlparam realm = labotp.local
rlm_perl: urlparam pass = 1234781351
rlm_perl: Content :-)
rlm_perl: LinOTP access granted
rlm_perl: return RLM_MODULE_OK
rlm_perl: Added pair User-Password = 1234781351
rlm_perl: Added pair User-Name = usuario_4
rlm_perl: Added pair Cisco-AVPair = coa-push=true
rlm_perl: Added pair NAS-Port = 145
rlm_perl: Added pair Proxy-State = 0x0a7f07030000002a
rlm_perl: Added pair NAS-Port-Type = Virtual
rlm_perl: Added pair NAS-IP-Address = 10.127.7.6
rlm_perl: Added pair Reply-Message = LinOTP access granted
rlm_perl: Added pair Auth-Type = perl
++[perl] = ok
+} # group authenticate = ok
WARNING: Empty post-auth section. Using default return values.
Sending Access-Accept of id 31 to 10.127.7.3 port 49617
Reply-Message = "LinOTP access granted"
Proxy-State = 0x0a7f07030000002a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 31 with timestamp +15
Ready to process requests.
Could you help me with some troubleshooting on this?
Active Directory: 10.127.7.5
Cisco ASA: 10.127.7.6
NPS Windows Server 2012: 10.127.7.3
LinOTP server: 10.127.7.4
PIN LinOTP: 1234
Domain: labotp.local