LinuxQuestions.org > Forums > Linux Forums > Linux - Security
#1 zagath2 (LQ Newbie), 10-02-2019, 02:07 PM
Issues with FreeRADIUS and LinOTP

Hi team,
I have the following issue. I'm trying to configure Cisco AnyConnect + NPS (Windows Server) + LinOTP 2FA, but the Cisco ASA authentication is failing with:
"ERROR:Authentication Rejected: AA failure."

When I run FreeRADIUS in debug mode it shows the following:

rad_recv: Access-Request packet from host 10.127.7.3 port 49617, id=31, length=98
User-Name = "usuario_4"
User-Password = "1234781351"
NAS-IP-Address = 10.127.7.6
NAS-Port = 145
NAS-Port-Type = Virtual
Cisco-AVPair = "coa-push=true"
Proxy-State = 0x0a7f07030000002a
# Executing section authorize from file /etc/freeradius/sites-enabled/linotp
+group authorize {
++[preprocess] = ok
[IPASS] No '/' in User-Name = "usuario_4", looking up realm NULL
[IPASS] No such realm "NULL"
++[IPASS] = noop
[suffix] No '@' in User-Name = "usuario_4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[ntdomain] No '\' in User-Name = "usuario_4", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
[files] users: Matched entry DEFAULT at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = perl
# Executing group from file /etc/freeradius/sites-enabled/linotp
+group authenticate {
rlm_perl: Config File /etc/linotp2/rlm_perl.ini found!
rlm_perl: Default URL https://10.127.7.4/validate/simplecheck
rlm_perl: RAD_REQUEST: User-Password = 1234781351
rlm_perl: RAD_REQUEST: User-Name = usuario_4
rlm_perl: RAD_REQUEST: Cisco-AVPair = coa-push=true
rlm_perl: RAD_REQUEST: NAS-Port = 145
rlm_perl: RAD_REQUEST: Proxy-State = 0x0a7f07030000002a
rlm_perl: RAD_REQUEST: NAS-Port-Type = Virtual
rlm_perl: RAD_REQUEST: NAS-IP-Address = 10.127.7.6
rlm_perl: Auth-Type: perl
rlm_perl: Url: https://10.127.7.4/validate/simplecheck
rlm_perl: User: usuario_4
rlm_perl: urlparam user = usuario_4
rlm_perl: urlparam resConf = LDAP
rlm_perl: urlparam client = 10.127.7.6
rlm_perl: urlparam realm = labotp.local
rlm_perl: urlparam pass = 1234781351
rlm_perl: Content :-)
rlm_perl: LinOTP access granted
rlm_perl: return RLM_MODULE_OK
rlm_perl: Added pair User-Password = 1234781351
rlm_perl: Added pair User-Name = usuario_4
rlm_perl: Added pair Cisco-AVPair = coa-push=true
rlm_perl: Added pair NAS-Port = 145
rlm_perl: Added pair Proxy-State = 0x0a7f07030000002a
rlm_perl: Added pair NAS-Port-Type = Virtual
rlm_perl: Added pair NAS-IP-Address = 10.127.7.6
rlm_perl: Added pair Reply-Message = LinOTP access granted
rlm_perl: Added pair Auth-Type = perl
++[perl] = ok
+} # group authenticate = ok
WARNING: Empty post-auth section. Using default return values.
Sending Access-Accept of id 31 to 10.127.7.3 port 49617
Reply-Message = "LinOTP access granted"
Proxy-State = 0x0a7f07030000002a
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 31 with timestamp +15
Ready to process requests.

Could you help me with some troubleshooting on this?

Active directory: 10.127.7.5
Cisco ASA: 10.127.7.6
NPS Windows Server 2012: 10.127.7.3
LinOTP server: 10.127.7.4
PIN LinOTP: 1234
Domain: labotp.local
OS: Debian 8
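The exchange in the debug output above, as an added example that is not part of the original post: a stdlib-only Python encoder/decoder for RFC 2865 packets that rebuilds the 98-byte Access-Request from the log (PAP User-Password obfuscation, the Cisco-AVPair vendor attribute, the Proxy-State value), answers it the way the server did, and then runs the two checks a proxy in front of the server performs on the reply, the Response Authenticator and the echoed Proxy-State. The shared secret (`testing123`), the request authenticator and the toy accept rule are assumptions; id 31, the attributes and the Proxy-State bytes are taken from the log. A CHAP-Password builder is included only for comparison with the User-Password attribute the log actually carries.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# Attribute type codes from the standard RADIUS dictionary (RFC 2865)
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
REPLY_MESSAGE, VENDOR_SPECIFIC, PROXY_STATE, NAS_PORT_TYPE = 18, 26, 33, 61
SECRET = b"testing123"                                  # assumed NPS<->FreeRADIUS secret
PROXY_STATE_VALUE = bytes.fromhex("0a7f07030000002a")   # value shown in the debug output


def pap_encrypt(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each block with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def pap_decrypt(blob, secret, authenticator):
    """Inverse of pap_encrypt. With the wrong secret this yields garbage, never an error."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += bytes(c ^ k for c, k in zip(blob[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def chap_password(ident, password, challenge):
    """RFC 2865 5.3: what a CHAP-speaking NAS sends instead of User-Password."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def vsa(vendor_id, vendor_type, value):   # RFC 2865 5.26; vendor 9 / type 1 is Cisco-AVPair
    return VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, n = data[i], data[i + 1]
        if n < 2 or i + n > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + n]))
        i += n
    return attrs


def first(attrs, t):
    return next((v for a, v in attrs if a == t), None)


def build_request(ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def build_response(code, request, secret, attrs):
    """Server side: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret):
    """Client/proxy side. A reply that fails this check is silently dropped and the NAS times out."""
    ident, length = struct.unpack("!BH", response[1:4])
    if ident != request[1] or length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def serve(request, secret):
    """Toy server: accept exactly the user and PIN+OTP from the log; echo every Proxy-State."""
    attrs = decode_attrs(request[20:])
    password = pap_decrypt(first(attrs, USER_PASSWORD) or b"", secret, request[4:20])
    ok = (first(attrs, USER_NAME), password) == (b"usuario_4", b"1234781351")
    reply = [(REPLY_MESSAGE, b"LinOTP access granted")] if ok else []
    reply += [(t, v) for t, v in attrs if t == PROXY_STATE]   # RFC 2865 5.33: copy unmodified
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret, reply), password


def exchange():
    req_auth = os.urandom(16)                               # assumed; not visible in the log
    request = build_request(31, req_auth, [
        (USER_NAME, b"usuario_4"),
        (USER_PASSWORD, pap_encrypt(b"1234781351", SECRET, req_auth)),   # PIN 1234 + OTP
        (NAS_IP_ADDRESS, bytes([10, 127, 7, 6])),
        (NAS_PORT, struct.pack("!I", 145)),
        (NAS_PORT_TYPE, struct.pack("!I", 5)),               # 5 = Virtual
        vsa(9, 1, b"coa-push=true"),
        (PROXY_STATE, PROXY_STATE_VALUE),
    ])
    response, seen = serve(request, SECRET)
    _, seen_wrong = serve(request, b"wrong-secret")
    return {
        "request_length": len(request),                     # 98, matching "length=98" in the log
        "accepted": response[0] == ACCESS_ACCEPT,
        "verified": verify_response(response, request, SECRET),
        "verified_wrong_secret": verify_response(response, request, b"wrong-secret"),
        "proxy_state_echoed": first(decode_attrs(response[20:]), PROXY_STATE) == PROXY_STATE_VALUE,
        "password_seen": seen,
        "password_seen_wrong_secret": seen_wrong,
    }
```

Two things `exchange()` makes concrete. User-Password only decodes to the cleartext PIN+OTP when both ends share the same secret, so the clean `User-Password = "1234781351"` in the debug output means the secret between NPS and FreeRADIUS matches. And the Proxy-State from the request is copied unchanged into the Access-Accept, which is what `Proxy-State = 0x0a7f07030000002a` in the reply shows. Both hold in the log, so the rejection the ASA reports was not produced by this FreeRADIUS instance, which sent an Access-Accept back to 10.127.7.3; the next place to look is what NPS does with that reply.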
 
#2 Shiori-kun (LQ Newbie), 10-02-2019, 10:06 PM
Cisco devices use CHAP for AAA passwords.

You must have the realm NULL in your FreeRADIUS config. This is the same as setting FreeRADIUS to do EAP authentication for a WAP.
 
#3 rshimmel (LQ Newbie), 10-03-2019, 12:20 AM
FreeRADIUS auth failure

Your user did not supply any @realmname, so there is no forwarding authentication information to pass along to the auth server, which should be configured in your proxy.conf file. Since that does not exist, and there is no NULL realm defined in your proxy.conf, it is trying to authenticate locally via FreeRADIUS. That being the case, there is also no user auth information in your 'users' config file, so the auth is failing.
Configure a realm in your proxy.conf file to forward to your Windows server for the users' authentication, given their full login user@domain.com, or add a NULL realm to do the forwarding for user auth. Your Windows auth server also needs an entry in your clients.conf file in order to communicate with the users' RADIUS server, the Windows server in your case.
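What the realm and client entries described in the post above look like in FreeRADIUS syntax, as an added example rather than anyone's actual configuration from this thread (the secrets are placeholders, the NPS listening port is assumed to be the default 1812, and FreeRADIUS 2.x as shipped with Debian 8 and 3.x share this syntax). One caveat for the topology in the original post: the debug output shows the Access-Request arriving from 10.127.7.3, the NPS host, carrying a Proxy-State attribute, so NPS is already the proxy in front of FreeRADIUS and a client entry for it already exists (FreeRADIUS discards packets from unknown clients instead of logging their attributes). A realm that points back at 10.127.7.3 would send the request round in a loop unless NPS is set up to handle that forwarded realm itself.

```conf
# /etc/freeradius/proxy.conf

home_server nps {
        type = auth
        ipaddr = 10.127.7.3
        port = 1812
        secret = CHANGE-ME-nps-secret     # placeholder; must match the NPS RADIUS client entry
        response_window = 20
}

home_server_pool nps_pool {
        type = fail-over
        home_server = nps
}

# user@labotp.local is forwarded to NPS; nostrip keeps the @realm in User-Name
realm labotp.local {
        auth_pool = nps_pool
        nostrip
}

# Bare usernames such as "usuario_4" match realm NULL (see the "[suffix] ...
# looking up realm NULL" lines in the debug output). Without this realm they
# are authenticated locally; with it they are forwarded to the pool.
realm NULL {
        auth_pool = nps_pool
}

# /etc/freeradius/clients.conf
# A RADIUS peer that sends requests to this server must be listed here,
# otherwise its packets are dropped as coming from an unknown client.
client nps {
        ipaddr = 10.127.7.3
        secret = CHANGE-ME-nps-secret     # placeholder; same secret as NPS uses for this server
        shortname = nps
        nas_type = other
}
```

Check the result with `freeradius -X` (or `freeradius -XC` for a syntax-only check) and watch for "Proxying request" in the debug output; if the request is forwarded and the reply comes back with a failed Response Authenticator, the two secrets do not match.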
 
#4 zagath2 (LQ Newbie, original poster), 10-08-2019, 10:42 AM
Hi pal,

Do you have an example of how I must configure the proxy.conf file? I was trying to do it myself but I have not been successful.
 
#5 rshimmel (LQ Newbie), 10-09-2019, 12:16 AM
User authentication

There is a plethora of examples in the FreeRADIUS proxy.conf file, including NULL and what to do if all else fails.
I think you may want to rethink and simplify your end objective. For example, what do you want to use to handle the users' primary authentication?
If Windows, then you should look into Federated Services.
If Linux, then look into implementing an LDAP server.
If FreeRADIUS, then you will need user account credentials within it to auth against.
Pretty much all of those will need a certificate-based authentication provider to handle the communication encryption from point A to point B in the authentication chain. If local, then each device or server will need the CA root cert installed in order to trust the other.


An old phrase that seems to no longer be used: KISS (keep it simple, stupid), i.e. don't overcomplicate the end objective.

Last edited by rshimmel; 10-09-2019 at 12:20 AM.
 
#6 Shiori-kun (LQ Newbie), 10-10-2019, 12:08 PM
Though I think that last post was a bit harsh, it is not entirely wrong.

However, it is also not useful. Telling someone to change to federated services or LDAP is not correct, as both use a form of RADIUS to make them work.

I currently use FreeRADIUS with an SQL backend to act as an auth server for Cisco devices, as an EAP-TTLS server for WiFi/WLAN, for PPPoE auth and QoS settings for individual users/devices, and to authenticate users on both Linux and Windows systems. It can be made to work, but you must make each individual system work one piece at a time or you won't know what you did wrong; syntax is very important.

Without knowing your real Cisco device config, the full use type you require and the list of supported operating systems, we can only give poor advice such as RTFM and the like.
I would suggest that you set your Cisco devices to send a realm as part of the RADIUS server contact, not as part of the username. Set Windows to have a username@realmname with a default realm name in case someone forgets to use the proper format.
Linux is a bit simpler, but takes a bit. You must set the pam-radius module (different flavors have different names for this module) to be used during auth. Set the expected username format and auth order to ensure RADIUS first, local second. Set a temporary home dir location and default user level. All of this will be overwritten by the RADIUS response if it needs to be different. I highly suggest setting a network share as the home directory for your users; this allows things to be saved across sessions.

Each device will need different responses and may not play well with responses that are not part of the specific dictionary for that device. So different usernames or realms for different systems may be needed.
You will need to create a root CA certificate pair and install it on each device that needs to directly auth against your server. If you have untrusted devices that need to auth, set up a RADIUS proxy for them.
 
#7 rshimmel (LQ Newbie), 10-11-2019, 01:17 AM
Thanks for your comments, Shiori-kun.
Perhaps I did not iterate my comments correctly, or they were misunderstood.
I am not telling someone to change to something else, just to use the correct method needed to accomplish the end goal with the minimal number of pieces needed; KISS applies here.
Cisco can auth directly to Windows if applicable. There was one property that was not default to make that work, however; I believe it was one of the tunnel methods.

I also use FreeRADIUS for WiFi auth using Cisco hardware, with local EAP-TTLS as the cipher with PAP for local auth without a supplied realm, or pass it on to Windows using PEAP if their realm is found for them. Client-side certs using TLS were not needed for our usage.

The default proxy.conf is 100% example configs for various scenarios. Although still recommended, my comment in that regard was not meant as RTFM. Perhaps the OP's distro does not include those commented-out example configs in their FreeRADIUS installation. That information can be found at the following:
https://github.com/FreeRADIUS/freera...e/v3.0.x/raddb

Not implying this is the case here, but I have seen all too often that someone has set something up using someone else's examples and does not have any idea what is actually being performed on the backend. When it fails for some reason, they have no idea why or how to fix it.

It was mentioned that LinOTP was being used; I think that is just web auth using OAuth. That will require SPNs (service principal names) to be set up between the Linux server and the end auth server. I'm not sure if FreeRADIUS supports that directly.

Your comment on getting each piece working before stepping to the next is spot on as the correct direction to go, except use the correct method to get the first part working. Once that 'conversation' works, change the method to get to the next step....

Good day,
Rick.

Last edited by rshimmel; 10-11-2019 at 01:21 AM.
 