Why does RADIUS authentication always fail with Cisco ACS 4.2?

Aruba Employee
Aruba Employee

Product and Software: This article applies to all Aruba Mobility Controllers and ArubaOS 

The RADIUS authentication always fails when the clients attempt to authenticate with the Cisco ACS server through the Aruba Mobility Controller. The sniffer captures show that the ACS is sending the RADIUS accept message. The ACS log shows that the users passed the authentication, but the controller dropped the request with incorrect MD5 message digest error. 

When the “aaa test-server” utility is used to test the authentication request, the error message is “Invalid response (4) from server”. In general, the message implies that the share secret is mismatched between the controller and the Cisco ACS server. The shared secret for the device created in ACS does match the value configured in the controller. 

After further investigation, it was discovered that the issue is cause by the new feature in ACS 4.2 where it supports the network device group configuration. In this case, the share secret configuration takes precedence over the share secret configured on the device. 

Version history
Revision #:
1 of 1
Last update:
‎07-09-2014 11:47 AM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: