AAA Authentication on Cisco IOS

Hello, I’ve gone through this lesson and also checked the guide from Cisco, but there are still some confusions.

"Enter a case-sensitive password that is common among users who access this RADIUS authorization server via the Cisco ASA under the Common Password field. If you do not use a common password, the user’s username is used as the password when accessing the RADIUS authorization server."

I thought when users access the VPN, the VPN sends the requests to the RADIUS server for authentication, so why do we still need a common password?
What is the difference between key and radius-common-pw?
The shared key that we configured in the radius server should be key, right?

After setting up the VPN for test, I received “You have no dial in permission”, what could be the issue?

Hello Po

This is a good question. After doing some research, I have found that the radius-common-pw parameter is used internally by the ASA for its communication with the RADIUS server for all authorization transactions. More about it can be found at this ASA command line reference. The syntax is:

radius-common-pw string

It states:

The RADIUS authorization server requires a password and username for each connecting user. The ASA provides the username automatically. You enter the password here. The RADIUS server administrator must configure the RADIUS server to associate this password with each user authorizing to the server via this ASA. Be sure to provide this information to your RADIUS server administrator.

If you do not specify a common user password, each user password is the username. If you are using usernames for common user passwords, as a security precaution, do not use the RADIUS server for authorization anywhere else on your network.

It also says (interestingly):

The string argument is essentially a space-filler. The RADIUS server expects and requires it, but does not use it. Users do not need to know it.

So this configuration is optional, but the administrator of the RADIUS server must know what has been configured in order to correctly communicate with the ASA. Note also that this password is used only for internal communication between the ASA and the RADIUS server, and only for authorization mechanisms. End users don’t need to know this password. They simply use their own credentials.

The “key” parameter is used for authentication. This authenticates the ASA to the RADIUS server. More about this can be found at this CiscoPress article.

This error typically means that the user account trying to connect through the VPN does not have permission to dial in. This could be due to several reasons, which may be related to the key or the common password, or even the credentials of the user. You would typically have to start troubleshooting by checking the user’s permissions in the RADIUS server. Then you should try to verify your configs on the ASA and the RADIUS server.

I hope this has been helpful!
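To make the distinction between the two settings concrete, here is an added example (not code from the original post, the lesson, or Cisco) that models the RADIUS Access-Request the ASA would send for authorization. It assumes PAP-style User-Password hiding as specified in RFC 2865 section 5.2: the shared secret (the ASA's "key") is never transmitted and only masks the password, while the radius-common-pw string (or the username, when no common password is configured) is the actual User-Password value the server compares against its stored entry for that username. All secrets, usernames and addresses below are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac
import os
import socket
import struct
from typing import Optional

# RFC 2865 packet code and attribute types used below
ACCESS_REQUEST = 1
USER_NAME = 1
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 and
    XOR each block with MD5(secret + previous block), seeded with the 16-byte
    Request Authenticator. Only the shared secret ('key') protects it."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server does it with its own copy
    of the shared secret. Trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: str, password: str,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """Assemble an Access-Request as the NAS (here the ASA) would send it."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def asa_authorization_request(identifier: int, secret: bytes, username: str, nas_ip: str,
                              common_pw: Optional[str] = None,
                              authenticator: Optional[bytes] = None) -> bytes:
    """Model (assumption) of the behaviour the quoted ASA documentation describes:
    the ASA supplies the username itself and sends radius-common-pw as the
    password, or the username again when no common password is configured."""
    password = common_pw if common_pw else username
    return build_access_request(identifier, secret, username, password, nas_ip, authenticator)


def parse_attributes(data: bytes) -> dict:
    """Walk the TLV list; reject truncated or malformed lengths."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_check(packet: bytes, secret: bytes, user_db: dict) -> bool:
    """What the RADIUS server does: unhide User-Password with ITS copy of the
    shared secret, then compare with the stored password for that username.
    A mismatched 'key' on either side decodes to garbage, so it surfaces as a
    rejected user rather than as a transport error."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    authenticator = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    if USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return False
    username = attrs[USER_NAME].decode(errors="replace")
    supplied = reveal_password(attrs[USER_PASSWORD], secret, authenticator)
    expected = user_db.get(username)
    return expected is not None and hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    SECRET = b"constructed-shared-key"   # the ASA 'key' (constructed value)
    COMMON = "constructed-common-pw"     # the ASA 'radius-common-pw' (constructed value)
    # Constructed server entries: authorization users carry the common password,
    # or their own username as password when no common password is configured.
    authz_db = {"alice": COMMON.encode(), "bob": b"bob"}
    req = asa_authorization_request(7, SECRET, "alice", "192.0.2.1", COMMON)
    print("alice, matching key and common pw:", server_check(req, SECRET, authz_db))
    print("alice, server has a different key:", server_check(req, b"other-key", authz_db))
    print("bob, no common pw configured:", server_check(asa_authorization_request(8, SECRET, "bob", "192.0.2.1"), SECRET, authz_db))
```

Running the block shows the two failure modes the answer lists separately: a wrong shared secret on either end makes every decoded User-Password garbage (every user is rejected), while a wrong common password leaves the packet perfectly readable but fails the per-user comparison. It also shows why the documentation warns against reusing the server elsewhere when no common password is set: each authorization user's password is then simply the username.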