pam_radius and Cisco ACS

Tom tjonesjr at
Wed Feb 15 22:50:13 CET 2006

I have been tasked with having all non windows devices on our network
to authenticate against our Active Directory, which is the reason we
are using Cisco ACS.  ACS currently authenticates for all cisco
devices against our AD, via the external windows database option.  I
am now trying to get pam_radius to do the same with ACS's radius.

I have compiled pam_radius and it appears to be working as intended,
however Cisco ACS reports "External DB User Invalid or bad password"
anytime I try to use the same credentials that properly authenticate
with ACS's tacacs on a linux or freebsd server.  The username shows up
properly on the ACS server, so I am assuming that the NAS is sending
the proper username, but it appears that the password is not being
sent correctly.  I know the ACS server is trying to authenticate
against AD because after so many tries the account get's locked out.

Has anyone been able to accomplish what I am trying to do here?  Any
suggestions besides "lose ACS" to get this to work?  Is there
something I can pass to the pam_radius module to have it transmit the
password the way the ACS server is expecting to see it?

I appreciate any help or suggestions anyone can provide in advance.

Thank you,


More information about the Freeradius-Users mailing list