A VPN is configured to use XAuth with an external RADIUS server to authenticate users, but the authentication fails. In this scenario, the authentication server is an RSA server that has RADIUS enabled.
Beginning with ScreenOS 5.2.0 and higher, RADIUS Accounting requests are sent from the NetScreen to the RADIUS server when the XAuth phase 1 IKE negotiation takes place (when RADIUS is used as an external authentication server). This causes authentication to fail if the RADIUS server either has the wrong RADIUS Accounting listening port configured or has accounting turned off. With RSA RADIUS, accounting is disabled by default.
In order to get XAuth authentication working, make sure RADIUS Accounting is enabled on the RADIUS server. Also, make sure the RADIUS Accounting listening port on the server matches what is configured on the NetScreen (the default is port 1646).
To determine what port the NetScreen Radius Accounting communicates on, issue the following command:
ns5gt-> get auth settings radius accounting
RADIUS Accounting port: 1646
Action:
None
ns5gt->
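To confirm from a host whether the RADIUS server actually answers accounting requests on the port the firewall reports, the following added Python example (not part of this article or of ScreenOS) builds a minimal RFC 2866 Accounting-Request, sends it, and validates the Response Authenticator; the server address and shared secret are assumed placeholders, and a timeout with no reply is the failure condition described above.

```python
import hashlib
import hmac
import socket
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
ACCT_STATUS_TYPE, USER_NAME = 40, 1

def attr(attr_type, value):
    # One RADIUS attribute: Type (1 octet), Length (1 octet), Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_accounting_request(secret, username, identifier):
    # Minimal Accounting-Request: Acct-Status-Type=Start(1) plus User-Name.
    attrs = attr(ACCT_STATUS_TYPE, struct.pack("!I", 1))
    attrs += attr(USER_NAME, username.encode())
    head = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 Request Authenticator: MD5(Code+ID+Length+16 zero octets+Attributes+Secret).
    req_auth = hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest()
    return head + req_auth + attrs

def build_accounting_response(secret, request):
    # What a correctly configured server sends back (constructed here for offline testing).
    head = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20)
    # Response Authenticator: MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    return head + hashlib.md5(head + request[4:20] + secret).digest()

def verify_accounting_response(secret, request, response):
    # Reject anything that is not a well-formed Accounting-Response to this request.
    if len(response) < 20 or response[0] != ACCT_RESPONSE or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def probe_accounting_port(host, port, secret, username="xauth-probe", timeout=3.0):
    # True: valid Accounting-Response received. False: reply failed validation.
    # None: no reply within the timeout (accounting off or listening on another port).
    request = build_accounting_request(secret, username, identifier=1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return verify_accounting_response(secret, request, response)

if __name__ == "__main__":
    # Assumed placeholder server address and shared secret; port 1646 is the firewall default.
    print(probe_accounting_port("192.0.2.10", 1646, b"assumed-shared-secret"))
```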
Note: Beginning with ScreenOS 6.2.0 and higher, Radius Accounting can be disabled on the firewall, eliminating the need to enable Radius Accounting on the Radius server (also beneficial if your radius server doesn't support Radius Accounting). To disable accounting globally, the CLI command is "set xauth default accounting off". To disable accounting per IKE gateway, the command is "set ike gateway <gateway name> xauth accounting off".