Test ISE radius server authentication with Cisco WLC/Switch using "test aaa"
Priyanka Shyam
Network Geek with a robust skill set | CCDE (Written) | CCIE | CWNA | Cisco SCOR | Cisco SD-WAN Expert | Technical Writer | Multitasker | Considerate & Empathic Communicator
Dot1x wired and wireless client authentication issues are among the most challenging problems network engineers face. If we know how to isolate the issue step by step, though, resolving it becomes much easier. Troubleshooting usually requires access to the problematic client to take captures and debugs, and working with end users who may know nothing about the network; you cannot expect that of everyone. In an increasingly critical network this can cause significant downtime. There is, however, an easy way to tell whether an authentication failure was caused by the RADIUS server rejecting the client, or simply by a reachability problem between the network device and the server.
The test aaa radius command lets you do just that. Without involving the problematic client, you can verify remotely whether the network device to RADIUS server communication fails, or whether the credentials you supply result in a passed or failed authentication.
(Cisco Controller) >test aaa radius username <user name> password <password> wlan-id <wlan-id>
Here I run the test aaa command for the user name dummy with the password Admin@123, against my WLAN TEST, which has WLAN ID 1.
(Test-WLC-1) >test aaa radius username dummy password Admin@123 wlan-id 1

Radius Test Request
  Wlan-id........................................ 1
  ApGroup Name................................... none

  Attributes                      Values
  ----------                      ------
  User-Name                       dummy
  Called-Station-Id               00-00-00-00-00-00:TEST-OFFICE
  Calling-Station-Id              00-11-22-33-44-55
  Nas-Port                        0x00000008 (8)
  Nas-Ip-Address                  10.122.106.221
  NAS-Identifier                  Test-WLC-1
  Airespace / WLAN-Identifier     0x00000001 (1)
  User-Password                   Admin@123
  Service-Type                    0x00000008 (8)
  Framed-MTU                      0x00000514 (1300)
  Nas-Port-Type                   0x00000013 (19)
  Tunnel-Type                     0x0000000d (13)
  Tunnel-Medium-Type              0x00000006 (6)
  Tunnel-Group-Id                 0x000000c3 (195)
  Cisco / Audit-Session-Id        0a7a6add000b1e7d62b195cb
  Acct-Session-Id                 62b195cb/00:11:22:33:44:55/1894950

test radius auth request successfully sent. Execute 'test aaa show radius' for response
To view the result of the authentication request, execute test aaa show radius. Its output lists each RADIUS server with the number of retries and a status, so you can see whether the server answered at all or is unreachable and the WLC has to retry or fall back to a different RADIUS server. If the server did answer, the Authentication Response section shows whether it returned an accept or a reject for the supplied credentials.
(Test-WLC-1) >test aaa show radius

Radius Test Request
  Wlan-id........................................ 1
  ApGroup Name................................... none
Radius Test Response

Radius Server            Retry Status
-------------            ----- ------
10.122.106.223           1     Success

Authentication Response:
  Result Code: Authentication failed
  No AVPs in Response
In this case the connectivity test shows 'Success', so the WLC reached 10.122.106.223 and received an answer; the RADIUS server, however, sent an Access-Reject for the username/password combination used.
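To make the distinction the two commands draw concrete, here is an added example (not code from the article, Cisco or ISE) in Python: it builds an Access-Request carrying the same attribute set the WLC lists above, hides the password the way RFC 2865 section 5.2 prescribes for the PAP User-Password attribute, hands the packet to an in-process stand-in for ISE, and classifies the reply the way test aaa show radius does: no reply at all (reachability), a reply whose Response Authenticator does not verify (wrong shared secret or a spoofed answer), or an Access-Accept / Access-Reject. The NAS IP, NAS-Identifier and Called/Calling-Station-Id are copied from the output above; the shared secrets, the user store and the stand-in server are constructed for the example.

```python
"""RFC 2865 Access-Request / reply exchange mirroring the WLC 'test aaa radius' attributes,
with a constructed in-process stand-in for ISE. Added example, not Cisco's or the author's code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
# RFC 2865 attribute type codes for the attributes seen in the WLC output
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
FRAMED_MTU, REPLY_MESSAGE, CALLED_STATION_ID, CALLING_STATION_ID = 12, 18, 30, 31
NAS_IDENTIFIER, NAS_PORT_TYPE = 32, 61


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous
    block), the first block using the Request Authenticator. Reversible, not a hash."""
    padded = password + b"\x00" * (-len(password) % 16) if password else b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_hide; anyone holding the shared secret recovers the password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(code: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", code, len(value) + 2) + value


def parse_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(username: str, password: str, secret: bytes, ident: int,
                         nas_ip="10.122.106.221", nas_id="Test-WLC-1", mac="00-11-22-33-44-55"):
    """Attribute set of the WLC's Radius Test Request above, minus the Cisco/Airespace VSAs
    and tunnel attributes. Returns (packet, request_authenticator)."""
    req_auth = os.urandom(16)
    attrs = b"".join([
        attr(USER_NAME, username.encode()),
        attr(USER_PASSWORD, pap_hide(password.encode(), secret, req_auth)),
        attr(CALLED_STATION_ID, b"00-00-00-00-00-00:TEST-OFFICE"),
        attr(CALLING_STATION_ID, mac.encode()),
        attr(NAS_PORT, struct.pack("!I", 8)),
        attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        attr(NAS_IDENTIFIER, nas_id.encode()),
        attr(SERVICE_TYPE, struct.pack("!I", 8)),    # 8 = Authenticate Only
        attr(FRAMED_MTU, struct.pack("!I", 1300)),
        attr(NAS_PORT_TYPE, struct.pack("!I", 19)),  # 19 = Wireless-802.11
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def stand_in_server(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """Constructed stand-in for ISE: checks the PAP password against user_db and signs the
    reply with the RFC 2865 section 3 Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth = packet[4:20]
    attrs = dict(parse_attrs(packet[20:length]))
    user = attrs[USER_NAME].decode(errors="replace")
    password = pap_reveal(attrs[USER_PASSWORD], secret, req_auth)
    ok = user in user_db and hmac.compare_digest(user_db[user], password)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply = b"" if ok else attr(REPLY_MESSAGE, b"user not found or wrong password")
    header = struct.pack("!BBH", code, ident, 20 + len(reply))
    return header + hashlib.md5(header + req_auth + reply + secret).digest() + reply


def classify_response(response, req_auth: bytes, secret: bytes, ident: int) -> str:
    """The distinction 'test aaa show radius' draws: silence is a reachability problem;
    an answer counts only if its Response Authenticator verifies under our secret."""
    if response is None:
        return "no response: server unreachable, or it discarded the request"
    header, got_auth = response[:4], response[4:20]
    code, rid, length = struct.unpack("!BBH", header)
    if rid != ident:
        return "identifier mismatch: not a reply to our request"
    expected = hashlib.md5(header + req_auth + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, got_auth):
        return "bad Response Authenticator: shared secret mismatch or spoofed reply"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, f"code {code}")


def run_test(username, password, user_db, nas_secret=b"constructed-secret",
             server_secret=None, reachable=True) -> str:
    """One test run as the WLC would do it. server_secret simulates a shared-secret
    mismatch between NAS and server; reachable=False simulates a timeout."""
    packet, req_auth = build_access_request(username, password, nas_secret, ident=7)
    response = stand_in_server(packet, server_secret or nas_secret, user_db) if reachable else None
    return classify_response(response, req_auth, nas_secret, 7)


if __name__ == "__main__":
    db = {"alice": b"Correct-Horse"}  # constructed user store standing in for ISE/AD
    print(run_test("dummy", "Admin@123", db))                            # Access-Reject
    print(run_test("alice", "Correct-Horse", db))                         # Access-Accept
    print(run_test("alice", "Correct-Horse", db, reachable=False))        # no response: ...
    print(run_test("alice", "Correct-Horse", db, server_secret=b"other")) # bad Response Authenticator: ...
```

Two things the exchange makes visible that the CLI summary hides. First, the User-Password attribute is only XOR-masked with an MD5 stream keyed by the shared secret, which is why the WLC can print it back in cleartext: treat the test account's password as exposed to anyone who can read the CLI output or holds the shared secret. Second, "no response" is broader than a routing problem: RFC 2865 has a server silently discard a request from a NAS it does not recognise, so an ISE network-device entry that is missing or has the wrong IP looks exactly like an unreachable server, while a mismatched shared secret with PAP usually still produces a reply (the password decrypts to garbage and is rejected) whose Response Authenticator the NAS then fails to verify.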
The same test can be run from a switch with test aaa group <server-group> <username> <password> new-code; here the default group radius is used:
Test-SW3#test aaa group radius dummy Admin@123 new-code
User rejected
Conclusion :
The user is not found in the internal users identity store
We have now isolated the issue: the RADIUS server is reachable and is actively rejecting the credentials, so the problem lies with the user authentication itself, either the password is wrong or the user does not exist. That is checked in ISE and in AD (wherever your users are configured). Since the test sends the password as a PAP User-Password attribute and echoes it in the CLI output (see User-Password above), use a dedicated test account rather than a real user's credentials, and remember that the password also lands in the command history.