Verify Radius Server Connectivity with Test AAA Radius Command

Similar documents
Debugging on Cisco Wireless Controllers

Configuring Client Profiling

Identity Services Engine Guest Portal Local Web Authentication Configuration Example

Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3

ISE Version 1.3 Hotspot Configuration Example

LAB: Configuring LEAP. Learning Objectives

IEEE 802.1X Open Authentication

Configure Maximum Concurrent User Sessions on ISE 2.2

ISE Version 1.3 Self Registered Guest Portal Configuration Example

Multicast VLAN, page 1 Passive Clients, page 2 Dynamic Anchoring for Clients with Static IP Addresses, page 5

Configuring FlexConnect Groups

Central Web Authentication on the WLC and ISE Configuration Example

RADIUS Route Download

Universal Wireless Controller Configuration for Cisco Identity Services Engine. Secure Access How-To Guide Series

Configuring FlexConnect Groups

Wireless LAN Controller Web Authentication Configuration Example

Securing Cisco Wireless Enterprise Networks ( )

Configure to Secure a Flexconnect AP Switchport with Dot1x

AAA Administration. Setting up RADIUS. Information About RADIUS

Configuring NAC Out-of-Band Integration

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

IEEE 802.1X Multiple Authentication

Configuring Access Point Groups

Configure Flexconnect ACL's on WLC

Editing WLAN SSID or Profile Name for WLANs (CLI), page 6

CMX Connected Experiences- Social, SMS and Custom Portal Registration Configuration Example

Web Authentication Proxy Configuration Example

Understand and Troubleshoot Central Web- Authentication (CWA) in Guest Anchor Set- Up

Cisco TrustSec How-To Guide: Universal Configuration for the Cisco Wireless LAN Controller

FortiNAC. Cisco Airespace Wireless Controller Integration. Version: 8.x. Date: 8/28/2018. Rev: B

AAA Server Groups. Finding Feature Information. Information About AAA Server Groups. AAA Server Groups

What Is Wireless Setup

Configure Easy Wireless Setup ISE 2.2

Configure MAC authentication SSID on Cisco Catalyst 9800 Wireless Controllers

Converged Access Wireless Controller (5760/3850/3650) BYOD client Onboarding with FQDN ACLs

Configuring an Access Point as a Local Authenticator

Vendor: Cisco. Exam Code: Exam Name: Implementing Advanced Cisco Unified Wireless Security (IAUWS) v2.0. Version: Demo

Configuring AP Groups

Configuring AP Groups

RADIUS for Multiple UDP Ports

Configuring DHCP Services for Accounting and Security

Troubleshooting Web Authentication on a Wireless LAN Controller (WLC)

IEEE 802.1X RADIUS Accounting

Web Authentication Using LDAP on Wireless LAN Controllers (WLCs) Configuration Example

P ART 3. Configuring the Infrastructure

Supported RADIUS Attributes on the Wireless LAN Controller

Web Authentication Proxy on a Wireless LAN Controller Configuration Example

Pulse Policy Secure. Guest Access Solution Configuration Guide. Product Release 5.2. Document Revision 1.0 Published:

Configuring Access Point Groups

Configure Guest Flow with ISE 2.0 and Aruba WLC

Configuring IEEE 802.1x Port-Based Authentication

Configuring RADIUS Servers

Using the Web Graphical User Interface

RADIUS Change of Authorization

DHCP Server RADIUS Proxy

RSA SecurID Ready with Wireless LAN Controllers and Cisco Secure ACS Configuration Example

Using the Web Graphical User Interface

Authentication of Wireless LAN Controller's Lobby Administrator via RADIUS Server

Configuring Web-Based Authentication

Configuring Hybrid REAP

Configuration Example: TACACS Administrator Access to Converged Access Wireless LAN Controllers

Configuring WLAN Security

Configuring Security for the ML-Series Card

Per-User ACL Support for 802.1X/MAB/Webauth Users

ISE with Static Redirect for Isolated Guest Networks Configuration Example

Configuring IEEE 802.1x Port-Based Authentication

AAA Dead-Server Detection

Cisco Exam Questions & Answers

IEEE 802.1X with ACL Assignments

Configuring Web-Based Authentication

Client Data Tunneling

Working DERIVATION ROLE for DOMAIN and PERSONAL workstation without CPPM Jan14-Tutorial

Configuring Web-Based Authentication

Configuring RADIUS Clients

Configuring Aggressive Load Balancing

Configuring Security Features on an External AAA Server

Deployment Guide for Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1

Identity-Based Networking Services Command Reference, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)

Configuring Local EAP

IEEE 802.1X VLAN Assignment

DumpsFree. DumpsFree provide high-quality Dumps VCE & dumps demo free download

Dynamic VLAN Assignment with WLCs based on ACS to Active Directory Group Mapping Configuration Example

Configuring Layer2 Security

Cisco Exam Questions & Answers

Prerequisites for Controlling Switch Access with Terminal Access Controller Access Control System Plus (TACACS+)

Operation Manual AAA RADIUS HWTACACS H3C S5500-EI Series Ethernet Switches. Table of Contents

Configuring Proxy Mobile IPv6

Cisco Deploying Basic Wireless LANs

Configuring OfficeExtend Access Points

ISE Express Installation Guide. Secure Access How -To Guides Series

Configuring Web-Based Authentication

Pulse Policy Secure. Guest Access Solution Guide. Product Release 5.4R1

Configuring IEEE 802.1x Port-Based Authentication

Manage Users. About User Profiles. About User Roles

Configuring RADIUS and TACACS+ Servers

Encrypted Vendor-Specific Attributes

Configuring TACACS. Finding Feature Information. Prerequisites for Configuring TACACS

Configure 802.1x - PEAP with FreeRadius and WLC 8.3

RADIUS Logical Line ID

Configuring Web-Based Authentication

Transcription:

Verify Connectivity with Test AAA Radius Command Contents Introduction Prerequisites Requirements Components Used Background Information How The Feature Works Command Syntax Scenario 1. Passed Authentication Attempt Scenario 2: Failed Authentication Attempt Scenario 3: Communication Failed Between WLC and Scenario 4: Radius Fallback Caveats Introduction This document describes how the test aaa radius command on the Cisco WLC can be used to identify radius server connectivity and client authentication issues without the use of a wireless client. Prerequisites Requirements Cisco recommends that you have knowledge of Wireless LAN Controller (WLC) code 8.2 and above. Components Used This document is not restricted to specific software and hardware versions. Background Information Wireless client authentication issues are one of the most challenging problems that wireless network engineers face. In order to troubleshoot this, it often requires to get hold of the problematic client, work with the end users who may not have the best knowledge of wireless networks and to collect debugs and captures. In an increasingly critical wireless network, this can cause significant downtime. Up until now there was no easy way to identify if an authentication failure was caused by the

radius server which rejects the client, or just simply a reachability issue. The test aaa radius command lets you do just that. You can now remotely verify if the WLC-Radius server communication fails or if the credentials for the client results in a passed or failed authentication. How The Feature Works This is a basic workflow when you use the command test aaa radius, as shown in the image. Step 1. The WLC sends an access request message to the radius server along with the parameters that is mentioned in the test aaa radius command. For ex: test aaa radius username admin password cisco123 wlan-id 1 apgroup defaultgroup server-index 2 Step 2. The radius server validates the credentials provided and provides the results of the authentication request. Command Syntax These parameters need to be provided to execute the command: (Cisco Controller) > test aaa radius username <user name> password <password> wlan-id <wlan-id> ap-group <apgroup-name> server-index <server-index> <username> ---> Username that you are testing. <password> ---> Password that you are testing <wlan-id> ---> WLAN ID of the SSID that you are testing. <apgroup-name> (optional) ---> AP group name. This will be default-group if there is no AP group configured. <server-index> (optional) ---> The server index configured for the radius server that you are trying to test. This can be found under Security > Authentication tab. Scenario 1. Passed Authentication Attempt Let's have a look at how the command works and the outputs are seen when the test aaa radius command results in a passed authentication. When the command is executed, WLC displays the parameters with which it sends out the access request: (Cisco Controller) >test aaa radius username admin password cisco123 wlan-id 1 apgroup defaultgroup server-index 2

Attributes Values ---------- ------ User-Name admin Called-Station-Id 00:00:00:00:00:00:WLC5508 Calling-Station-Id 00:11:22:33:44:55 Nas-Port 0x0000000d (13) Nas-Ip-Address 10.20.227.39 NAS-Identifier WLC_5508 Airespace / WLAN-Identifier 0x00000001 (1) User-Password cisco123 Service-Type 0x00000008 (8) Framed-MTU 0x00000514 (1300) Nas-Port-Type 0x00000013 (19) Tunnel-Type 0x0000000d (13) Tunnel-Medium-Type 0x00000006 (6) Tunnel-Group-Id 0x00000051 (81) Cisco / Audit-Session-Id ad14e327000000c466191e23 Acct-Session-Id 56131b33/00:11:22:33:44:55/210 test radius auth request successfully sent. Execute 'test aaa show radius' for response In order to view the results of the authentication request, you need to execute the command test aaa show radius. The command can take some time to show the output if a radius server is unreachable and the WLC needs to retry or fallback to a different radius server. Result Code: Success Attributes Values ---------- ------ User-Name admin Class CACS:rs-acs5-6-0-22/230677882/20313 Session-Timeout 0x0000001e (30) Termination-Action 0x00000000 (0) Tunnel-Type 0x0000000d (13) Tunnel-Medium-Type 0x00000006 (6) Tunnel-Group-Id 0x00000051 (81) The extremely useful aspect of this command is that it shows the attributes which are returned by the radius server. This can be redirect URL and Access Control List (ACL). For example, in the case of Central Web Authentication (CWA) or VLAN info when you use VLAN override. Caution: The username/password in the access request are sent in clear text to the radius server, so you need to use it with caution if traffic flows over an unsecured network. Scenario 2: Failed Authentication Attempt Let's see how the output appears when a username/password entry results in a failed authentication.

In this case, you can see that the connectivity test resulted in a 'Success', however the radius server sent an access-reject for the username/password combination used. Scenario 3: Communication Failed Between WLC and Radius Server You need to wait for the WLC to finish it's retries before it displays the output. The time can vary based on the retry thresholds configured. In the above output you can see that the WLC tried to contact the radius server 6 times and when there was no response it marked the radius server as unreachable. Scenario 4: Radius Fallback When you have multiple radius servers configured under the Service Set Identifier (SSID) and the

primary radius server does not respond, then the WLC tries with the secondary radius server configured. This is shown very clearly in the output where the first radius server does not respond and the WLC then tries the second radius server which responds immediately. Caveats There is currently no GUI support. It is only a command that can be executed from the WLC. The verification is only for radius. It cannot be used for TACACS authentication. Flexconnect local authentication cannot be tested with this method.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback