https://community.cisco.com/t5/network-access-control/radius-automated-test/m-p/2216397#M126326 <P>Hello, </P><P></P><P>I have performed the following configuration on one of my switch to test periodically the availability of ISE servers : </P><P></P><P>radius server ISE-1</P><P> address ipv4 1.2.3.4 auth-port 1645 acct-port 1646</P><P> key 0 toto123</P><P>automate-tester username radius-test idle-time 10</P><P>!</P><P></P><P>username radius-test password toto</P><P></P><P>And on the ISE server I can see authentication failed with code </P><P> Authentication failed &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: </P><P> <SPAN style="color: red; margin-top: 0pt;">22040 Wrong password or invalid shared secret</SPAN></P><P></P><P>I am sure about the shared secret because when I try test aaa group ....from the same switch it is ok.</P><P></P><P>Does the automated test expect a valid access accept response ?</P><P></P><P>Thanks</P> Tue, 26 Mar 2019 00:30:34 GMT lionel.dupont 2019-03-26T00:30:34Z https://community.cisco.com/t5/network-access-control/radius-automated-test/m-p/2216397#M126326 <P>Hello, </P><P></P><P>I have performed the following configuration on one of my switch to test periodically the availability of ISE servers : </P><P></P><P>radius server ISE-1</P><P> address ipv4 1.2.3.4 auth-port 1645 acct-port 1646</P><P> key 0 toto123</P><P>automate-tester username radius-test idle-time 10</P><P>!</P><P></P><P>username radius-test password toto</P><P></P><P>And on the ISE server I can see authentication failed with code </P><P> Authentication failed &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;: </P><P> <SPAN style="color: red; margin-top: 0pt;">22040 Wrong password or invalid shared secret</SPAN></P><P></P><P>I am sure about the shared secret because when I try test aaa group ....from the same switch it is ok.</P><P></P><P>Does the automated test expect a valid access accept response ?</P><P></P><P>Thanks</P> Tue, 26 Mar 2019 00:30:34 GMT https://community.cisco.com/t5/network-access-control/radius-automated-test/m-p/2216397#M126326 lionel.dupont 2019-03-26T00:30:34Z https://community.cisco.com/t5/network-access-control/radius-automated-test/m-p/2216398#M126328 <HTML><HEAD></HEAD><BODY><P>Yes it is expect a valid access accept response. That is the reason due to which you are getting error.</P></BODY></HTML> Tue, 25 Jun 2013 15:47:53 GMT https://community.cisco.com/t5/network-access-control/radius-automated-test/m-p/2216398#M126328 Ravi Singh 2013-06-25T15:47:53Z https://community.cisco.com/t5/network-access-control/radius-automated-test/m-p/2216399#M126331 <HTML><HEAD></HEAD><BODY><P>It's an IOS platform specific behavior. I observed the same behaviour on different switches.</P><P></P><P><SPAN>See the following thread </SPAN><A class="jive-link-external-small" href="https://community.cisco.com/thread/2170907">https://supportforums.cisco.com/thread/2170907</A></P><P></P><P>The NAD does not expect accept accept response to consider ISE alive. Any type of answer means that ISE is alive.</P></BODY></HTML> Tue, 25 Jun 2013 19:18:37 GMT https://community.cisco.com/t5/network-access-control/radius-automated-test/m-p/2216399#M126331 Octavian Szolga 2013-06-25T19:18:37Z https://community.cisco.com/t5/network-access-control/radius-automated-test/m-p/2216400#M126333 <HTML><HEAD></HEAD><BODY><P>I tested this on 15.0(2)SE2 and got it working with the following:</P><P></P><P>'service password-encryption' is configured</P><P>I use the password option in the radius-test username (Not secret)</P><P>The password I configure on the ISE is the encrypted password (Same as what you would see in a 'show run')</P><P></P><P>I hope this helps in some way. I haven't tested with the 'secret' option.</P><P></P><P>The question I really have is whether I really need to configure the "RADIUS automated tester" feature at all.</P><P>And whether I need to load balance to my ISE PSNs. My logs are full of radius-test user entires.</P><P>I have searched for guidence on this without any success.</P></BODY></HTML> Wed, 26 Jun 2013 10:36:12 GMT https://community.cisco.com/t5/network-access-control/radius-automated-test/m-p/2216400#M126333 bbosch4210 2013-06-26T10:36:12Z https://community.cisco.com/t5/network-access-control/radius-automated-test/m-p/2216401#M126335 <HTML><HEAD></HEAD><BODY><P>Use the automate-tester command to enable automatic testing on the RADIUS server accounting and authentication UDP ports for RADIUS server load balancing. The username could be any username.</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a3.html#wp6780179500">http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a3.html#wp6780179500</A></P><P></P><P>I agree with Octavian that NAD doesn't necessarily expect radius-accept to consider ISE active.</P><P></P><P>Jatin</P><P>*Do rate helpful posts*</P></BODY></HTML> Wed, 26 Jun 2013 16:59:54 GMT https://community.cisco.com/t5/network-access-control/radius-automated-test/m-p/2216401#M126335 Jatin Katyal 2013-06-26T16:59:54Z