topic I don't think the "test aaa" in Network Access Control

Port 1812 config but port 1645 used

Catherine Paquet — Mon, 11 Mar 2019 06:20:09 GMT

Switch configured to use port 1812. Why in debug radius authentication, do we see port 1645 used between switch and ISE? See config and debug output below:

CONFIG:

L3-SWITCH(config)# radius server ISE-PRIMARY
L3-SWITCH(config-radius-server)# address ipv4 10.10.2.50 auth-port 1812 acct-port 1813
L3-SWITCH(config-radius-server)# automate-tester username ISE_HEALTH ignore-acct-port
L3-SWITCH(config-radius-server)# key sharedsecret

DEBUG OUTPUT:
L3-SWITCH# test aaa group radius admin admin$Pwd new-code

Attempting authentication test to server-group radius using radius
Dec 3 21:09:57.873: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Dec 3 21:09:57.873: RADIUS/ENCODE(00000000): dropping service type, "radius-server attribute 6 on-for-login-auth" is off

Dec 3 21:09:57.873: RADIUS(00000000): Config NAS IP: 10.10.2.1
Dec 3 21:09:57.873: RADIUS(00000000): Config NAS IPv6: ::
Dec 3 21:09:57.873: RADIUS(00000000): sending
Dec 3 21:09:57.873: RADIUS/DECODE(00000000): There is no General DB. Want server details may not be specified
Dec 3 21:09:57.873: RADIUS(00000000): Send Access-Request to 10.10.2.50:1645 id 1645/2, len 51
Dec 3 21:09:57.873: RADIUS: authenticator 99 E2 71 98 E2 84 C8 BE - 34 B9 56 91 A8 E3 DC FB
Dec 3 21:09:57.873: RADIUS: User-Password [2] 18 *

Dec 3 21:09:57.873: RADIUS: User-Name [1] 7 "admin"
Dec 3 21:09:57.873: RADIUS: NAS-IP-Address [4] 6 10.10.2.1
Dec 3 21:09:57.873: RADIUS(00000000): Sending a IPv4 Radius Packet
Dec 3 21:09:57.873: RADIUS(00000000): Started 5 sec timeout

Dec 3 21:09:57.881: RADIUS: Received from id 1645/2 10.10.2.50:1645, Access-Reject, len 20
Dec 3 21:09:57.881: RADIUS: authenticator 61 6D 9A 38 9B 58 9E 44 - 4C 4A F2 1F 29 B3 74 3F
Dec 3 21:09:57.881: RADIUS/DECODE(00000000): There is no General DB. Reply server details may not be recorded
L3-SWITCH#

Thanks.

I don't think the "test aaa"

jan.nielsen — Wed, 16 Dec 2015 17:41:14 GMT

I don't think the "test aaa" command uses all the settings from your AAA server group. There is probably an option in the command to specify port.

See the command type, with

Catherine Paquet — Wed, 16 Dec 2015 19:07:57 GMT

command used is:

L3-SWITCH# test aaa group radius admin admin$Pwd new-code

new-code means use port 1812/1813. If the keyword would have been legacy, that would have mean to use port 1645/1646.

So, it's still puzzling that if we tell the switch to use NEW-CODE (1812), the switch is using port 1645.

try this : test aaa group

jan.nielsen — Wed, 16 Dec 2015 20:11:24 GMT

try this : test aaa group radius server 10.10.2.50 auth-port 1812 acct-port 1813 admin admin$Pwd new-code

Hello All,

Ivan Gonzalez — Thu, 17 Dec 2015 16:02:00 GMT

Hello All,

Here is the issue. The command you are using to perform the test is using "radius" group which is default group IOS device uses to put the devices:

test aaa group radius admin admin$Pwd new-code

In order to test the configuration of the group you created and configured port 1812, you need to execute the test command using the group you created called "ISE-PRIMARY":

test aaa group ISE-PRIMARY admin admin$Pwd new-code/legacy

Note: Please mark it as answered if applicable

I tried Jan suggestion and it

Catherine Paquet — Thu, 17 Dec 2015 20:56:16 GMT

I tried Jan suggestion and it worked, on port 1812, without changing the group radius. Following are the results:

L3-Switch#test aaa group radius server 10.10.2.50 auth-port 1812 acct-port 1813 admin admin$Pwd new-code
User rejected
L3-Switch#
<output omitted>
Dec 17 13:20:12.803: RADIUS(00000000): Send Access-Request to 10.10.2.50:1812 id 1645/233, len 51
Dec 17 13:20:12.803: RADIUS: authenticator 8D 14 82 14 C4 AA 68 5B - DC D4 02 53 50 BB 02 AC
Dec 17 13:20:12.803: RADIUS: User-Password [2] 18 *
Dec 17 13:20:12.803: RADIUS: User-Name [1] 7 "admin"
<output omitted>
Dec 17 13:20:12.811: RADIUS: Received from id 1645/233 10.10.2.50:1812, Access-Reject, len 20
Dec 17 13:20:12.811: RADIUS: authenticator 8D 1E 41 8E 9D DC 8E 36 - 9C 70 1A 72 19 DC 04 FE
Dec 17 13:20:12.811: RADIUS/DECODE(00000000): There is no General DB. Reply server details may not be recorded
L3-Switch#
Dec 17 13:20:12.811: RADIUS(00000000): Received from id 1645/233
Dec 17 13:20:12.811: RADIUS/ENCODE(00000000):Orig. component type = Invalid
Dec 17 13:20:12.811: RADIUS(00000000): Config NAS IP: 10.10.2.1
Dec 17 13:20:12.811: RADIUS(00000000): Config NAS IPv6: ::
Dec 17 13:20:12.820: RADIUS(00000000): Sending a IPv4 Radius Packet
Dec 17 13:20:12.820: RADIUS(00000000): Started 5 sec timeout
Dec 17 13:20:12.820: RADIUS: Received from id 1646/208 10.10.2.50:1813, Accounting-response, len 20
Dec 17 13:20:12.82