Authentication problem using test aa command

WafaaK21
Level 1

I have a simple GNS3 architecture:

Ethernet2 has the ISE and the Windows Server 2012 of my architecture. I used sw1 as a NAD, but when I try to test the authentication and authorization I get this:


sw1#test aaa group radius MyRadiusGroup abcd legacy
Attempting authentication test to server-group radius using radius
User authentication request was rejected by server.

 

Here is the switch config:

sw1#sh run
Building configuration...

Current configuration : 2488 bytes
!
! Last configuration change at 14:38:35 UTC Tue Aug 20 2024
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname sw1
!
boot-start-marker
boot-end-marker
!
!
logging discriminator EXCESS severity drops 6 msg-body drops EXCESSCOLL
logging buffered 50000
logging console discriminator EXCESS
!
aaa new-model
!
!
aaa group server radius MyRadiusGroup
server name MyRadiusGroup
!
aaa authentication dot1x default group MyRadiusGroup
aaa authorization network default group MyRadiusGroup
aaa accounting dot1x default start-stop group MyRadiusGroup
!
!
!
!
!
aaa server radius dynamic-author
client 10.0.2.28 server-key abcd
!
aaa session-id common
!
!
!
!
!
no ip icmp rate-limit unreachable
!
!
!
no ip domain-lookup
no ip cef
no ipv6 cef
!
!
dot1x system-auth-control
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
ip tcp synwait-time 5
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0/0
switchport access vlan 200
switchport trunk encapsulation dot1q
switchport mode access
!
interface Ethernet0/1
switchport access vlan 10
switchport mode access
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
mab
dot1x pae authenticator
spanning-tree portfast edge
!
interface Ethernet0/2
switchport access vlan 20
switchport mode access
!
interface Ethernet0/3
switchport access vlan 30
switchport mode access
!
interface Ethernet1/0
!
interface Ethernet1/1
!
interface Ethernet1/2
!
interface Ethernet1/3
!
interface Ethernet2/0
!
interface Ethernet2/1
!
interface Ethernet2/2
!
interface Ethernet2/3
!
interface Ethernet3/0
!
interface Ethernet3/1
!
interface Ethernet3/2
!
interface Ethernet3/3
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 10.1.10.100 255.255.255.0
!
interface Vlan200
ip address 10.0.2.1 255.255.255.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.10.1
!
!
!
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server host 10.0.2.28 auth-port 1812 acct-port 1813 key abcd
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
!
!
end

sw1#

 

I don't know if I have a problem in the rules I used or what, but this is what I have right now, and my Windows 10 is supposed to be authenticated using AD.

9 Replies

I think it is a GNS3 issue.

Try using MAB if it does not work.

Sorry, you need to use other emulation programs (to be honest they are all the same, I have never seen one work correctly).

Sorry again.

MHM

What can I use other than GNS3? Does EVE-NG work better? And how can I use MAB? Normally I am using them both, as I added the Windows 10 MAC address as an endpoint.

Do

show aaa server

This gives statistics counts for requests, rejects, etc.

For MAB, I see you configured it, so if 802.1X fails then it automatically tries MAB.

And again, sorry, I don't know any emulator that works for dot1x.

MHM

sw1#Show aaa server

RADIUS: id 1, priority 1, host 10.0.2.28, auth-port 1812, acct-port 1813
State: current UP, duration 1924s, previous duration 0s
Dead: total time 0s, count 0
Quarantined: No
Authen: request 3, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 3, server error 0, incorrect 0, time 762220ms
Transaction: success 3, failure 0
Throttled: transaction 0, timeout 0, failure 0
Author: request 0, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Account: request 0, timeouts 0, failover 0, retransmission 0
Request: start 0, interim 0, stop 0
Response: start 0, interim 0, stop 0
Response: unexpected 0, server error 0, incorrect 0, time 0ms
Transaction: success 0, failure 0
Throttled: transaction 0, timeout 0, failure 0
Elapsed time since counters last cleared: 32m
Estimated Outstanding Access Transactions: 0
Estimated Outstanding Accounting Transactions: 0
Estimated Throttled Access Transactions: 0
Estimated Throttled Accounting Transactions: 0
Maximum Throttled Transactions: access 0, accounting 0
Requests per minute past 24 hours:
high - 0 hours, 29 minutes ago: 1
low - 0 hours, 32 minutes ago: 0
average: 0
sw1#

Authen: request 3, timeouts 0, failover 0, retransmission 0
Response: accept 0, reject 0, challenge 0
Response: unexpected 3, server error 0, incorrect 0, time 762220ms

These counters, together with the misconfigured network device count of 1 that appears in the ISE log, point to one thing: you did not configure
1- the correct key between ISE and the SW
2- the correct UDP port

MHM

@WafaaK21 the RADIUS request is received by ISE, the connection has hit the Default Policy set, is that to be expected? Or do you have a custom policy that was not matched?

What is the output of the connection request in the ISE Live Logs, that should provide a clue to the error.

The username is masked, go to Administration >> Settings >> Protocols >> RADIUS >> Disclose invalid usernames and select the checkbox. Then run the test again, the username should appear. Provide the ISE logs.

I've done some basic policies just so that it knows that my user is in my AD and in the Users folder; these are my policies. Also, can you please explain to me how to disclose invalid usernames, and select what exactly?

@WafaaK21 the AAA test won't match that policy, as the connection request won't be a "Wired_802.1X" connection, so it won't match the conditions in your rule. Either test with an 802.1X client, change the conditions in your policy set, or create another policy set. The ISE Live Logs will tell you the authentication method/protocol (PAP_ASCII) and from there you can modify the policy set accordingly.

That command has moved, go to Administration > Settings > Security Settings > Disclose invalid usernames.
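The two diagnoses in this thread (MHM's reading of the "unexpected" counters as a shared-key or UDP-port problem, and the point just above that a test aaa probe is a PAP_ASCII login that never satisfies a Wired_802.1X condition) can be made concrete with a small model of the RADIUS exchange. The code below is an added example for this page, not code from the thread, from Cisco or from ISE. It takes the key abcd and the NAD address 10.1.10.100 from the posted config, uses a fixed Request Authenticator instead of a random one, assumes the probe carries User-Name, a hidden User-Password, NAS-IP-Address and Service-Type=Login (the config has radius-server attribute 6 on-for-login-auth), and assumes ISE's built-in Wired_802.1X and Wired_MAB conditions are the Service-Type / NAS-Port-Type pairs written in the comments. One detail of the command as typed: the IOS syntax is test aaa group {group-name | radius} username password legacy, so "test aaa group radius MyRadiusGroup abcd legacy" uses the built-in group radius (the output line "server-group radius" reports exactly that) and sends MyRadiusGroup as the User-Name with password abcd; the example uses those values.

```python
import hashlib
import struct

# RADIUS codes, attribute types and enum values from RFC 2865
ACCESS_REQUEST, ACCESS_REJECT = 1, 3
USER_NAME, USER_PASSWORD, NAS_IP, SERVICE_TYPE, NAS_PORT_TYPE, EAP_MESSAGE = 1, 2, 4, 6, 61, 79
LOGIN, FRAMED, CALL_CHECK = 1, 2, 10   # Service-Type values
ETHERNET = 15                           # NAS-Port-Type value

SECRET = b"abcd"                        # key from the posted switch config
REQ_AUTH = bytes(range(16))             # constructed Request Authenticator; a real NAD picks it at random

def u32(n: int) -> bytes:
    return struct.pack("!I", n)

def pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def pap_reveal(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side of pap_hide; with the wrong secret it yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)

def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code: int, ident: int, req_auth: bytes, attrs, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def reply(code: int, ident: int, req_auth: bytes, attrs, secret: bytes) -> bytes:
    return packet(code, ident, response_authenticator(code, ident, req_auth, attrs, secret), attrs)

def reply_is_authentic(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    """The check a NAD makes before a reply counts as accept or reject. In this model a
    reply built with a different key fails here, so it never becomes a 'reject'."""
    code, ident, length = struct.unpack("!BBH", resp[:4])
    return resp[4:20] == response_authenticator(code, ident, req_auth, decode_attrs(resp[20:length]), secret)

def test_aaa_request(secret: bytes = SECRET, req_auth: bytes = REQ_AUTH) -> bytes:
    """Constructed approximation of the switch's probe for
    'test aaa group radius MyRadiusGroup abcd legacy' (group 'radius', user
    'MyRadiusGroup', password 'abcd'). Assumed attributes: User-Name, hidden
    User-Password, NAS-IP-Address, Service-Type=Login (attribute 6 on-for-login-auth)."""
    attrs = [(USER_NAME, b"MyRadiusGroup"),
             (USER_PASSWORD, pap_hide(b"abcd", secret, req_auth)),
             (NAS_IP, bytes([10, 1, 10, 100])),
             (SERVICE_TYPE, u32(LOGIN))]
    return packet(ACCESS_REQUEST, 1, req_auth, attrs)

def classify_protocol(attrs) -> str:
    """Simplified version of the protocol label a RADIUS server derives from the request."""
    types = {t for t, _ in attrs}
    return "EAP" if EAP_MESSAGE in types else "PAP_ASCII" if USER_PASSWORD in types else "UNKNOWN"

def matches_wired(attrs, service_type: int) -> bool:
    """Assumed to mirror ISE's built-in Wired_802.1X (FRAMED) and Wired_MAB (CALL_CHECK)
    conditions: Service-Type EQUALS <value> AND NAS-Port-Type EQUALS Ethernet."""
    d = dict(attrs)
    return d.get(SERVICE_TYPE) == u32(service_type) and d.get(NAS_PORT_TYPE) == u32(ETHERNET)

if __name__ == "__main__":
    attrs = decode_attrs(test_aaa_request()[20:])
    print("probe protocol:", classify_protocol(attrs), "| Wired_802.1X match:", matches_wired(attrs, FRAMED))
    right = reply(ACCESS_REJECT, 1, REQ_AUTH, [], SECRET)
    wrong = reply(ACCESS_REJECT, 1, REQ_AUTH, [], b"wrongkey")
    print("reject with matching key authentic:", reply_is_authentic(right, REQ_AUTH, SECRET))
    print("reject with mismatched key authentic:", reply_is_authentic(wrong, REQ_AUTH, SECRET))
```

Run it with python3. The reject built with the matching key verifies and the one built with a different key does not; in this model a key mismatch therefore never produces an accept or reject at the NAD, which is consistent with a counter line that shows requests sent but neither accepts nor rejects received. The probe itself classifies as PAP_ASCII and fails both the Framed and the Call Check condition, so a policy set keyed on Wired_802.1X or Wired_MAB is skipped before AD is ever consulted; a real supplicant (EAP-Message, Service-Type Framed, NAS-Port-Type Ethernet) is what those conditions are written for.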

Arne Bier
VIP

As @Rob Ingram said, the "test aaa" command is only there to test basic RADIUS connectivity between the NAS and the AAA server, using PAP authentication. If you want to test your switch's NAC configuration, then you will need a real supplicant connected to a NAC-configured interface. In the lab you can get away with a VM running an OS such as Windows, connected to the switch. But if you are learning how to write ISE Policy Sets, then you don't need any NAS devices. You can use software to send 802.1X EAP requests to ISE. Examples of such software are wpa_supplicant (Linux) and, on Mac, EAPTest. If this is what you're after, watch Thomas Howard's YouTube video on this. I have also written a three-part guide on how to use radtest and wpa_supplicant (what I call "Lab in a Laptop").