Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4360
Views
16
Helpful
7
Replies

Is username "dummy" exist by default in ISE used when testing "automate-tester username dummy probe-on"?

Go to solution
getaway51
Level 2
Level 2

‎10-16-2019 06:02 PM

Hi,

 

Is the password for this CLI "automate-tester username dummy probe-on" needed?

 

radius server ise

automate-tester username dummy probe-on

key testise

Is "key testise" related to automate-tester username dummy probe-on? 

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎10-16-2019 07:31 PM

"dummy" in the "automate-tester username dummy probe-on" command is an administrator defined username, dummy can be replaced with anything. The user does not need to exist anywhere, the switch is perfectly fine with ISE sending a radius-reject back in response to the probe.

"key testise" is the radius shared secret that the switch uses to communicate with ISE. You set the key "testise" to anything you want, but it has to match on the network device configured within the ISE GUI.

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎10-16-2019 07:31 PM

"dummy" in the "automate-tester username dummy probe-on" command is an administrator defined username, dummy can be replaced with anything. The user does not need to exist anywhere, the switch is perfectly fine with ISE sending a radius-reject back in response to the probe.

"key testise" is the radius shared secret that the switch uses to communicate with ISE. You set the key "testise" to anything you want, but it has to match on the network device configured within the ISE GUI.
0 Helpful

Go to solution
getaway51
Level 2
Level 2
In response to Damien Miller

‎10-17-2019 12:45 AM

Hi,

 

So this "dummy" is not a username configured in ISE. Basically "dummy" is going to fail. 

But the key needs to be correct same like in ISE.

AM i  correct? 

0 Helpful

Go to solution
getaway51
Level 2
Level 2
In response to Damien Miller

‎10-22-2019 06:26 AM

Hi,

 

If I check the username dummy(by filter) in the ISE live logs, can I see the failed session for user "dummy"? 

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to getaway51

‎10-24-2019 07:38 AM

By default ISE will not disclose invalid usernames in the RADIUS logs.  You can turn that annoying feature off in the RADIUS settings in ISE.  As Damien said ISE can reject the authentication and the switch won't care as long as it is getting a response.  

 

I usually setup a policy set for the switch keep alives as I don't like not handling the request properly.  I set the authentication to internal user and set the user not found to Continue.  Then I put in an authorization rule to allow the access with a deny all DACL.  Once I see the successful hits in the RADIUS logs I turn on suppression for the User ID so the switch probes aren't filling up my logs.

Go to solution
fhowzejr2
Level 1
Level 1
In response to paul

‎05-26-2020 12:00 PM

Is it possible to share your authentication and authorization rules in your policy set?  I would like to do this as the "Invalid" errors is filling up the Live logs.

 

Thanks

0 Helpful

Go to solution
paul
Level 10
Level 10
In response to fhowzejr2

‎05-26-2020 12:29 PM

Skip the policy set and just go to Administration->System->Logging->Collection Filters and setup a new collection filter to Filter All for the username "dummy" or whatever you are using for your switch keep-alive probes.

Go to solution
fhowzejr2
Level 1
Level 1
In response to paul

‎05-26-2020 01:32 PM

Thanks so much, I applied the collection filter and no longer have the clutter in Live Logs.


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents