Radius Automated Test

lionel.dupont
Level 1

Hello,

I have performed the following configuration on one of my switches to test the availability of the ISE servers periodically:

radius server ISE-1
 address ipv4 1.2.3.4 auth-port 1645 acct-port 1646
 key 0 toto123
 automate-tester username radius-test idle-time 10
!
username radius-test password toto

And on the ISE server I can see the authentication failing with this code:

Authentication failed:
22040 Wrong password or invalid shared secret

I am sure about the shared secret because when I try test aaa group .... from the same switch it is OK.

Does the automated test expect a valid Access-Accept response?

Thanks

4 Replies

Ravi Singh
Level 7

Yes, it expects a valid Access-Accept response. That is the reason you are getting the error.

Octavian Szolga
Level 4

It's an IOS platform-specific behavior. I observed the same behaviour on different switches.

See the following thread: https://supportforums.cisco.com/thread/2170907

The NAD does not expect an Access-Accept response to consider ISE alive. Any type of answer means that ISE is alive.

I tested this on 15.0(2)SE2 and got it working with the following:

'service password-encryption' is configured

I use the password option in the radius-test username (not the secret option).

The password I configure on the ISE is the encrypted password (same as what you would see in a 'show run').

I hope this helps in some way. I haven't tested with the 'secret' option.

The question I really have is whether I really need to configure the "RADIUS automated tester" feature at all.

And whether I need to load balance to my ISE PSNs. My logs are full of radius-test user entries.

I have searched for guidance on this without any success.
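The point made in this reply (any answer, including an Access-Reject for the test user, proves the server is alive) and the 22040 message quoted in the question both follow from how RFC 2865 ties the shared secret into the packet. The Python below is an added illustration of that, not code from any poster here or from Cisco; it reuses the secret and password from the question's sample config and a fixed Request Authenticator (constructed; real ones are random per request).

```python
import hashlib
import struct
from typing import Optional, Tuple

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11

def encode_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks and XOR each block
    with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def decode_user_password(blob: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side. A wrong shared secret yields garbage rather than an error, which is
    why a PAP request lets the server report only 'wrong password or invalid shared secret'."""
    out, prev = b"", req_auth
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(blob[i:i + 16], key))
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")

def build_response(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server reply (Accept/Reject/Challenge). RFC 2865 section 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def classify_reply(pkt: Optional[bytes], req_auth: bytes, secret: bytes) -> Tuple[str, Optional[int]]:
    """NAD side, as a liveness tester judges it: any reply whose Response Authenticator
    verifies under the shared secret proves the server is up, Access-Reject included.
    No packet (timeout) or a reply that fails verification is not a sign of life."""
    if pkt is None or len(pkt) < 20:
        return ("dead", None)
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:length] + secret).digest()
    if pkt[4:20] != expected:
        return ("dead", None)
    return ("alive", code)

if __name__ == "__main__":
    ra = bytes(range(16))  # constructed Request Authenticator; real ones are random
    hidden = encode_user_password(b"toto", b"toto123", ra)
    print(decode_user_password(hidden, b"toto123", ra), decode_user_password(hidden, b"wrong", ra))
    print(classify_reply(build_response(ACCESS_REJECT, 7, ra, b"toto123"), ra, b"toto123"))
```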

Jatin Katyal
Cisco Employee

Use the automate-tester command to enable automatic testing on the RADIUS server accounting and authentication UDP ports for RADIUS server load balancing. The username could be any username.

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-a3.html#wp6780179500

I agree with Octavian that the NAD doesn't necessarily expect an Access-Accept to consider ISE active.

Jatin

*Do rate helpful posts*

~Jatin