
10-16-2019 05:51 PM
Hi,
Is it possible to test ISE RADIUS server authentication with a Cisco switch using "test aaa"?
I noticed a username is needed when doing "test aaa group radius...", but when setting up network devices & key in ISE, no username was used; it only has the secret key.
When I test TACACS, I have a username & password.
Solved!
Labels: Identity Services Engine (ISE)
Accepted Solutions
10-18-2019 01:43 AM
Hello,
The test aaa command is typically used on the NAD to test RADIUS server reachability and authentication against both locally created users on ISE and users in the AD integrated into ISE.
The above also depends on the configuration in place, I mean the RADIUS server configured on ISE, i.e. if this is ISE then the ISE IP address will be the RADIUS authentication server, and this will also be reflected in all AAA commands on the NAD.
Now let's say we don't have access to the NAD; fine, Cisco ISE is also capable of testing a user based on Kerberos, MS RPC and Lookup, for both locally created users on ISE and users within the AD, which can be viewed on ISE under the following tab:
Administration --> External Identity Sources --> Active Directory
From the above page you can click on the AD to test a user by selecting all integrated DCs, using the methods explained above (Kerberos, MS RPC and Lookup).
For administrator troubleshooting, I believe the best is using Lookup because this does not require the user's password. If users are not locally created, one can get this via the live logs or from the Context Visibility tab.
10-16-2019 07:35 PM
In order for the authentication to pass there has to be some basic rule on ISE. At the most basic level, the test aaa command validates that the radius server IP and shared key are configured correctly. It works in a nearly identical way to how the tacacs test does, only it leverages radius.
10-17-2019 01:50 AM
Where can I get the username from ISE? Where can I check for this info in ISE? I only remember having to specify the network device's IP and key. No username.

10-17-2019 06:20 AM
There is no username to configure or required for RADIUS integration between a network device and ISE. The test aaa command simply lets you authenticate a real username and password from the switch to ISE, and as Damien said, it is stored either as a local user or in some external identity source such as AD or LDAP. The credentials have to be valid and a policy has to be in place to succeed.
For example, maybe the username you use to log in to your computer is 'getaway51'; you would test aaa with that username and password.
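As an added illustration (not part of this thread or of any reply in it), this is what the switch-side check described above looks like on a Cisco IOS switch. The server name, group name, IP address, shared secret and test user below are placeholders; the only switch-specific secret ISE holds is the shared key entered under the ISE network device, while the username and password passed to test aaa must be a real account (an ISE internal user or a user in the AD joined to ISE) that a matching ISE policy allows.

```text
! Added example, not from the thread. Placeholder values are in angle brackets.
! 1) Define the ISE policy service node as a RADIUS server on the switch.
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <shared-secret-entered-for-this-switch-in-ISE>
!
! 2) Put it in a server group that the aaa commands reference.
aaa group server radius ISE-GROUP
 server name ISE-PSN1
!
! 3) Send a real user's credentials through that group. No username is
!    configured on the switch for ISE; the account is one ISE can look up
!    (internal user or AD user). 'new-code' uses the current AAA code path.
Switch# test aaa group ISE-GROUP <ad-or-internal-username> <user-password> new-code
User successfully authenticated
!
! A wrong password or no matching allowed-protocols/authentication policy
! comes back as a reject rather than a success, e.g.:
! User rejected
```

When reading the result, distinguish the two failure modes: a reject means ISE received and processed the request (the entry is visible in ISE under Operations > RADIUS > Live Logs with the reason), whereas no response at all usually points at reachability or a shared-secret mismatch, because a NAD that is unknown to ISE or that uses the wrong key is not answered.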

10-18-2019 02:32 AM
Do you mean that I put in the AD username & password that my PC uses to log in to the Windows domain?
10-18-2019 03:17 AM
Hello,
Yes, as long as the user is part of the AD integrated into Cisco ISE. But if you don't have the password, then that's still possible both on the switch and on Cisco ISE. Check the attached; that's what it looks like on ISE, and you can change the authentication type between RPC, Kerberos or Lookup.
On the switch, use the AAA command.
10-18-2019 06:58 AM
The screenshot you provided, can I use it to test AD authentication from ISE to the AD servers?
Where in ISE can I launch the test?
