Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
16245
Views
0
Helpful
7
Replies

Test ISE radius server authentication with Cisco switch using "test aaa"

Go to solution
getaway51
Level 2
Level 2

‎10-16-2019 05:51 PM

Hi,

 

Is it possbile to Test ISE radius server authentication with Cisco switch using "test aaa"?

I noticed username is needed when doing "test aaa group radius..." , but when setting up network devices & key in ISE, no username was used, only has secret key.

When i test tacacs, i have username & pwd. 

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Afolarin Omole
Level 1
Level 1
In response to jj27

‎10-18-2019 01:43 AM

Hello,

The test aaa command is typically use on NAD to test radius server reachability and authentication against booth locally created user on ISE or for user with the AD integrated into ISE.

The above also depends on the configuration in place I mean the radius server configured on ISE i.e. if this is ISE then ISE IP address will be the radius server authentication and  this also will be reflected in all AAA commands on NAD.

 

Now let say we don't have access to the NAD , fine Cisco ISE is also capable of testing user based on Kerberos , MS RPC and Lookup for both locally created user on ISE NAD within the AD. which can be view on ISE following the below TAB :

Administration --> external identity store ---- Active Directory

From the above page you can click on the AD to test user by selecting all integrated DC using the methods explained above (Kerberos , MS RPC and Lookup ).

For administrator Troubleshooting , I belief the best is using lookup because this does not require user password. If Users are not locally created , one can get this via live logs or from the context visibility tab.

 

 

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎10-16-2019 07:35 PM

When you use the test aaa command, you typically enter a real username and password that is either configured in the local identity store of ISE, or more commonly, an active directory/ldap account.

In order for the authentication to pass there has to be some basic rule on ISE. At the most basic level, the test aaa command validates that the radius server IP and shared key are configured correctly. It works in a nearly identical way to how the tacacs test does, only it leverages radius.
0 Helpful

Go to solution
getaway51
Level 2
Level 2
In response to Damien Miller

‎10-17-2019 01:50 AM

where can i get the username frm ISE? where can i check for this info in ISE? I only remembered having to specify network devices IP and key. No username.

0 Helpful

Go to solution
jj27
Spotlight
In response to getaway51

‎10-17-2019 06:20 AM

There is no username to configure or required for RADIUS integration between a network device and ISE.  The test aaa command simply lets you authenticate a real username and password from the switch to ISE, and as Damien said, it is stored either as a local user or in some external identity source such as AD or LDAP.  The credentials have to be valid and a policy has to be in place to succeed.

 

For example, maybe the username you use to login to your computer is 'getaway51', you would test aaa with that username and password.

0 Helpful

Go to solution
Afolarin Omole
Level 1
Level 1
In response to jj27

‎10-18-2019 01:43 AM

Hello,

The test aaa command is typically use on NAD to test radius server reachability and authentication against booth locally created user on ISE or for user with the AD integrated into ISE.

The above also depends on the configuration in place I mean the radius server configured on ISE i.e. if this is ISE then ISE IP address will be the radius server authentication and  this also will be reflected in all AAA commands on NAD.

 

Now let say we don't have access to the NAD , fine Cisco ISE is also capable of testing user based on Kerberos , MS RPC and Lookup for both locally created user on ISE NAD within the AD. which can be view on ISE following the below TAB :

Administration --> external identity store ---- Active Directory

From the above page you can click on the AD to test user by selecting all integrated DC using the methods explained above (Kerberos , MS RPC and Lookup ).

For administrator Troubleshooting , I belief the best is using lookup because this does not require user password. If Users are not locally created , one can get this via live logs or from the context visibility tab.

 

 

0 Helpful

Go to solution
getaway51
Level 2
Level 2
In response to jj27

‎10-18-2019 02:32 AM

Hi

Do you mean tht i put in the ad username & pwd tht my pc use to login to
Windows domain?
0 Helpful

Go to solution
Afolarin Omole
Level 1
Level 1
In response to getaway51

‎10-18-2019 03:17 AM

Hello ,

Yes , as long as the user is part of the AD integrated into cisco ISE . But if you don't have the password then that's still possible both on switch and Cisco ISE. Check the attached , that's what it look like on ISE , and you can change authentication type from RPC, KERBEROS OR LOOKUP .

On switch use AAA command.

 

ISE.JPG
Preview file
36 KB
0 Helpful

Go to solution
getaway51
Level 2
Level 2
In response to Afolarin Omole

‎10-18-2019 06:58 AM

the screenshot you provided i can use to test AD authentication frm ISE to the AD servers? 

Where is it in ISE can i launch the test ?

0 Helpful
Top