04-08-2025 08:47 AM
> test aaa-server authentication PINGid host 172.26.38.87 username admin
Password: >
Attempting to test without entering the password since it is plain text AND logged, it puts a > after the prompt. Anything typed afterwards just sits, have to enter ctrl-C to break out of it.
Another issue I have is if I enter username and password, authentication fails. It is sending a bad password, and the same test on an ASA returns the ping prompt to validate MFA, but on the FTD no PING response and if I try too many times my account gets locked out. I can't test VPN because it's failing to authenticate.
Why would it send a fouled password?
04-08-2025 09:46 AM
Try it from the LINA shell ("system support diagnostic-cli" and "en" with no enable password).
04-08-2025 10:11 AM
How do I stop all the scrolling though? It's like watching a debug all!
04-08-2025 10:24 AM
Check your platform settings in FMC - you probably have console logging enabled (which is not a default setting).
04-08-2025 11:13 AM
Thanks Marvin, that was it. I'm testing successfully, however, one thing noted in logging is the NAS IP is all 0's, 0.0.0.0. How do I get it to report the inside IP that it is sourcing from?
04-09-2025 06:48 AM
The log you are looking at may not include the RADIUS Device IP address. I just tested from an FTD to ISE and it shows up in the ISE RADIUS Live log authentication details.
04-09-2025 07:58 AM
The log from the PINGid server is showing NAS-IP-ADDRESS: 0.0.0.0 instead of probably the inside IP that it should source from. When the same test is run on the ASA it shows the inside IP of the ASA. Is this just normal behavior, or is something misconfigured?
04-09-2025 09:20 AM - edited 04-09-2025 09:20 AM
I suspect it is just reflecting the particular RADIUS Attribute-Value (A-V) pair they are parsing and showing to you on the PINGid side. You can validate this by capturing the traffic to it at the FTD and looking at the A-V pairs being sent to them. As I confirmed with Cisco ISE, the source address is definitely being passed from an FTD device. Third party products may or may not show that detail, but it's included in the information that FTD sends.
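The check suggested in the reply above, as an added example that is not part of the original thread: a Python parser that walks the attributes in the UDP payload of a captured RADIUS Access-Request and reports the NAS-IP-Address attribute (type 4 in RFC 2865), which is separate from the packet's IP source address. The function names, the sample packets and the address 192.0.2.10 are constructed for illustration.

```python
import ipaddress
import struct

USER_NAME = 1        # RFC 2865 attribute types
NAS_IP_ADDRESS = 4

def parse_radius_attributes(payload: bytes):
    """Return (type, value) pairs from the UDP payload of a RADIUS packet."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20          # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, payload[pos + 2:pos + a_len]))
        pos += a_len
    return attrs

def nas_ip_address(payload: bytes):
    """Return the NAS-IP-Address attribute as a string, or None if it is absent."""
    for a_type, value in parse_radius_attributes(payload):
        if a_type == NAS_IP_ADDRESS and len(value) == 4:
            return str(ipaddress.IPv4Address(value))
    return None

def build_access_request(username: str, nas_ip=None) -> bytes:
    """Constructed sample packet (zeroed authenticator), only for exercising the parser."""
    attrs = bytes([USER_NAME, 2 + len(username)]) + username.encode()
    if nas_ip is not None:
        attrs += bytes([NAS_IP_ADDRESS, 6]) + ipaddress.IPv4Address(nas_ip).packed
    return struct.pack("!BBH", 1, 0x2A, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    # Constructed cases: attribute set to all zeros, set to an address, and missing.
    for label, ip in (("zeros", "0.0.0.0"), ("inside", "192.0.2.10"), ("absent", None)):
        print(label, nas_ip_address(build_access_request("admin", ip)))
```

Comparing the value this reports with the source address in the capture's IP header shows whether the 0.0.0.0 is in the packet itself or only in how the receiving server displays it.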