Test AAA issue

michaelglosker
Level 1

Hello everyone!

I'm currently in the process of setting up AAA (Authentication, Authorization, and Accounting) on my Cisco Catalyst 9300 Switch to establish communication with a Windows NPS server.

Once the configuration was completed on both ends, I attempted to use the command "test aaa new radius username password new-code" and received a successful result. However, upon inspecting the logs on the NPS side, specifically the Audit success log, I noticed that the Authentication type used was PAP.

I'm curious as to why PAP was employed. Is it the default authentication type? Additionally, I'd like to know if there's a more secure way to perform an AAA test, considering that PAP transmits passwords in clear text.

Another question is, is there a way to test AAA from a specific interface?

The commands I utilized to configure the switch were:

- aaa new-model

- aaa authentication dot1x default group radius

- dot1x system-auth-control

2 Accepted Solutions

Hi

"I'm curious as to why PAP was employed."

For simplicity, as it allows you to use a username and password. It would not be easy to test using a certificate, for example. But it does not mean this is the authentication method for production.

"Another question is, is there a way to test AAA from a specific interface?"

Yes, just use the command:

ip tacacs source-interface <layer3 interface / vlan>


RADIUS sends clear text.
TACACS sends the password/username with a hash at the end of the packet for security.

ip tacacs/radius source-interface <IP> <<- this IP will always be used to connect to AAA and for test aaa

More about TACACS security:

https://security.stackexchange.com/questions/173445/how-exactly-does-tacacs-encryption-work

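The question's concern that the `test aaa` check carried the password in clear text, and the two answers contrasting RADIUS with TACACS, can be checked against the RADIUS protocol itself. The Python below is an added example, not code from this thread, from Cisco or from Microsoft: it implements the RFC 2865 section 5.2 User-Password hiding that a RADIUS client applies to a PAP request, the reversal a server such as NPS performs on receipt, and the CHAP response (RFC 2865 section 5.3) as the alternative that keeps the password off the wire. The shared secret, Request Authenticator, challenge and password are constructed values for the demonstration.

```python
"""RADIUS PAP vs CHAP password handling as seen on the wire.

Added example, not Cisco IOS or Windows NPS code. All constants below are
constructed for the demonstration.
"""
import hashlib
import secrets

# Constructed sample values (not from any real deployment)
SHARED_SECRET = b"example-shared-secret"
PASSWORD = b"Sw1tchT3st!"
REQ_AUTH = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # 16-byte Request Authenticator
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")  # 16-byte CHAP challenge


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Encode the User-Password attribute value (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 octets; each 16-octet block
    is XORed with MD5(secret + previous block), seeded with the Request
    Authenticator from the Access-Request header.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits the password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # chaining: the next keystream block depends on this ciphertext block
    return bytes(out)


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password: what the RADIUS server does on receipt.

    Anything that holds the shared secret and sees the Access-Request gets the
    password back, which is why RADIUS PAP is treated as clear text in practice.
    Assumes the original password contained no NUL octets (RFC 2865 only pads).
    """
    if len(hidden) % 16 != 0:
        raise ValueError("hidden User-Password must be a multiple of 16 octets")
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value = MD5(id + password + challenge) (RFC 2865 section 5.3, RFC 1994).

    Only this 16-octet digest crosses the wire; the password never does. The
    server must hold the cleartext (or reversibly encrypted) password to verify it.
    """
    return hashlib.md5(bytes([chap_id & 0xFF]) + password + challenge).digest()


def chap_verify(chap_id: int, response: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server-side check of a CHAP response against the stored password."""
    return secrets.compare_digest(response, chap_response(chap_id, stored_password, challenge))


def demo() -> dict:
    """Run the checks a practitioner would want and return the findings."""
    hidden = hide_user_password(PASSWORD, SHARED_SECRET, REQ_AUTH)
    response = chap_response(1, PASSWORD, CHALLENGE)
    return {
        "hidden_user_password_hex": hidden.hex(),
        "pap_roundtrip": reveal_user_password(hidden, SHARED_SECRET, REQ_AUTH) == PASSWORD,
        "wrong_secret_recovers": reveal_user_password(hidden, b"guess", REQ_AUTH) == PASSWORD,
        "chap_ok": chap_verify(1, response, PASSWORD, CHALLENGE),
        "chap_reveals_password": PASSWORD in response,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The defender's reading of this: RADIUS PAP does not send the raw password, but the only thing between a capture of the Access-Request and the password is an MD5 stream keyed on the shared secret, so the secret must be long and random and the switch-to-NPS path should be a trusted management network. CHAP keeps the password off the wire but requires the server to hold it reversibly, which on NPS means enabling reversible encryption on the account. For RADIUS, the counterpart of the TACACS source-interface command in the accepted answer is the global `ip radius source-interface <interface>`.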

4 Replies


pokhrelaj
Level 1

Hi Michael,

Can you please share the configuration? I am setting up AAA on my Cisco Catalyst 9300 Switch to establish communication with a Windows NPS server. Every time, I get "User authentication request was rejected by the server" with the test command. Also, I have configured a port with dot1x, but it's not even getting an IP address. Please help.


Regards,

Aj

Make a new post, please.

Thanks 

MHM