
"test AAA group xxx username password new-code" always showed the "user rejected"

yaoszhan
Cisco Employee

I would like to test the AAA connection on a 9800-40 WLC. The software version of the WLC is 16.12.03. I used the following command:

C9840-2#test aaa group zys-20 zys1 Test12345 new-code
User rejected

But it should have passed authentication in ISE, as follows:

I am not sure why it shows "User rejected"; it should be User access. What is wrong with this?

Screen Shot 2020-09-14 at 15.24.05.png

6 Replies

Scott Fella
Hall of Fame
I did try that also and got the same results and figured that it probably was not yet supported/functional since I didn’t see it referenced in the command reference guide.
-Scott
*** Please rate helpful posts ***

Thanks, Scott, for helping to validate again. It looks like ISE can receive the access-request message, but the WLC can’t handle the access-accept message from ISE correctly.

Yes you are correct, that is why I believe the feature isn’t available since it’s not in the reference guide. So until they fix/support that command, you will have to figure out another way to test.
-Scott
*** Please rate helpful posts ***

OCT
Level 1

Hi Yaoszhan,

Not sure what code you are running, but I am able to test:

ZA-WLC-9800-ENT-WLC#test aaa group tacacs+ octvwyk xxxx new-code
Sending password
User successfully authenticated

USER ATTRIBUTES

username 0 "octvwyk"
reply-message 0 "password: "

Using the reference below:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html#anc10

Regards

Grendizer
Cisco Employee

As a reference:

#test aaa group radius yourusername yourpassword new-code

#test aaa group radius dummy 1234 new-code

Or, if you have multiple RADIUS servers configured on the 9800, then you need to specify the correct one as below:

#test aaa group radius server name ISE24 dummy 1234 new-code

Or

#test aaa group radius server name ISE24 dummy 1234 legacy

legacy will give you more understandable results than new-code, BUT the legacy option will not work with ISE 2.2; it will work with ISE 2.4 and later.

While ISE24 is not actually the DNS name of this server, it is the server name as it’s configured on the 9800 and called out under the radius group. dummy is the username, 1234 is the password.

TACACS is the same, but we can't test individual servers as with RADIUS:
#test aaa group tacacs+ dummy 1234 new-code
Or
#test aaa group tacacs+ dummy 1234 legacy
