Controllerless Networks


aaa test-server returns neither error nor failure

  • 1.  aaa test-server returns neither error nor failure

    Posted Nov 21, 2022 04:39 PM
    Hi all,

    Added a RADIUS server to my Instant configuration, tried testing it in format of:

    aaa test-server PRDDCEUS2001 username <username> password <redacted> auth-type EAP

    Expected behavior: per aaa test-server a successful login gets a return of Authentication is successful

    Observed behavior: Neither a success return nor commentary on an error. Nothing returns, I've no idea if it's right or not.

    Aside from a risky scream test, how do I know I have the RADIUS auth right?


  • 2.  RE: aaa test-server returns neither error nor failure

    EMPLOYEE
    Posted Nov 21, 2022 05:34 PM
    if this is for Instant APs, then the auth-type should be pap

    IAP-1# aaa test-server clearpass username staff1 password blahblah auth-type ?
    <type> pap

    IAP-1#

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 3.  RE: aaa test-server returns neither error nor failure

    Posted Nov 21, 2022 06:05 PM
    Yes, I see that in the docs, but when PAP isn't enabled on the NPS server (because it's unencrypted) it logs an unsupported type error.


  • 4.  RE: aaa test-server returns neither error nor failure

    EMPLOYEE
    Posted Nov 21, 2022 06:39 PM
    I would look in the Event viewer and see if the NPS receives an authentication message that doesn't match any policies.  AAA test server does not always match the policies you are using to evaluate incoming authentication.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 5.  RE: aaa test-server returns neither error nor failure

    Posted Nov 21, 2022 09:06 PM
    Yes, I see the auth attempts in the event log so the shared secret and to/from configuration have to be right.  I'd just know I did my auditing that this config is right if I could get the expected Authentication is successful result.  The docs say that's expected behavior.


  • 6.  RE: aaa test-server returns neither error nor failure

    EMPLOYEE
    Posted Nov 21, 2022 09:22 PM
    If you see the attempts, does it pass or fail in the event viewer or is there an error?  The controller only reflects passes, fails and timeouts.  What is happening in the event viewer is your best clue.  If the test command doesn't match what your remote access policies are, it will fail.  Let us know what the event viewer says.




  • 7.  RE: aaa test-server returns neither error nor failure

    Posted Nov 21, 2022 09:23 PM
    Specifically, it logs this.

    AccountSessionIdentifier
    -
    ReasonCode
    66

    Reason
    The user attempted to use an authentication method that is not enabled on the matching network policy.

    LoggingResult
    Accounting information was written to the local log file.


    True fact, type of PAP is not allowed.  It just spews the credentials in plaintext repeatedly at the server until it replies.  Why would aaa test-server demand sending in a format that nobody should be using?


  • 8.  RE: aaa test-server returns neither error nor failure

    EMPLOYEE
    Posted Nov 21, 2022 09:33 PM
    There should be more information lower down in the event viewer message about what attributes it is sending.  You can compare those attributes with your remote access policy to see if they would ever match.

    There are quite a few ways that remote access policies can be configured, depending on what users you want authenticating and what auth types you want them to use, and what attributes you are expecting from the NAS device (the Instant device).  The aaa test server was designed at a time in the past where attributes and remote access policies were more homogenous and simpler.  These days, remote access policies are more specific and the aaa test-server might fail, depending (for example, some radius servers even test to make sure that authentications are coming from the correct SSID).  I personally would use an actual client to test instead of aaa test-server if it is failing and you cannot figure out the mismatch.




  • 9.  RE: aaa test-server returns neither error nor failure

    Posted Nov 22, 2022 09:53 AM
    Totally tracking what you say about comparing what AAA is sending and what NPS is allowing, and the mismatch is clear: the docs I cited say that for the auth-type parameter, one should use PAP (which makes me ask why it's even a parameter if there's only one choice to be used).  My NPS policy doesn't allow PAP; we're not going to do repeated plaintext password sends at a server until it replies.

    >I personally would use an actual client to test instead of aaa test-server if it is failing and you cannot figure out the mismatch.

    No doubting that would be the most effective real-world test, but if my configuration is wrong, I've made a self-induced Ticket Generating Event, which I'd rather avoid... by doing something like using a command line test tool that confirms a configuration vs putting it into production.  It seems to exist, AND it comes from a past tense of simpler remote access policies, and may not be a reliable choice today, per the reply above.


  • 10.  RE: aaa test-server returns neither error nor failure

    EMPLOYEE
    Posted Nov 22, 2022 11:04 AM
    I think it is best that I test a command before I comment.  I see now that Aruba Instant only supports pap (which would be valid for captive portal), but the controller-based aaa test-server command I am familiar with supports mschapv2:

    (7005) #aaa test-server
    mschapv2 MSCHAPv2 Authentication
    pap PAP Authentication
    
    (7005) #aaa test-server mschapv2

    I don't think that command would be useful in your situation.   If you did enable pap, which is used for captive portal authentication, it would at least let you know that username and password authentication to AD through the radius server does work.  Even the aaa test-server command in the controller using mschapv2 cannot test things like proper client supplicant settings, etc so it has limited value.

    I apologize for the confusion.

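    An added example (not code from this thread, from Aruba or from Microsoft): a minimal RFC 2865 PAP exchange in Python with both sides simulated offline, showing what an `auth-type pap` test puts on the wire, a toy server that rejects every PAP request while PAP is disabled in its policy (the situation NPS logs as reason code 66), and a client that only trusts a reply whose Response Authenticator verifies under the shared secret. The User-Password attribute is hidden with an MD5 keystream derived from the shared secret and the request authenticator, so the server, and anyone else holding that secret, recovers the password; that is why PAP belongs only on a path you already trust. The shared secret, user names and passwords below are constructed values.

```python
import hashlib
import os
import struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2  # RFC 2865 attribute types carried by a PAP request

def pap_xor(data, secret, authenticator, hiding):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block); hiding=False reverses it."""
    data = data + b"\x00" * (-len(data) % 16)  # pad the cleartext (a no-op when decoding)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = block if hiding else data[i:i + 16]  # chain on the hidden block either way
        out += block
    return out if hiding else out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, authenticator=None):
    """Client side: what an `auth-type pap` test puts on the wire; authenticator is 16 random bytes."""
    authenticator = authenticator or os.urandom(16)
    hidden = pap_xor(password, secret, authenticator, True)
    attrs = struct.pack("!BB", USER_NAME, len(username) + 2) + username
    attrs += struct.pack("!BB", USER_PASSWORD, len(hidden) + 2) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(payload):
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        kind, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):  # malformed TLV off the network: refuse it
            raise ValueError("malformed attribute")
        attrs[kind] = payload[i + 2:i + length]
        i += length
    return attrs

def build_response(code, request, secret):
    header = struct.pack("!BBH", code, request[1], 20)  # this toy sends no reply attributes
    return header + hashlib.md5(header + request[4:20] + secret).digest()  # MD5(Code+ID+Len+ReqAuth+Attrs+Secret)

def simulate_server(request, secret, users, pap_enabled):
    """Toy policy engine: with PAP disabled every PAP request is rejected (what NPS reason code 66 logs)."""
    attrs = parse_attributes(request[20:])
    if not pap_enabled or USER_PASSWORD not in attrs:
        return build_response(ACCESS_REJECT, request, secret)
    granted = users.get(attrs.get(USER_NAME)) == pap_xor(attrs[USER_PASSWORD], secret, request[4:20], False)
    return build_response(ACCESS_ACCEPT if granted else ACCESS_REJECT, request, secret)

def check_response(response, request, secret):
    """Client side: trust the code only if the ID matches and the authenticator verifies, else None."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[0] if len(response) >= 20 and response[1] == request[1] and expected == response[4:20] else None
```

    A reply that fails `check_response` (wrong secret on either side, or a tampered packet) is reported as no usable answer rather than as a pass or fail, which is the distinction a test tool needs to make before anyone reads "nothing came back" as a policy problem.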



  • 11.  RE: aaa test-server returns neither error nor failure

    Posted Nov 22, 2022 11:55 AM
    Understood, no problem.

    I guess it's coming down to "if you really want to use aaa test-server to validate a configuration of Aruba Instant, you're obligated to config the NPS side to accept PAP".
    I feel like the fact that my NPS logs show the expected calling station and client within means those parts are communicating. Since the policies are ported from a deployed NPS server, I've high confidence they're as desired.

    Kinda related: is the service order set in a Configuration: Network: Security a Primary/backup use, or a round robin configuration?


  • 12.  RE: aaa test-server returns neither error nor failure

    EMPLOYEE
    Posted Nov 22, 2022 11:59 AM
    Primary/backup




  • 13.  RE: aaa test-server returns neither error nor failure

    Posted Nov 22, 2022 12:17 PM
    Well, the test scenario is obvious.  Promote the new NPS server to the top spot, clear the 2nd, and wait for the screams. :)