I think it is best that I test a command before I comment. I see now that aruba instant only supports pap (which would be valid for captive portal), but the controller-based aaa test-server command I am familiar with supports mschapv2:
(7005) #aaa test-server
mschapv2 MSCHAPv2 Authentication
pap PAP Authentication
(7005) #aaa test-server mschapv2
I don't think that command would be useful in your situation. If you did enable PAP, which is used for captive portal authentication, it would at least let you know that username and password authentication to AD through the RADIUS server does work. Even the aaa test-server command in the controller using mschapv2 cannot test things like proper client supplicant settings, etc., so it has limited value.
I apologize for the confusion.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------
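The posts above turn on what `auth-type pap` actually puts on the wire. The following is an added example, not code from the thread or from Aruba/HPE: it builds a RADIUS Access-Request the way a NAS would for a PAP test, using the User-Password hiding scheme from RFC 2865 section 5.2 (MD5 of the shared secret and Request Authenticator, XORed with the password), decodes it again, and checks an Access-Accept's Response Authenticator from RFC 2865 section 3. The shared secret, NAS address, NAS identifier, username, password and the "MAC:SSID" layout of Called-Station-Id are constructed values for the example; nothing here talks to a real server. What it demonstrates is that PAP is not plaintext on the wire, but it is reversible by anyone holding the shared secret, and that the attribute list is exactly what an NPS policy matches against.

```python
"""Added example: RADIUS/PAP Access-Request encoding and decoding per RFC 2865.
Not from the Aruba thread or from Aruba/HPE code. All secrets, addresses,
names and the Called-Station-Id layout below are constructed for illustration.
"""
import hashlib
import os
import struct

# RADIUS codes and attribute types from RFC 2865 (only the ones used here)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
USER_NAME = 1
USER_PASSWORD = 2
NAS_IP_ADDRESS = 4
SERVICE_TYPE = 6
CALLED_STATION_ID = 30
NAS_IDENTIFIER = 32


def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_pap_password: the shared secret is all that is needed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; length covers the 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(username: str, password: str, secret: bytes, authenticator: bytes,
                         ident: int = 1, nas_ip: str = "10.0.0.5", nas_id: str = "IAP-1",
                         ssid: str = "CORP") -> bytes:
    """Assemble an Access-Request as a wireless NAS would for a PAP probe.
    The 'MAC:SSID' form of Called-Station-Id is an assumption for this example."""
    attrs = (avp(USER_NAME, username.encode())
             + avp(USER_PASSWORD, hide_pap_password(password.encode(), secret, authenticator))
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(SERVICE_TYPE, struct.pack("!I", 1))          # 1 = Login
             + avp(CALLED_STATION_ID, f"00-11-22-33-44-55:{ssid}".encode())
             + avp(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes):
    """Return (code, id, authenticator, [(type, value), ...]) for a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs


def response_authenticator_ok(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    Without this check a forged Access-Accept from anyone on the path would pass."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return response[4:20] == expected


def make_access_accept(ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Server side: an attribute-free Access-Accept with a valid Response Authenticator."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


if __name__ == "__main__":
    secret, req_auth = b"testing123", os.urandom(16)           # constructed values
    req = build_access_request("staff1", "blahblah", secret, req_auth)
    code, ident, ra, attrs = parse_packet(req)
    for t, v in attrs:
        print(t, v)                                          # what the NPS policy sees
    print(reveal_pap_password(dict(attrs)[USER_PASSWORD], secret, ra))
    print(response_authenticator_ok(make_access_accept(ident, ra, secret), ra, secret))
```

Use it to eyeball the attribute set before pointing a test at a production NPS: the printed type/value pairs (User-Name, NAS-IP-Address, Called-Station-Id and so on) are what a network policy's conditions match against, which is the mismatch the replies above suggest looking for in the Event Viewer.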
Original Message:
Sent: Nov 22, 2022 09:53 AM
From: Steve Yuroff
Subject: aaa test-server returns neither error nor failure
Totally tracking what you say about comparing what AAA is sending and what NPS is allowing, and the mismatch is clear: the docs I cited say that for the auth-type parameter, one should use PAP (which makes me ask why it's even a parameter if there's only one choice to be used). My NPS policy doesn't allow PAP; we're not going to do repeated plaintext password sends at a server until it replies.
>I personally would use an actual client to test instead of aaa test-server if it is failing and you cannot figure out the mismatch.
No doubting that would be the most effective real-world test, but if my configuration is wrong, I've made a self-induced Ticket Generating Event, which I'd rather avoid... by doing something like using a command line test tool that confirms a configuration vs putting it into production. It seems to exist, AND it comes from a past tense of simpler remote access policies, and may not be a reliable choice today, per the reply above.
Original Message:
Sent: Nov 21, 2022 09:33 PM
From: Colin Joseph
Subject: aaa test-server returns neither error nor failure
There should be more information lower down in the event viewer message about what attributes it is sending. You can compare those attributes with your remote access policy to see if they would ever match.
There are quite a few ways that remote access policies can be configured, depending on what users you want authenticating and what auth types you want them to use, and what attributes you are expecting from the NAS device (the Instant device). The aaa test server was designed at a time in the past where attributes and remote access policies were more homogenous and simpler. These days, remote access policies are more specific and the aaa test-server might fail, depending (for example, some radius servers even test to make sure that authentications are coming from the correct SSID). I personally would use an actual client to test instead of aaa test-server if it is failing and you cannot figure out the mismatch.
Original Message:
Sent: Nov 21, 2022 09:22 PM
From: Steve Yuroff
Subject: aaa test-server returns neither error nor failure
Specifically, it logs this.
AccountSessionIdentifier: -
ReasonCode: 66
Reason: The user attempted to use an authentication method that is not enabled on the matching network policy.
LoggingResult: Accounting information was written to the local log file.
True fact, type of PAP is not allowed. It just spews the credentials in plaintext repeatedly at the server until it replies. Why would aaa test-server demand sending in a format that nobody should be using?
Original Message:
Sent: Nov 21, 2022 06:38 PM
From: Colin Joseph
Subject: aaa test-server returns neither error nor failure
I would look in the Event viewer and see if the NPS receives an authentication message that doesn't match any policies. AAA test server does not always match the policies you are using to evaluate incoming authentication.
Original Message:
Sent: Nov 21, 2022 06:05 PM
From: Steve Yuroff
Subject: aaa test-server returns neither error nor failure
Yes, I see that in the docs, but when PAP isn't enabled on the NPS server (because it's unencrypted) it logs an unsupported type error.
Original Message:
Sent: Nov 21, 2022 05:33 PM
From: Ariya Parsamanesh
Subject: aaa test-server returns neither error nor failure
if this is for Instant APs, then the auth-type should be pap
IAP-1# aaa test-server clearpass username staff1 password blahblah auth-type ?
<type> pap
IAP-1#
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
Original Message:
Sent: Nov 21, 2022 04:38 PM
From: Steve Yuroff
Subject: aaa test-server returns neither error nor failure
Hi all,
Added a RADIUS server to my Instant configuration, tried testing it in format of:
aaa test-server PRDDCEUS2001 username <username> password <redacted> auth-type EAP
Expected behavior: per the aaa test-server docs, a successful login gets a return of "Authentication is successful".
Observed behavior: Neither a success return nor commentary on an error. Nothing returns, I've no idea if it's right or not.
Aside from a risky scream test, how do I know I have the RADIUS auth right?