RadiusTest Guide: Troubleshooting AAA and RADIUS Server Connectivity
When deploying secure networks, RADIUS (Remote Authentication Dial-In User Service) is the backbone of Authentication, Authorization, and Accounting (AAA). However, misconfigurations, network restrictions, or server issues can lead to authentication failures, causing headaches for network administrators.
The test aaa command (or similar radiustest utilities on various platforms) is an indispensable tool for diagnosing these issues in real-time. This guide explains how to use these commands to pinpoint connectivity problems between your network access devices (NAS) and the RADIUS server. 1. Understanding the test aaa Command
The “RadiusTest” function allows a network device (such as a Cisco WLC, AP, or Switch) to act as a client and send a synthetic authentication request to a configured RADIUS server. This helps determine if the issue is with the user credentials, the server configuration, or network connectivity. Basic Command Syntax (Cisco WLC Example)
test aaa server radius Use code with caution.
: The IP address of your RADIUS server (e.g., Cisco ISE, FreeRADIUS, Microsoft NPS). /: Credentials to test. : Typically 1812 for authentication. 2. Step-by-Step Troubleshooting Scenario Step A: Verify Network Reachability (Ping)
Before testing RADIUS protocols, ensure the server is reachable. Action: Ping the RADIUS server from the device.
Result: If pings fail, check routing, firewall rules, or VPN connectivity between the AP/WLC and the RADIUS server. Step B: Execute the Test Command
Use the command tailored to your platform to simulate a user login.
Example (Cisco): test aaa server radius 192.168.1.10 testuser1 password123 1812 key Step C: Interpret the Output Success: The server sends an Access-Accept.
Conclusion: Connectivity is fine; the issue likely lies with the client device, supplicant configuration, or certificate issues on the client side. Failure – “No Response” (Timeout):
Conclusion: The request is not reaching the server, or the server is ignoring it. Check UDP ⁄1813 firewall rules. Failure – “Access-Reject”: Conclusion: The server received the request but denied it. 3. Common RADIUS Failure Causes & Fixes
Based on test aaa results, here are the most common issues to check, as documented in Fortinet and Cisco troubleshooting guides:
Shared Secret Mismatch: The most common cause. The “shared secret” configured on the network device (AP/WLC) must exactly match the secret configured on the RADIUS server.
IP Address Misconfiguration: The RADIUS server must recognize the NAS IP address sending the request as a valid client. If the WLC sends packets from a management IP that is not defined, the server will reject them.
Incorrect UDP Ports: Ensure Authentication (1812) and Accounting (1813) ports are correct.
Server Certificate Issues: If using EAP-TLS or PEAP, the RADIUS server must have a valid certificate that the client trusts.
Firewall Blocking UDP: RADIUS relies on UDP. Ensure that intermediate firewalls are not blocking ports 1812 and 1813. 4. Advanced Troubleshooting
If the test aaa command still doesn’t explain the failure, utilize packet captures (Sniffer) on the server. Look for Access-Request arriving and check if the server is responding, as described in Fortinet’s guide.
Check RADIUS server logs to see if it sees the incoming packets but rejects them due to invalid credentials or user policies.
For further details, refer to the documentation for your specific infrastructure, such as Cisco Meraki RADIUS troubleshooting or Arista CloudVision WiFi RADIUS setup.
If you’d like to share which specific vendor’s hardware (e.g., Cisco, Arista, Fortinet) you are using and what specific error message you see, I can provide more targeted troubleshooting steps. RADIUS Issue Resolution Guide – Cisco Meraki Documentation
Leave a Reply