Testing AAA Configuration on Cisco ASA & Cisco IOS

This tutorial focuses on testing AAA (Authentication, Authorization, and Accounting) on common Cisco ASA and IOS (including IOS-XE and IOS-XR) devices to verify the AAA configuration works as expected and the AAA server is reachable.

Testing AAA on Cisco ASA

Command:

ciscoasa# test aaa-server authentication <ServerGroupName> host <ServerIP> username <username> password <password>

Explanation of Variables:

  • test aaa-server: Think of this as the ASA’s way of asking, “Hey, server, are you listening?” It simulates a login attempt without actually logging you into anything.
  • authentication: Specifies that you are testing the authentication feature.
  • <ServerGroupName>: This is the group of AAA servers you configured. If you called it RADIUS-GROUP, that’s what you’d use here. Naming your groups intuitively can save you headaches later.
  • host <ServerIP>: The IP address of the AAA server you want to test.
  • username <username>: This is the account you’re using to test. I once saw a team testing with an admin account, only to discover the admin account wasn’t even set up on the RADIUS server yet. Lesson learned: verify your test credentials!
  • password <password>: The password for the test account. This is where most issues crop up—typos, expired passwords, or accounts locked due to too many failed attempts.

Example:

ciscoasa# test aaa-server authentication RADIUS-GROUP host 192.168.1.10 username admin password admin123

Expected Successful Output:

INFO: Authentication Successful

Enable Debugging if Test Fails:

ciscoasa# debug aaa authentication

This displays real-time logs that identify issues such as incorrect server configuration (wrong server IP, port, or shared secret) or invalid credentials. Debugging is powerful, but it also costs CPU on a busy device, so turn it off as soon as you have what you need.

Disable Debugging After Troubleshooting:

ciscoasa# undebug all

Testing AAA on Cisco IOS Switch or Router

Command:

Switch# test aaa group <GroupName|radius|tacacs+|diameter> <username> <password> new-code

Explanation of Variables:

  • test aaa: A built-in Cisco IOS command to test AAA server connectivity and authentication.
  • group <GroupName|radius|tacacs+|diameter>: Specify the protocol group or a specific group name. If you called it RADIUS-GROUP, that’s what you’d use here.
  • <username>: The username to test authentication, matching an account configured on the AAA server.
  • <password>: The password corresponding to the username.
  • new-code: Ensures the command uses the new authentication code, improving compatibility with modern AAA servers.

Example:

Switch# test aaa group RADIUS-GROUP admin admin123 new-code

Expected Successful Output:

User successfully authenticated

Debugging:

Switch# debug aaa authentication
Switch# debug radius

One time, debugging revealed that the switch was sending the wrong IP address to the RADIUS server due to a misconfigured NAT rule. It was a facepalm moment, but also a valuable learning experience.

Disable Debugging:

Switch# undebug all
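Both test commands above, when pointed at a RADIUS group, put the same thing on the wire: an RFC 2865 Access-Request carrying the username and a hidden User-Password, answered by an Access-Accept or Access-Reject whose Response Authenticator the device must verify before trusting it. The Python below is an added example, not part of the original tutorial or of Cisco's code; the server is simulated in-process, and the shared secret, user database, NAS address and identifiers are constructed values. What it adds to the text is why the debug output matters: no reply, an Access-Reject, and a reply with a bad Response Authenticator (the server was configured with a different shared secret) are three different failures, and the last one is easy to misread as invalid credentials.

```python
"""Minimal RADIUS (RFC 2865) Access-Request / Access-Accept exchange, modelling what
`test aaa-server authentication` (ASA) and `test aaa group ... new-code` (IOS) send.
Constructed example: the server side runs in-process, nothing is transmitted."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_REPLY_MESSAGE = 1, 2, 4, 18


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Server side: inverse of hide_password, with the NUL padding stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def _attrs(pairs) -> bytes:
    # Each attribute is Type (1 byte), Length (1 byte, includes the header), Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def parse_attrs(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        t, ln = data[pos], data[pos + 1]
        if ln < 2 or pos + ln > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[t] = data[pos + 2:pos + ln]
        pos += ln
    return attrs


def build_access_request(secret, username, password, nas_ip, ident, authenticator=None):
    """What the NAS (ASA or switch) sends for the test command; authenticator is random on the wire."""
    auth = authenticator or os.urandom(16)
    attrs = _attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(secret, auth, password.encode())),
        (ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs


def _response_authenticator(code, ident, attrs, req_auth, secret):
    # MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3.
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def simulated_server(request, secret, user_db):
    """Constructed stand-in for the AAA server: decode the password, look the user up, sign the reply."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    user = attrs[ATTR_USER_NAME].decode()
    pw = reveal_password(secret, req_auth, attrs[ATTR_USER_PASSWORD]).decode(errors="replace")
    if user_db.get(user) == pw:
        code, reply = ACCESS_ACCEPT, _attrs([(ATTR_REPLY_MESSAGE, b"Welcome")])
    else:
        code, reply = ACCESS_REJECT, _attrs([(ATTR_REPLY_MESSAGE, b"Login incorrect")])
    resp_auth = _response_authenticator(code, ident, reply, req_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(reply)) + resp_auth + reply


def check_response(request, response, secret):
    """NAS side: classify the outcome the way the device must before printing a verdict."""
    if response is None:
        return "no reply (server unreachable, wrong port, or request dropped)"
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return "identifier mismatch (reply is for a different request)"
    expected = _response_authenticator(code, ident, response[20:length], request[4:20], secret)
    if not hmac.compare_digest(expected, response[4:20]):
        return "bad Response Authenticator (shared secret mismatch)"
    if code == ACCESS_ACCEPT:
        return "Authentication Successful"
    if code == ACCESS_REJECT:
        return "Access-Reject (invalid credentials or user not provisioned)"
    return f"unexpected code {code}"


if __name__ == "__main__":
    secret, users = b"constructed-secret", {"admin": "admin123"}
    req = build_access_request(secret, "admin", "admin123", "192.168.1.1", 7)
    print(check_response(req, simulated_server(req, secret, users), secret))
    print(check_response(req, simulated_server(req, b"different-secret", users), secret))
```

The ordering in `check_response` is the practical lesson: the Response Authenticator is checked before the code is read, so a server that was given a different shared secret shows up as a discarded reply, not as a rejected login. That is the case where `debug aaa authentication` reports a failure although the account itself is fine.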
