802.1X (dot1x) wired and wireless client authentication failures are among the most challenging problems network engineers face. If we know a step-by-step way to isolate the issue, though, resolving it becomes much easier. Troubleshooting normally requires access to the affected client for captures and debugs, and working with end users who may know nothing about the network; you cannot expect the same from everyone. On an increasingly critical network, this can cause significant downtime. There is, however, an easy way to identify whether an authentication failure was caused by the RADIUS server rejecting the client or simply by a reachability problem.
The test aaa radius command lets you do just that. You can verify remotely, without involving the problematic client, whether communication between the network device and the RADIUS server fails, or whether the client's credentials result in a passed or failed authentication.
(Cisco Controller) > test aaa radius username <user name> password <password> wlan-id <wlan-id>
Here I run the test aaa command below for the user name dummy and password Admin@123, checking against my WLAN TEST, which has ID 1.
(Test-WLC-1) >test aaa radius username dummy password Admin@123 wlan-id 1
Radius Test Request
Wlan-id........................................ 1
ApGroup Name................................... none
Attributes                      Values
----------                      ------
User-Name                       dummy
Called-Station-Id               00-00-00-00-00-00:TEST-OFFICE
Calling-Station-Id              00-11-22-33-44-55
Nas-Port                        0x00000008 (8)
Nas-Ip-Address                  10.122.106.221
NAS-Identifier                  Test-WLC-1
Airespace / WLAN-Identifier     0x00000001 (1)
User-Password                   Admin@123
Service-Type                    0x00000008 (8)
Framed-MTU                      0x00000514 (1300)
Nas-Port-Type                   0x00000013 (19)
Tunnel-Type                     0x0000000d (13)
Tunnel-Medium-Type              0x00000006 (6)
Tunnel-Group-Id                 0x000000c3 (195)
Cisco / Audit-Session-Id        0a7a6add000b1e7d62b195cb
Acct-Session-Id                 62b195cb/00:11:22:33:44:55/1894950
test radius auth request successfully sent. Execute 'test aaa show radius' for response
To view the result of the authentication request, execute the command test aaa show radius. Its output shows whether the RADIUS server was unreachable, in which case the WLC needs to retry or fall back to a different RADIUS server, and otherwise what the server answered.
(Test-WLC-1) >test aaa show radius
Radius Test Request
Wlan-id........................................ 1
ApGroup Name................................... none
Radius Test Response
Radius Server          Retry   Status
-------------          -----   ------
10.122.106.223         1       Success
Authentication Response:
Result Code: Authentication failed
No AVPs in Response
In this case you can see that the connectivity test resulted in 'Success' (the server is reachable and answered), but the RADIUS server sent an Access-Reject for the username/password combination used.
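The same three-way distinction the WLC test makes (server unreachable, Access-Reject, Access-Accept) can be reproduced from any host. The following Python script is an added example, not code from the original article or from Cisco: it builds an RFC 2865 Access-Request carrying a PAP User-Password (the same attribute the WLC sends above), verifies the Response Authenticator with the shared secret, and classifies the outcome. The shared secret, the NAS-Identifier "probe-host" and the server replies in the offline demo are constructed placeholders; the live probe takes the real server address and secret from the command line.

```python
import hashlib
import os
import socket
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate User-Password as in RFC 2865 section 5.2: pad to a multiple of 16
    and XOR each 16-byte block with MD5(secret + previous block / request authenticator)."""
    blocks = max(1, -(-len(password) // 16))          # at least one 16-byte block
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += chunk
        prev = chunk
    return out


def build_access_request(identifier, username, password, secret, nas_id, authenticator=None):
    """Assemble Code | ID | Length | Request Authenticator | attributes (TLV, length incl. header)."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username.encode()),
                             (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
                             (ATTR_NAS_IDENTIFIER, nas_id.encode())):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def classify_response(packet, request_authenticator, secret, identifier):
    """Map what came back (or did not) onto the outcomes the test aaa commands distinguish."""
    if packet is None:
        return "unreachable"           # no reply at all: retry / fall back to another server
    if len(packet) < 20:
        return "malformed"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != identifier or length < 20 or length > len(packet):
        return "malformed"             # reply does not match our request or has a bad length
    packet = packet[:length]           # octets beyond Length are ignored per RFC 2865
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if packet[4:20] != expected:
        return "bad-authenticator"     # shared secret mismatch or reply not from the real server
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")


def probe(server, port, username, password, secret, nas_id, timeout=3.0, identifier=1):
    """Send one Access-Request over UDP and classify the reply; a timeout means 'unreachable'."""
    req_auth = os.urandom(16)
    request = build_access_request(identifier, username, password, secret, nas_id, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify_response(reply, req_auth, secret, identifier)


def make_response(code, identifier, request_authenticator, secret, attrs=b""):
    """Constructed server reply for the offline demonstration (not captured from a real server)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


if __name__ == "__main__":
    import sys
    # Offline demonstration with constructed replies: no network traffic is generated.
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))
    reject = make_response(ACCESS_REJECT, 1, req_auth, secret)
    print("Access-Reject      ->", classify_response(reject, req_auth, secret, 1))
    print("no reply (timeout) ->", classify_response(None, req_auth, secret, 1))
    print("wrong secret       ->", classify_response(reject, req_auth, b"other-secret", 1))
    # Live probe against a real server: python radius_probe.py <server> <secret> <user> <password>
    if len(sys.argv) == 5:
        server, live_secret, user, pw = sys.argv[1:]
        print("live result        ->", probe(server, 1812, user, pw, live_secret.encode(), "probe-host"))
```

Two results deserve a note when reading the live output. "unreachable" covers more than a down server: a RADIUS server silently discards requests from an IP it does not know as a network device (ISE behaves this way for unregistered NAS clients), so a timeout can also mean the probing host is not registered. "bad-authenticator" with a reply means the server did answer but the shared secret on one side is wrong. Only "reject" points at the credentials themselves, which is the case the article's WLC output shows.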
The same test can also be executed from the switch:
Test-SW3#test aaa group radius dummy Admin@123 new-code
User rejected
Conclusion
The user is not found in the internal users identity store
Here we have isolated the issue and can conclude that the problem lies with the user authentication itself: either the password is wrong or the user does not exist. That can be checked on ISE and in AD (wherever your users are configured).