Cisco ASA and IOS Command Tip — Test Aaa-Server
February 18, 2008 by Greg Ferro
I have been working on a VPN setup that loads the Group Policy from a CiscoSecure ACS server. During the process I discovered the test aaa-server command. It's a very handy tool when you are doing this kind of stuff.
When you are configuring AAA on your ASA or on later versions of IOS, you want to confirm that your configuration is good and that the server is available and responding correctly.
IOS Version
r1#test aaa group tacacs+ greg password legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
r1#
ASA Version
fw2# test aaa-server authentication csacs-radius
Server IP Address or name: 192.168.200.80
Username: gf
Password: ********
INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
ERROR: Authentication Rejected: AAA failure
fw2# test aaa-server authentication csacs-radius
Server IP Address or name: 192.168.200.80
Username: gf
Password: ********
INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
INFO: Authentication Successful
fw2#
Note that on IOS you can choose the group, or a specific server in the group. This makes it possible to check that all servers in the group are working.
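As an added example (not from the original post or from Cisco), this Python parser reads a saved transcript of the ASA test aaa-server session shown above and reports which servers failed their most recent test. The function names and the saved-transcript workflow are assumptions; the strings it matches are the ones in the output above.

```python
import re

# Constructed input: the ASA session from this page, saved as text.
SAMPLE = """\
fw2# test aaa-server authentication csacs-radius
Server IP Address or name: 192.168.200.80
Username: gf
Password: ********
INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
ERROR: Authentication Rejected: AAA failure
fw2# test aaa-server authentication csacs-radius
Server IP Address or name: 192.168.200.80
Username: gf
Password: ********
INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
INFO: Authentication Successful
fw2#
"""

CMD = re.compile(r"^\S+# test aaa-server authentication (\S+)")
FIELD = re.compile(r"^(Server IP Address or name|Username): (\S+)")

def parse_tests(transcript):
    """Return one dict per test run: group, server, user, result, detail."""
    runs, cur = [], None
    for line in map(str.strip, transcript.splitlines()):
        if (m := CMD.match(line)):
            # Each command starts a run; no verdict line leaves it "unknown".
            cur = {"group": m.group(1), "server": "", "user": "",
                   "result": "unknown", "detail": ""}
            runs.append(cur)
        elif cur is None:
            continue
        elif (m := FIELD.match(line)):
            cur["user" if m.group(1) == "Username" else "server"] = m.group(2)
        elif line == "INFO: Authentication Successful":
            cur["result"] = "ok"
        elif line.startswith("ERROR:"):
            cur["result"], cur["detail"] = "failed", line[6:].strip()
    return runs

def failing_servers(runs):
    """(group, server) pairs whose most recent test did not succeed."""
    last = {(r["group"], r["server"]): r["result"] for r in runs}
    return sorted(k for k, v in last.items() if v != "ok")
```

A run that never reaches a verdict line (for example a session cut off mid-test) is reported as "unknown" and counted as failing, so a silent server is not mistaken for a healthy one.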
There are some other switches that would be of use to people doing more sophisticated AAA configuration. For example, on IOS there is this accounting switch:
r1#test aaa accounting ?
  alloc_fid        Allocate flow id
  alloc_uid        Allocate AAA unique id
  dealloc_fid      Deallocate flow id
  dealloc_uid      Deallocate unique id
  giga             Giga-word accounting test
  init             Initialize test aaa accounting infrastructure
  reset            Reset the variables
  send_acct_start  Send accounting start
  send_acct_stop   Send accounting stop
  send_authen_req  Send authen req
r1#



