How to test your RADIUS configuration on the Cisco 5508 controller without having APs and clients.
Authentication problems are pretty common when configuring the WLAN controller to authenticate users on a WLAN against a RADIUS server.
When configuring the WLAN controller, you have to create the WLAN itself on the controller, and then create the RADIUS Authentication and Accounting configurations as well. This is where most of the problems lie. If the RADIUS keys do not match, the users will not be able to get on the WLAN.
Create the WLAN according to your requirements:
Create the RADIUS Authentication and Accounting configurations:
Go back to the WLAN and add/select the AAA servers you just created:
With the WLAN completely configured to your requirements (meaning, configure the other requirements on the other tabs for the WLAN) it is time to test. One way would be to use an AP and a client and try to join the WLAN. However, if you are remote, and configuring the WLANs for future deployments, not being onsite presents a challenge when testing the RADIUS configuration on the WLAN Controller.
This document assumes you are comfortable with command line access into the WLAN Controller.
We are going to use the “test aaa radius” command to test the scenario mentioned in the paragraph above. We are going to use a fictitious username and password of “juser” & “mypassword”. Since we just created the WLAN, we know it is WLAN ID #5, and there is no AP Group, so we will use “default-group”. We just created the RADIUS server configuration, and its server index is #1.
Here is the syntax of the command:
test aaa radius username juser password mypassword wlan-id 5 apgroup default-group server-index 1
Next, you have to issue the command “test aaa show radius” to see if everything is working correctly (your session will tell you the command to issue):
Here’s a successful authentication test output:
(Cisco Controller) >test aaa show radius
Radius Test Request
Wlan-id........................................ 5
ApGroup Name................................... default-group
Server Index................................... 1
Radius Test Response
Radius Server Retry Status
------------- ----- ------
192.168.100.100 1 Success
Authentication Response:
Result Code: Success
Here’s an unsuccessful authentication test output:
(Cisco Controller) >test aaa show radius
Radius Test Request
Wlan-id........................................ 5
ApGroup Name................................... default-group
Server Index................................... 1
Radius Test Response
Radius Server Retry Status
------------- ----- ------
192.168.100.100 1 Success
Authentication Response:
Result Code: Authentication failed (this is wrong username/password)
Here’s an unsuccessful authentication test output because the controller cannot reach the server:
(Cisco Controller) >test aaa show radius
Radius Test Request
Wlan-id........................................ 5
ApGroup Name................................... default-group
Server Index................................... 1
Radius Test Response
Radius Server Retry Status
------------- ----- ------
192.168.100.100 6 No response received from server (this is self-explanatory)
Authentication Response:
Result Code: No response received from server (this is self-explanatory)
Here’s how to test RADIUS Fallback:
Make sure it is configured:
Make sure both authentication servers are listed in the WLAN profile
Then go back to where we were in testing:
(Cisco Controller) >test aaa show radius
Radius Test Request
Wlan-id........................................ 5
ApGroup Name................................... default-group
Server Index................................... 1
Radius Test Response
Radius Server Retry Status
------------- ----- ------
192.168.100.100 6 No response received from server
192.168.100.101 1 Success
Authentication Response:
Result Code: Success
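The four outputs above differ only in the per-server status rows and the final Result Code, so a saved session can be sorted into those cases mechanically. The following Python parser is an added example, not part of the original post and not Cisco tooling; the function names and the category labels ("success", "fallback-success", "rejected", "unreachable") are assumptions made here, and the sample text is the fallback output from this page.

```python
import re

# Constructed sample: the RADIUS fallback output shown on this page.
SAMPLE = """\
(Cisco Controller) >test aaa show radius
Radius Test Request
Wlan-id........................................ 5
ApGroup Name................................... default-group
Server Index................................... 1
Radius Test Response
Radius Server Retry Status
------------- ----- ------
192.168.100.100 6 No response received from server
192.168.100.101 1 Success
Authentication Response:
Result Code: Success
"""

SERVER_ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(.+?)\s*$")
RESULT = re.compile(r"^\s*Result Code:\s*(.+?)\s*$")

def parse_test_aaa(text):
    """Return the per-server rows and the final result code from the output."""
    servers, result = [], None
    for line in text.splitlines():
        m = SERVER_ROW.match(line)
        if m:
            servers.append({"server": m.group(1), "retries": int(m.group(2)),
                            "status": m.group(3)})
            continue
        m = RESULT.match(line)
        if m:
            result = m.group(1)
    return {"servers": servers, "result": result}

def classify(parsed):
    """Map parsed output onto the four cases walked through on this page."""
    servers, result = parsed["servers"], parsed["result"] or ""
    answered = [s for s in servers if s["status"].startswith("Success")]
    silent = [s for s in servers if s["status"].startswith("No response")]
    if result.startswith("Success"):
        return "fallback-success" if silent else "success"
    if result.startswith("Authentication failed"):
        return "rejected"      # server answered, credentials refused
    if silent and not answered:
        return "unreachable"   # no listed server answered the controller
    return "unknown"
```

Running classify(parse_test_aaa(...)) over captured sessions for each WLAN gives a quick record of which server index answered and whether fallback was exercised.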