Testing the current Cisco IOS AAA configuration interactively, from the command line.

This command is useful, when debugging AAA configuration made on a given component that runs IOS, router or switch. No needless login routine needed.

Usually 2 separate terminal sessions are needed when configuring or debugging AAA, on whatever component. One terminal is needed for the debug output, and also to have a session to not shot yourself in the knee while configuring AAA, the 2-nd terminal session is needed to initiate a user AAA session.

You do not mess around with AAA configuration on routers, switches, linux or windows nodes. This is universally true, AAA configuration needs to be alweay dealt with care. Everyone made at least once an experience, with misconfigured AAA and its consequences.

Run IOS AAA tests using the currently running SSH or telnet session. Test if this command is available, in the current used firmware. If it is not, then the image does not have this test feature.

Testing in this netlab using following IOS version. This is already a pretty dated firmware, so chances are good Cisco has put this test aaa command into its firmware, shipping as default:

R1# sh ver | i Cisco.IOS
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S3, RELEASE SOFTWARE (fc1)

List available test aaa commmands:

R1# test aaa ?

  accounting AAA accounting tests aes-encrypted Test AES Encrypted routine authentication AAA Client authentication test authorization AAA Client authorization test group AAA Server Group Keyword stop Stop non-blocking AAA Server Group Testing

TACACS+ authentication testing, username cisco and password the same. There are 3 options to choose from:

R1# test aaa group tacacs+ cisco cisco ?

  legacy Code path through legacy new-code Code path through new-code port Port send as part of request

This is the output using the legacy option:

R1# test aaa group tacacs+ cisco cisco legacy

Attempting authentication test to server-group tacacs+ using tacacs+ User was successfully authenticated.

This is the output using the new-code option, this option shows the reply-message.The reply-message reveals the name of the use AAA software used at the backend.

R1# test aaa group tacacs+ cisco cisco new-code

Sending password User successfully authenticated   USER ATTRIBUTES   username 0 'cisco' reply-message 0 ' Welcome to TACACS+NG   Password:

Testing the port option:

port      Port send as part of request

Not sure where port would be used. It is inclueded int the test aaa group IOS command, maybe you will have a use case for this. If yes then let me know, I'll update this entry then.

To make the AAA almost complete, IOS has the same option testing AAA using RADIUS or the Diameter protocol . Use the test aaa group ? command:

R1# test aaa group ?

  WORD AAA Server group name diameter Test list of all Diameter hosts radius Test list of all Radius hosts tacacs+ Test list of all Tacacs+ hosts

Ask yourself which AAA protocols are missing in this list. Ask youself why they eventually are missing. Not focusing on the implementation side from the vendor.

Cisco IOS-XR and NX-OS might have similar CLI commands for AAA configuration testing.