

Troubleshoot and Test RADIUS

Once you have configured the Policy Server to act as a RADIUS authentication server, you can test and troubleshoot the policies using the tools described in subsequent topics.

Generate RADIUS Logs for Accounting and Debugging

RADIUS logs track debugging and accounting information generated by the Policy Server. Use the RADIUS log file to track the following:

Logs are turned on and off using the Policy Server Management Console from the Debug tab.

The Policy Server time stamps the log file with the date and time it was created. For example, "log.txt" can be specified as the name of the file. When the Policy Server is restarted and the Policy Server creates the log file, the date and time are added to the name.

If you are appending logging information to the same file, the date on the file reflects the date and time it was created. The timestamp is only updated if the Policy Server is restarted.

Read RADIUS Log Files With Smreadclog

Smreadclog reads the RADIUS log files generated by the Policy Server. It is useful for troubleshooting the Policy Server when it is used as a RADIUS authentication server. Options are provided to display the individual RADIUS attributes that are exchanged between the NAS and CA SiteMinder®.

Smreadclog uses the following arguments to supply information required to read RADIUS log files:

-i<input-file>

Specifies the filename of the log file.

-o<output-file>

Specifies the filename of the output file.

-s<secret>

Specifies the shared secret that can be used to decode RADIUS passwords.

-r

Indicates that a hex dump of the entire RADIUS packet should be displayed.

-a

Indicates that RADIUS attributes should be displayed individually.

-d

Indicates that RADIUS attributes should be displayed according to their definition in the policy store. This option displays actual attribute names as well as attribute values formatted based on their attribute type. Without this option, only the attribute name and value are displayed (as a hex string).

-p<radius-server>

Enables you to record and replay RADIUS activity of the Policy Server service against your RADIUS server.

-m<authentication port>

Specifies the port used for RADIUS authentication if that port is not the default port, 1645.

-n<accounting port>

Specifies the port used for RADIUS accounting if that port is not the default port, 1646.

To use smreadclog

  1. Navigate to one of the following locations:
  2. Enter the following command:
    smreadclog -i<input-file> -o<output-file> -s<secret> -r -a -d -p<radius-server> -m<portnumber> -n<portnumber>
    

    For example,

    smreadclog -iradiuslog.txt -oradiuslog2.txt -ssecret -r -a -d -p123.123.12.12
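
What the -a and -s options expose in a logged packet can be reproduced by hand. The following Python code is an added example, not CA SiteMinder code and not how smreadclog is implemented: it walks the attribute list of a RADIUS Access-Request and reverses the User-Password hiding of RFC 2865 section 5.2 with the shared secret. The packet, user name, password, and secret are constructed sample values.

```python
import hashlib
import struct

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 hiding; used here only to build the sample packet."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Each block is XORed with MD5(secret + previous hidden block)."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("User-Password must be 16..128 octets, multiple of 16")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    if len(data) < 20 or not 20 <= struct.unpack("!H", data[2:4])[0] <= len(data):
        raise ValueError("truncated packet or bad Length field")
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or data[pos + 1] < 2 or pos + data[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + data[pos + 1]]))
        pos += data[pos + 1]
    return code, ident, data[4:20], attrs

def build_sample(secret: bytes) -> bytes:
    """Constructed Access-Request (code 1): User-Name=alice, hidden User-Password."""
    auth = bytes(range(16))  # constructed Request Authenticator
    pw = hide_password(b"correct horse battery", secret, auth)
    body = bytes([1, 7]) + b"alice" + bytes([2, 2 + len(pw)]) + pw
    return struct.pack("!BBH", 1, 42, 20 + len(body)) + auth + body

if __name__ == "__main__":
    _, _, auth, attrs = parse_packet(build_sample(b"secret"))
    print([(t, reveal_password(v, b"secret", auth) if t == 2 else v) for t, v in attrs])
```

Because the shared secret plus a logged Access-Request is enough to recover the user's password, RADIUS log files and the value passed to -s need the same access controls as the secret itself.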
    
How to Test using the SiteMinder Test Tool

The CA SiteMinder® Test Tool simulates the behavior of a RADIUS authentication server. Using the Test Tool, you can test policies that authenticate RADIUS users and ensure that the response attributes you configured return the appropriate data.

The process of testing RADIUS policies includes the following steps:

  1. Create a RADIUS policy.
  2. Configure the Policy Server Management Console to use RADIUS, as explained in Configure the Policy Server Management Console.
  3. Configure the CA SiteMinder® Test Tool to test RADIUS policies, as explained in Test RADIUS Policies.

Configure the Policy Server Management Console

To configure the Policy Server Management Console

  1. Start the Policy Server Management Console.

    Important! If you are accessing this graphical user interface on Windows Server 2008, open the shortcut with Administrator permissions. Use Administrator permissions even if you are logged in to the system as an Administrator. For more information, see the release notes for your CA SiteMinder® component.

  2. Select the Settings tab.
  3. On the Settings tab, do the following:
    1. In the RADIUS UDP Ports group box, select the Enable check box.
    2. In the Authentication field, enter 1645.
    3. In the Accounting field, enter 1646.
  4. On the Status tab, restart the Policy Server to enable the Policy Server configuration changes.

    You are now ready to test the RADIUS policies using the Test Tool.

Test RADIUS Policies

To test RADIUS policies

  1. Start the Test Tool.

    Important! Before running a CA SiteMinder® utility or executable on Windows Server 2008, open the command-line window with administrator permissions. Open the command-line window this way, even if your account has administrator privileges.

  2. In the CA SiteMinder® Agent group box, do the following:
    1. Select the RADIUS radio button.
    2. In the Secret field, enter the shared secret that was defined for the RADIUS agent in the CA SiteMinder® Administration User Interface.
  3. In the User Information group box, do the following:
    1. In the User field, enter the name of a user in the RADIUS user directory whose authentication will be tested.
    2. In the Password field, enter the user's password.
    3. Select the CHAP Password check box if you are using a RADIUS CHAP Authentication scheme.
  4. In the Command group box, click IsAuthenticated.

The policy is tested and the response attributes appear in the Attributes group box.