AAA Tester
Probe TACACS+ and RADIUS with PAP, EAP-MD5, EAP-PEAP/MS-CHAPv2, and EAP-TLS — the four real-world enterprise AAA methods, in one tool. Pro and above.
When a device’s AAA login fails, the question is always which side of the chain broke — the switch’s config, the shared secret, the username/password, or the AAA server itself. AAA Tester takes the switch out of the loop so you can probe the server directly.
Protocols and methods
- TACACS+ (TCP 49) — PAP authentication, encrypted body using the shared secret.
- RADIUS (UDP 1812) — pick the auth method per probe:
  - PAP — plain password, secret-protected
  - EAP-MD5 — challenge / response, no transport security beyond the RADIUS shared secret
  - EAP-PEAP / MS-CHAPv2 — outer TLS tunnel, inner MS-CHAPv2 (the most common enterprise RADIUS setup)
  - EAP-TLS — mutual TLS with a client certificate, no password — the “passwordless” enterprise pattern
All four methods speak directly to the RADIUS server from the ShellYard host. No switch involved.
Inputs
For each probe:
- Server host + port
- Shared secret (resolved from the active Space’s vault, or entered inline)
- Username + password (resolved from the vault or entered inline)
- NAS-IP-Address (RADIUS) / NAS-Address (TACACS+) — optional, useful when the server’s policy varies by NAS
- Timeout — defaults to 5 seconds
Results
Each probe returns:
- Outcome — Accept / Reject / Timeout / Network error
- Server message — the human text the server returned, when present (e.g. “Authentication failed”, “Account expired”)
- Round-trip time — milliseconds, useful for spotting flaky links
- Attribute dump — RADIUS attributes or TACACS+ args the server returned, raw
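For reference, here is what a RADIUS PAP probe puts on the wire and how a reply maps to an outcome, following RFC 2865. This is an added Python example, not ShellYard's code; the `build_reply` stand-in server, the `Malformed` and `Bad response authenticator` labels, and all sample values are assumptions made for the illustration.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding (PAP's 'secret-protected' step)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    padded = password + b"\x00" * ((-len(password) % 16) or (0 if password else 16))
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()  # keyed by secret + previous block
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += prev
    return hidden

def attr(code: int, value: bytes) -> bytes:
    """Encode one attribute as type, length (header included), value."""
    return bytes([code, len(value) + 2]) + value

def build_access_request(ident, user, password, secret, nas_ip, authenticator=None):
    """Access-Request (code 1): User-Name, User-Password, NAS-IP-Address."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(1, user) + attr(2, hide_password(password, secret, authenticator))
             + attr(4, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, request, secret, attrs=b""):
    """Stand-in server: Response Authenticator per RFC 2865 section 3."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def classify_reply(reply, request, secret):
    """Turn a raw reply (None = nothing received) into a probe outcome."""
    if reply is None:
        return "Timeout"
    if len(reply) < 20 or reply[1] != request[1] \
            or len(reply) != struct.unpack("!H", reply[2:4])[0]:
        return "Malformed"
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(reply[4:20], expected):
        return "Bad response authenticator"  # reply was not keyed with our secret
    return {2: "Accept", 3: "Reject"}.get(reply[0], "Other")

# Constructed sample values, not taken from the page.
SECRET = b"lab-shared-secret"
REQUEST = build_access_request(7, b"netops", b"correct horse battery", SECRET, "192.0.2.10")

if __name__ == "__main__":
    for raw in (build_reply(2, REQUEST, SECRET), build_reply(3, REQUEST, b"other"), None):
        print(classify_reply(raw, REQUEST, SECRET))
```

A reply whose authenticator does not verify under the probe's shared secret is reported separately from Accept or Reject, since its code field cannot be trusted.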
Workflow
The intended pattern is:
- Login from the switch fails. Standard “Login denied” or “Authentication failed.”
- Run AAA Tester against the same server with the same shared secret and creds.
- If the tester gets Accept → the problem is the switch’s config (AAA group config, source-interface, MD5 message-authenticator mismatch).
- If the tester gets Reject with a server message → the problem is the credentials or the policy.
- If the tester gets Timeout → the problem is reachability (firewall, ACL, wrong port).
That narrows the surface from “AAA is broken” to one of three obvious causes.
Magellan attach
The probe result attaches to Magellan with one click. The snapshot now includes the chosen method (PAP / EAP-MD5 / EAP-PEAP / EAP-TLS) alongside the outcome, server message, and round-trip time — useful when the model is interpreting an attribute dump or comparing two probes side-by-side.
Two presets on the Magellan button:
- Explain this result — annotate the outcome and any attributes the server returned, in operator language.
- Which EAP method should I use? — compare PAP / EAP-MD5 / EAP-PEAP / EAP-TLS for the environment described in the snapshot (switch model, AAA server, regulatory context) and recommend one with the trade-offs spelled out.