Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7117
Views
5
Helpful
9
Replies

WLC Administrator Login Problem

thefindjack
Level 1
Level 1

‎07-08-2008 06:37 AM - edited ‎07-03-2021 04:08 PM

I have a problem with a certain user authenticating to the WLC. I have IAS setup and it is working based on the AD group that I have specified for administrator access. However one user cannot authenticate who is in the group. Here is the WLC error message.....

Jul 07 21:14:10.549 ews_auth.c:2092 EMWEB-1-LOGIN_FAILED: Login failed. User:xxxx.xxxx. Service-Type is not present or it doesn't allow READ/WRITE permission..

IAS is saying that it granted access to that user and it is matching the correct policy that I setup to administer the WLC. I was even able to create a new user add them to the group and the authentication succeeded. The only thing that I could find out about this is the "Excessive Web Authentication Exclusion Blacklist"...so I unchecked that option and had the user try again with the same result. I'm not really sure where to go from here...any suggestions?

Labels:
0 Helpful
9 Replies 9

amritpatek
Level 6
Level 6

‎07-14-2008 11:54 AM

Here is the URL with Wireless LAN Controller Web Authentication Configuration Example and troubleshooting guide which will help you :

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml

http://www.cisco.com/en/US/products/hw/modules/ps2797/products_tech_note09186a0080811085.shtml

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame

‎07-14-2008 06:10 PM

Double check the other policies you have in IAS. See if that user is associated to another poilicy before the wlc policy. Also, have the user log in again and post the screen shot of the event viewer in the IAS box.

-Scott
*** Please rate helpful posts ***
0 Helpful

Richard Atkin
Level 4
Level 4

‎07-15-2008 02:03 AM

You need to set the RADIUS "Login Type" message on the IAS to "Administrative", and make sure the RADIUS Server in the RADIUS Servers list on the WLC has the "Management" check-box ticked.

0 Helpful

thefindjack
Level 1
Level 1
In response to Richard Atkin

‎07-15-2008 09:30 AM

All of the authentication and IAS policies are working correctly for everyone but a single user. When the user in question tries to connect they correctly match the IAS policy and in the event viewer of the server it shows that the authentication was accepted and access was granted but on the WLC login page it just keeps returning the login screen and the error on the WLC is as follows.

ul 07 21:14:10.549 ews_auth.c:2092 EMWEB-1-LOGIN_FAILED: Login failed. User:xxxx.xxxx. Service-Type is not present or it doesn't allow READ/WRITE permission.

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to thefindjack

‎07-15-2008 09:46 AM

The only time I had that issue is when on a new machine, I had to either add the site to th epop-up blocker in IE or add the IP to the trusted site in IE for some reason. Try that.

-Scott
*** Please rate helpful posts ***
0 Helpful

jozefburak
Level 1
Level 1

‎08-01-2008 05:57 AM

Hi,

I have the same problem, but instead IAS a I have Cisco ACS 4.2. ACS log shows that authenifitaion passed OK, but WLC return me login window again, and in WLC logs there is message:

ews_auth.c:2092 EMWEB-1-LOGIN_FAILED: Login failed. User:xxxx. Service-Type is not present or it doesn't allow READ/WRITE permission.

Did you find anything out ? What WLC software version do you have ? I have 5.0.148.0 and I have used tacasc+.

Thanx.

j

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to jozefburak

‎08-01-2008 07:03 AM

Do you have an accounting server configured on the wlan. Even if the authentication passes, if the accounting fails, the wlc will show a failure. Disable any accounting first and see if your issue goes away. If it does, then redo your accounting info on your wlc and in ACS. Shared secret can be wrong.

-Scott
*** Please rate helpful posts ***

thefindjack
Level 1
Level 1
In response to Scott Fella

‎08-01-2008 04:53 PM

Actually I figured this problem out, the problem was that for some reason those certain users(even though it wasnt setup like that in AD) were asking for a callback server in the radius request. So there is an option under advanced in the IAS policy that you can add that says "Ignore User Callback Settings". I added that setting and the users worked correctly....it was a strange one. Thanks for the attempted help though! :)

0 Helpful

paul.l.kyte
Level 1
Level 1
In response to jozefburak

‎10-03-2008 03:42 AM

I have the same setup as you, WLC and ACS Server.

If you go to the Interface Configuration page on the ACS and then select RADIUS IETF there is a Service-Type attribute. Enable this for Group or User and then go to the particular group or user and set this to Admnistrative on the account.

the user should now be able to login as an administrator.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card