WLC authentication issue to ACS

danhosking · ‎01-12-2009

When I web browse to a WLC I enter my username and password. However it keeps propting me as though the login is incorrect. When I check the ACS server it is showing successful login attempts. Why would the ACS successfully authenticate but the WLC still stops me from accessing it?

danhosking · ‎01-13-2009

This is the log from the WLC. On the ACS it says it has passed. I have altered to the username field below.

*Jan 13 02:27:09.532: %EMWEB-1-LOGIN_FAILED: ews_auth.c:2092 Login failed. User:Johnsmith. Service-Type is not present or it doesn't allow READ/WRITE permission..

jhedstr2 · ‎01-14-2009

Hi Danhosking,

You need to set roles for the user in the ACS. Read this document under "Configure TACACS+ on the ACS":

http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52sol.html#wp1422107

After thats done, you should be able to login to the WLC.

Good luck!

Johan

danhosking · ‎01-14-2009

Hi,

The roll has been set for Admin with no luck. I raised a TAC case and it seems the WCS and WLC are casuing a conflict when they are both set up to authenticat management users to the ACS. If just the WLC and ACS are configured it works, or just he WCS and ACS it works but not both. I will update when I have a work around.

jhedstr2 · ‎01-14-2009

Hi,

I didn't know about that issue you describe. A workaround could be to use Radius in WCS and TACACS+ for WLC. That should work.

Scott Fella · ‎01-17-2009

The problem is that in ACS you can only specify one device to either use radius or tacacs. So if you are authenticating users in the wlc to use that ACS server, then you can't setup tacacs also. You need to setup the wlc to use radius.

-Scott
*** Please rate helpful posts ***

marcelnjkoks · ‎03-21-2011

For anyone searching for this, check the RADIUS shared key. Try something small and easy.

We found that having a complex key often causes problems. Test with test.