Cannot manage Guest users as root after upgrade from 4.2.110.0 to 5.2.110.0

Jan 18th, 2009

As title (refers, of course, to WCS). Everything else works, guest users are still present on both 4404 controllers, lobby ambassadors can log in and manage their own users, but members of root cannot - they receive the following error:

----------------8<--------------

HTTP Status 500 -
--------------------------------------------------------------------------------
type Exception report
message
description The server encountered an internal error () that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: Servlet execution threw an exception
org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1033)
org.apache.struts.tiles.TilesRequestProcessor.doForward(TilesRequestProcessor.java:269)
org.apache.struts.action.RequestProcessor.processForwardConfig(RequestProcessor.java:436)
org.apache.struts.tiles.TilesRequestProcessor.processForwardConfig(TilesRequestProcessor.java:312)
org.apache.struts.action.RequestProcessor.processActionForward(RequestProcessor.java:401)
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:279)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1422)
org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:505)
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)

----------------8<--------------

Thanks for any pointers towards fixing this - full logs can be posted on request...

sschmidt Mon, 01/19/2009 - 05:56

When you say members of root cannot do you mean that users of root can not manage guest users or log in?

Do you mean the root users or the root virtual domain?

Go ahead and go to Administration > Logging and change the message level to TRACE and click submit. Try the action again and when done go back to the above area and download the logs and attach the logs starting with wcs-.

generaljoe Mon, 01/19/2009 - 23:45

We have users that are members of the "root" group, they are authenticated by RADIUS (ACS 4.1) and RADIUS sends back the vsa-pairs to WCS to allow the users to log on. We only have one virtual domain called "root".

It is when users that are logged in to the web console via their RADIUS usernames, and they navigate to Configure - Controller Templates - Security - Guest Users, that the error appears.

I have created the logs as you stated and attached the "wcs-" logs (attached as a RAR file).

sschmidt Tue, 01/20/2009 - 06:41

Are the users that are trying to navigate to that area superusers? It looks very similar to this bug:

CSCsw42942

Externally found moderate defect: More (M)

SuperUser cannot see guest users created by admin users

If the users are able to login using their radius credentials but are unable to get to a specific area it is either this bug or maybe a problem with the authorization for the user configured on the radius server.

Can the same user that can not get to the above area get to netusers in the same area? Can they get to an area outside the security config area? Make sure that all of the customer attributes for the specific user group have been entered into the radius server.

generaljoe Tue, 01/20/2009 - 23:17

I'm not sure it's that bug. They're members of root, not superusers.

All other areas are accessible to those users (inc netusers within the same set of templates - I've successfully created new lobbyambassadors after the upgrade).

The VSA pairs returned by the ACS server are copied from the "root" group within WCS. I've reproduced them below for clarity. I wouldn't have expected a security deny to result in an Apache exception though; usually an Access Denied message is displayed.

Only thing I can think is that maybe it's caused by them being members of "root" rather than "superusers" which has effectively the same permissions - is it worth changing that within ACS?

----------------8<------------------

Wireless-WCS:role0=Root
Wireless-WCS:task0=Users and Groups
Wireless-WCS:task1=Audit Trails
Wireless-WCS:task2=TACACS+ Servers
Wireless-WCS:task3=RADIUS Servers
Wireless-WCS:task4=Logging
Wireless-WCS:task5=Licensing
Wireless-WCS:task6=Scheduled Tasks and Data Collection
Wireless-WCS:task7=User Preferences
Wireless-WCS:task8=System Settings
Wireless-WCS:task9=Diagnostic Information
Wireless-WCS:task10=View Alerts and Events
Wireless-WCS:task11=Email Notification
Wireless-WCS:task12=Delete and Clear Alerts
Wireless-WCS:task13=Pick and Unpick Alerts
Wireless-WCS:task14=Configure Controllers
Wireless-WCS:task15=Configure Templates
Wireless-WCS:task16=Configure Config Groups
Wireless-WCS:task17=Configure Access Points
Wireless-WCS:task18=Configure Access Point Templates
Wireless-WCS:task19=Configure Choke Points
Wireless-WCS:task20=Monitor Controllers
Wireless-WCS:task21=Monitor Access Points
Wireless-WCS:task22=Monitor Clients
Wireless-WCS:task23=Monitor Tags
Wireless-WCS:task24=Monitor Security
Wireless-WCS:task25=Monitor Chokepoints
Wireless-WCS:task26=Access Point Reports
Wireless-WCS:task27=Mesh Reports
Wireless-WCS:task28=Client Reports
Wireless-WCS:task29=Inventory Reports
Wireless-WCS:task30=Performance Reports
Wireless-WCS:task31=Security Reports
Wireless-WCS:task32=Location Server Management
Wireless-WCS:task33=View Location Notifications
Wireless-WCS:task34=Maps Read Only
Wireless-WCS:task35=Maps Read Write
Wireless-WCS:task36=Client Location
Wireless-WCS:task37=Rogue Location
Wireless-WCS:task38=Planning Mode
Wireless-WCS:task39=Ack and Unack Alerts
Wireless-WCS:task40=Migration Templates
Wireless-WCS:task41=Configure Spectrum Experts
Wireless-WCS:task42=Monitor Spectrum Experts
Wireless-WCS:task43=Interferers Search
Wireless-WCS:task44=Audit Reports
Wireless-WCS:task45=802.11n Scaling Reports
Wireless-WCS:task46=802.11n Scaling Reports
Wireless-WCS:task47=802.11n Scaling Reports
Wireless-WCS:task48=Virtual Domain Management
Wireless-WCS:task49=High Availability Configuration
Wireless-WCS:task50=Health Monitor Details
Wireless-WCS:task51=Configure WIPS Profiles
Wireless-WCS:task52=Global SSID Groups
Wireless-WCS:task53=Configure Lightweight Access Point Templates
Wireless-WCS:task54=Configure Autonomous Access Point Templates
Wireless-WCS:task55=Scheduled Configuration Tasks
Wireless-WCS:task56=Configure Location Sensors
Wireless-WCS:task57=Configure ACS View Servers
Wireless-WCS:task58=Configure Switches
Wireless-WCS:task59=Auto Provisioning
Wireless-WCS:task60=Monitor Location Sensors
Wireless-WCS:task61=RRM Dashboard
Wireless-WCS:task62=Compliance Assistance Reports
Wireless-WCS:task63=Voice Audit Report
Wireless-WCS:task64=Config Audit Dashboard
Wireless-WCS:task65=Handover Server Management
Wireless-WCS:task66=Monitor Handover Server

sschmidt Wed, 01/21/2009 - 06:36

Have you added the virtual domain to ACS:

Wireless-WCS:virtual-domain0=root

The underlying problem with that bug is the check that goes on for the virtual domain which is causing issues with login and accessibility to certain areas.
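
A lint check for the attribute list discussed above, as an added example that is not part of the original thread and is not Cisco code: it parses the `Wireless-WCS:<kind><index>=<value>` lines and flags a missing `virtual-domain0`, holes in the index sequence and repeated task values. Treating index holes as a problem is an assumption made here, and the sample list is constructed and abbreviated.

```python
import re
from collections import defaultdict

# Attribute shape as posted in the thread: Wireless-WCS:<kind><index>=<value>
VSA_RE = re.compile(r"^Wireless-WCS:(role|task|virtual-domain)(\d+)=(.+)$")

def parse_vsa(text):
    """Return ({kind: {index: value}}, [lines that did not parse or reuse an index])."""
    attrs, bad = defaultdict(dict), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VSA_RE.match(line)
        if not m or int(m.group(2)) in attrs[m.group(1)]:
            bad.append(line)
            continue
        attrs[m.group(1)][int(m.group(2))] = m.group(3).strip()
    return attrs, bad

def lint_vsa(text):
    """Return a list of findings for one ACS group's attribute list."""
    attrs, bad = parse_vsa(text)
    findings = [f"unparsed or repeated index: {line}" for line in bad]
    for kind in ("virtual-domain", "role"):
        if not attrs.get(kind):
            findings.append(f"missing {kind}0 attribute")
    for kind, entries in attrs.items():
        # Assumption (not stated in the thread): indices should run 0..n without holes.
        gaps = sorted(set(range(max(entries) + 1)) - set(entries))
        if gaps:
            findings.append(f"{kind} index gap at {gaps}")
        by_value = defaultdict(list)
        for idx in sorted(entries):
            by_value[entries[idx]].append(idx)
        for value, idxs in by_value.items():
            if len(idxs) > 1:
                findings.append(f"{kind} value {value!r} repeated at indices {idxs}")
    return findings

# Constructed sample, abbreviated from the kind of list posted in the thread.
SAMPLE = """\
Wireless-WCS:role0=Root
Wireless-WCS:task0=Users and Groups
Wireless-WCS:task1=Audit Trails
Wireless-WCS:task3=802.11n Scaling Reports
Wireless-WCS:task4=802.11n Scaling Reports
"""

if __name__ == "__main__":
    for finding in lint_vsa(SAMPLE):
        print(finding)
```
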

generaljoe Wed, 01/21/2009 - 23:41

I hadn't done so, but have now updated the vsa-pairs in ACS so they read as below, and have restarted ACS and WCS. However, the Guest Users section still produces the same error.

Is it possible that the Guests section of the database is in some way corrupt?

Wireless-WCS:virtual-domain0=root
Wireless-WCS:role0=Root
Wireless-WCS:task0=Users and Groups
Wireless-WCS:task1=Audit Trails
Wireless-WCS:task2=TACACS+ Servers
Wireless-WCS:task3=RADIUS Servers
Wireless-WCS:task4=Logging
Wireless-WCS:task5=Licensing
Wireless-WCS:task6=Scheduled Tasks and Data Collection
Wireless-WCS:task7=User Preferences
Wireless-WCS:task8=System Settings
Wireless-WCS:task9=Diagnostic Information
Wireless-WCS:task10=View Alerts and Events
Wireless-WCS:task11=Email Notification
Wireless-WCS:task12=Delete and Clear Alerts
Wireless-WCS:task13=Pick and Unpick Alerts
Wireless-WCS:task14=Configure Controllers
Wireless-WCS:task15=Configure Templates
Wireless-WCS:task16=Configure Config Groups
Wireless-WCS:task17=Configure Access Points
Wireless-WCS:task18=Configure Access Point Templates
Wireless-WCS:task19=Configure Choke Points
Wireless-WCS:task20=Monitor Controllers
Wireless-WCS:task21=Monitor Access Points
Wireless-WCS:task22=Monitor Clients
Wireless-WCS:task23=Monitor Tags
Wireless-WCS:task24=Monitor Security
Wireless-WCS:task25=Monitor Chokepoints
Wireless-WCS:task26=Access Point Reports
Wireless-WCS:task27=Mesh Reports
Wireless-WCS:task28=Client Reports
Wireless-WCS:task29=Inventory Reports
Wireless-WCS:task30=Performance Reports
Wireless-WCS:task31=Security Reports
Wireless-WCS:task32=Location Server Management
Wireless-WCS:task33=View Location Notifications
Wireless-WCS:task34=Maps Read Only
Wireless-WCS:task35=Maps Read Write
Wireless-WCS:task36=Client Location
Wireless-WCS:task37=Rogue Location
Wireless-WCS:task38=Planning Mode
Wireless-WCS:task39=Ack and Unack Alerts
Wireless-WCS:task40=Migration Templates
Wireless-WCS:task41=Configure Spectrum Experts
Wireless-WCS:task42=Monitor Spectrum Experts
Wireless-WCS:task43=Interferers Search
Wireless-WCS:task44=Audit Reports
Wireless-WCS:task45=802.11n Scaling Reports
Wireless-WCS:task46=802.11n Scaling Reports
Wireless-WCS:task47=802.11n Scaling Reports
Wireless-WCS:task48=Virtual Domain Management
Wireless-WCS:task49=High Availability Configuration
Wireless-WCS:task50=Health Monitor Details
Wireless-WCS:task51=Configure WIPS Profiles
Wireless-WCS:task52=Global SSID Groups
Wireless-WCS:task53=Configure Lightweight Access Point Templates
Wireless-WCS:task54=Configure Autonomous Access Point Templates
Wireless-WCS:task55=Scheduled Configuration Tasks
Wireless-WCS:task56=Configure Location Sensors
Wireless-WCS:task57=Configure ACS View Servers
Wireless-WCS:task58=Configure Switches
Wireless-WCS:task59=Auto Provisioning
Wireless-WCS:task60=Monitor Location Sensors
Wireless-WCS:task61=RRM Dashboard
Wireless-WCS:task62=Compliance Assistance Reports
Wireless-WCS:task63=Voice Audit Report
Wireless-WCS:task64=Config Audit Dashboard
Wireless-WCS:task65=Handover Server Management
Wireless-WCS:task66=Monitor Handover Server

sschmidt Thu, 01/22/2009 - 06:20

I have not been able to recreate the issue in my lab. Would you be able to upload a backup to ftp-sj.cisco.com? You can cd to incoming and drop it there. You will not be able to get a directory listing or verify it has uploaded. If it fails, change the name slightly and start again. Use passive ftp and label it 12209-sschmidt-wcs. I'd like to see if your db causes the same issue in my lab.

generaljoe Thu, 01/22/2009 - 06:37

On its way. File size is 136,998 (Windows) KB, and file is named as you requested: 12209-sschmidt-wcs.zip. I'm leaving for the day but will be online tomorrow at 07:00 - if the upload failed please let me know. Thanks for looking into this! Of course, this is the time when the Guest users need most management... :)

sschmidt Thu, 01/22/2009 - 12:58

I was able to recreate the issue both with your db and in my lab with mine. I have written this bug on it and it should appear for customers in a few days:

CSCsx21459

WCS: Unable to navigate to Guest Users under controller templates

Customer is unable to navigate to Configure > Controller Templates > Security > Guest Users when logging in using TACACS/Radius as user configured as Superuser. Attempts to get to this page generate an HTTP 500 error.

generaljoe Thu, 01/22/2009 - 23:10

Ah, glad it's re-createable. Any workaround for the moment, or do we just live with it till an update? I still have the pre-upgrade backups from 4.2.110.0.

sschmidt Fri, 01/23/2009 - 07:03

Try this workaround even though it mentions lobby ambassador:

You have to add both the virtual domain attribute to the ACS group and create a lobby ambassador account locally with the same name as the lobby ambassador account in ACS.

Further Problem Description:

Issue is that WCS requires virtual domains to exist and the code is checking to see if the user exists locally as a lobby ambassador after authenticating. It should factor in that TACACS could cause the lobby ambassador to not exist locally.

generaljoe Sun, 01/25/2009 - 23:38

Hmm, I tried this (substituting SuperUsers for LobbyAmbassador) and it did get round the HTTP 500 error - however there were no guest users visible.

Is it the case that even Superusers cannot see guest users created by others?

mwaliczek Sun, 02/08/2009 - 03:29

Hello all,

I have a similar problem to yours.

I've updated WCS from 4.2.62.0 to 5.2.110.0, now have results as you have... additionally:

- only root can see all guest accounts

- even a user with lobby administrator rights receives an HTTP 500 error after logging in when authenticated by RADIUS

- after disabling RADIUS and using only local accounts everything works fine

- even SuperUser can see only guest accounts created by himself

I have no access to RADIUS right now but I'll try to find out where the problem is.

regards

Marcin

generaljoe Sun, 02/08/2009 - 23:50

It should be fixed in 5.2.116.0, which I've been waiting for for about a week and a half now. :) Keep checking the download links, it's not RADIUS, it's an issue within WCS.

sschmidt Mon, 02/09/2009 - 06:38

We have also been pursuing that issue and it looks like the underlying issue is similar to this bug:

CSCsw79725

Externally found severe defect

Fail to trace the switch port with non-root user

It isn't the switch port tracing that is broken but the underlying tasks that are handed back from the radius/tacacs server.

This issue is supposed to be resolved in the next version of 5.2 as well as a patch for the guest user issue.

generaljoe Mon, 02/09/2009 - 22:53

Excellent news that it is fixed in 5.2.116.0; do you know when we will see it on the downloads page? :)

generaljoe Sun, 02/22/2009 - 00:43

Superseded by 5.2.130.0, which has been "performing backup" for 18 hours now, even though the backup file was created within the first hour of the upgrade. Pff. This product is buggy. Looks like I'm going to have to install it from scratch. This is nearly as unreliable as ACS, nowadays.

generaljoe Sun, 02/22/2009 - 23:42

Got it working by a process of starting it up in 5.2.110.0, making sure it did a clean shutdown, and re-running the installer; this time "performing backup" lasted 2 seconds, not 18 hours. Seriously, an installer should just work, what on earth is the issue here?

Guest accounts management via WCS now also works, woohoo!
