01-18-2009 02:44 AM - edited 07-03-2021 05:01 PM
As title (refers, of course, to WCS). Everything else works, guest users are still present on both 4404 controllers, lobby ambassadors can log in and manage their own users, but members of root cannot - they receive the following error:
----------------8<--------------
HTTP Status 500 -
--------------------------------------------------------------------------------
type Exception report
message
description The server encountered an internal error () that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: Servlet execution threw an exception
org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1033)
org.apache.struts.tiles.TilesRequestProcessor.doForward(TilesRequestProcessor.java:269)
org.apache.struts.action.RequestProcessor.processForwardConfig(RequestProcessor.java:436)
org.apache.struts.tiles.TilesRequestProcessor.processForwardConfig(TilesRequestProcessor.java:312)
org.apache.struts.action.RequestProcessor.processActionForward(RequestProcessor.java:401)
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:279)
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1422)
org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:505)
javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
----------------8<--------------
Thanks for any pointers towards fixing this - full logs can be posted on request...
01-19-2009 05:56 AM
When you say members of root cannot, do you mean that users of root cannot manage guest users or log in?
Do you mean the root users or the root virtual domain?
Go ahead and go to Administration > Logging and change the message level to TRACE and click submit. Try the action again and when done go back to the above area and download the logs and attach the logs starting with wcs-.
01-19-2009 11:45 PM
We have users that are members of the "root" group, they are authenticated by RADIUS (ACS 4.1) and RADIUS sends back the vsa-pairs to WCS to allow the users to log on. We only have one virtual domain called "root".
It is when users that are logged in to the web console via their RADIUS usernames, and they navigate to Configure - Controller Templates - Security - Guest Users, that the error appears.
I have created the logs as you stated and attached the "wcs-" logs (attached as a RAR file).
01-20-2009 06:41 AM
Are the users that are trying to navigate to that area superusers? It looks very similar to this bug:
CSCsw42942
Externally found moderate defect: More (M)
SuperUser cannot see guest users created by admin users
If the users are able to login using their radius credentials but are unable to get to a specific area it is either this bug or maybe a problem with the authorization for the user configured on the radius server.
Can the same user that can not get to the above area get to netusers in the same area? Can they get to an area outside the security config area? Make sure that all of the customer attributes for the specific user group have been entered into the radius server.
01-20-2009 11:17 PM
I'm not sure it's that bug. They're members of root, not superusers.
All other areas are accessible to those users (inc netusers within the same set of templates - I've successfully created new lobbyambassadors after the upgrade).
The VSA pairs returned by the ACS server are copied from the "root" group within WCS. I've reproduced them below for clarity. I wouldn't have expected a security deny to result in an Apache exception though; usually an Access Denied message is displayed.
Only thing I can think is that maybe it's caused by them being members of "root" rather than "superusers" which has effectively the same permissions - is it worth changing that within ACS?
----------------8<------------------
Wireless-WCS:role0=Root
Wireless-WCS:task0=Users and Groups
Wireless-WCS:task1=Audit Trails
Wireless-WCS:task2=TACACS+ Servers
Wireless-WCS:task3=RADIUS Servers
Wireless-WCS:task4=Logging
Wireless-WCS:task5=Licensing
Wireless-WCS:task6=Scheduled Tasks and Data Collection
Wireless-WCS:task7=User Preferences
Wireless-WCS:task8=System Settings
Wireless-WCS:task9=Diagnostic Information
Wireless-WCS:task10=View Alerts and Events
Wireless-WCS:task11=Email Notification
Wireless-WCS:task12=Delete and Clear Alerts
Wireless-WCS:task13=Pick and Unpick Alerts
Wireless-WCS:task14=Configure Controllers
Wireless-WCS:task15=Configure Templates
Wireless-WCS:task16=Configure Config Groups
Wireless-WCS:task17=Configure Access Points
Wireless-WCS:task18=Configure Access Point Templates
Wireless-WCS:task19=Configure Choke Points
Wireless-WCS:task20=Monitor Controllers
Wireless-WCS:task21=Monitor Access Points
Wireless-WCS:task22=Monitor Clients
Wireless-WCS:task23=Monitor Tags
Wireless-WCS:task24=Monitor Security
Wireless-WCS:task25=Monitor Chokepoints
Wireless-WCS:task26=Access Point Reports
Wireless-WCS:task27=Mesh Reports
Wireless-WCS:task28=Client Reports
Wireless-WCS:task29=Inventory Reports
Wireless-WCS:task30=Performance Reports
Wireless-WCS:task31=Security Reports
Wireless-WCS:task32=Location Server Management
Wireless-WCS:task33=View Location Notifications
Wireless-WCS:task34=Maps Read Only
Wireless-WCS:task35=Maps Read Write
Wireless-WCS:task36=Client Location
Wireless-WCS:task37=Rogue Location
Wireless-WCS:task38=Planning Mode
Wireless-WCS:task39=Ack and Unack Alerts
Wireless-WCS:task40=Migration Templates
Wireless-WCS:task41=Configure Spectrum Experts
Wireless-WCS:task42=Monitor Spectrum Experts
Wireless-WCS:task43=Interferers Search
Wireless-WCS:task44=Audit Reports
Wireless-WCS:task45=802.11n Scaling Reports
Wireless-WCS:task46=802.11n Scaling Reports
Wireless-WCS:task47=802.11n Scaling Reports
Wireless-WCS:task48=Virtual Domain Management
Wireless-WCS:task49=High Availability Configuration
Wireless-WCS:task50=Health Monitor Details
Wireless-WCS:task51=Configure WIPS Profiles
Wireless-WCS:task52=Global SSID Groups
Wireless-WCS:task53=Configure Lightweight Access Point Templates
Wireless-WCS:task54=Configure Autonomous Access Point Templates
Wireless-WCS:task55=Scheduled Configuration Tasks
Wireless-WCS:task56=Configure Location Sensors
Wireless-WCS:task57=Configure ACS View Servers
Wireless-WCS:task58=Configure Switches
Wireless-WCS:task59=Auto Provisioning
Wireless-WCS:task60=Monitor Location Sensors
Wireless-WCS:task61=RRM Dashboard
Wireless-WCS:task62=Compliance Assistance Reports
Wireless-WCS:task63=Voice Audit Report
Wireless-WCS:task64=Config Audit Dashboard
Wireless-WCS:task65=Handover Server Management
Wireless-WCS:task66=Monitor Handover Server
01-21-2009 06:36 AM
Have you added the virtual domain to ACS:
Wireless-WCS:virtual-domain0=root
The underlying problem with that bug is the check that goes on for the virtual domain which is causing issues with login and accessibility to certain areas.
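A pre-flight check for the attribute list discussed in this thread, as an added example that is not part of any poster's message and is not Cisco code: it parses `Wireless-WCS:` role, task and virtual-domain pairs and reports a missing role or virtual-domain, skipped indices and repeated values. Treating skipped indices and repeated values as findings is an assumption of this example, not documented WCS behaviour; `SAMPLE` is constructed.

```python
import re
from collections import defaultdict

# Matches lines such as "Wireless-WCS:task12=Delete and Clear Alerts".
PAIR_RE = re.compile(r"^Wireless-WCS:(role|task|virtual-domain)(\d+)=(.+)$")

def parse_pairs(text):
    """Return ({kind: {index: value}}, lines that did not parse or reuse an index)."""
    parsed, rejected = defaultdict(dict), []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        m = PAIR_RE.match(line)
        if not m or int(m.group(2)) in parsed[m.group(1)]:
            rejected.append(line)
            continue
        parsed[m.group(1)][int(m.group(2))] = m.group(3).strip()
    return parsed, rejected

def lint(text):
    """Return sorted findings for an attribute list (heuristics of this example)."""
    parsed, rejected = parse_pairs(text)
    findings = [f"unparsed or repeated line: {line}" for line in rejected]
    for kind in ("role", "virtual-domain"):
        if not parsed[kind]:
            findings.append(f"no {kind} attribute present")
    for kind, entries in parsed.items():
        # Indices are expected to run 0..n-1; report any that are skipped.
        missing = sorted(set(range(len(entries))) - set(entries))
        if missing:
            findings.append(f"{kind} numbering has gaps at {missing}")
        by_value = defaultdict(list)
        for index, value in entries.items():
            by_value[value].append(index)
        for value, indexes in by_value.items():
            if len(indexes) > 1:
                findings.append(f"{kind} value {value!r} repeated at {sorted(indexes)}")
    return sorted(findings)

# Constructed sample input, not the poster's full list.
SAMPLE = """\
Wireless-WCS:role0=Root
Wireless-WCS:task0=Users and Groups
Wireless-WCS:task1=Audit Trails
Wireless-WCS:task3=802.11n Scaling Reports
Wireless-WCS:task4=802.11n Scaling Reports
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```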
01-21-2009 11:41 PM
I hadn't done so, but have now updated the vsa-pairs in ACS so they read as below, and have restarted ACS and WCS. However, the Guest Users section still produces the same error.
Is it possible that the Guests section of the database is in some way corrupt?
Wireless-WCS:virtual-domain0=root
Wireless-WCS:role0=Root
Wireless-WCS:task0=Users and Groups
Wireless-WCS:task1=Audit Trails
Wireless-WCS:task2=TACACS+ Servers
Wireless-WCS:task3=RADIUS Servers
Wireless-WCS:task4=Logging
Wireless-WCS:task5=Licensing
Wireless-WCS:task6=Scheduled Tasks and Data Collection
Wireless-WCS:task7=User Preferences
Wireless-WCS:task8=System Settings
Wireless-WCS:task9=Diagnostic Information
Wireless-WCS:task10=View Alerts and Events
Wireless-WCS:task11=Email Notification
Wireless-WCS:task12=Delete and Clear Alerts
Wireless-WCS:task13=Pick and Unpick Alerts
Wireless-WCS:task14=Configure Controllers
Wireless-WCS:task15=Configure Templates
Wireless-WCS:task16=Configure Config Groups
Wireless-WCS:task17=Configure Access Points
Wireless-WCS:task18=Configure Access Point Templates
Wireless-WCS:task19=Configure Choke Points
Wireless-WCS:task20=Monitor Controllers
Wireless-WCS:task21=Monitor Access Points
Wireless-WCS:task22=Monitor Clients
Wireless-WCS:task23=Monitor Tags
Wireless-WCS:task24=Monitor Security
Wireless-WCS:task25=Monitor Chokepoints
Wireless-WCS:task26=Access Point Reports
Wireless-WCS:task27=Mesh Reports
Wireless-WCS:task28=Client Reports
Wireless-WCS:task29=Inventory Reports
Wireless-WCS:task30=Performance Reports
Wireless-WCS:task31=Security Reports
Wireless-WCS:task32=Location Server Management
Wireless-WCS:task33=View Location Notifications
Wireless-WCS:task34=Maps Read Only
Wireless-WCS:task35=Maps Read Write
Wireless-WCS:task36=Client Location
Wireless-WCS:task37=Rogue Location
Wireless-WCS:task38=Planning Mode
Wireless-WCS:task39=Ack and Unack Alerts
Wireless-WCS:task40=Migration Templates
Wireless-WCS:task41=Configure Spectrum Experts
Wireless-WCS:task42=Monitor Spectrum Experts
Wireless-WCS:task43=Interferers Search
Wireless-WCS:task44=Audit Reports
Wireless-WCS:task45=802.11n Scaling Reports
Wireless-WCS:task46=802.11n Scaling Reports
Wireless-WCS:task47=802.11n Scaling Reports
Wireless-WCS:task48=Virtual Domain Management
Wireless-WCS:task49=High Availability Configuration
Wireless-WCS:task50=Health Monitor Details
Wireless-WCS:task51=Configure WIPS Profiles
Wireless-WCS:task52=Global SSID Groups
Wireless-WCS:task53=Configure Lightweight Access Point Templates
Wireless-WCS:task54=Configure Autonomous Access Point Templates
Wireless-WCS:task55=Scheduled Configuration Tasks
Wireless-WCS:task56=Configure Location Sensors
Wireless-WCS:task57=Configure ACS View Servers
Wireless-WCS:task58=Configure Switches
Wireless-WCS:task59=Auto Provisioning
Wireless-WCS:task60=Monitor Location Sensors
Wireless-WCS:task61=RRM Dashboard
Wireless-WCS:task62=Compliance Assistance Reports
Wireless-WCS:task63=Voice Audit Report
Wireless-WCS:task64=Config Audit Dashboard
Wireless-WCS:task65=Handover Server Management
Wireless-WCS:task66=Monitor Handover Server
01-22-2009 06:20 AM
I have not been able to recreate the issue in my lab. Would you be able to upload a backup to ftp-sj.cisco.com? You can cd to incoming and drop it there. You will not be able to get a directory listing or verify it has uploaded. If it fails, change the name slightly and start again. Use passive ftp and label it 12209-sschmidt-wcs. I'd like to see if your db causes the same issue in my lab.
01-22-2009 06:37 AM
On its way. File size is 136,998 (Windows) KB, and file is named as you requested: 12209-sschmidt-wcs.zip. I'm leaving for the day but will be online tomorrow at 07:00 - if the upload failed please let me know. Thanks for looking into this! Of course, this is the time when the Guest users need most management... :)
01-22-2009 12:58 PM
I was able to recreate the issue both with your db and in my lab with mine. I have written this bug on it and it should appear for customers in a few days:
CSCsx21459
WCS: Unable to navigate to Guest Users under controller templates
Customer is unable to navigate to Configure > Controller Templates >
Security > Guest Users when logging in using TACACS/Radius as user
configured as Superuser. Attempts to get to this page generate an
HTTP 500 error.
01-22-2009 11:10 PM
Ah, glad it's re-creatable. Any workaround for the moment, or do we just live with it till an update? I still have the pre-upgrade backups from 4.2.110.0.
01-23-2009 07:03 AM
Try this workaround even though it mentions lobby ambassador:
You have to add both the virtual domain attribute to the ACS group and create a lobby ambassador account locally with the same name as the lobby ambassador account in ACS.
Further Problem Description:
Issue is that WCS requires virtual domains to exist and the code is checking to see if the user exists locally as a lobby ambassador after authenticating. It should factor in that TACACS could cause the lobby ambassador to not exist locally.
01-25-2009 11:38 PM
Hmm, I tried this (substituting SuperUsers for LobbyAmbassador) and it did get round the HTTP 500 error - however there were no guest users visible.
Is it the case that even Superusers cannot see guest users created by others?
02-08-2009 03:29 AM
Hello all,
I have a similar problem to yours.
I've updated WCS from 4.2.62.0 to 5.2.110.0, and now have the same results as you have... additionally:
- only root can see all guest accounts
- even a user with lobby administrator rights receives an HTTP 500 error after logging in when authenticated by RADIUS
- after disabling RADIUS and using only local accounts everything works fine
- even SuperUser can see only guest accounts created by himself
I have no access to RADIUS right now but I'll try to find out where the problem is.
regards
Marcin
02-08-2009 11:50 PM
It should be fixed in 5.2.116.0, which I've been waiting for for about a week and a half now. :) Keep checking the download links, it's not RADIUS, it's an issue within WCS.