Configuring WLC 4402 TACACS+ authentication using Cisco ACS 5.0

Hello,

We added AAA client in the Cisco ACS 5.0 for WLC 4402 (TACACS+ Authentication) and configured WLC 4402 to use TACACS+ authentication for the management access.

We can't get this to work for some reason.

Other Cisco routers and switches all worked fine with TACACS+ authentication.

This is the TACACS+ debug output from the WLC:

Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0

Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS

Sun Aug 23 16:19:06 2009: auth_cont get_pass reply: pkt_length=28

Sun Aug 23 16:19:06 2009: processTplusAuthResponse: Continue auth transaction

Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=4 session_id=f59bbf0b length=6 encrypted=0

Sun Aug 23 16:19:06 2009: tplus_make_author_request() from tplus_authen_passed returns rc=0

Sun Aug 23 16:19:06 2009: Forwarding request to 192.168.0.5 port=49

Sun Aug 23 16:19:11 2009: sendTplusMessage: connect timeout: 115:Operation now in progress

Sun Aug 23 16:19:16 2009: Exhausted all available servers

Please review and let me know if I missed anything. Thanks.

25 Replies

Erick Delgado
Level 1

Hi,

For WLC TACACS+ authentication, the ACS requires a special configuration.

Unfortunately there is no documentation yet for ACS 5.0 but you can use the following documentation as a reference.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

Hope it helps

Where do you add the custom attributes in ACS 5.X? I cannot find where to apply these settings.

Hello,

Please see the attached document that I have created for this matter.

Please let me know if this helps.

I tried your guide and it hits the rules when I try to authenticate. I also see authentication pass but never get access to the webgui, or the CLI.

The following is the error I get when trying to login.

*Oct 21 12:17:47.069: %EMWEB-1-LOGIN_FAILED: ews_auth.c:2104 Login failed. User:testuser. Service-Type is not present or it doesn't allow READ/WRITE permission..

I am sorry, I forgot to change something. Under the shell profile it is Role1=ALL. Please change that to role1=ALL. The WLC is very case sensitive.

Hope this helps.

You can call me directly if you have any more issues.

First, thanks for your screen shots, they helped very much.

Particulars:

ACS 5.2.0.26

WLC 4400 - 6.0.196.0

RADIUS server running on an RSA SecurID appliance.

We are in the process of upgrading our ACS infrastructure to 5.x.  We are using the appliances and are testing in our lab.  Following the provided screen shots, I am able to successfully log in to the WLC as an administrator via the web interface or SSH.

However, as soon as I change the authentication to use the RADIUS server, I am unable to log in to the WLC.  Looking at the aaa debug on the WLC, it is clear that the ACS is not sending the role1=ALL statement to the WLC.  However, as far as the ACS is concerned, I successfully authenticated against the RADIUS server.

Has anybody gotten this to work when using an external identity store, particularly RADIUS? I am hoping I just need to tweak an attribute setting somewhere.

Thanks.

Jim

Jim,

I am having the same issue. I will be working with TAC on this and will update as I find anything out.

Cory

For authorization attributes, only TACACS+ supports it; you cannot use RADIUS.

I am using TACACS+ and having the same issue.

Hi:

I was not clear in my post.

I am using TACACS+ between the WLC and the ACS.  The only RADIUS communication is between the ACS and the RADIUS server on the RSA SecurID appliance.

What I was trying to get across was that perhaps there is an attribute the RADIUS server needs to pass to the ACS in order for this to work.

Jim

Cory:

Looking forward to hearing what TAC has to say.  We cannot be the only ones having this issue with external identity store authentication.

Good luck.

Jim

Jim,

We have found the fix: just one little check box, if you will...

You need to make sure you have an authentication server and an authorization server. I did not have an authorization server entered in the WLC.

You can just point to the ACS for both Authentication and Authorization.

-Cory

Cory:

Glad you found the fix. Unfortunately this setting was already enabled on our WLC; it had to be in order to get this to work under ACS 4.x. So, whatever issue we are experiencing is different from yours.

I will continue to investigate. Congratulations again on getting over this hurdle.

Jim

Jim,

Also be sure the Shell Commands are exactly as follows. They are Case sensitive.

-Cory
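Pulling the thread together, here is an added example (not posted by anyone in the thread) that walks the WLC TACACS+ debug output from the first post and tells the two failure modes apart: authentication passes but the authorization server never answers (the original poster's case), versus authorization answers but the shell profile lacks the role attribute (the EMWEB Service-Type error). The sample lines are copied from the thread; mapping each pattern to a cause is an assumption based on the replies.

```python
import re

# Constructed sample: the "debug aaa tacacs" lines quoted in the first post.
# Authentication completes (seq_no=4, tplus_authen_passed), then the
# authorization request to the server on TCP/49 times out.
WLC_DEBUG = """\
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0
Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS
Sun Aug 23 16:19:06 2009: auth_cont get_pass reply: pkt_length=28
Sun Aug 23 16:19:06 2009: processTplusAuthResponse: Continue auth transaction
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=4 session_id=f59bbf0b length=6 encrypted=0
Sun Aug 23 16:19:06 2009: tplus_make_author_request() from tplus_authen_passed returns rc=0
Sun Aug 23 16:19:06 2009: Forwarding request to 192.168.0.5 port=49
Sun Aug 23 16:19:11 2009: sendTplusMessage: connect timeout: 115:Operation now in progress
Sun Aug 23 16:19:16 2009: Exhausted all available servers
"""

FORWARD_RE = re.compile(r"Forwarding request to (\S+) port=(\d+)")


def diagnose(debug_text: str) -> dict:
    """Walk the debug lines in order and record where the TACACS+ login stopped."""
    state = {"authen_passed": False, "author_target": None,
             "author_timeout": False, "servers_exhausted": False,
             "service_type_missing": False}
    for line in debug_text.splitlines():
        if "tplus_authen_passed" in line:          # password accepted by ACS
            state["authen_passed"] = True
        m = FORWARD_RE.search(line)
        if m and state["authen_passed"]:           # next request is authorization
            state["author_target"] = f"{m.group(1)}:{m.group(2)}"
        if "connect timeout" in line and state["author_target"]:
            state["author_timeout"] = True         # authorization server silent
        if "Exhausted all available servers" in line:
            state["servers_exhausted"] = True
        if "Service-Type is not present" in line:  # EMWEB-1-LOGIN_FAILED text
            state["service_type_missing"] = True
    return state


def verdict(state: dict) -> str:
    """Map the recorded state to the fix the thread arrived at."""
    if state["service_type_missing"]:
        return "authorization reply lacks role attribute: check shell profile (role1=ALL, lower-case)"
    if state["authen_passed"] and state["author_timeout"]:
        return f"authentication passed, authorization server {state['author_target']} unreachable"
    if state["servers_exhausted"]:
        return "no TACACS+ server answered"
    return "no failure detected"
```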
