Using TACACS+ from a v6.0 WLC to v5.1 ACS

Answered Question
Dec 9th, 2009

Hi All,

I'm trying to set up TACACS+ from a WLC (v6.0.188.0) to a v5.1 ACS.  I've got all the ACS policies set up for integration with AD, Group Mapping, etc., and that all works fine. The problem is that the 'Shell Profile' and/or 'Command Set' I'm using doesn't suitably authorise the user, and so the WLC doesn't let them on... A success / access-accept message is generated and transmitted, but as far as the WLC is concerned it doesn't contain the necessary rights, so the admin doesn't get on.

I am aware of the requirements and how to create this in ACS 4.x, but 5.1 is a different beast and I can't find the necessary bits in the ACS 5.1 GUI to create the config.

Does anybody know how to create the equivalent configuration in ACS 5.1?

Basically need to work out how to do this;

PPP IP

Shell (exec)

Service = ciscowlc, Protocol = common

  Custom Attributes:

  role1=ALL

Any help, much appreciated!!

Cheers,

Richard

Correct Answer
Michael Langerreiter Thu, 12/10/2009 - 01:27

Hi!

I'm trying the same thing for my WLCs and I would also like to do my WCS authentication and authorization via ACS 5.1 (for admin and lobby ambassador access)

I also know how to configure ACS 4.2 to hand out the custom attributes ("Interface Configuration" --> "TACACS+ (Cisco)" --> "New Services" ciscowlc/common for the WLCs and Wireless-WCS/HTTP for WCS. Appropriate roleX=Y strings in the group settings), but have no clue how to do the same thing with ACS 5.1.

Any ideas anyone?

Regards,

Michael

Richard Atkin Thu, 12/10/2009 - 01:47

You can do the WCS Authorisation by doing this;

Go to Policy Elements > Authorisation & Permissions > Device Administration > Shell Profiles

Create a new Shell profile for WCS

Go to the Custom Attributes for your WCS Shell Profile

You then have three fields to populate: Attribute, Requirements & Value. You have to create one entry for each WCS Role / Task, i.e.,

Attribute = role0

Requirements = Mandatory

Value = Root

Attribute = task0

Requirements = Mandatory

Value = Users and Groups

Attribute = task1

Requirements = Mandatory

Value = Audit Trails

etc...

There are about 69 entries to make in total so it takes a little while...  Once complete you then just need to reference the WCS Shell Profile in the relevant Authorisation Profile.

Back to the original problem, this doesn't seem to work for the WLC, where I tried the following with no success.

Attribute = role

Requirements = Mandatory

Value = ALL

Cheers,

Richard

Correct Answer
Michael Langerreiter Thu, 12/10/2009 - 06:14

Richard!

The shell profile for the different wcs roles works - thanks a lot for your help!

Even the shell profile for my WLCs works with role1=ALL. I also confirmed it with role1=WLAN.

You seem to use role=ALL, maybe you should give role1=ALL a try?

Regards,

Mike
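The difference between `role=ALL` and `role1=ALL` can be checked on the wire in the TACACS+ authorization REPLY that ACS sends back. The following is an added example, not part of the original posts or Cisco's code: it parses a reply body in the RFC 8907 layout and reports which indexed `roleN` attributes it carries. It assumes the body has already been de-obfuscated with the shared secret; the helper names and the sample replies are constructed for illustration.

```python
import re
import struct

# Authorization REPLY status codes from RFC 8907, section 6.2.
STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR"}
ROLE_ATTR = re.compile(r"role\d+")  # assumption: indexed form, as in role1=ALL


def build_reply(status, args):
    """Constructed sample: encode an unobfuscated authorization REPLY body."""
    raw = [a.encode("ascii") for a in args]
    head = struct.pack("!BBHH", status, len(raw), 0, 0)  # no server_msg, no data
    return head + bytes(len(a) for a in raw) + b"".join(raw)


def parse_reply(body):
    """Return (status name, [(attribute, value, mandatory), ...])."""
    if len(body) < 6:
        raise ValueError("body shorter than the fixed 6-byte header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len  # skip server_msg and data
    if len(lens) != arg_cnt or pos + sum(lens) != len(body):
        raise ValueError("length fields do not match body size")
    avs = []
    for n in lens:
        arg = body[pos:pos + n].decode("ascii")
        pos += n
        # The first '=' (mandatory) or '*' (optional) separates name and value.
        m = re.match(r"([^=*]+)([=*])(.*)$", arg, re.S)
        if not m:
            raise ValueError(f"malformed attribute-value pair: {arg!r}")
        avs.append((m.group(1), m.group(3), m.group(2) == "="))
    return STATUS.get(status, hex(status)), avs


def wlc_roles(body):
    """Values of indexed role attributes in a passing reply, else empty list."""
    status, avs = parse_reply(body)
    if not status.startswith("PASS"):
        return []
    return [value for name, value, _ in avs if ROLE_ATTR.fullmatch(name)]


# Constructed replies: the profile that failed in the thread and the one that worked.
failing = build_reply(0x01, ["role=ALL"])
working = build_reply(0x01, ["role1=ALL"])
print(wlc_roles(failing), wlc_roles(working))
```

An empty list on a passing reply matches the symptom described in the first post: authentication succeeds but the reply carries no role the controller recognises.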

Richard Atkin Thu, 12/10/2009 - 06:38

Mike, thank you!

It's been a long week here, I knew it would be something simple!!

Thanks for the pointer, glad you got WCS working too...

Richard

hugh.turner Fri, 08/06/2010 - 08:55

Hi... just reading the post and I have the same issue trying to use TACACS to authenticate users to log into a 5508 WLC. I'm also using ACS 5.1.

Can you clarify what exactly needs to be in the shell profile for me, I'm a little confused.

So far I have created a brand new shell profile and applied it to be used when a user connects to a WLC.

All I have added to it is one custom attribute:

Attribute: role1

Requirement: Mandatory

Value: ALL

I've not put anything in the common tasks.  Do I need to?

I must have something I'm missing, since the WLC just rejects me and repeats its request for a log on.

LUCAS NEEDHAM Fri, 05/07/2010 - 11:56

role1=ALL did the trick for me.  Thanks for this post.  You saved me a TAC case!

c.yeo Mon, 01/04/2010 - 14:28

We've been struggling with ACS 5.0 and not getting anywhere.

I think we're missing some 'concepts'.

You mention 3 fields to populate....I don't see anything like that:

When I create a WCS Profile, I only see Name and Description on the General Tab, and two other tabs: Privilege and Shell Attributes.

It appears I am looking in the wrong places.

Our exact version of ACS is:  5.0.0.21

Can you shed any light on what we are supposed to see?

Charles

Richard Atkin Tue, 01/05/2010 - 01:46

Cisco don't recommend using ACS v5.0, as frankly, it's crap.  The upgrade to v5.1 is a free download off CCO...

Rgds,

Richard

volven.didata Tue, 04/06/2010 - 23:09

Hi All,

I tried integrating the WCS 6.0 with ACS 5.1 using TACACS but am unable to log in. I get the following error " [AuthenticationAction] User has no usergroups/roles assigned. Username= lobadmin "

Note - I have created the Shell Profile and added the following custom attributes...

Attribute               Requirement               Value

role0                    Mandatory           LobbyAmbassador
task0                   Mandatory           Configure Guest Users
task1                   Mandatory           Lobby Ambassador User Preferences

Is there anything else I need to do?

Thanks

Volven
