TACACS on WCS - ACS says authentication passed

Unanswered Question
Jul 29th, 2010


I have followed this -


When I log into the WCS it says username and password incorrect, although in the ACS it says Authentication Passed.

Do I need to create the usernames in the WCS as well?


Rollin Kibbe Mon, 08/16/2010 - 10:57

Hi Bradley:

First, let's clarify the difference between AUTHENTICation and AUTHORIZation.  Who are you versus what are you allowed to do.

WCS' login errors aren't real clear on whether the problem is with AUTHENTICation or AUTHORIZation.  Usually, the problem is with AUTHORIZation, particularly when ACS says that AUTHENTICation passed successfully.  Trace level logging of a failed attempt will show definitively.

With AUTHORIZation problems, it's usually with getting the services, roles and tasks set up correctly for the group, or since 5.2, if the virtual-domain attribute isn't included.  Once virtual-domains came in, they're on whether you think you're using them or not.

The only scenario where local usernames/passwords need to be configured is for Lobby Ambassadors and when Lobby Ambassador Defaults are involved.  The Lobby Ambassador Defaults can't be passed down from an authentication server.


Rollin Kibbe

Network Management Systems Team

Rollin Kibbe Tue, 08/17/2010 - 07:43


Where did you find Bradley's configuration?  What exactly was wrong?  Why don't you show those "...missing configuration steps..." so that everybody can learn?


bradleyordner Wed, 09/01/2010 - 19:39

I have a feeling that my ACS is not configured correctly.

According to the documentation my Authentication has passed, but the attributes that I have placed into the ACS to determine what level of access don't seem to be getting through. Possibly because the same group is used to control shell commands on routers and switches.

Is it possible that the response to WCS is sending the shell commands instead of the attributes?

P.S Where are the debug logs...on the WCS?
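
An added example, not part of the original posts and not Cisco's code: a small Python check of the authorization attributes an ACS group returns, covering the two cases raised in this thread (a missing virtual-domain attribute since 5.2, and shell attributes arriving in place of roles and tasks). The `role0=`/`task0=`/`virtual-domain0=` naming, the function name and the sample inputs are assumptions of the example.

```python
import re

# Assumed attribute naming (not given in the thread): role0=..., task0=...,
# virtual-domain0=..., one "name=value" pair per line.
WCS_ATTR = re.compile(r"^(role|task|virtual-domain)(\d+)=(\S.*)$")
SHELL_ATTR = re.compile(r"^(priv-lvl|cmd|cmd-arg|autocmd|idletime|timeout)\s*[=*]")


def check_wcs_authorization(attr_text, wcs_version=(5, 2)):
    """Return a list of findings for a pasted authorization attribute list."""
    seen = {"role": [], "task": [], "virtual-domain": []}
    shell, unknown, findings = [], [], []
    for raw in attr_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = WCS_ATTR.match(line)
        if m:
            seen[m.group(1)].append(m.group(3).strip())
        elif SHELL_ATTR.match(line):
            shell.append(line)
        else:
            unknown.append(line)
    for kind in ("role", "task"):
        if not seen[kind]:
            findings.append(f"missing {kind} attributes")
    # Per the reply in this thread: since 5.2 the virtual-domain attribute is needed.
    if wcs_version >= (5, 2) and not seen["virtual-domain"]:
        findings.append("missing virtual-domain attribute")
    if shell and not any(seen.values()):
        findings.append("only shell attributes returned")
    elif shell:
        findings.append("shell attributes mixed in: " + ", ".join(shell))
    if unknown:
        findings.append("unrecognised lines: " + ", ".join(unknown))
    return findings


# Constructed sample inputs, not taken from the thread.
SHELL_ONLY = "priv-lvl=15\n"
NO_DOMAIN = "role0=Admin\ntask0=View Alerts and Events\n"
COMPLETE = NO_DOMAIN + "virtual-domain0=root\n"

if __name__ == "__main__":
    for name, sample in (("shell only", SHELL_ONLY), ("no domain", NO_DOMAIN), ("complete", COMPLETE)):
        print(name, "->", check_wcs_authorization(sample) or "ok")
```

An empty result means the attribute list has roles, tasks and a virtual domain; it does not prove that ACS actually sends that list to WCS, which the trace-level log of a failed attempt would show.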


