Can anyone help explain the step I'm missing to get this to work? Unfortunately, there is no documentation for ACS 5.1 on how to get this to work.
So here is what I have tried...
Under "Policy Elements" -> Authorization & Permissions -> Devices Administration -> Shell Profiles
I created a new custom shell profile called "ciscowlc". (I am pretty sure that is just a name and doesn't have to match anything in particular, like it did in ACS 4.x, but just to be consistent, that is what I called it.)
Under the "Custom Attributes" tab, I created a new custom attribute
To apply this custom attribute, I did the following:
"Access Policies" -> Created a custom policy called "TACACS WLC Administration" -> Service type = "Device Administration", Policy Structure = Identity & Authorization, Allowed Protocols = PAP/ASCII, CHAP & MS-CHAPv2
My Identity is pointing to AD
Under Authorization, created a custom Policy with the following settings:
AD:ExternalGroups = "the AD group my user is contained in"
Shell Profile: = "ciscowlc" (same as custom shell profile above)
When I look at the logs for ACS, it shows successful Authentication & Authorization and that I am hitting the correct policy, "TACACS WLC Administration".
When I run a "debug aaa tacacs enable" from CLI on the WLC, here is what I receive...
(Cisco Controller) >debug aaa tacacs enable
(Cisco Controller) >*Sep 10 18:24:43.350: Forwarding request to <removed> port=49
*Sep 10 18:59:09.601: Forwarding request to <removed> port=49
*Sep 10 18:59:10.411: tplus response: type=1 seq_no=2 session_id=51a14953 length=16 encrypted=0
*Sep 10 18:59:10.411: TPLUS_AUTHEN_STATUS_GETPASS
*Sep 10 18:59:10.411: auth_cont get_pass reply: pkt_length=25
*Sep 10 18:59:10.411: processTplusAuthResponse: Continue auth transaction
*Sep 10 18:59:10.664: tplus response: type=1 seq_no=4 session_id=51a14953 length=6 encrypted=0
*Sep 10 18:59:10.664: tplus_make_author_request() from tplus_authen_passed returns rc=0
*Sep 10 18:59:10.664: Forwarding request to 220.127.116.11 port=49
*Sep 10 18:59:11.030: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*Sep 10 18:59:11.030: arg = [role1=ALL ]
*Sep 10 18:59:11.030:
User has the following mgmtRole 0
So it looks like it worked... however, it just comes back and keeps prompting me for the username and password again... Can anyone help?
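As an added example (my own illustration, not part of the original post and not Cisco's code): a small Python parser over the `debug aaa tacacs enable` output above that pulls out the authorization status and the `roleN` attribute values the controller received, then checks each value against the WLC role names with an exact, whitespace-sensitive comparison versus a trimmed one. The sample input is the debug text copied from the post. Assumptions are labelled in the code: the role-name list is the set documented for WLC TACACS+ authorization, the `status=1` meaning follows the TACACS+ spec, and the exact-match check is only a model of how a name such as `role1=ALL ` (note the space before `]`) could fail to resolve to a role; it does not claim that this is what the controller does internally.

```python
"""Parse WLC 'debug aaa tacacs enable' output and check the TACACS+
authorization attributes the controller received.

Added illustration only; not code from the original post or from Cisco.
"""
import re

# Assumption: WLC TACACS+ role names as documented for the controller.
WLC_ROLES = {"ALL", "MONITOR", "WLAN", "CONTROLLER", "WIRELESS",
             "SECURITY", "MANAGEMENT", "COMMANDS", "LOBBY"}

# TACACS+ authorization reply statuses (from the TACACS+ protocol spec).
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}

AUTHOR_RESP = re.compile(r"author response body: status=(\d+) arg_cnt=(\d+)")
ARG_LINE = re.compile(r"arg = \[(.*)\]")

# Constructed sample: the relevant lines from the debug output in the post.
SAMPLE = """\
*Sep 10 18:59:11.030: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*Sep 10 18:59:11.030: arg = [role1=ALL ]
*Sep 10 18:59:11.030:
User has the following mgmtRole 0
"""


def parse_author_args(debug_text):
    """Return (status, [(name, value), ...]) from the authorization reply.

    Values are kept verbatim, including any surrounding whitespace, so the
    caller can see exactly what the server sent.
    """
    status = None
    args = []
    for line in debug_text.splitlines():
        m = AUTHOR_RESP.search(line)
        if m:
            status = int(m.group(1))
            continue
        m = ARG_LINE.search(line)
        if m:
            name, _, value = m.group(1).partition("=")
            args.append((name, value))
    return status, args


def check_roles(args, strict=True):
    """Map roleN attributes to WLC role names.

    strict=True models an exact string comparison (assumption: the value must
    equal a role name byte for byte); strict=False trims whitespace first.
    Returns (granted_roles, diagnostics).
    """
    granted, problems = [], []
    for name, value in args:
        if not re.fullmatch(r"role\d+", name):
            problems.append(f"ignored attribute {name!r}")
            continue
        candidate = value if strict else value.strip()
        if candidate in WLC_ROLES:
            granted.append(candidate)
        elif value.strip() in WLC_ROLES:
            problems.append(f"{name}={value!r} has surrounding whitespace")
        else:
            problems.append(f"{name}={value!r} is not a WLC role")
    return granted, problems


def diagnose(debug_text):
    """Summarise the authorization reply for a quick sanity check."""
    status, args = parse_author_args(debug_text)
    strict_roles, strict_problems = check_roles(args, strict=True)
    lenient_roles, _ = check_roles(args, strict=False)
    return {
        "status": AUTHOR_STATUS.get(status, f"unknown({status})"),
        "args": args,
        "roles_exact_match": strict_roles,
        "roles_after_trim": lenient_roles,
        "diagnostics": strict_problems,
    }


if __name__ == "__main__":
    for key, val in diagnose(SAMPLE).items():
        print(f"{key}: {val}")
```

Run it as-is and it reports `PASS_ADD` for the status, `role1='ALL '` as the single attribute, no role under exact matching and `ALL` after trimming, which is the thing to look at in the ACS shell-profile custom attribute value if the controller keeps reporting `mgmtRole 0`.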