×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

WLC login using ACS 5.1 for Shell Profile role "ALL"

Document

Tue, 05/27/2014 - 23:10
May 27th, 2014
User Badges:
  • Gold, 750 points or more


 

Introduction

Getting WLC login screen again and again when using ACS credentials and log shows "Privilege Level" is only 1.

Scenario

I was wondering if anyone has successfully managed to configure ACS 5.1 to accept login request from a 5500 WLC?

I've managed to get it configured following the follow link Cisco Wireless LAN Controller (WLC) and Cisco ACS 5.x (TACACS+) Configuration Example for Web Authentication but when I try to login to the WLC using my ACS credentials I just get the login screen again. I've checked the ACS logs and it says my username has passed the authentication process and it matches all the rules I've set. The only thing I've noticed is my "Privilege Level" is only 1 but I'm not sure if thats correct for a http login.

Hardware

Cisco 5500 Series Wireless Controller

Software

 

Cisco Secure Access Control System 5.1

More Details

As directed in the above mentioned document Cisco Wireless LAN Controller (WLC) and Cisco ACS 5.x (TACACS+) Configuration Example for Web Authentication, user tried to configure role defined as "ALL", even then he is getting "Privilege Level 1".

ACS Shell Profile

ACS Authentication Logs

Troubleshooting

Login to the CLI with the local credentials and run

debug aaa tacacs enable

then try GUI with TACACS+ credentials. this will show what is coming back from the TACACS server.

Debugs

(Cisco Controller) >config  *tplusTransportThread: Jan 24 11:29:41.519: Forwarding request to 10.10.11.12 port=49
*tplusTransportThread: Jan 24 11:29:41.520: tplus auth response: type=1 seq_no=2 session_id=f432fef2 length=16 encrypted=0
*tplusTransportThread: Jan 24 11:29:41.520: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Jan 24 11:29:41.520: auth_cont get_pass reply: pkt_length=26
*tplusTransportThread: Jan 24 11:29:41.520: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Jan 24 11:29:41.526: tplus auth response: type=1 seq_no=4 session_id=f432fef2 length=6 encrypted=0
*tplusTransportThread: Jan 24 11:29:41.526: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Jan 24 11:29:41.526: Forwarding request to 10.10.11.12 port=49
*tplusTransportThread: Jan 24 11:29:41.531: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Jan 24 11:29:41.531: arg[0] = [28][role1=ALL

Also

When user logged into WLC with TACACS+ account then Local, he can't login using any credentials (local or otherwise) unless he disable the switch port that the ACS is on.

Here is another debug log.

(Cisco Controller) >*emWeb: Jan 24 11:38:36.782:
Log to TACACS server(if online): aaa auth mgmt  tacacs local
*aaaQueueReader: Jan 24 11:38:36.783: cmd_buff=[aaa auth mgmt tacacs local] cmd_buff_len=[27]
*aaaQueueReader: Jan 24 11:38:36.783: tplus_make_acct_request: pkt->length=116 acct_len=116 arg_total_len=83
*tplusTransportThread: Jan 24 11:38:36.835: Forwarding request to 10.10.11.12 port=49
*tplusTransportThread: Jan 24 11:38:36.841: ACCT response length = 5, buffer len = 17
*tplusTransportThread: Jan 24 11:38:36.841: ACCT response body: status=1 msg_len=0 data_len=0
*tplusTransportThread: Jan 24 11:38:36.841: ACCT Socket closed underneath
*tplusTransportThread: Jan 24 11:38:45.967: Forwarding request to 10.10.11.12 port=49
*tplusTransportThread: Jan 24 11:38:45.968: tplus auth response: type=1 seq_no=2 session_id=d443ded8 length=16 encrypted=0
*tplusTransportThread: Jan 24 11:38:45.968: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Jan 24 11:38:45.968: auth_cont get_pass reply: pkt_length=26
*tplusTransportThread: Jan 24 11:38:45.968: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Jan 24 11:38:45.974: tplus auth response: type=1 seq_no=4 session_id=d443ded8 length=6 encrypted=0
*tplusTransportThread: Jan 24 11:38:45.974: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Jan 24 11:38:45.974: Forwarding request to 10.10.11.12 port=49
*tplusTransportThread: Jan 24 11:38:45.980: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Jan 24 11:38:45.980: arg[0] = [28][role1=ALL]
*tplusTransportThread: Jan 24 11:38:45.980:

User has the following mgmtRole 0
*tplusTransportThread: Jan 24 11:39:09.451: Forwarding request to 10.10.11.12 port=49
*tplusTransportThread: Jan 24 11:39:09.452: tplus auth response: type=1 seq_no=2 session_id=23510ed4 length=16 encrypted=0
*tplusTransportThread: Jan 24 11:39:09.452: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Jan 24 11:39:09.452: auth_cont get_pass reply: pkt_length=28
*tplusTransportThread: Jan 24 11:39:09.452: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Jan 24 11:39:09.457: tplus auth response: type=1 seq_no=4 session_id=23510ed4 length=6 encrypted=0

Solution

it looks like there is a space or a carriage return after the ALL

*tplusTransportThread: Jan 24 11:38:45.980: arg[0] = [28][role1=ALL]

Can you rebuild that attribute and click apply, you might just be able to put the cursor behind the ALL and hit delete.

More Information

You can setup multiple roles for a user instead of using ALL. See step 5

  • In the text box below Custom attributes, enter this text if the user created needs access only to WLAN, SECURITY and CONTROLLER: role1=WLAN role2=SECURITY role3=CONTROLLER.If the user needs access only to the SECURITY tab, enter this text: role1=SECURITY.The role corresponds to the seven menu bar items in the controller web GUI. The menu bar items are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT and COMMAND.

  • Enter the role that a user needs for role1, role2 and so on. If a user needs all the roles, then the keyword ALL should be used. For the lobby admin role, the keyword LOBBY should be used.

Source

WLC login using ACS 5.1

Reference

Cisco Unified Wireless Network TACACS+ Configuration

Loading.

Actions

This Document

 

 

Trending Topics - Security & Network