Re: Can't get TACACS on WLC in ACS 5.1 to work???

Report Inappropriate Content · ‎09-10-2010

Can anyone help explain the step I'm missing to get this to work? Unfortunately there is no documentation on ACS 5.1 on how to get this to work....

So here is what I have tried...

Under "Policy Elements" -> Authorization & Permissions -> Devices Administration -> Shell Profiles

I created a new custom shell profile called "ciscowlc"... (I am pretty sure that is just a name & doesn't have to match anything in particular like in ACS 4.x but just to be consistent, that is what I called it)

Under the "Custom Attributes" tab, I created a new custom attribute

Attribute: role1

Requirement: Mandatory

Valle: ALL

To apply this custom attribute, i did the following:

"Access Policies" -> Created a custom policy called "TACACS WLC Administration" -> Service type = "Device Adiministration", Policy Structure: = Identitiy & Authorization. Allowed Protocols = PAP/ASCII, CHAP & MS-CHAPV2

My Identity is pointing to AD

Under Authorization, created a custom Policy with the following settings:

AD:ExternalGroups = "my ad group my user is contained"

Shell Profile: = "ciscowlc" (same as custom shell profile above)

When I look at the the logs for ACS, it shows successful Authentication & Authorization & that I am hitting the correct policy "TACACS WLC Administration"

When I run a "debug aaa tacacs enable" from CLI on the WLC, here is what I receive...

Password:********
(Cisco Controller) >debug aaa tacacs enable

(Cisco Controller) >*Sep 10 18:24:43.350: Forwarding request to <removed> port=49

*Sep 10 18:59:09.601: Forwarding request to <removed> port=49

*Sep 10 18:59:10.411: tplus response: type=1 seq_no=2 session_id=51a14953 length=16 encrypted=0

*Sep 10 18:59:10.411: TPLUS_AUTHEN_STATUS_GETPASS

*Sep 10 18:59:10.411: auth_cont get_pass reply: pkt_length=25

*Sep 10 18:59:10.411: processTplusAuthResponse: Continue auth transaction
*Sep 10 18:59:10.664: tplus response: type=1 seq_no=4 session_id=51a14953 length=6 encrypted=0

*Sep 10 18:59:10.664: tplus_make_author_request() from tplus_authen_passed returns rc=0

*Sep 10 18:59:10.664: Forwarding request to 170.126.246.248 port=49

*Sep 10 18:59:11.030: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0

*Sep 10 18:59:11.030: arg[0] = [20][role1=ALL ]

*Sep 10 18:59:11.030:
User has the following mgmtRole 0

So it looks like it worked... however it just comes back & keeps prompting me with the username & password again... Can anyone help????

Report Inappropriate Content · ‎09-10-2010

All is working now... if you look closely at my debug above... there was a tab getting in the end of the word [role1=ALL ] (notice the space in the bracket)..

Sep 10 18:59:11.030: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0

*Sep 10 18:59:11.030: arg[0] = [20][role1=ALL ]

*Sep 10 18:59:11.030:
User has the following mgmtRole 0

Once I removed those spaces, all is working... Next up. TACACS on WCS...

theeaglelb · ‎10-21-2011

I had the same problem and i found the issue with some space that is being added by default when you enter the word" "ALL" when you create the role1 , Mandatory , ALL under custom shell Profile.

(Cisco Controller) >debug aaa all enable

tplusTransportThread: Oct 21 17:25:05.384: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0

*tplusTransportThread: Oct 21 17:25:05.384: arg[0] = [9][role1=ALL] before it was [role1=ALL ]

*tplusTransportThread: Oct 21 17:25:05.384:

User has the following mgmtRole fffffff8

*tplusTransportThread: Oct 21 17:25:05.384: 00:00:00:48:00:00 Returning AAA Success for mobile 00:00:00:48:00:00