We added an AAA client in the Cisco ACS 5.0 for the WLC 4402 (TACACS+ authentication) and configured the WLC 4402 to use TACACS+ authentication for management access.
We can't get this to work for some reason.
Other Cisco routers and switches all work fine with TACACS+ authentication.
This is a TACACS debug output from the WLC:
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0
Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS
Sun Aug 23 16:19:06 2009: auth_cont get_pass reply: pkt_length=28
Sun Aug 23 16:19:06 2009: processTplusAuthResponse: Continue auth transaction
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=4 session_id=f59bbf0b length=6 encrypted=0
Sun Aug 23 16:19:06 2009: tplus_make_author_request() from tplus_authen_passed returns rc=0
Sun Aug 23 16:19:06 2009: Forwarding request to 192.168.0.5 port=49
Sun Aug 23 16:19:11 2009: sendTplusMessage: connect timeout: 115:Operation now in progress
Sun Aug 23 16:19:16 2009: Exhausted all available servers
Please review and let me know if I missed anything. Thanks.
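The debug output above shows two distinct TACACS+ phases: the authentication exchange receives replies (seq_no=2 and seq_no=4, then tplus_authen_passed), while the authorization request that follows is forwarded to 192.168.0.5 on TCP port 49, times out, and no further server is available. The following Python script is an added example, not part of the original post or any Cisco tool; it walks the posted debug lines (embedded here as a constructed sample) and reports which phase failed, so the reader can separate a credential problem from a reachability problem with the authorization server entry.

```python
import re

# Constructed sample: the debug lines quoted in the original post.
WLC_DEBUG = """\
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0
Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS
Sun Aug 23 16:19:06 2009: auth_cont get_pass reply: pkt_length=28
Sun Aug 23 16:19:06 2009: processTplusAuthResponse: Continue auth transaction
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=4 session_id=f59bbf0b length=6 encrypted=0
Sun Aug 23 16:19:06 2009: tplus_make_author_request() from tplus_authen_passed returns rc=0
Sun Aug 23 16:19:06 2009: Forwarding request to 192.168.0.5 port=49
Sun Aug 23 16:19:11 2009: sendTplusMessage: connect timeout: 115:Operation now in progress
Sun Aug 23 16:19:16 2009: Exhausted all available servers
"""

# WLC debug lines start with a timestamp; the message follows the ": " after the year.
TIMESTAMP_RE = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}: (.*)$")
FORWARD_RE = re.compile(r"Forwarding request to (\S+) port=(\d+)")


def triage_wlc_tacacs(debug_text):
    """Walk the debug lines in order and summarise the state of each TACACS+ phase.

    Returns a dict with counters/flags and a one-line diagnosis string.
    """
    result = {
        "authen_replies": 0,      # server replies seen during authentication
        "authen_passed": False,   # WLC moved on to building an authorization request
        "author_target": None,    # (host, port) the authorization request went to
        "connect_timeout": False, # TCP connect to the current target timed out
        "servers_exhausted": False,
        "diagnosis": "",
    }
    phase = "authen"
    for raw in debug_text.splitlines():
        m = TIMESTAMP_RE.match(raw)
        msg = m.group(1) if m else raw
        if msg.startswith("tplus response:") and phase == "authen":
            result["authen_replies"] += 1
        elif "tplus_authen_passed" in msg:
            result["authen_passed"] = True
            phase = "author"
        elif FORWARD_RE.search(msg):
            host, port = FORWARD_RE.search(msg).groups()
            result["author_target" if phase == "author" else "authen_target"] = (host, int(port))
        elif "connect timeout" in msg:
            result["connect_timeout"] = True
        elif "Exhausted all available servers" in msg:
            result["servers_exhausted"] = True

    if result["authen_passed"] and result["connect_timeout"]:
        host, port = result["author_target"] or ("?", "?")
        result["diagnosis"] = (
            f"authentication succeeded ({result['authen_replies']} replies); "
            f"authorization request to {host}:{port} timed out"
            + (" and no fallback server remained" if result["servers_exhausted"] else "")
            + " -> check reachability/TCP port 49 for the authorization server entry"
        )
    elif result["connect_timeout"]:
        result["diagnosis"] = "authentication server unreachable (connect timeout)"
    elif result["authen_passed"]:
        result["diagnosis"] = "authorization reached the server; inspect the returned attributes"
    else:
        result["diagnosis"] = "authentication did not complete; check credentials/shared secret"
    return result


if __name__ == "__main__":
    print(triage_wlc_tacacs(WLC_DEBUG)["diagnosis"])
```

The WLC keeps separate TACACS+ server lists for authentication and authorization, which is why the script tracks the two phases independently: replies arriving during authentication do not prove the authorization entry points at a reachable server.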
For WLC TACACS+ authentication, the ACS requires a special configuration.
Unfortunately, there is no documentation yet for ACS 5.0, but you can use the following documentation as a reference.
Hope it helps.
Where do you add the custom attributes in ACS 5.X? I cannot find where to apply these settings.
I tried your guide and it hits the rules when I try to authenticate. I also see the authentication pass, but I never get access to the web GUI or the CLI.
The following is the error I get when trying to log in:
*Oct 21 12:17:47.069: %EMWEB-1-LOGIN_FAILED: ews_auth.c:2104 Login failed. User:testuser. Service-Type is not present or it doesn't allow READ/WRITE permission..
I am sorry, I forgot to change something. Under the shell profile it is Role1=ALL. Please change that to role1=ALL. The WLC is very case sensitive.
Hope this helps.
You can call me directly if you have any more issues.
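The fix above turns on one detail: the WLC matches the shell-profile attribute name exactly, so Role1=ALL is not recognised while role1=ALL is. The following Python snippet is an added example (my own code, not Cisco's, and not from the thread) that parses TACACS+ authorization attribute-value pairs the way RFC 8907 defines them (attr=value is mandatory, attr*value is optional) and lints a shell profile for the WLC requirement described here. The sample pair lists are constructed; treating the value ALL as the read/write role is taken from the thread, and the case-insensitive hint is my addition to make the mistake obvious.

```python
def parse_av_pairs(pairs):
    """Parse TACACS+ authorization AV pairs (RFC 8907 section 6.1).

    'attr=value' is a mandatory pair, 'attr*value' an optional one; the separator is
    the first '=' or '*' in the string. Attribute names are kept exactly as received.
    Returns a list of (attribute, value, mandatory) tuples.
    """
    parsed = []
    for raw in pairs:
        idx = next((i for i, ch in enumerate(raw) if ch in "=*"), None)
        if idx is None:
            raise ValueError(f"not a TACACS+ AV pair: {raw!r}")
        parsed.append((raw[:idx], raw[idx + 1:], raw[idx] == "="))
    return parsed


def wlc_role(pairs):
    """Return the value of the 'role1' attribute, compared case-sensitively
    as the WLC does; None when no exact 'role1' attribute is present."""
    for attr, value, _mandatory in parse_av_pairs(pairs):
        if attr == "role1":
            return value
    return None


def lint_shell_profile(pairs):
    """Check a shell profile's AV pairs against the WLC read/write requirement.

    Returns (ok, findings): ok is True only for an exact role1=ALL pair; findings
    lists human-readable reasons, including a hint when the name differs only in case.
    """
    findings = []
    role = wlc_role(pairs)
    if role == "ALL":
        return True, findings
    if role is None:
        near = [a for a, _v, _m in parse_av_pairs(pairs) if a.lower() == "role1"]
        if near:
            findings.append(
                f"attribute {near[0]!r} differs from 'role1' only in case; "
                "the WLC compares the name case-sensitively, so it is ignored"
            )
        else:
            findings.append("no 'role1' attribute: WLC will reject the login "
                            "(missing/insufficient READ/WRITE permission)")
    else:
        findings.append(f"role1 is {role!r}, not 'ALL': read/write access is not granted")
    return False, findings


if __name__ == "__main__":
    # Constructed sample profiles: the one from the thread before and after the fix.
    for profile in (["Role1=ALL"], ["role1=ALL"], ["priv-lvl=15"]):
        print(profile, lint_shell_profile(profile))
```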
First, thanks for your screen shots, they helped very much.
WLC 4400 - 22.214.171.124
RADIUS server running on an RSA SecurID appliance.
We are in the process of upgrading our ACS infrastructure to 5.x. We are using the appliances and are testing in our lab. Following the provided screen shots, I am able to successfully log in to the WLC as an administrator via the web interface or SSH.
However, as soon as I change the authentication to use the RADIUS server, I am unable to log in to the WLC. Looking at the aaa debug on the WLC, it is clear that the ACS is not sending the role1=ALL statement to the WLC. However, as far as the ACS is concerned, I successfully authenticated against the RADIUS server.
Has anybody gotten this to work when using an external identity store, particularly RADIUS? I am hoping I just need to tweak an attribute setting somewhere.
I am having the same issue. I will be working with TAC on this and will update as I find anything out.