
Configuring WLC 4402 TACACS+ authentication using Cisco ACS 5.0

Hello,

We added AAA client in the Cisco ACS 5.0 for WLC 4402 (TACACS+ Authentication) and configured WLC 4402 to use TACACS+ authentication for the management access.

We can't get this to work for some reason.

Other Cisco routers and switches all worked fine with TACACS+ authentication.

This is the TACACS+ debug output from the WLC:

Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0
Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS
Sun Aug 23 16:19:06 2009: auth_cont get_pass reply: pkt_length=28
Sun Aug 23 16:19:06 2009: processTplusAuthResponse: Continue auth transaction
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=4 session_id=f59bbf0b length=6 encrypted=0
Sun Aug 23 16:19:06 2009: tplus_make_author_request() from tplus_authen_passed returns rc=0
Sun Aug 23 16:19:06 2009: Forwarding request to 192.168.0.5 port=49
Sun Aug 23 16:19:11 2009: sendTplusMessage: connect timeout: 115:Operation now in progress
Sun Aug 23 16:19:16 2009: Exhausted all available servers

Please review and let me know if I missed anything. Thanks.
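An added triage helper for debug output of the kind pasted above (this is example code written for this thread, not something from Cisco or the WLC). It reads the lines, records whether authentication passed, which server the authorization request was forwarded to, and how long the controller spent before giving up, and then states what the trace shows: in the sample, the credentials were accepted and the failure is a TCP connect timeout on the authorization leg to 192.168.0.5 port 49. The sample lines are the ones from the post, re-typed as a constant; the timestamp layout assumed by the parser is the one those lines use.

```python
import re

# Constructed sample input: the WLC TACACS+ debug lines quoted in the post above,
# re-typed here so the example runs offline.
SAMPLE_DEBUG = """\
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=2 session_id=f59bbf0b length=15 encrypted=0
Sun Aug 23 16:19:06 2009: TPLUS_AUTHEN_STATUS_GETPASS
Sun Aug 23 16:19:06 2009: auth_cont get_pass reply: pkt_length=28
Sun Aug 23 16:19:06 2009: processTplusAuthResponse: Continue auth transaction
Sun Aug 23 16:19:06 2009: tplus response: type=1 seq_no=4 session_id=f59bbf0b length=6 encrypted=0
Sun Aug 23 16:19:06 2009: tplus_make_author_request() from tplus_authen_passed returns rc=0
Sun Aug 23 16:19:06 2009: Forwarding request to 192.168.0.5 port=49
Sun Aug 23 16:19:11 2009: sendTplusMessage: connect timeout: 115:Operation now in progress
Sun Aug 23 16:19:16 2009: Exhausted all available servers
"""

# "Sun Aug 23 16:19:06 2009: <message>" -- the timestamp layout used by the lines above (assumed).
RE_STAMP = re.compile(r"^\w{3} \w{3} +\d+ (\d\d):(\d\d):(\d\d) \d{4}: (.*)$")
RE_RESPONSE = re.compile(r"tplus response: type=(\d+) seq_no=(\d+) session_id=([0-9a-f]+)")
RE_FORWARD = re.compile(r"Forwarding request to (\d+\.\d+\.\d+\.\d+) port=(\d+)")


def _split(line):
    """Return (seconds since midnight, message) for one debug line, or None if it does not parse."""
    m = RE_STAMP.match(line.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m.group(1, 2, 3))
    return h * 3600 + mi * 60 + s, m.group(4)


def triage(debug_text):
    """Walk the debug lines and record how far the TACACS+ exchange got."""
    r = {
        "session_id": None,
        "authentication": "unknown",    # "passed" once the WLC logs tplus_authen_passed
        "authentication_server": None,  # (ip, port) a request was forwarded to before auth passed
        "authorization_server": None,   # (ip, port) the authorization request went to
        "authorization": "unknown",     # "request sent" / "tcp connect timeout" / "no server reachable"
        "seconds_to_exhaustion": None,  # forwarding -> "Exhausted all available servers"
    }
    sent_at = None
    for line in debug_text.splitlines():
        parsed = _split(line)
        if parsed is None:
            continue
        t, msg = parsed
        m = RE_RESPONSE.search(msg)
        if m:
            r["session_id"] = m.group(3)
            continue
        if "tplus_authen_passed" in msg:
            r["authentication"] = "passed"
            continue
        m = RE_FORWARD.search(msg)
        if m:
            server = (m.group(1), int(m.group(2)))
            if r["authentication"] == "passed":
                r["authorization_server"] = server
                r["authorization"] = "request sent"
                sent_at = t
            else:
                r["authentication_server"] = server
            continue
        if "connect timeout" in msg:
            r["authorization"] = "tcp connect timeout"
            continue
        if "Exhausted all available servers" in msg:
            r["authorization"] = "no server reachable"
            if sent_at is not None:
                r["seconds_to_exhaustion"] = t - sent_at
    return r


def diagnosis(r):
    """One-line reading of the triage result for whoever is holding the console."""
    if r["authentication"] == "passed" and r["authorization"] == "no server reachable":
        ip, port = r["authorization_server"]
        return (f"credentials accepted; the authorization request to {ip}:{port} never got a TCP "
                f"connection, so check reachability and ACLs on TCP/{port} from the WLC management "
                f"interface and that the server is listening on that port")
    if r["authentication"] == "passed" and r["authorization"] == "request sent":
        return "credentials accepted and authorization request sent; look for the server's reply"
    return "exchange incomplete; capture the full debug output"


if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG)
    print(result)
    print(diagnosis(result))
```

The ten seconds between "Forwarding request" and "Exhausted all available servers" is the controller's own retry window, so a trace that ends this way points at the path to the server (firewall, ACL, wrong address, nothing listening on TCP/49), not at the user's password.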

25 REPLIES
New Member

Re: Configuring WLC 4402 TACACS+ authentication using Cisco ACS

Hi,

For WLC tacacs authentication the ACS requires a special configuration.

Unfortunately there is no documentation yet for ACS 5.0 but you can use the following documentation as a reference.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

Hope it helps

New Member

Re: Configuring WLC 4402 TACACS+ authentication using Cisco ACS

Where do you add the custom attributes in ACS 5.X? I cannot find where to apply these settings.

New Member

Re: Configuring WLC 4402 TACACS+ authentication using Cisco ACS

Hello,

Please see the attached document that I have created for this matter.

Please let me know if this helps.

New Member

Re: Configuring WLC 4402 TACACS+ authentication using Cisco ACS

I tried your guide and it hits the rules when I try to authenticate. I also see the authentication pass, but I never get access to the web GUI or the CLI.

The following is the error I get when trying to login.

*Oct 21 12:17:47.069: %EMWEB-1-LOGIN_FAILED: ews_auth.c:2104 Login failed. User:testuser. Service-Type is not present or it doesn't allow READ/WRITE permission..

New Member

Re: Configuring WLC 4402 TACACS+ authentication using Cisco ACS

I am sorry, I forgot to change something. Under the shell profile it is Role1=ALL. Please change that to role1=ALL. The WLC is very case-sensitive.

Hope this helps.

You can call me directly if you have any more issues.
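A small check, added here as example code (not from the thread, the attached document, or Cisco), that applies the case-sensitivity point above and the EMWEB failure quoted two posts earlier: it takes the custom attributes as typed into an ACS shell profile, flags names or values the WLC would not match exactly, and says whether the login would be granted or would end in the "Service-Type is not present..." message. `ALL` is the role used in this thread; the other role names in `KNOWN_ROLES` are an assumption taken from Cisco's WLC TACACS+ documentation and should be trimmed to what your WLC release documents.

```python
import re

# "ALL" is the role used in this thread. The remaining names are an assumption taken from
# Cisco's WLC TACACS+ documentation, not from the thread; adjust to your WLC release.
KNOWN_ROLES = {"ALL", "MONITOR", "WLAN", "CONTROLLER", "WIRELESS", "SECURITY",
               "MANAGEMENT", "COMMANDS", "LOBBY"}
RE_ROLE_KEY = re.compile(r"^role\d+$")  # exact lower-case match, as the WLC expects

# Mirrors the WLC log line quoted earlier in the thread for a profile with no usable role.
EMWEB_FAILURE = "Login failed. Service-Type is not present or it doesn't allow READ/WRITE permission"


def parse_custom_attributes(text):
    """Parse 'name=value' lines as typed into an ACS shell profile (constructed input format)."""
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        name, _, value = line.partition("=")
        attrs[name.strip()] = value.strip()
    return attrs


def check_shell_profile(attrs):
    """Return the problems a WLC would have with these attributes (empty list = fine)."""
    problems = []
    for name, value in attrs.items():
        if RE_ROLE_KEY.match(name):
            if value not in KNOWN_ROLES:
                hint = f" (did you mean '{value.upper()}'?)" if value.upper() in KNOWN_ROLES else ""
                problems.append(f"value '{value}' for {name} is not a recognised role{hint}")
        elif RE_ROLE_KEY.match(name.lower()):
            # Same letters, wrong case: the WLC silently ignores the attribute.
            problems.append(f"attribute name '{name}' will be ignored; the WLC expects '{name.lower()}'")
    return problems


def usable_roles(attrs):
    """Roles the WLC would actually honour: exact roleN name and exact role value."""
    return sorted(v for k, v in attrs.items() if RE_ROLE_KEY.match(k) and v in KNOWN_ROLES)


def predict_login(attrs):
    """'granted' when at least one exact roleN=ROLE pair is present, else the WLC's failure text."""
    return "granted" if usable_roles(attrs) else EMWEB_FAILURE


if __name__ == "__main__":
    for profile in ("Role1=ALL", "role1=ALL", "role1=all"):
        attrs = parse_custom_attributes(profile)
        print(profile, "->", check_shell_profile(attrs) or "ok", "|", predict_login(attrs))
```

Running it on the three one-line profiles shows why the earlier poster saw authentication pass and still got the EMWEB failure: `Role1=ALL` is accepted by ACS but contributes no role the controller recognises, so the session has no READ/WRITE permission to grant.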

New Member

Re: Configuring WLC 4402 TACACS+ authentication using Cisco ACS

First, thanks for your screen shots, they helped very much.

Particulars:

ACS 5.2.0.26

WLC 4400 - 6.0.196.0

RADIUS server running on an RSA SecurID appliance.

We are in the process of upgrading our ACS infrastructure to 5.x. We are using the appliances and are testing in our lab. Following the provided screen shots, I am able to successfully log in to the WLC as an administrator via the web interface or SSH.

However, as soon as I change the authentication to use the RADIUS server, I am unable to log in to the WLC. Looking at the aaa debug on the WLC, it is clear that the ACS is not sending the role1=ALL statement to the WLC. However, as far as the ACS is concerned, I successfully authenticated against the RADIUS server.

Has anybody gotten this to work when using an external identity store, particularly RADIUS? I am hoping I just need to tweak an attribute setting somewhere.

Thanks.

Jim

New Member

Re: Configuring WLC 4402 TACACS+ authentication using Cisco ACS

Jim,

I am having the same issue. I will be working with TAC on this and will update as I find anything out.

Cory

New Member

Re: Configuring WLC 4402 TACACS+ authentication using Cisco ACS

For authorization attributes, only TACACS+ supports it; you cannot use RADIUS.

New Member

Re: Configuring WLC 4402 TACACS+ authentication using Cisco ACS

I am using TACACS+, and I am having the same issue.
