Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

TACACS issues with WLC 5508

Hi all

I'm trying to add TACACS configuration to two of our WLC's at one of our sites. Our ACS server is running v5. and my WLC 5508 is running code version

I have added the TACACS server details to the WLC config (authentication, accounting, and authorisation), which is configured correctly. My ACS box has already been configured to allow the WLC's to authenticate (policy settings etc). We have 4 other identical WLC's on other sites which are already configured to use the same ACS server, which all work.

The problem I am seeing is that the ACS login is being accepted by the ACS box - I can see from the reports that it is accepting the login, but I keep getting re-prompted for a login when attempting to log in to the WLC I just configured. The same happens both on web and SSH console sessions. I am now unable to log in to the WLC with either local or AD credentials (which work on other WLC's on this same ACS box). I've had to hard reboot it to reload the old startup config and gain access again.

The priority order is set to TACACS+ then LOCAL, which is exactly how it's set on the other WLC's.

I followed this guide, to ensure I wasnt missing anything:

I also found this thread, which has the same symptoms, but the resolution doesnt apply to my config:

Flat out of ideas. Any help appreciated!

Cisco Employee

TACACS issues with WLC 5508

I wanted to see the output of "debug aaa tacacs enable" but it looks you don't even have access to CLI. Can you see the authorization being passed in ACS logs.


Jatin Katyal

**Do rate helpful posts**

~BR Jatin Katyal **Do rate helpful posts**
Cisco Employee

TACACS issues with WLC 5508

Consider that the WLC is expecting the user to have certain privilege level, and check the ACS configuration to make sure that the shell profile being hit grants the user the required privilege level.

Look at the authentication details for both a working and non-working authentication attempt, and compare the privilege level.