So we have been running tacacs.net for a while and I have all my granular control I need for Switches, Routers and ASAs but we want to add WLCs to the list of devices we are using this for. I know it has to do with the <Services> section of the authorization config but I just can't nail down the commands. Here is what I have now and it passes authorization on the tacacs.net side but the WLC is having issues with what tacacs.net actually sends it.
Unfortunately I never did make any progress on this. I am still using Radius to log into the WLC itself. I just set up NPS on the same server I'm running Tacacs.net so I still consolidated but I still need radius for a couple things.
I've spent some time on debugging on the WLC to try to solve this.
Believe I have found the issue, but the fix I think would need to be done in the Tacacs.net code.
When this is working via ACS (4.2) the debug output looks like this:
*tplusTransportThread: Jun 25 11:42:28.042: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Jun 25 11:42:28.042: arg = [role1=ALL]
A non-working go using Tacacs.net looks like this:
*tplusTransportThread: Jun 25 11:04:26.200: author response body: status=1 arg_cnt=2 msg_len=0 data_len=0
*tplusTransportThread: Jun 25 11:04:26.200: arg = [protocol=common]
*tplusTransportThread: Jun 25 11:04:26.200: arg = [role1=ALL?]
I've tried lots of modifications on the service config, even adding the individual roles instead of ALL.
My theory is that the WLC expects a roleX attribute in the ARG position.
Tacacs.net always puts protocol=common in that slot (even if you move it lower down).
If you don't specify protocol=common it does not get any args.
Oh well ..... I'll mail tacacs.net and see if they want to experiment and fix in a new release.
I've not done any more on this however I do note that Tacacs.net have just released a newer version of their app (v1.3.1).
We are running v1.3 here.
Unfortunately I cannot find a change log on their website so no idea what this new version has.
Bug-fixes I would guess so there is an outside chance it may address the issue I mention above .....
Once I get some time I'll test the new version and let you know how I get on.
I am from TACACS.net and wanted to give an update.
We are aware of the problem and a fix will be available soon (no ETA yet). We will prioritize it based on the demand and available resources.
We would love to hear from you and appreciate your inputs here: http://tacacs.uservoice.com
I have upgraded to the new 2.0.1 version that specified a WLC fix, but still a no go. I have the same setup that @bounser01 originally posted. Anyone have any luck getting a working configuration?
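Added example, not part of any post in this thread and not TACACS.net or Cisco code: a small parser for the TACACS+ authorization REPLY body (layout per RFC 8907, section 6.2) that lists the returned arguments in wire order and flags the two differences visible in the WLC debug output quoted above. Both sample bodies are constructed to mirror those debug lines; the `\x00` byte standing in for the character the WLC printed as `?`, and the function names, are assumptions.

```python
import re
import struct

ROLE_PREFIX = re.compile(rb"role\d+=")  # WLC role attribute, e.g. role1=ALL

def build_author_reply(args, status=1):
    """Pack an authorization REPLY body (constructed input for the checks below)."""
    header = struct.pack("!BBHH", status, len(args), 0, 0)  # msg_len=0, data_len=0
    return header + bytes(len(a) for a in args) + b"".join(args)

def parse_author_reply(body):
    """Return (status, [args]) from a decrypted REPLY body; raise on bad lengths."""
    if len(body) < 6:
        raise ValueError("body shorter than fixed header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens = body[6:6 + arg_cnt]            # one length byte per argument
    if len(lens) != arg_cnt:
        raise ValueError("truncated argument length list")
    pos = 6 + arg_cnt + msg_len + data_len  # skip server_msg and data
    if pos + sum(lens) != len(body):
        raise ValueError("argument lengths do not match body size")
    args = []
    for n in lens:
        args.append(body[pos:pos + n])
        pos += n
    return status, args

def wlc_findings(args):
    """Flag what differs from the working ACS reply shown in the thread."""
    findings = []
    if not args or not ROLE_PREFIX.match(args[0]):
        findings.append("first arg is not a roleN attribute")
    for i, arg in enumerate(args):
        if any(b < 0x20 or b > 0x7E for b in arg):
            findings.append(f"arg {i} contains a non-printable byte")
    return findings

# Constructed samples mirroring the two debug captures (status=1, msg_len=0, data_len=0).
ACS_LIKE = build_author_reply([b"role1=ALL"])
TACACS_NET_LIKE = build_author_reply([b"protocol=common", b"role1=ALL\x00"])

if __name__ == "__main__":
    for name, body in (("ACS-like", ACS_LIKE), ("tacacs.net-like", TACACS_NET_LIKE)):
        status, args = parse_author_reply(body)
        print(name, status, args, wlc_findings(args))
```

To run it against a real reply, pass the decrypted packet body (the bytes after the 12-byte TACACS+ header) to `parse_author_reply`.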