Cisco Support Community

TACACS on Cisco WLC Issue

I just installed a Cisco 5508 WLC on our network.  I have the Management IP in the management VLAN, and on the controller I set it up "untagged".  The WLC has two ports connected to a Cisco 4507 switch in a port-channel config.

I can ping the controller from the network fine, and I can ping the TACACS server from the controller.  I have the priority set up as "TACACS+, LOCAL".  However, when I try to log into the WLC and look at the debug, it shows that I am authenticating and that is about it.  For some reason authorization traffic is not passing.  Using Wireshark I have confirmed that the request is coming from the Management IP interface.

I have followed the instructions from this link:

http://www.cisco.com/en/US/customer/docs/wireless/controller/5.0/configuration/guide/c5sol.html

Any ideas?

1 ACCEPTED SOLUTION
Cisco Employee

Re: TACACS on Cisco WLC Issue

Hi,

It looks like you did not configure the ACS properly.

The ACS should be returning the required attributes.

Please follow the document http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#topic3.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

5 REPLIES
Cisco Employee

Re: TACACS on Cisco WLC Issue

Hi,

What is the TACACS+ server hardware/software?

Can you log in to the WLC CLI and type "debug aaa all enable", and then try to connect via the GUI? Please save the output and share it with us.

Also, could you share your wlc "show run-config"?

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Re: TACACS on Cisco WLC Issue

It's running on Windows, Cisco Secure ACS 3.3.


Here is the debug:

(Cisco Controller) >*aaaQueueReader: Nov 22 23:43:15.157: AuthenticationRequest: 0x2bc328e8
*aaaQueueReader: Nov 22 23:43:15.157:   Callback.....................................0x108a6808
*aaaQueueReader: Nov 22 23:43:15.157:   protocolType.................................0x00020030
*aaaQueueReader: Nov 22 23:43:15.157:   proxyState...................................00:00:00:7E:00:00-00:00
*aaaQueueReader: Nov 22 23:43:15.157:   Packet contains 5 AVPs (not shown)
*aaaQueueReader: Nov 22 23:43:15.157: Forwarding request to 10.10.10.10 port=49
*tplusTransportThread: Nov 22 23:43:16.315: 00000000: c0 01 02 00 0f b1 0a f4    .............`2.
*tplusTransportThread: Nov 22 23:43:16.315: 00000010: 16 28 0b e4 58 be bd 9f  9f f8 58 60              .(..X.....X`
*tplusTransportThread: Nov 22 23:43:16.315: tplus response: type=1 seq_no=2 session_id=0fb10af4 length=16 encrypted=0
*tplusTransportThread: Nov 22 23:43:16.315: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Nov 22 23:43:16.315: auth_cont get_pass reply: pkt_length=26
*tplusTransportThread: Nov 22 23:43:16.315: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Nov 22 23:43:16.353: 00000000: c0 01 04 00 0f b1 0a f4  .......... ............d...
*tplusTransportThread: Nov 22 23:43:16.353: 00000010: ac 51                                             .Q
*tplusTransportThread: Nov 22 23:43:16.353: tplus response: type=1 seq_no=4 session_id=0fb10af4 length=6 encrypted=0
*tplusTransportThread: Nov 22 23:43:16.353: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Nov 22 23:43:16.353: Forwarding request to 10.10.10.10 port=49
*tplusTransportThread: Nov 22 23:43:16.356: 00000000: c0 02 02 00 18 d3 91 67  00 00 00 06 cc e5 c2 af  .......g........
*tplusTransportThread: Nov 22 23:43:16.356: 00000010: 32 69                                             2i
*tplusTransportThread: Nov 22 23:43:16.356: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0
*tplusTransportThread: Nov 22 23:43:16.356:
User has the following mgmtRole 0
*tplusTransportThread: Nov 22 23:43:16.356: 00:00:00:7e:00:00 Returning AAA Success for mobile 00:00:00:7e:00:00
*tplusTransportThread: Nov 22 23:43:16.356: AuthorizationResponse: 0x2d2e5678
*tplusTransportThread: Nov 22 23:43:16.356:     structureSize................................74
*tplusTransportThread: Nov 22 23:43:16.356:     resultCode...................................0
*tplusTransportThread: Nov 22 23:43:16.356:     protocolUsed.................................0x00000010
*tplusTransportThread: Nov 22 23:43:16.356:     proxyState...................................00:00:00:7E:00:00-00:00
*tplusTransportThread: Nov 22 23:43:16.356:     Packet contains 2 AVPs:
*tplusTransportThread: Nov 22 23:43:16.356:         AVP[01] Service-Type.............................0x00000000 (0) (4 bytes)
*tplusTransportThread: Nov 22 23:43:16.356:         AVP[02] Unknown Attribute 243....................0x00000001 (1) (4 bytes)

New Member

Re: TACACS on Cisco WLC Issue

Authentication is successful and you are also receiving authorization, but

"User has the following mgmtRole 0"

We should get something like:

author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
arg[0] = [9][role1=ALL]

User has the following mgmtRole fffffff8

Or:

author response body: status=1 arg_cnt=4 msg_len=0 data_len=0
arg[0] = [11][role1=WLAN]
arg[1] = [16][role2=CONTROLLER]
arg[2] = [14][role3=SECURITY]
arg[3] = [14][role4=COMMANDS]
User has the following mgmtRole 150

Increase the TACACS server timeout on the WLC and also follow the guides below:

http://www.cisco.com/en/US/docs/wireless/controller/4.1/configuration/guide/c41sol.html#wp1208657

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

Note: Please rate the answer if it was helpful
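The reply above is about what the TACACS+ server must put in its authorization (AUTHOR) reply: the WLC reads role1..role4 arguments out of the reply body and derives mgmtRole from them, and the posted debug shows a reply with arg_cnt=0, which is why mgmtRole is 0. The following is an added example, not code from the original thread or from Cisco: it builds, obfuscates, decrypts and parses a TACACS+ AUTHOR REPLY as laid out in RFC 8907 (sections 4.5 and 6.2), once with no arguments (the broken case in the debug) and once with the role arguments the reply above says the WLC expects. The shared secret, session id and sequence number are constructed sample values; the `management_roles` helper and its treatment of the WLC role attributes are this example's own, not the controller's code.

```python
"""TACACS+ AUTHOR REPLY builder/parser (RFC 8907 sections 4.5 and 6.2).

Added example, not code from the original thread or from Cisco. KEY,
SESSION_ID and REPLY_SEQ_NO are constructed sample values; the roleN
argument names are the ones the forum reply shows the WLC consuming.
"""
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02            # header type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in the clear
AUTHOR_STATUS_PASS_ADD = 0x01     # the "status=1" seen in the WLC debug
AUTHOR_STATUS_FAIL = 0x10

KEY = b"sample-shared-secret"     # constructed; in practice the key set on WLC and ACS
SESSION_ID = 0x0102AABB           # constructed
REPLY_SEQ_NO = 2                  # server reply to the client's seq_no=1 AUTHOR REQUEST


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5 keystream: MD5(sid|key|ver|seq), then MD5(sid|key|ver|seq|prev), ..."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; XOR is symmetric, so this also decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(status, args, server_msg=b"", data=b""):
    """Body layout: status, arg_cnt, server_msg_len, data_len, arg lens, server_msg, data, args."""
    body = struct.pack("!BBHH", status, len(args), len(server_msg), len(data))
    body += bytes(len(a) for a in args)
    return body + server_msg + data + b"".join(args)


def wrap_packet(body, session_id, key, seq_no, version=0xC0, flags=0):
    """Prepend the 12-byte header (version 0xc0 as in the debug dump) and obfuscate the body."""
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHOR, seq_no, flags, session_id, len(body))
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return header + body


def parse_author_reply(packet, key):
    """Decrypt and decode an AUTHOR REPLY; returns status, arg_cnt and the argument strings."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt]); off += arg_cnt
    server_msg = body[off:off + msg_len]; off += msg_len
    off += data_len                                   # data field is not used here
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("ascii", "replace")); off += n
    if off != length:                                 # fields disagree with length: garbage (wrong key?)
        raise ValueError("body does not match declared lengths; wrong shared secret?")
    return {"status": status, "arg_cnt": arg_cnt, "server_msg": server_msg, "args": args}


def management_roles(args):
    """Values of the roleN attributes ('=' mandatory, '*' optional separator).
    An empty list is the failure in the thread: arg_cnt=0, mgmtRole 0."""
    roles = []
    for a in args:
        for sep in ("=", "*"):
            name, found, value = a.partition(sep)
            if found and name.startswith("role"):
                roles.append(value)
                break
    return roles


def demo():
    """Returns the parsed no-argument reply (as in the debug) and a correct role1=ALL reply."""
    empty = wrap_packet(build_author_reply(AUTHOR_STATUS_PASS_ADD, []), SESSION_ID, KEY, REPLY_SEQ_NO)
    good = wrap_packet(build_author_reply(AUTHOR_STATUS_PASS_ADD, [b"role1=ALL"]), SESSION_ID, KEY, REPLY_SEQ_NO)
    return parse_author_reply(empty, KEY), parse_author_reply(good, KEY)


if __name__ == "__main__":
    for reply in demo():
        print("status=%d arg_cnt=%d args=%s roles=%s" % (
            reply["status"], reply["arg_cnt"], reply["args"], management_roles(reply["args"])))
```

The no-argument reply is 18 bytes: a 12-byte header with length=6 and a 6-byte body holding only the fixed fields, exactly the shape of the "c0 02 02 00 ... 00 00 00 06" dump in the posted debug. A status of PASS_ADD with nothing to add is still "AAA Success" on the wire, which is why the WLC reports authorization passing while granting no management role; the fix is on the server side, returning role1=ALL (or the four roleN attributes) for the WLC service, as the linked tech note describes.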

Re: TACACS on Cisco WLC Issue

Thank you I have the WLC working now.  Just gotta finish the rest now.

1262
Views
10
Helpful
5
Replies
CreatePlease login to create content