I have a problem with a certain user authenticating to the WLC. I have IAS set up and it is working based on the AD group that I have specified for administrator access. However, one user who is in the group cannot authenticate. Here is the WLC error message:
Jul 07 21:14:10.549 ews_auth.c:2092 EMWEB-1-LOGIN_FAILED: Login failed. User:xxxx.xxxx. Service-Type is not present or it doesn't allow READ/WRITE permission..
IAS is saying that it granted access to that user and it is matching the correct policy that I set up to administer the WLC. I was even able to create a new user, add them to the group, and the authentication succeeded. The only thing that I could find out about this is the "Excessive Web Authentication Exclusion Blacklist", so I unchecked that option and had the user try again, with the same result. I'm not really sure where to go from here... any suggestions?
Here is the URL for the Wireless LAN Controller Web Authentication Configuration Example and troubleshooting guide, which will help you:
Double-check the other policies you have in IAS. See if that user is matched by another policy before the WLC policy. Also, have the user log in again and post a screenshot of the event viewer on the IAS box.
You need to set the RADIUS "Login Type" message on the IAS to "Administrative", and make sure the RADIUS Server in the RADIUS Servers list on the WLC has the "Management" check-box ticked.
All of the authentication and IAS policies are working correctly for everyone but a single user. When the user in question tries to connect they correctly match the IAS policy and in the event viewer of the server it shows that the authentication was accepted and access was granted but on the WLC login page it just keeps returning the login screen and the error on the WLC is as follows.
Jul 07 21:14:10.549 ews_auth.c:2092 EMWEB-1-LOGIN_FAILED: Login failed. User:xxxx.xxxx. Service-Type is not present or it doesn't allow READ/WRITE permission.
The only time I had that issue was on a new machine, where for some reason I had to either add the site to the pop-up blocker in IE or add the IP to the trusted sites in IE. Try that.
I have the same problem, but instead of IAS I have Cisco ACS 4.2. The ACS log shows that authentication passed OK, but the WLC returns the login window again, and in the WLC logs there is this message:
ews_auth.c:2092 EMWEB-1-LOGIN_FAILED: Login failed. User:xxxx. Service-Type is not present or it doesn't allow READ/WRITE permission.
Did you find anything out? What WLC software version do you have? I have 18.104.22.168 and I have used TACACS+.
Do you have an accounting server configured on the WLAN? Even if the authentication passes, if the accounting fails, the WLC will show a failure. Disable any accounting first and see if your issue goes away. If it does, then redo your accounting info on your WLC and in ACS. The shared secret can be wrong.
Actually, I figured this problem out. The problem was that for some reason those certain users (even though it wasn't set up like that in AD) were asking for a callback server in the RADIUS request. So there is an option under Advanced in the IAS policy that you can add that says "Ignore User Callback Settings". I added that setting and the users worked correctly... it was a strange one. Thanks for the attempted help though! :)
I have the same setup as you, WLC and ACS Server.
If you go to the Interface Configuration page on the ACS and then select RADIUS (IETF), there is a Service-Type attribute. Enable this for Group or User, and then go to the particular group or user and set this to Administrative on the account.
The user should now be able to log in as an administrator.
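To make the WLC error concrete, here is an added Python example (not from anyone in this thread) that parses a RADIUS Access-Accept the way the controller would and reports whether the Service-Type attribute is missing or set to a value that does not grant administrative access. The READ/WRITE and READ-ONLY mapping for values 6 and 7 is an assumption about WLC behaviour, and the packets are constructed inline.

```python
import struct
# RFC 2865 Service-Type (attribute 6) values.
SERVICE_TYPE = 6
SERVICE_TYPE_NAMES = {
    1: "Login-User", 2: "Framed-User", 3: "Callback-Login-User",
    4: "Callback-Framed-User", 5: "Outbound-User", 6: "Administrative-User",
    7: "NAS-Prompt-User", 8: "Authenticate-Only", 9: "Callback-NAS-Prompt",
}
# Assumption: the WLC maps Administrative-User (6) to READ/WRITE and
# NAS-Prompt-User (7) to READ-ONLY; any other value fails the login.
WLC_PERMISSION = {6: "READ/WRITE", 7: "READ-ONLY"}

def parse_attributes(packet):
    """Return (code, {attr_type: [raw values]}) from an RFC 2865 packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def check_wlc_service_type(packet):
    """Reproduce the WLC's decision: is Service-Type present and permitted?"""
    code, attrs = parse_attributes(packet)
    if code != 2:  # only an Access-Accept (code 2) reaches this check
        return "not an Access-Accept"
    values = attrs.get(SERVICE_TYPE)
    if not values or len(values[0]) != 4:
        return "Service-Type is not present"
    (st,) = struct.unpack("!I", values[0])
    name = SERVICE_TYPE_NAMES.get(st, "unknown")
    perm = WLC_PERMISSION.get(st)
    if perm is None:
        return f"Service-Type {st} ({name}) does not allow WLC login"
    return f"Service-Type {st} ({name}) grants {perm}"

def build_accept(service_type=None):
    """Constructed Access-Accept with a zeroed authenticator (not verified here)."""
    body = b"" if service_type is None else bytes([SERVICE_TYPE, 6]) + struct.pack("!I", service_type)
    return struct.pack("!BBH", 2, 1, 20 + len(body)) + bytes(16) + body
```

Feeding it an Accept without Service-Type, or one carrying a callback Service-Type as IAS would send for a user with AD callback settings, yields the same conditions the WLC log line complains about.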