Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Issues with WLC 7.x and Cisco ACS 5.1 Web Auth

I am trying to authenticate WLC7.x using TACACS. I have set up my ACS 5.1 (shell profile, access policies) but still unable  to login to the WLC using my TACACS+ credentials. I can see the hit  count going up in the ACS and can see my login in the passed  authentication report. Any assistance in resolving the issue would be  much appreciated.

6 REPLIES
Hall of Fame Super Silver

Re: Issues with WLC 7.x and Cisco ACS 5.1 Web Auth

I don't know how your ACS is configured, but one thing is to make sure on the WLC you have Authentication and Authorization defined. Your shell should be role1=ALL for admin access. Here is a brief description on 4.2 which is similar you just don't need the ciscowlc stuff anymore.

http://cciew.blogspot.com/2011/02/tacacs-wlc-user-authentication.html?m=1

https://supportforums.cisco.com/docs/DOC-14908

Link to an older post

https://supportforums.cisco.com/message/3214033#3214033

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: Issues with WLC 7.x and Cisco ACS 5.1 Web Auth

Thx for your comment Scott. I had looked into the DOC already and checked my settings to make sure it matched with the ones suggested in the DOC. Today, I turned on debug for tacacs events on the WLC to see any failed messages and suddenly the web login started working. I doubt if turning on debug would get it working. Anyway, I need to turn on web auth in two more WLCs. I'll let you know how I go.

Hall of Fame Super Silver

Re: Issues with WLC 7.x and Cisco ACS 5.1 Web Auth

Keep me posted!

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
New Member

Re: Issues with WLC 7.x and Cisco ACS 5.1 Web Auth

I've turned on TACACS on all three WLCs in my network. It works fine on two but not on the third. The logs on the one which fails are as below

(Cisco Controller) debug>*tplusTransportThread: Apr 26 19:01:57.449: Forwarding request to 172.20.0.122 port=49

*tplusTransportThread: Apr 26 19:01:57.451: tplus auth response: type=1 seq_no=2 session_id=871c2905 length=15 encrypted=0

*tplusTransportThread: Apr 26 19:01:57.451: TPLUS_AUTHEN_STATUS_GETPASS

*tplusTransportThread: Apr 26 19:01:57.451: auth_cont get_pass reply: pkt_length=26

*tplusTransportThread: Apr 26 19:01:57.451: processTplusAuthResponse: Continue auth transaction

*tplusTransportThread: Apr 26 19:01:57.455: tplus auth response: type=1 seq_no=4 session_id=871c2905 length=6 encrypted=0

*tplusTransportThread: Apr 26 19:01:57.455: tplus_make_author_request() from tplus_authen_passed returns rc=0

*tplusTransportThread: Apr 26 19:01:57.455: Forwarding request to 172.20.0.122 port=49

*tplusTransportThread: Apr 26 19:01:57.457: ATHR Socket closed underneath

*tplusTransportThread: Apr 26 19:02:02.660: No auth response from: 172.20.0.122, retrying with next server

*tplusTransportThread: Apr 26 19:02:02.660: Preparing message for retransmit. Decrypting first

*tplusTransportThread: Apr 26 19:02:02.660: Forwarding request to 172.22.0.122 port=49

*tplusTransportThread: Apr 26 19:02:02.663: ATHR Socket closed underneath

*tplusTransportThread: Apr 26 19:02:07.866: No auth response from: 172.22.0.122, retrying with next server

*tplusTransportThread: Apr 26 19:02:07.866: Preparing message for retransmit. Decrypting first

*tplusTransportThread: Apr 26 19:02:07.866: Forwarding request to 172.20.0.122 port=49

*tplusTransportThread: Apr 26 19:02:07.868: ATHR Socket closed underneath

*tplusTransportThread: Apr 26 19:02:13.072: Exhausted all available servers for Auth/Author packet

The one which works fine has the logs below

(Cisco Controller) debug>aaa tacacs enable

(Cisco Controller) debug>*radiusTransportThread: Apr 26 08:51:04.741: 40:a6:d9:b0:97:b2 Accounting-Response received from RADIUS server 172.22.0.122 for mobile 40:a6:d9:b0:97:b2 receiveId = 0

*tplusTransportThread: Apr 26 09:07:47.441: Forwarding request to 172.20.0.122 port=49

*tplusTransportThread: Apr 26 09:07:47.443: tplus auth response: type=1 seq_no=2 session_id=b0eeb9b9 length=15 encrypted=0

*tplusTransportThread: Apr 26 09:07:47.443: TPLUS_AUTHEN_STATUS_GETPASS

*tplusTransportThread: Apr 26 09:07:47.443: auth_cont get_pass reply: pkt_length=26

*tplusTransportThread: Apr 26 09:07:47.443: processTplusAuthResponse: Continue auth transaction

*tplusTransportThread: Apr 26 09:07:47.447: tplus auth response: type=1 seq_no=4 session_id=b0eeb9b9 length=6 encrypted=0

*tplusTransportThread: Apr 26 09:07:47.448: tplus_make_author_request() from tplus_authen_passed returns rc=0

*tplusTransportThread: Apr 26 09:07:47.448: Forwarding request to 172.20.0.122 port=49

*tplusTransportThread: Apr 26 09:07:47.453: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0

*tplusTransportThread: Apr 26 09:07:47.453: arg[0] = [9][role1=ALL]

*tplusTransportThread: Apr 26 09:07:47.453:

                                            User has the following mgmtRole fffffff8

*tplusTransportThread: Apr 26 09:07:47.453: 00:00:00:2a:00:00 Returning AAA Success for mobile 00:00:00:2a:00:00

*emWeb: Apr 26 09:07:47.453: Authentication succeeded for rparasur

They've been set up exactly the same way. I've rechecked the setttings a number of times. And needless to say, both show up in the passed auth report on the ACS. Dunno what I am doing wrong!

New Member

Issues with WLC 7.x and Cisco ACS 5.1 Web Auth

I was having this same issue on two WLC 5508s with 7.2.103.0 software and just figured out the solution.  From the debug messages, it appeared that the WLC wasn't waiting long enough for the ACS server to reply.  I found a command in the CLI that I can't find an equivalent for in the GUI: config tacacs auth mgmt-server-timeout.  This command required my TACACS+ servers to be disabled in the configuration.  I did that via the GUI and then issued config tacacs auth mgmt-server-timeout 1 5 (server number 1, 5 seconds) and config tacacs auth mgmt-server-timeout 2 5 (I have two TACACS+ servers).  I then re-enabled the TACACS+ servers through the GUI and am now able to log in to the management GUI successfully using TACACS+ authentication and authorization.

New Member

Re: Issues with WLC 7.x and Cisco ACS 5.1 Web Auth

Thanks for the reply. I am unable to change the timeout settings through the CLI. Please find the error message as below. I disabled the tacacs servers on the GUI before trying the command as suggested by you.

(Cisco Controller) >config tacacs auth server-timeout 1 5

Unable to set the retransmission timeout.

(Cisco Controller) >config tacacs auth server-timeout 2 5

Unable to set the retransmission timeout.

1454
Views
5
Helpful
6
Replies
CreatePlease to create content