07-29-2010 05:47 PM - edited 07-03-2021 07:02 PM
Hi,
I have followed this -
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#debug3
When I log into the WCS it says username and password incorrect, although in the ACS it says Authentication Passed.
Do I need to create the usernames in the WCS as well?
Thanks
08-16-2010 10:57 AM
Hi Bradley:
First, let's clarify the difference between AUTHENTICation and AUTHORIZation. Who are you versus what are you allowed to do.
WCS' login errors aren't real clear on whether the problem is with AUTHENTICation or AUTHORIZation. Usually, the problem is with AUTHORIZation, particularly when ACS says that AUTHENTICation passed successfully. Trace level logging of a failed attempt will show definitively.
With AUTHORIZation problems, it's usually with getting the services, roles and tasks set up correctly for the group, or since 5.2, if the virtual-domain attribute isn't included. Once virtual-domains came in, they're on whether you think you're using them or not.
The only scenario where local usernames/passwords need to be configured is for Lobby Ambassadors and when Lobby Ambassador Defaults are involved. The Lobby Ambassador Defaults can't be passed down from an authentication server.
Sincerely,
Rollin Kibbe
Network Management Systems Team
08-16-2010 03:56 PM
You are missing configuration steps.
Once you follow all the steps and have auth / authorization configured you will log in.
Having a local user is good for fallback when there are issues or misconfiguration on your AAA server. I recommend that you enable the fallback.
http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0admin.html#wpmkr1064288
08-17-2010 07:43 AM
Lucien:
Where did you find Bradley's configuration? What exactly was wrong? Why don't you show those "...missing configuration steps..." so that everybody can learn?
Rollin
09-01-2010 07:39 PM
I have a feeling that my ACS is not configured correctly.
According to the documentation my Authentication has passed, but the attributes that I have placed into the ACS to determine what level of access don't seem to be getting through. Possibly because the same group is used to control shell commands on routers and switches.
Is it possible that the response to WCS is sending the shell commands instead of the attributes?
P.S. Where are the debug logs... on the WCS?
Thanks