
TACACS on WCS - ACS says authentication passed

bradleyordner
Level 3

Hi,

I have followed this -

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#debug3

When I log into the WCS it says username and password incorrect, although in the ACS it says Authentication Passed.

Do I need to create the usernames in the WCS as well?

Thanks

4 Replies

Rollin Kibbe
Cisco Employee

Hi Bradley:

First, let's clarify the difference between AUTHENTICation and AUTHORIZation.  Who are you versus what are you allowed to do.

WCS' login errors aren't real clear on whether the problem is with AUTHENTICation or AUTHORIZation.  Usually, the problem is with AUTHORIZation, particularly when ACS says that AUTHENTICation passed successfully.  Trace level logging of a failed attempt will show definitively.

With AUTHORIZation problems, it's usually with getting the services, roles and tasks set up correctly for the group, or since 5.2, if the virtual-domain attribute isn't included.  Once virtual-domains came in, they're on whether you think you're using them or not.

The only scenario where local usernames/passwords need to be configured is for Lobby Ambassadors and when Lobby Ambassador Defaults are involved.  The Lobby Ambassador Defaults can't be passed down from an authentication server.

Sincerely,

Rollin Kibbe

Network Management Systems Team

Lucien Avramov
Level 10

You are missing configuration steps.

Once you follow all the steps and have auth / authorization configured you will log in.

Having a local user is good for fallback when there are issues or misconfiguration on your AAA server. I recommend that you enable the fallback.

http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0admin.html#wpmkr1064288

Lucien:

Where did you find Bradley's configuration?  What exactly was wrong?  Why don't you show those "...missing configuration steps..." so that everybody can learn?

Rollin

I have a feeling that my ACS is not configured correctly.

According to the documentation my Authentication has passed, but the attributes that I have placed into the ACS to determine what level of access don't seem to be getting through. Possibly because the same group is used to control shell commands on routers and switches.

Is it possible that the response to WCS is sending the shell commands instead of the attributes?

P.S. Where are the debug logs... on the WCS?

Thanks
