Cisco Support Community
Community Member

TACACS on WCS - ACS says authentication passed


I have followed this -

When I log into the WCS it says username and password incorrect, although in the ACS it says Authentication Passed.

Do I need to create the usernames in the WCS as well?


Cisco Employee

Re: TACACS on WCS - ACS says authentication passed

Hi Bradley:

First, let's clarify the difference between AUTHENTICation and AUTHORIZation.  Who are you versus what are you allowed to do.

WCS' login errors aren't real clear on whether the problem is with AUTHENTICation or AUTHORIZation.  Usually, the problem is with AUTHORIZation, particularly when ACS says that AUTHENTICation passed successfully.  Trace level logging of a failed attempt will show definitively.

With AUTHORIZation problems, it's usually with getting the services, roles and tasks set up correctly for the group, or since 5.2, if the virtual-domain attribute isn't included.  Once virtual-domains came in, they're on whether you think you're using them or not.

The only scenario where local usernames/passwords need to be configured is for Lobby Ambassadors and when Lobby Ambassador Defaults are involved.  The Lobby Ambassador Defaults can't be passed down from an authentication server.


Rollin Kibbe

Network Management Systems Team

Re: TACACS on WCS - ACS says authentication passed

You are missing configuration steps.

Once you follow all the steps and have auth / authorization configured you will log in.

Having a local user is good for fallback when there are issues or misconfiguration on your AAA server. I recommend that you enable the fallback.

Cisco Employee

Re: TACACS on WCS - ACS says authentication passed


Where did you find Bradley's configuration?  What exactly was wrong?  Why don't you show those "...missing configuration steps..." so that everybody can learn?


Community Member

Re: TACACS on WCS - ACS says authentication passed

I have a feeling that my ACS is not configured correctly.

According to the documentation my Authentication has passed, but the attributes that I have placed into the ACS to determine what level of access don't seem to be getting through. Possibly because the same group is used to control shell commands on routers and switches.

Is it possible that the response to WCS is sending the shell commands instead of the attributes?

P.S. Where are the debug logs...on the WCS?

