I checked the config guide for the 6.x WLC code and it still shows the older version of ACS in the guide. I would assume the 7.x versions will get the new screenshots. If you can open a ticket the folks in AAA should be able to assist though. I have not done a 5.1 config or I'd be happy to help.
I worked with TAC on this yesterday; we were able to get my WLCs working with ACS 5.1 using RADIUS, NOT TACACS.
The only remaining issue I have is with WCS, trying to match the correct auth policy. If I match to enable priv 15, all Cisco hardware authenticates
fine, but I can't auth to my WCS; if I move the WCS policy up with its custom attributes I can get into the WCS, but the Cisco hardware fails.
Almost there, any ideas? So far I really like ACS 5.1, a big improvement from my MCS 7800s running ACS 4.0.
GOT IT. I added another match condition (NDG) in the Device Administration Authorization Policy, and then for my Rule-1, which enables priv 15, I added
"not in NDG device type WCS"; this way everything matched on it except my WCS server, so it used the custom attributes I created for it.
Starting on the WCS server, under Administration/TACACS, I added a server;
AAA mode was then set to TACACS.
On my ACS server I added the WCS server under Network Devices and AAA Clients, using the same shared TACACS key.
Next, under Policy Elements/Authorization and Permissions/Device Administration/Shell Profile, I created a new shell profile
called WCS Custom and opened the Custom Attributes tab.
The following needs to be added exactly in this order:
task0=Users and Groups
task6=Scheduled Tasks and Data Collection
task9=View Alerts and Events
task11=Delete and Clear Alerts
task12=Pick and Unpick Alerts
task13=Ack and Unack Alerts
task16=Configure Config Groups
task17=Configure Access Points
task18=Configure Access Point Templates
task20=Configure Choke Points
task21=Configure Spectrum Experts
task24=Monitor Access Points
task29=Monitor Spectrum Experts
task35=Voice Audit Report
task36=Maps Read Only
task37=Maps Read Write
task41=Virtual Domain Management
task42=High Availability Configuration
task43=Health Monitor Details
task44=Configure WIPS Profiles
task45=Global SSID Groups
task47=Configure Lightweight Access Point Templates
task48=Configure Autonomous Access Point Templates
task49=Scheduled Configuration Tasks
task50=Configure Location Sensors
task51=Configure ACS View Servers
task52=Monitor Location Sensors
task54=Compliance Assistance Reports
task55=Config Audit Dashboard
task57=Configure Ethernet Switch Ports
task58=Configure Ethernet Switches
task60=Network Summary Reports
task62=Report Launch Pad
task63=Run Reports List
task64=Saved Reports List
task65=Report Run History
Finally, under Access Policies/Default Device Admin/Authorization, I created a new rule called WCS, matching on TACACS as the protocol; under Results I called the new WCS Custom profile we created earlier, and under Command Sets I selected Allow ALL.
If you move this rule up it will work; I got around having to move it by excluding WCS, as I stated in my earlier post.
I've added some screenshots to support my ramblings.
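An added illustration, not code from the thread or from Cisco: a small Python model of the first-match rule evaluation that the two posts above are working around. ACS 5.x authorization rule tables are evaluated top-down and the first rule whose conditions all hold supplies the result, so a broad "priv 15" rule placed above the WCS rule captures WCS logins and hands them a shell profile with none of the taskN attributes. The rule names, shell profile names and the NDG device type "WCS" are taken from the thread; the other device types ("WLC", "Switch") and the request fields are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed request: what the authorization policy sees for one login.
@dataclass
class Request:
    protocol: str          # "tacacs" or "radius"
    ndg_device_type: str   # Network Device Group: Device Type (e.g. "WCS", "WLC")


@dataclass
class Rule:
    name: str
    result: str                         # shell profile returned on match
    protocol: Optional[str] = None      # condition: protocol equals
    ndg_in: Optional[str] = None        # condition: device type in NDG
    ndg_not_in: Optional[str] = None    # condition: device type NOT in NDG

    def matches(self, req: Request) -> bool:
        # Every configured condition must hold; unset conditions are wildcards.
        if self.protocol is not None and req.protocol != self.protocol:
            return False
        if self.ndg_in is not None and req.ndg_device_type != self.ndg_in:
            return False
        if self.ndg_not_in is not None and req.ndg_device_type == self.ndg_not_in:
            return False
        return True


def evaluate(rules: List[Rule], req: Request) -> str:
    """First-match evaluation: the first rule whose conditions hold wins.
    With no match the policy's default applies; modelled here as DenyAccess."""
    for rule in rules:
        if rule.matches(req):
            return rule.result
    return "DenyAccess"


# Rules as described in the thread.
PRIV15_ANY_DEVICE = Rule("Rule-1", "Priv 15", protocol="tacacs")
WCS_RULE = Rule("WCS", "WCS Custom", protocol="tacacs", ndg_in="WCS")
PRIV15_EXCLUDING_WCS = Rule("Rule-1", "Priv 15", protocol="tacacs", ndg_not_in="WCS")


def broken_order() -> List[Rule]:
    # Priv 15 above WCS: the WCS rule is never reached.
    return [PRIV15_ANY_DEVICE, WCS_RULE]


def moved_up() -> List[Rule]:
    # The workaround from the thread: move the WCS rule to the top.
    return [WCS_RULE, PRIV15_ANY_DEVICE]


def excluded() -> List[Rule]:
    # The other fix from the thread: Rule-1 excludes NDG device type WCS.
    return [PRIV15_EXCLUDING_WCS, WCS_RULE]


def outcomes(rules: List[Rule]) -> Dict[str, str]:
    """Shell profile each constructed device type would receive over TACACS."""
    return {dev: evaluate(rules, Request("tacacs", dev))
            for dev in ("WLC", "Switch", "WCS")}


if __name__ == "__main__":
    for label, table in (("broken", broken_order()),
                         ("moved up", moved_up()),
                         ("excluded", excluded())):
        print(f"{label:9s} {outcomes(table)}")
```

In the broken ordering the WCS server receives the "Priv 15" profile, which carries no taskN attributes, so the WCS login fails exactly as the earlier post describes; both the move-up and the NDG-exclusion orderings give WCS its own profile while the other device types keep priv 15. The NDG exclusion is the more robust of the two because it does not depend on where later rules are inserted.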
Thanks for your response. Actually I have done exactly what you have suggested, the only difference being I have created the Root Group. Every time I try to log in, an error gets reported regarding Groups not being defined.
I currently have no access to the ACS, but will send more snapshots tomorrow.
Got it working.
Seems to be a BUG; I had to follow a crazy procedure.
Before adding any attributes I had to add the Virtual Domain attribute, even though I have only the root domain, and then follow it up with the role and tasks list. Once saved, I had to go back and delete the Virtual Domain attribute, and then it works fine. I tested this by creating different roles, and it only worked by first creating the virtual domain attribute and then deleting it.
Hope someone else facing a similar issue finds this useful. The versions I am using are:
WCS - 184.108.40.206
ACS - 5-1-0-44-2
Thank you for the details on the bug find!! I had the same issue and was able to resolve by adding the virtual domain attribute and then removing it. Funny how it doesn't even work with that attribute set, but you need to do it to get the rest working.
Thanks heaps for your comment. I was fiddling around with the attributes for about 4 hours before I found this post. I followed your tip and it worked perfectly! Now I've got to do the same for the WLCs!
"If you move this rule up it will work, I got around having to move it by excluding WCS as I stated in my earlier post"
I got TACACS on the WLC to work, but only by moving it up to the top. However, when I do this it breaks TACACS for my switches, firewalls, etc. Can you elaborate on how you got it to work by "excluding the WCS"?
I had this same issue with WCS 220.127.116.11 and ACS 18.104.22.168.3; I added task41=Virtual Domain Management but
had to leave it there for Lobby access to work.
Is there a Cisco Bug id for this?
So WCS 22.214.171.124 has been out a while; have there been any improvements for using WCS 7.x with ACS 5.2? Or do I still need to set up all these taskx= entries in the ACS server?
CSCsy77385 TACACS and RADIUS custom attribute for Virtual Domain not documented
CSCtc20592 AW: TACACS AAA failing, TACACS users not in Virtual Domain
Documentation does not detail how to add a TACACS+ user into the virtual domain.