Community Member

WLC login using ACS 5.1

Hello,

I was wondering if anyone has successfully managed to configure ACS 5.1 to accept login request from a 5500 WLC?

I've managed to get it configured following the follow link https://supportforums.cisco.com/docs/DOC-14908
but when I try to login to the WLC using my ACS credentials I just get the login screen again.  I've checked the ACS logs and it says my username has passed the authentication process and it matches all the rules I've set.  The only thing I've noticed is my "Privilege Level" is only 1 but I'm not sure if that's correct for an HTTP login.

Any help would be appreciated.

1 ACCEPTED SOLUTION

Accepted Solutions

WLC login using ACS 5.1

OK, so it looks like there is a space or a carriage return after the ALL:

*tplusTransportThread: Jan 24 11:38:45.980: arg[0] = [28][role1=ALL                   ]

Can you rebuild that attribute and click Apply? You might just be able to put the cursor behind the ALL and hit Delete.

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
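A small checker, added here as an example and not part of the thread or of Cisco's own tooling, that scans the output of the WLC's debug aaa tacacs enable for the kind of authorization-attribute defect diagnosed above: it parses each arg[N] = [len][attr=value] line the controller prints, flags trailing whitespace or carriage returns in the value, cross-checks the declared length against the actual one, and collects the mgmtRole the controller derived. The sample capture is constructed to mirror the thread (timestamps and session IDs invented), and the role names other than ALL are assumed from Cisco's WLC TACACS+ documentation rather than taken from this page.

```python
import re

# Role names the WLC accepts in the TACACS+ "role1" attribute. "ALL" is the one
# used in the thread; the remaining names are assumed from Cisco's WLC TACACS+
# documentation and may differ on other controller releases.
VALID_ROLES = {"ALL", "MONITOR", "LOBBY", "WLAN", "CONTROLLER", "WIRELESS",
               "SECURITY", "MANAGEMENT", "COMMANDS"}

# One authorization argument as the WLC dumps it: arg[N] = [len][attr=value]
ARG_RE = re.compile(r"arg\[(?P<idx>\d+)\] = \[(?P<len>\d+)\]\[(?P<body>.*)\]\s*$")
# TACACS+ AV pair: "attr=value" is mandatory, "attr*value" is optional.
AV_RE = re.compile(r"^(?P<attr>[^=*]+)(?P<sep>[=*])(?P<value>.*)$", re.S)
# The controller's summary of which management role it mapped the user to.
ROLE_RE = re.compile(r"User has the following mgmtRole (?P<role>\d+)")


def parse_arg_line(line):
    """Return (idx, declared_len, body, attr, raw_value) or None for non-arg lines."""
    m = ARG_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    av = AV_RE.match(body)
    attr, value = (av.group("attr"), av.group("value")) if av else (body, "")
    return int(m.group("idx")), int(m.group("len")), body, attr, value


def check_arg_line(line):
    """Return a list of problems found in one arg[] line; an empty list means clean."""
    parsed = parse_arg_line(line)
    if parsed is None:
        return []
    idx, declared, body, attr, raw = parsed
    problems = []
    if len(body) != declared:
        problems.append(f"arg[{idx}]: declared length {declared} != actual {len(body)}")
    stripped = raw.rstrip(" \t\r\n")
    if stripped != raw:
        # This is the defect from the thread: the value was padded when it was
        # entered in ACS, so the WLC's exact match against "ALL" fails.
        extra = len(raw) - len(stripped)
        problems.append(f"arg[{idx}]: value {stripped!r} has {extra} trailing "
                        "whitespace/CR characters (delete them in ACS and click Apply)")
    if attr == "role1" and stripped not in VALID_ROLES:
        problems.append(f"arg[{idx}]: unknown role1 value {stripped!r}")
    return problems


def analyze_debug(text):
    """Scan a whole debug capture; return the problems found and the mgmtRoles seen."""
    problems, roles = [], []
    for line in text.splitlines():
        problems.extend(check_arg_line(line))
        m = ROLE_RE.search(line)
        if m:
            roles.append(int(m.group("role")))
    return {"problems": problems, "mgmt_roles": roles}


# Constructed sample modeled on the thread's debug output (timestamps and
# session IDs invented). The padded value is 19 spaces, so "role1=ALL" plus
# padding really is 28 bytes, exactly as the controller reported it.
BAD_CAPTURE = (
    "*tplusTransportThread: Jan 24 11:38:45.980: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0\n"
    "*tplusTransportThread: Jan 24 11:38:45.980: arg[0] = [28][role1=ALL" + " " * 19 + "]\n"
    "*tplusTransportThread: Jan 24 11:38:45.980: User has the following mgmtRole 0\n"
)
# Same exchange after the attribute is rebuilt without padding. The page does not
# show the mgmtRole line for a successful login, so it is omitted here.
GOOD_CAPTURE = (
    "*tplusTransportThread: Jan 24 11:40:02.101: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0\n"
    "*tplusTransportThread: Jan 24 11:40:02.101: arg[0] = [9][role1=ALL]\n"
)

if __name__ == "__main__":
    for name, capture in (("bad", BAD_CAPTURE), ("good", GOOD_CAPTURE)):
        result = analyze_debug(capture)
        print(name, "->", result["problems"] or "no problems", "mgmtRole:", result["mgmt_roles"])
```

Run it against a pasted debug capture (read the file into analyze_debug) when a TACACS+ user authenticates but is bounced back to the login page: a mgmtRole of 0 next to a role1 value with trailing padding points straight at the attribute definition on the ACS side rather than at the shared secret or the server list.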
22 REPLIES

WLC login using ACS 5.1

When you defined the role, it should be ALL. And make sure you do not hit Enter behind it.

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
Community Member

WLC login using ACS 5.1

I did that already, here is the print screen.

WLC login using ACS 5.1

Edit that attribute and see where the cursor goes to. It should be right behind the ALL.

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
Community Member

WLC login using ACS 5.1

I checked and it's right next to ALL.

WLC login using ACS 5.1

And on the WLC, you defined all three servers?

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
Community Member

WLC login using ACS 5.1

Yes, and I double checked the shared secret.  Here is a screen shot of the AAA authentication log.

Community Member

WLC login using ACS 5.1

What "command set" should I have configured for this rule?

WLC login using ACS 5.1

On the WLC, can you log in to the CLI with the local credentials and run

debug aaa tacacs enable

then try to hit the GUI with TACACS credentials?

This will show what is coming back from the TACACS server.

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
Community Member

WLC login using ACS 5.1


As requested,

(Cisco Controller) >config  *tplusTransportThread: Jan 24 11:29:41.519: Forwarding request to 10.10.11.12 port=49

*tplusTransportThread: Jan 24 11:29:41.520: tplus auth response: type=1 seq_no=2 session_id=f432fef2 length=16 encrypted=0

*tplusTransportThread: Jan 24 11:29:41.520: TPLUS_AUTHEN_STATUS_GETPASS

*tplusTransportThread: Jan 24 11:29:41.520: auth_cont get_pass reply: pkt_length=26

*tplusTransportThread: Jan 24 11:29:41.520: processTplusAuthResponse: Continue auth transaction

*tplusTransportThread: Jan 24 11:29:41.526: tplus auth response: type=1 seq_no=4 session_id=f432fef2 length=6 encrypted=0

*tplusTransportThread: Jan 24 11:29:41.526: tplus_make_author_request() from tplus_authen_passed returns rc=0

*tplusTransportThread: Jan 24 11:29:41.526: Forwarding request to 10.10.11.12 port=49

*tplusTransportThread: Jan 24 11:29:41.531: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0

*tplusTransportThread: Jan 24 11:29:41.531: arg[0] = [28][role1=ALL

WLC login using ACS 5.1

Can you post the rest of the config? And it might be best if you did two login attempts; that way I can see more of the data.

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
Community Member

WLC login using ACS 5.1

Ok,

I did notice something strange.  If I set the priority order of the login on the WLC to TACACS+ then Local, I can't log in using any credentials (local or otherwise) unless I disable the switch port that the ACS is on.

Here is another debug log.

Did you want the running-config?

(Cisco Controller) >*emWeb: Jan 24 11:38:36.782: Log to TACACS server(if online): aaa auth mgmt  tacacs local

*aaaQueueReader: Jan 24 11:38:36.783: cmd_buff=[aaa auth mgmt  tacacs local] cmd_buff_len=[27]

*aaaQueueReader: Jan 24 11:38:36.783: tplus_make_acct_request: pkt->length=116 acct_len=116 arg_total_len=83

*tplusTransportThread: Jan 24 11:38:36.835: Forwarding request to 10.10.11.12 port=49

*tplusTransportThread: Jan 24 11:38:36.841: ACCT response length = 5, buffer len = 17

*tplusTransportThread: Jan 24 11:38:36.841: ACCT response body: status=1 msg_len=0 data_len=0

*tplusTransportThread: Jan 24 11:38:36.841: ACCT Socket closed underneath

*tplusTransportThread: Jan 24 11:38:45.967: Forwarding request to 10.10.11.12 port=49

*tplusTransportThread: Jan 24 11:38:45.968: tplus auth response: type=1 seq_no=2 session_id=d443ded8 length=16 encrypted=0

*tplusTransportThread: Jan 24 11:38:45.968: TPLUS_AUTHEN_STATUS_GETPASS

*tplusTransportThread: Jan 24 11:38:45.968: auth_cont get_pass reply: pkt_length=26

*tplusTransportThread: Jan 24 11:38:45.968: processTplusAuthResponse: Continue auth transaction

*tplusTransportThread: Jan 24 11:38:45.974: tplus auth response: type=1 seq_no=4 session_id=d443ded8 length=6 encrypted=0

*tplusTransportThread: Jan 24 11:38:45.974: tplus_make_author_request() from tplus_authen_passed returns rc=0

*tplusTransportThread: Jan 24 11:38:45.974: Forwarding request to 10.10.11.12 port=49

*tplusTransportThread: Jan 24 11:38:45.980: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0

*tplusTransportThread: Jan 24 11:38:45.980: arg[0] = [28][role1=ALL                   ]

*tplusTransportThread: Jan 24 11:38:45.980: User has the following mgmtRole 0

*tplusTransportThread: Jan 24 11:39:09.451: Forwarding request to 10.10.11.12 port=49

*tplusTransportThread: Jan 24 11:39:09.452: tplus auth response: type=1 seq_no=2 session_id=23510ed4 length=16 encrypted=0

*tplusTransportThread: Jan 24 11:39:09.452: TPLUS_AUTHEN_STATUS_GETPASS

*tplusTransportThread: Jan 24 11:39:09.452: auth_cont get_pass reply: pkt_length=28

*tplusTransportThread: Jan 24 11:39:09.452: processTplusAuthResponse: Continue auth transaction

*tplusTransportThread: Jan 24 11:39:09.457: tplus auth response: type=1 seq_no=4 session_id=23510ed4 length=6 encrypted=0

Community Member

WLC login using ACS 5.1

Stephen,

That did it!  I can now log in with ACS to the WLC... Thanks for the help.

WLC login using ACS 5.1

No worries, glad I could help!

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered