topic ACS 5.3 + WLC not working in Network Access Control

ACS 5.3 + WLC not working

bbsemearnu — Mon, 11 Mar 2019 02:36:31 GMT

I got a question about ACS 5.3 and WLC

We have now the ACS 5.3 running for MAB (good working, thanks for your help) and TACAS for device AAA.

But now our WLC’s will not work.

I have created already a special “custom attribute” => role1 / mandatory / ALL

Already changed to the combinations Role1=ALL / Role1=All / Role1=all / role1=ALL / role1=All / role1=all

But still not working. I get a wrong response.

I followed the guideline in attach, PDF file.

Debug dump from WLC

ACS 5.2 / ACS 5.3

-------------------

*tplusTransportThread: Sep 28 15:07:59.222: auth_cont get_pass reply: pkt_length=24

*tplusTransportThread: Sep 28 15:07:59.222: processTplusAuthResponse: Continue auth transaction

*tplusTransportThread: Sep 28 15:07:59.388: tplus response: type=1 seq_no=4 session_id=b1fddbfc length=6 encrypted=0

*tplusTransportThread: Sep 28 15:07:59.388: tplus_make_author_request() from tplus_authen_passed returns rc=0

*tplusTransportThread: Sep 28 15:07:59.388: Forwarding request to 10.23.113.222 port=49

*tplusTransportThread: Sep 28 15:07:59.544: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0

*tplusTransportThread: Sep 28 15:07:59.544: arg[0] = [11][priv-lvl=15]

ACS 4.1

---------

*tplusTransportThread: Sep 28 15:10:39.171: auth_cont get_pass reply: pkt_length=26

*tplusTransportThread: Sep 28 15:10:39.171: processTplusAuthResponse: Continue auth transaction

*tplusTransportThread: Sep 28 15:10:39.171: ACCT Socket closed underneath

*tplusTransportThread: Sep 28 15:10:39.173: tplus response: type=1 seq_no=4 session_id=63f25d84 length=6 encrypted=0

*tplusTransportThread: Sep 28 15:10:39.173: tplus_make_author_request() from tplus_authen_passed returns rc=0

*tplusTransportThread: Sep 28 15:10:39.173: Forwarding request to 10.23.11.247 port=49

*tplusTransportThread: Sep 28 15:10:39.175: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0

*tplusTransportThread: Sep 28 15:10:39.175: arg[0] = [9][role1=ALL]

*tplusTransportThread: Sep 28 15:10:39.175:

User has the following mgmtRole fffffff8

*tplusTransportThread: Sep 28 15:10:40.622: No response from:10.23.11.247, retrying with next server

*tplusTransportThread: Sep 28 15:10:40.622: Preparing message for retransmit. Decrypting first

ACS 5.3 + WLC not working

Tarik Admani — Fri, 28 Sep 2012 14:41:50 GMT

Hi,

Can you check the authentication logs and see which shell-profile you are mapping against, it looks like you are hitting the shell profile which is assigned for IOS devices since the arg shell:prv-lvl=15 is being sent back.

You may want to consider creating a network device group for your WLC and set the authorization to map this NDG to your shell profile which has the role1=ALL attribute being sent back.

thanks,

Tarik Admani
*Please rate helpful posts*

Re: ACS 5.3 + WLC not working

bbsemearnu — Mon, 01 Oct 2012 07:47:05 GMT

Problem solved.

I had in the authorization a level 15 as 1st hitting rule.

I have moved now the "WLC" rule with the assigned shell profile towards the 1st rule for hitting.

Then it start working.

So I guess ACS 5.3 is following authorization rule 1 then rule 2 then rule 3 then rule 4

So my WLC rule was before on place 4, now move to place 1

See my picture for more info.

ACS 5.3 + WLC not working

Tarik Admani — Mon, 01 Oct 2012 18:37:00 GMT

Yes ACS works from top to bottom and a first match rule.

I am glad you were able to get this resolved, when you get some time please remember to rate and mark this thread as resolved.

Thanks,

Tarik Admani
*Please rate helpful posts*