Sam Jesberg
Beginner

ACS 4.2.1.15 + WLC 4402 + TACACS+ (Solved)

I followed this guide:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#topic3

and am unable to get my wlc4402 to accept TACACS+ credentials.

When I telnet to the 4402 and apply the command "debug aaa all enable" and then attempt to login, I get the following output:

__________________________________________________________________________

(Cisco Controller) >*aaaQueueReader: Jun 05 16:50:31.764: AuthenticationRequest: 0x3118a8e0
*aaaQueueReader: Jun 05 16:50:31.764:   Callback.....................................0x10733b2c
*aaaQueueReader: Jun 05 16:50:31.764:   protocolType.................................0x00020030
*aaaQueueReader: Jun 05 16:50:31.764:   proxyState...................................00:00:00:2A:00:00-00:00
*aaaQueueReader: Jun 05 16:50:31.764:   Packet contains 5 AVPs (not shown)
*aaaQueueReader: Jun 05 16:50:31.764: Forwarding request to 10.60.1.7 port=49
*tplusTransportThread: Jun 05 16:50:41.768: Exhausted all available servers
*tplusTransportThread: Jun 05 16:50:41.768: ReProcessAuthentication previous proto 30, next proto 20008
*tplusTransportThread: Jun 05 16:50:41.768: Unable to find requested user entry for user
*tplusTransportThread: Jun 05 16:50:41.768: 00:00:00:2a:00:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:00:00:2a:00:00
*tplusTransportThread: Jun 05 16:50:41.768: AuthorizationResponse: 0x3186eb80
*tplusTransportThread: Jun 05 16:50:41.768:     structureSize................................32
*tplusTransportThread: Jun 05 16:50:41.768:     resultCode...................................-4
*tplusTransportThread: Jun 05 16:50:41.768:     protocolUsed.................................0x00000008
*tplusTransportThread: Jun 05 16:50:41.768:     proxyState...................................00:00:00:2A:00:00-00:00
*tplusTransportThread: Jun 05 16:50:41.768:     Packet contains 0 AVPs:

__________________________________________________________________________

I see in the debug it says "Unable to find requested user entry for user", the user I created literally being named "user". Although it does not make sense, that user is created and has all the right parameters.

Any help is greatly appreciated !!

Jatin Katyal
Cisco Employee

Please check the shared secret being used on ACS and WLC for TACACS+ communication. You also need to check keys on the NDG level (if any), because the NDG keys override the key of the AAA client.

What did you see in the ACS > reports and activity > failed attempts?

In case the above suggestion doesn't work, please provide the following outputs:

debug aaa tacacs enable

show aaa auth

show tacacs auth stat

Jatin Katyal


- Do rate helpful posts -

~Jatin

Sam, did you get a chance to work on the issue lately? Let us know if you need some assistance or if you were able to fix this issue.

Jatin Katyal
- Do rate helpful posts -

~Jatin

I took the day off yesterday. I will get this thread updated with the relevant information you wanted today (hopefully sooner rather than later).

Hope you had a nice stay. No worries. anytime

Jatin Katyal
- Do rate helpful posts -

~Jatin

Let me preface this as saying, I am building out Cisco Labs, so everything I'm doing is pretty fresh / non prod.

I have a fresh install of ACS 4.2, and I upgraded it to 4.2.1.15. I have no NDG, so no keys there.

Below is the link for "ACS > reports and activity > failed attempts"

https://dl.dropboxusercontent.com/u/486946/Random/Failed.csv

debug aaa tacacs enable

______________________________________________________________________

(Cisco Controller) >*emWeb: Jun 05 16:50:41.769: Authentication failed for user
*aaaQueueReader: Jun 07 09:42:19.391: AuthenticationRequest: 0x31151fcc
*aaaQueueReader: Jun 07 09:42:19.391:   Callback.....................................0x10733b2c
*aaaQueueReader: Jun 07 09:42:19.391:   protocolType.................................0x00020030
*aaaQueueReader: Jun 07 09:42:19.392:   proxyState...................................00:00:00:2D:00:00-00:00
*aaaQueueReader: Jun 07 09:42:19.392:   Packet contains 5 AVPs (not shown)
*aaaQueueReader: Jun 07 09:42:19.392: Forwarding request to 10.60.1.7 port=49
*tplusTransportThread: Jun 07 09:42:29.396: Exhausted all available servers
*tplusTransportThread: Jun 07 09:42:29.396: ReProcessAuthentication previous proto 30, next proto 20008
*tplusTransportThread: Jun 07 09:42:29.396: Unable to find requested user entry for user
*tplusTransportThread: Jun 07 09:42:29.396: 00:00:00:2d:00:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:00:00:2d:00:00
*tplusTransportThread: Jun 07 09:42:29.396: AuthorizationResponse: 0x3186ecec
*tplusTransportThread: Jun 07 09:42:29.396:     structureSize................................32
*tplusTransportThread: Jun 07 09:42:29.396:     resultCode...................................-4
*tplusTransportThread: Jun 07 09:42:29.396:     protocolUsed.................................0x00000008
*tplusTransportThread: Jun 07 09:42:29.396:     proxyState...................................00:00:00:2D:00:00-00:00
*tplusTransportThread: Jun 07 09:42:29.396:     Packet contains 0 AVPs:
*emWeb: Jun 07 09:42:29.397: Authentication failed for user

______________________________________________________________________

show aaa auth

______________________________________________________________________

Management authentication server order:

    1............................................ tacacs

    2............................................ local

______________________________________________________________________

show tacacs auth stat

______________________________________________________________________

Authentication Servers:

Server Index..................................... 1

Server Address................................... 10.60.1.7

Msg Round Trip Time.............................. 0 (msec)

First Requests................................... 34

Retry Requests................................... 0

Accept Responses................................. 0

Reject Responses................................. 0

Error Responses.................................. 0

Restart Responses................................ 0

Follow Responses................................. 0

GetData Responses................................ 0

Encrypt no secret Responses...................... 0

Challenge Responses.............................. 0

Malformed Msgs................................... 0

Bad Authenticator Msgs........................... 0

Timeout Requests................................. 102

Unknowntype Msgs................................. 0

Other Drops...................................... 0

______________________________________________________________________

Debugs suggest that the WLC is not getting a TACACS+ response from the ACS and the request is timing out.

aaaQueueReader: Jun 07 09:42:19.392: Forwarding request to 10.60.1.7 port=49

tplusTransportThread: Jun 07 09:42:29.396: Exhausted all available servers

It seems the WLC IP address is x.x.x.4. The ACS logs say that the WLC is unknown to the server. Have you added the controller IP address x.x.x.4 as an AAA client with the authentication mechanism TACACS+ (Cisco IOS), as shown here: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#topic3

If that's been done on the ACS then reset the shared secret key on the ACS and WLC side.

Jatin Katyal
- Do rate helpful posts -

~Jatin
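The reasoning above (102 timeouts, zero accepts and zero rejects means the ACS never answered, not that it rejected the user) can be turned into a small triage script. This is an added example, not anything from the thread or from Cisco; the sample counters are constructed from the `show tacacs auth stat` output posted above, and the classification rules are the author's own heuristics.

```python
"""Triage a WLC TACACS+ failure from 'show tacacs auth stat' counters."""
import re

# Constructed sample: the relevant lines of the 'show tacacs auth stat' output
# posted in this thread (dotted 'Name....... value' layout).
SAMPLE_STATS = """\
Server Index..................................... 1
Server Address................................... 10.60.1.7
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 34
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Error Responses.................................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Timeout Requests................................. 102
"""

# Counter name, a run of dots, then the first whitespace-free token as the value.
LINE_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*?)\.{2,}\s*(?P<value>\S+)")


def parse_stats(text: str) -> dict:
    """Turn the dotted layout into a dict; purely numeric values become int."""
    stats = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headings such as 'Authentication Servers:' have no dots
        value = m.group("value")
        stats[m.group("name").strip()] = int(value) if value.isdigit() else value
    return stats


def classify(stats: dict) -> str:
    """Map the counters onto the first thing an admin should check (heuristic)."""
    accept = stats.get("Accept Responses", 0)
    reject = stats.get("Reject Responses", 0)
    undecodable = stats.get("Malformed Msgs", 0) + stats.get("Bad Authenticator Msgs", 0)
    timeouts = stats.get("Timeout Requests", 0)
    if undecodable:
        return "replies arrive but cannot be decoded: compare the shared secret on ACS and WLC"
    if reject:
        return "server answers and rejects: check the user's TACACS+ privileges on ACS"
    if timeouts and not accept:
        return "no reply from server: check reachability to port 49 and that the WLC is a known AAA client on ACS"
    if accept:
        return "authentication succeeds: look at authorization/role mapping instead"
    return "no traffic seen: check 'show aaa auth' order and the server configuration"
```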

Odd, yes I put both shared secrets as "cisco" and reset them to that to make sure I didn't fat finger it.

Here are some pictures that verify my claims:

http://imgur.com/a/oM1pw

Don't worry about IPs / Hostname's showing, this is strictly a Lab environment that does not mirror any production network.

Any other ideas or troubleshooting I can do ?

The list of screenshots doesn't show whether you have added your ACS on the WLC as an authorization server as well.

Would like to see the debugs again if the issue persists.

Jatin Katyal
- Do rate helpful posts -

~Jatin

I found the solution to my problem. I originally had the server IP as 10.40.1.7 for some previous ACS labs; when I swapped the server to a new IP of 10.60.1.7, it appeared ACS was still functioning, but it was not. I had to uninstall ACS and install it fresh with the new IP.

For future reference, is there a way with ACS 4.2 to overcome an obstacle like this?

If not, do future versions of ACS overcome this problem?

Jatin Katyal
Cisco Employee

I guess you were not getting an option to delete the old server entry. You will find the same behaviour in all codes of ACS 4. There is a workaround.
Edit the server entry you want to delete with some random IP address > save. Go to services.msc > restart CSAdmin > log back in to ACS, and now you will see a delete tab + apply tab for the server entry. Make sure we have the correct server IP address in the proxy distribution under the "forward to" column.

Jatin katyal
*do rate helpful posts*

Sent from Cisco Technical Support Android App

~Jatin

In case it answered all your queries, I would appreciate it if you mark this thread resolved so other community members can benefit from it.

Jatin Katyal
- Do rate helpful posts -

~Jatin