06-05-2013 03:11 PM - edited 03-10-2019 08:30 PM
I followed this guide:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#topic3
and am unable to get my wlc4402 to accept TACACS+ credentials.
When I telnet to the 4402 and apply the command "debug aaa all enable" and then attempt to login, I get the following output:
__________________________________________________________________________
(Cisco Controller) >*aaaQueueReader: Jun 05 16:50:31.764: AuthenticationRequest: 0x3118a8e0
*aaaQueueReader: Jun 05 16:50:31.764: Callback.....................................0x10733b2c
*aaaQueueReader: Jun 05 16:50:31.764: protocolType.................................0x00020030
*aaaQueueReader: Jun 05 16:50:31.764: proxyState...................................00:00:00:2A:00:00-00:00
*aaaQueueReader: Jun 05 16:50:31.764: Packet contains 5 AVPs (not shown)
*aaaQueueReader: Jun 05 16:50:31.764: Forwarding request to 10.60.1.7 port=49
*tplusTransportThread: Jun 05 16:50:41.768: Exhausted all available servers
*tplusTransportThread: Jun 05 16:50:41.768: ReProcessAuthentication previous proto 30, next proto 20008
*tplusTransportThread: Jun 05 16:50:41.768: Unable to find requested user entry for user
*tplusTransportThread: Jun 05 16:50:41.768: 00:00:00:2a:00:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:00:00:2a:00:00
*tplusTransportThread: Jun 05 16:50:41.768: AuthorizationResponse: 0x3186eb80
*tplusTransportThread: Jun 05 16:50:41.768: structureSize................................32
*tplusTransportThread: Jun 05 16:50:41.768: resultCode...................................-4
*tplusTransportThread: Jun 05 16:50:41.768: protocolUsed.................................0x00000008
*tplusTransportThread: Jun 05 16:50:41.768: proxyState...................................00:00:00:2A:00:00-00:00
*tplusTransportThread: Jun 05 16:50:41.768: Packet contains 0 AVPs:
__________________________________________________________________________
I see in the debug it says "Unable to find requested user entry for user", the user I created literally being named "user". Although it does not make sense, that user is created and has all the right parameters.
Any help is greatly appreciated!!
06-05-2013 03:56 PM
Please check the shared secret being used on ACS and WLC for TACACS+ communication. You also need to check keys at the NDG level (if any), because the NDG keys override the key of the AAA client.
What did you see in the ACS > reports and activity > failed attempts?
In case the above suggestion doesn't work, please provide the following outputs:
debug aaa tacacs enable
show aaa auth
show tacacs auth stat
Jatin Katyal
- Do rate helpful posts -
06-06-2013 04:08 PM
Sam, did you get a chance to work on the issue lately? Let us know if you need some assistance or if you were able to fix this issue.
Jatin Katyal
- Do rate helpful posts -
06-07-2013 07:26 AM
I took the day off yesterday. I will get this thread updated with the relevant information you wanted today (hopefully sooner rather than later).
06-07-2013 07:34 AM
Hope you had a nice stay. No worries, anytime.
Jatin Katyal
- Do rate helpful posts -
06-07-2013 07:46 AM
Let me preface this by saying that I am building out Cisco labs, so everything I'm doing is pretty fresh / non-prod.
I have a fresh install of ACS 4.2, and I upgraded it to 4.2.1.15. I have no NDG, so no keys there.
Below is the link for "ACS > Reports and Activity > Failed Attempts":
https://dl.dropboxusercontent.com/u/486946/Random/Failed.csv
debug aaa tacacs enable
______________________________________________________________________
(Cisco Controller) >*emWeb: Jun 05 16:50:41.769: Authentication failed for user
*aaaQueueReader: Jun 07 09:42:19.391: AuthenticationRequest: 0x31151fcc
*aaaQueueReader: Jun 07 09:42:19.391: Callback.....................................0x10733b2c
*aaaQueueReader: Jun 07 09:42:19.391: protocolType.................................0x00020030
*aaaQueueReader: Jun 07 09:42:19.392: proxyState...................................00:00:00:2D:00:00-00:00
*aaaQueueReader: Jun 07 09:42:19.392: Packet contains 5 AVPs (not shown)
*aaaQueueReader: Jun 07 09:42:19.392: Forwarding request to 10.60.1.7 port=49
*tplusTransportThread: Jun 07 09:42:29.396: Exhausted all available servers
*tplusTransportThread: Jun 07 09:42:29.396: ReProcessAuthentication previous proto 30, next proto 20008
*tplusTransportThread: Jun 07 09:42:29.396: Unable to find requested user entry for user
*tplusTransportThread: Jun 07 09:42:29.396: 00:00:00:2d:00:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:00:00:2d:00:00
*tplusTransportThread: Jun 07 09:42:29.396: AuthorizationResponse: 0x3186ecec
*tplusTransportThread: Jun 07 09:42:29.396: structureSize................................32
*tplusTransportThread: Jun 07 09:42:29.396: resultCode...................................-4
*tplusTransportThread: Jun 07 09:42:29.396: protocolUsed.................................0x00000008
*tplusTransportThread: Jun 07 09:42:29.396: proxyState...................................00:00:00:2D:00:00-00:00
*tplusTransportThread: Jun 07 09:42:29.396: Packet contains 0 AVPs:
*emWeb: Jun 07 09:42:29.397: Authentication failed for user
______________________________________________________________________
show aaa auth
______________________________________________________________________
Management authentication server order:
1............................................ tacacs
2............................................ local
______________________________________________________________________
show tacacs auth stat
______________________________________________________________________
Authentication Servers:
Server Index..................................... 1
Server Address................................... 10.60.1.7
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 34
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Error Responses.................................. 0
Restart Responses................................ 0
Follow Responses................................. 0
GetData Responses................................ 0
Encrypt no secret Responses...................... 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Timeout Requests................................. 102
Unknowntype Msgs................................. 0
Other Drops...................................... 0
______________________________________________________________________
06-07-2013 08:01 AM
Debugs suggest that the WLC is not getting a TACACS+ response from the ACS and the request is timing out.
aaaQueueReader: Jun 07 09:42:19.392: Forwarding request to 10.60.1.7 port=49
tplusTransportThread: Jun 07 09:42:29.396: Exhausted all available servers
It seems the WLC IP address is x.x.x.4. The ACS logs say that the WLC is unknown to the server. Have you added
the controller IP address x.x.x.4 as an AAA client with the authentication mechanism set to TACACS+ (Cisco IOS), as shown here: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#topic3
If that's been done on the ACS, then reset the shared secret key on both the ACS and WLC side.
Jatin Katyal
- Do rate helpful posts -
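The reasoning above (no Accept/Reject/Error responses, only timeouts, so the server is not answering at all rather than rejecting the user) can be automated. As an added example that is not from the thread or from Cisco, this Python helper parses the counter table from `show tacacs auth stat` and classifies the failure; the fault categories and thresholds are my own heuristics, and the sample table is constructed to mirror the numbers posted earlier.

```python
import re

# Constructed sample, modelled on the "show tacacs auth stat" output in the
# thread: requests are sent, nothing comes back, everything times out.
SAMPLE_STATS = """\
Authentication Servers:
Server Index..................................... 1
Server Address................................... 10.60.1.7
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 34
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Error Responses.................................. 0
Bad Authenticator Msgs........................... 0
Timeout Requests................................. 102
"""


def parse_tacacs_stats(text):
    """Turn 'Counter Name........ value' lines into a dict; numeric values become ints."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+?)\.{2,}\s*(\S+)", line)
        if m:
            key, value = m.group(1).strip(), m.group(2)
            counters[key] = int(value) if value.isdigit() else value
    return counters


def diagnose(counters):
    """Map the counter pattern to a likely fault class (heuristic, my assumption)."""
    sent = counters.get("First Requests", 0) + counters.get("Retry Requests", 0)
    replies = sum(counters.get(k, 0)
                  for k in ("Accept Responses", "Reject Responses", "Error Responses"))
    if counters.get("Bad Authenticator Msgs", 0) > 0:
        # Server answered, but the MD5 body check failed: shared secret mismatch.
        return "shared-secret mismatch: server replied but packets failed integrity check"
    if sent and replies == 0 and counters.get("Timeout Requests", 0) > 0:
        # Nothing came back at all: the WLC is not a known AAA client, or TCP/49 is blocked.
        return "no response from server: check AAA client entry on ACS and reachability of TCP port 49"
    if counters.get("Reject Responses", 0) and not counters.get("Accept Responses", 0):
        return "server rejecting credentials: check user, group and privilege attributes on ACS"
    if counters.get("Accept Responses", 0):
        return "server accepting: authentication path is healthy"
    return "insufficient data"
```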
06-07-2013 08:18 AM
Odd, yes, I set both shared secrets to "cisco" and reset them to that to make sure I didn't fat-finger it.
Here are some pictures that verify my claims.
Don't worry about IPs / hostnames showing; this is strictly a lab environment that does not mirror any production network.
Any other ideas or troubleshooting I can do?
06-07-2013 08:35 AM
The list of screenshots doesn't show whether you have added your ACS on the WLC as an authorization server as well.
Would like to see the debugs again if the issue persists.
Jatin Katyal
- Do rate helpful posts -
06-07-2013 02:40 PM
I found the solution to my problem. I originally had the server IP as 10.40.1.7 for some previous ACS labs; when I swapped the server to a new IP of 10.60.1.7, it appeared ACS was still functioning, but it was not. I had to uninstall ACS and install it fresh with the new IP.
For future reference, is there a way with ACS 4.2 to overcome an obstacle like this?
If not, do future versions of ACS overcome this problem?
06-08-2013 12:13 AM
I guess you were not getting an option to delete the old server entry. You will find the same behaviour in all codes of ACS 4. There is a workaround.
Edit the server entry you want to delete with some random IP address > save. Go to services.msc > restart csadmin > log back in to ACS and now you will see a Delete + Apply tab for the server entry. Make sure we have the correct server IP address in the proxy distribution under the "Forward To" column.
Jatin katyal
*do rate helpful posts*
Sent from Cisco Technical Support Android App
06-08-2013 02:07 AM
In case it answered all your queries, I would appreciate it if you marked this thread as resolved so other community members can benefit from it.
Jatin Katyal
- Do rate helpful posts -