09-28-2012 06:38 AM - edited 03-10-2019 07:36 PM
I have a question about ACS 5.3 and WLC.
We now have ACS 5.3 running for MAB (working well, thanks for your help) and TACACS+ for device AAA.
But now our WLCs will not work.
I have already created a special "custom attribute" => role1 / mandatory / ALL
I have already tried the combinations Role1=ALL / Role1=All / Role1=all / role1=ALL / role1=All / role1=all
But it is still not working; I get a wrong response.
I followed the guideline in the attached PDF file.
Debug dump from WLC
ACS 5.2 / ACS 5.3
-------------------
*tplusTransportThread: Sep 28 15:07:59.222: auth_cont get_pass reply: pkt_length=24
*tplusTransportThread: Sep 28 15:07:59.222: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Sep 28 15:07:59.388: tplus response: type=1 seq_no=4 session_id=b1fddbfc length=6 encrypted=0
*tplusTransportThread: Sep 28 15:07:59.388: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Sep 28 15:07:59.388: Forwarding request to 10.23.113.222 port=49
*tplusTransportThread: Sep 28 15:07:59.544: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Sep 28 15:07:59.544: arg[0] = [11][priv-lvl=15]
ACS 4.1
---------
*tplusTransportThread: Sep 28 15:10:39.171: auth_cont get_pass reply: pkt_length=26
*tplusTransportThread: Sep 28 15:10:39.171: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Sep 28 15:10:39.171: ACCT Socket closed underneath
*tplusTransportThread: Sep 28 15:10:39.173: tplus response: type=1 seq_no=4 session_id=63f25d84 length=6 encrypted=0
*tplusTransportThread: Sep 28 15:10:39.173: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Sep 28 15:10:39.173: Forwarding request to 10.23.11.247 port=49
*tplusTransportThread: Sep 28 15:10:39.175: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Sep 28 15:10:39.175: arg[0] = [9][role1=ALL]
*tplusTransportThread: Sep 28 15:10:39.175: User has the following mgmtRole fffffff8
*tplusTransportThread: Sep 28 15:10:40.622: No response from:10.23.11.247, retrying with next server
*tplusTransportThread: Sep 28 15:10:40.622: Preparing message for retransmit. Decrypting first
10-01-2012 11:37 AM
Yes ACS works from top to bottom and a first match rule.
I am glad you were able to get this resolved, when you get some time please remember to rate and mark this thread as resolved.
Thanks,
Tarik Admani
*Please rate helpful posts*
09-28-2012 07:41 AM
Hi,
Can you check the authentication logs and see which shell profile you are mapping against? It looks like you are hitting the shell profile assigned for IOS devices, since the arg shell:priv-lvl=15 is being sent back.
You may want to consider creating a network device group for your WLCs and setting the authorization rule to map this NDG to the shell profile that sends back the role1=ALL attribute.
Thanks,
Tarik Admani
*Please rate helpful posts*
10-01-2012 12:47 AM
Problem solved.
In the authorization policy, I had a level 15 rule as the first matching rule.
I have now moved the "WLC" rule with the assigned shell profile up to be the first rule hit.
Then it started working.
So I guess ACS 5.3 follows authorization rule 1, then rule 2, then rule 3, then rule 4.
My WLC rule was previously in place 4; I have now moved it to place 1.
See my picture for more info.
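The two fixes discussed in this thread (moving the WLC rule above the catch-all priv-lvl 15 rule, and scoping rules by network device group as suggested in the first reply) both come down to ACS evaluating authorization rules top to bottom and returning the first match. The following is an added example, not code from the thread or from Cisco: it models that first-match evaluation, parses the `arg[n] = [len][attr=value]` lines from the WLC debug output above, and checks whether the returned attribute set is one a WLC can use. Rule names, the NDG names and the list of WLC role values are assumptions for illustration; the debug lines are constructed to match the format shown in the thread.

```python
"""First-match authorization policy, modelled on the ACS 5.x behaviour
described in the thread.  Added example, not Cisco code: rule and NDG
names and the WLC role list below are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import re

# Management roles a WLC accepts in the TACACS+ "role1" attribute.
# Assumed list; confirm against the WLC documentation for your release.
WLC_ROLES = {"ALL", "MONITOR", "WLAN", "CONTROLLER", "WIRELESS",
             "SECURITY", "MANAGEMENT", "COMMANDS", "LOBBY"}


@dataclass
class Rule:
    name: str
    ndg: Optional[str]        # network device group to match; None = any device
    attributes: Dict[str, str]  # shell-profile attributes returned on a match


@dataclass
class Request:
    device: str
    ndg: str
    user: str


def authorize(rules: List[Rule], request: Request) -> Tuple[Optional[str], Dict[str, str]]:
    """Walk the policy top to bottom and stop at the first rule that matches."""
    for rule in rules:
        if rule.ndg is None or rule.ndg == request.ndg:
            return rule.name, rule.attributes
    return None, {}  # no rule matched: ACS would reject the session


# Matches 'arg[0] = [9][role1=ALL]' and also the optional-attribute form
# 'attr*value' that TACACS+ allows.
ARG_RE = re.compile(r"arg\[\d+\] = \[\d+\]\[([^=*\]]+)[=*]([^\]]*)\]")


def parse_author_args(debug_lines: List[str]) -> Dict[str, str]:
    """Extract attr=value pairs from one WLC TACACS+ author response."""
    attrs = {}
    for line in debug_lines:
        m = ARG_RE.search(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def wlc_usable(attrs: Dict[str, str]) -> bool:
    """A WLC needs role1 with a known role; priv-lvl alone does nothing for it.
    Exact match is used: the thread does not establish case-insensitivity."""
    return attrs.get("role1") in WLC_ROLES


# Policy as described in the thread: a priv-lvl 15 rule that matches any
# device sat in position 1, the WLC rule in position 4.
IOS_RULE = Rule("IOS-Admins", None, {"priv-lvl": "15"})
WLC_RULE = Rule("WLC-Admins", "WLC", {"role1": "ALL"})
BROKEN_ORDER = [IOS_RULE, Rule("Rule2", "Switches", {"priv-lvl": "1"}),
                Rule("Rule3", "Routers", {"priv-lvl": "1"}), WLC_RULE]
# Fix 1 (what the poster did): move the WLC rule to the top.
FIXED_ORDER = [WLC_RULE] + BROKEN_ORDER[:-1]
# Fix 2 (the first reply's suggestion): keep the order but scope the
# priv-lvl 15 rule to an IOS NDG so it no longer swallows WLC requests.
SCOPED_ORDER = [Rule("IOS-Admins", "IOS", {"priv-lvl": "15"})] + BROKEN_ORDER[1:]

WLC_REQ = Request(device="10.23.113.10", ndg="WLC", user="admin")

# Constructed debug lines in the format of the thread's WLC output.
DEBUG_BROKEN = ["*tplusTransportThread: Sep 28 15:07:59.544: arg[0] = [11][priv-lvl=15]"]
DEBUG_FIXED = ["*tplusTransportThread: Sep 28 15:10:39.175: arg[0] = [9][role1=ALL]"]

if __name__ == "__main__":
    for label, policy in (("broken", BROKEN_ORDER), ("reordered", FIXED_ORDER),
                          ("scoped", SCOPED_ORDER)):
        name, attrs = authorize(policy, WLC_REQ)
        print(f"{label:9s} -> rule {name}, attrs {attrs}, wlc_usable={wlc_usable(attrs)}")
    print("parsed broken debug:", parse_author_args(DEBUG_BROKEN))
    print("parsed fixed debug: ", parse_author_args(DEBUG_FIXED))
```

Run as a script it prints which rule the WLC request hits under each policy; the broken order returns only priv-lvl=15, which the WLC cannot map to a management role, while both fixes return role1=ALL.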