Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2853
Views
11
Helpful
4
Replies

Issue with TACACS+ on 9800 WLC

Slabre
Level 1
Level 1

‎07-30-2021 06:11 AM

Hello,

We are trying to correctly configure TACACS+ on our 9800 WLCs, so that we can manage CLI and GUI rights.

Device details :

  • AAA Server : Cisco ISE 2.6.0.156
  • WLC for testing : 9800-L 16.12.4a

 

Here's the story :

  • When we use a Policy Set like one we use for Switches, it works well for CLI, no problem. But for GUI, there's absolutely no access control. An account that have read-only access through CLI will have Full read and write access through GUI.
  • Then we try to see on ISE why and I saw something very strange : with a read and write account, I can see on ISE logs what is configured on 9800 through CLI, but through GUI, I can only see the "show" commands generated by GUI browsing, but absolutely no configuring commands are logged. It just hit our Shell Profile Priv 15, but absolutely no TACACS Command Set, which is a non-sense because we have a shell profile AND a TACACS command set attached to every Authorization Rule on ISE.

 

My questions :

  • Do we have to create another custom Policy Set, Auth Profiles, Command Sets... that are not mentioned by Cisco ? If yes, what should be their content (like some Custom attributes) and how can we differentiate CLI traffic from GUI traffic on ISE ?
  • Do I miss a part or should we reconsider our Policy/Auth Rules designs (I can tell you the details) so that we can make it work ?
  • Is there a ongoing bug (didn't find any) for our versions ?

 

To anticipate one of your questions : I understand that these 9800 are working like switches (from TACACS point of view) because they are running IOS XE. So no problem we do not use again the same Policy Sets, Auth profiles, etc. as we use for AireOS WLC.

Every time we try to reach Cisco TAC, they directly close the case and share to us the official guide for configuring TACACS and RADIUS on 9800 : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html

Of course we followed this guide many times and it just don't work as expected.

Thank you for your help !

0 Helpful
4 Replies 4

Amine ZAKARIA
Spotlight
Spotlight

‎07-30-2021 09:27 AM

Hello,

 I never had a chance to play with 9800 series but, under the read only shell profile can you add this to your existing attributes and test?

 

vdc.jpg

0 Helpful

Slabre
Level 1
Level 1
In response to Amine ZAKARIA

‎07-30-2021 09:42 AM

Hello,

Thank you for your help.

Already tested (because we have this attribute for AireOS WLC) and it just doesn't work, we still have full read and write access thourgh GUI.

0 Helpful

Amine ZAKARIA
Spotlight
Spotlight
In response to Slabre

‎07-30-2021 10:48 AM

Hello,

Are you using the shell priv for  level 15 ? did you try the level 7 ?

0 Helpful

Greg Gibbs
Cisco Employee
Cisco Employee

‎08-02-2021 08:18 PM

If you're looking for full read-only access to the WLC 9800 GUI, this does not currently exist.

See this enhancement bug for info - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu91616

 

Customers Also Viewed These Support Documents