09-14-2011 09:51 AM - edited 03-10-2019 06:24 PM
Greetings all,
I am currently running Cisco ACS 5.2.0.26.3 and attempting to get my Cisco 5508 WLCs (7.0.98.0) loaded into ACS for TACACS+ authentication for management users.
However I keep getting the following error:
*emWeb: Sep 14 14:44:45.931: %EMWEB-1-LOGIN_FAILED: ews_auth.c:2104 Login failed for the user:test_tac. Service-Type is not present or it doesn't allow READ/WRITE permission.
Now I've attempted the step-by-step using the following URL but to no avail (there are some slight differences in ACS 5.2):
https://supportforums.cisco.com/docs/DOC-14908
Latest WLC configuration guide I could find (Software Release 7.0 June 2010) isn't much help either.
Does anybody out there have any suggestions or know of any caveats trying to get these two platforms to operate together?
Thanks in advance!
09-16-2011 04:06 AM
09-19-2011 09:58 AM
Barry,
Thanks for this reply and attachment.
If I get time today I'll give it a shot
Thanks again!
Sent from Cisco Technical Support iPhone App
11-04-2011 11:03 AM
Did you ever get this working? I'm having the same issue that you are having now.
11-04-2011 11:55 AM
Actually I found out what the issue was.
You have to set up the Authentication and Authorization on the TACACS+ tab in the WLC.
I just set them both up with the same settings.
Also as described earlier you need to set up Policy Elements -> Authorization and Permissions -> Device Administration -> Shell Profiles
Create new -
name:WLC
Custom attributes: role1 - Mandatory - ALL
and caps do matter.
11-04-2011 12:38 PM
Bobby,
Thanks for the reply, and no I haven't got this working as it's been a low priority compared to like 10 other projects I have and haven't spent much time since my original post.
The last time I checked I thought I had both Authentication/Authorization provisioned, but I still need to double-check the ACS server to ensure that attempts to login to this device are not matching on other profiles provisioned on this server.
I'll let you know what I find out.
Thanks again!
11-23-2011 12:49 PM
Well, I finally had some time to focus on this issue today and was able to resolve this issue (tentative).
1st - My initial problem was the user account created for managing these devices was matching on other rules predefined in my ACS.
2nd - Once that issue was resolved I still received the same error, except I was matching on all appropriate policies using
Custom attributes: role1 - Mandatory - ALL
I performed a debug aaa tacacs enable from the WLC CLI and received the following messages:
*tplusTransportThread: Nov 23 18:36:01.357: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Nov 23 18:36:01.370: tplus response: type=1 seq_no=4 session_id=f009b840 length=6 encrypted=0
*tplusTransportThread: Nov 23 18:36:01.371: tplus_make_author_request() from tplus_authen_passed returns rc=
*tplusTransportThread: Nov 23 18:36:01.371: Forwarding request to xxx.xxx.xxx.xxx port=49
*tplusTransportThread: Nov 23 18:36:01.391: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0
*tplusTransportThread: Nov 23 18:36:01.391:
User has the following mgmtRole 0
mgmtRole 0 did not appear to be a valid option so I started adding in other roles in place of "ALL", i.e. MANAGEMENT, WIRELESS, COMMANDS, etc.
With all roles defined in ACS with the exception of LOBBY, I am now able to login and administrate the WLC and debugs return the following:
*tplusTransportThread: Nov 23 19:14:48.312: Forwarding request to xxx.xxx.xxx.xxx port=49
*tplusTransportThread: Nov 23 19:14:48.330: author response body: status=1 arg_cnt=6 msg_len=0 data_len=0
*tplusTransportThread: Nov 23 19:14:48.330: arg[0] = [16][role1=MANAGEMENT]
*tplusTransportThread: Nov 23 19:14:48.330: arg[1] = [36][role2=WIRELESS ]
*tplusTransportThread: Nov 23 19:14:48.330: arg[2] = [10][role3=WLAN]
*tplusTransportThread: Nov 23 19:14:48.330: arg[3] = [16][role4=CONTROLLER]
*tplusTransportThread: Nov 23 19:14:48.330: arg[4] = [14][role5=SECURITY]
*tplusTransportThread: Nov 23 19:14:48.330: arg[5] = [14][role6=COMMANDS]
I've performed all the administrative tasks I've done since I've been in control of these devices and have had no issue.
I think I'll open up a TAC case when I return from the holiday weekend and see if the role "ALL" is still being used in the versions of ACS and WLC that I am running or if there is something else causing me not to be able to use that role as it's been previously documented.
A big thanks to those who replied to this discussion !!
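As an added example that is not part of this thread, the following Python script summarises a `debug aaa tacacs enable` authorization exchange like the ones quoted above: it decodes the TACACS+ status, lists the role1..roleN attributes ACS returned, and flags the two failure signs seen in this thread (a PASS reply with arg_cnt=0, and mgmtRole 0). The set of accepted role names is assumed from the values mentioned in the thread, and the sample lines are constructed copies of the debug output posted above.

```python
import re

# TACACS+ authorization reply status codes (RFC 8907, section 6.2).
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}
# Role names mentioned in this thread; assumed here to be the values the WLC
# accepts for role1..roleN (case-sensitive, as the thread notes).
KNOWN_ROLES = {"ALL", "MANAGEMENT", "WIRELESS", "WLAN", "CONTROLLER", "SECURITY", "COMMANDS", "LOBBY"}

AUTHOR_RE = re.compile(r"author response body: status=(\d+) arg_cnt=(\d+)")
ARG_RE = re.compile(r"arg\[\d+\] = \[\d+\]\[(role\d+)=(.*)\]$")
MGMT_RE = re.compile(r"User has the following mgmtRole (\d+)")

def analyze_debug(lines):
    # Walk one authorization exchange and collect status, attributes and findings.
    rep = {"status": None, "arg_cnt": None, "roles": [], "mgmt_role": None, "findings": []}
    for line in lines:
        if m := AUTHOR_RE.search(line):
            rep["status"] = AUTHOR_STATUS.get(int(m.group(1)), "UNKNOWN")
            rep["arg_cnt"] = int(m.group(2))
        elif m := ARG_RE.search(line):
            attr, raw = m.group(1), m.group(2)
            role = raw.strip()  # ACS may pad the value, e.g. "WIRELESS "
            rep["roles"].append(role)
            if raw != role:
                rep["findings"].append(f"{attr} value {raw!r} carries padding whitespace")
            if role not in KNOWN_ROLES:
                rep["findings"].append(f"{attr} value {role!r} is not a known WLC role (check spelling/case)")
        elif m := MGMT_RE.search(line):
            rep["mgmt_role"] = int(m.group(1))
    if rep["status"] in ("PASS_ADD", "PASS_REPL") and rep["arg_cnt"] == 0:
        rep["findings"].append("authorization passed but ACS sent no attributes: wrong shell profile or authorization rule matched")
    if rep["mgmt_role"] == 0:
        rep["findings"].append("WLC derived mgmtRole 0, so the login is rejected as LOGIN_FAILED")
    return rep

# Constructed samples copied from the debug output quoted earlier in this thread.
FAILED_SESSION = [
    "*tplusTransportThread: Nov 23 18:36:01.391: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0",
    "User has the following mgmtRole 0",
]
WORKING_SESSION = [
    "*tplusTransportThread: Nov 23 19:14:48.330: author response body: status=1 arg_cnt=6 msg_len=0 data_len=0",
    "*tplusTransportThread: Nov 23 19:14:48.330: arg[0] = [16][role1=MANAGEMENT]",
    "*tplusTransportThread: Nov 23 19:14:48.330: arg[1] = [36][role2=WIRELESS ]",
    "*tplusTransportThread: Nov 23 19:14:48.330: arg[2] = [10][role3=WLAN]",
    "*tplusTransportThread: Nov 23 19:14:48.330: arg[3] = [16][role4=CONTROLLER]",
    "*tplusTransportThread: Nov 23 19:14:48.330: arg[4] = [14][role5=SECURITY]",
    "*tplusTransportThread: Nov 23 19:14:48.330: arg[5] = [14][role6=COMMANDS]",
]
```

Running `analyze_debug` over a fresh capture shows whether ACS is returning any role attributes at all before you start changing shell profiles.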
04-20-2020 12:53 PM
Hi. Related to Policy Elements... Do I need to create it in ACS?