I am currently running Cisco (ACS 220.127.116.11.3) and attempting to get my Cisco 5508 WLCs (18.104.22.168) loaded into ACS for TACACS+ authentication for management users.
However I keep getting the following error:
*emWeb: Sep 14 14:44:45.931: %EMWEB-1-LOGIN_FAILED: ews_auth.c:2104 Login failed for the user:test_tac. Service-Type is not present or it doesn't allow READ/WRITE permission.
Now I've attempted the step-by-step using the following URL but to no avail (there are some slight differences in ACS 5.2).
Latest WLC configuration guide I could find (Software Release 7.0 June 2010) isn't much help either.
Does anybody out there have any suggestions or know of any caveats trying to get these two platforms to operate together?
Thanks in advance !
Thanks for this reply and attachment.
If I get time today I'll give it a shot
Sent from Cisco Technical Support iPhone App
Actually I found out what the issue was.
You have to set up the Authentication and Authorization on the TACACS+ tab in the WLC.
I just set them both up with the same settings.
Also as described earlier you need to set up Policy Elements --> Authorization and Permissions --> Device Administration --> Shell Profiles
Create new -
Custom attributes: role1 - Mandatory - ALL
and caps do matter.
Thanks for the reply, and no I haven't got this working, as it's been a low priority compared to like 10 other projects I have, and I haven't spent much time on it since my original post.
The last time I checked I thought I had both Authentication/Authorization provisioned, but I still need to double-check the ACS server to ensure that attempts to log in to this device are not matching on other profiles provisioned on this server.
I'll let you know what I find out.
Thanks again !
Well, I finally had some time to focus on this issue today and was able to resolve this issue (tentative).
1st - My initial problem was the user account created for managing these devices was matching on other rules predefined in my ACS.
2nd - Once that issue was resolved I still received the same error, except I was matching on all appropriate policies using
Custom attributes: role1 - Mandatory - ALL
I performed a debug aaa tacacs enable from the WLC CLI and received the following messages:
*tplusTransportThread: Nov 23 18:36:01.357: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Nov 23 18:36:01.370: tplus response: type=1 seq_no=4 session_id=f009b840 length=6 encrypted=0
*tplusTransportThread: Nov 23 18:36:01.371: tplus_make_author_request() from tplus_authen_passed returns rc=
*tplusTransportThread: Nov 23 18:36:01.371: Forwarding request to xxx.xxx.xxx.xxx port=49
*tplusTransportThread: Nov 23 18:36:01.391: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0
*tplusTransportThread: Nov 23 18:36:01.391:
User has the following mgmtRole 0
mgmtRole 0 did not appear to be a valid option so I started adding in other roles in place of "ALL", i.e. MANAGEMENT, WIRELESS, COMMANDS, etc.
With all roles defined in ACS with the exception of LOBBY, I am now able to log in and administer the WLC and debugs return the following:
*tplusTransportThread: Nov 23 19:14:48.312: Forwarding request to xxx.xxx.xxx.xxx port=49
*tplusTransportThread: Nov 23 19:14:48.330: author response body: status=1 arg_cnt=6 msg_len=0 data_len=0
*tplusTransportThread: Nov 23 19:14:48.330: arg = [role1=MANAGEMENT]
*tplusTransportThread: Nov 23 19:14:48.330: arg = [role2=WIRELESS ]
*tplusTransportThread: Nov 23 19:14:48.330: arg = [role3=WLAN]
*tplusTransportThread: Nov 23 19:14:48.330: arg = [role4=CONTROLLER]
*tplusTransportThread: Nov 23 19:14:48.330: arg = [role5=SECURITY]
*tplusTransportThread: Nov 23 19:14:48.330: arg = [role6=COMMANDS]
I've performed all the administrative tasks I've done since I've been in control of these devices and have had no issue.
I think I'll open up a TAC case when I return from the holiday weekend and see if the role "ALL" is still being used in the versions of ACS and WLC that I am running or if there is something else causing me not to be able to use that role as it's been previously documented.
A big thanks to those who replied to this discussion !!
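As an added example (not code from the thread or from Cisco), here is a small Python checker for the `debug aaa tacacs enable` output shown in the posts above: it parses the authorization response, reports a reply with no roleN attributes (the "mgmtRole 0" case), flags role names whose case is wrong, and flags "ALL", which on the poster's ACS/WLC release did not grant access. The sample captures are constructed from the lines in the thread, and the set of accepted role names is limited to the ones the thread mentions.

```python
import re
# Added example (not from the thread). Role names are those seen in the posts above;
# "ALL" is flagged because the poster saw role1=ALL come back as "mgmtRole 0".
KNOWN_ROLES = {"ALL", "MANAGEMENT", "WIRELESS", "WLAN", "CONTROLLER", "SECURITY", "COMMANDS", "LOBBY"}
BODY_RE = re.compile(r"author response body: status=(\d+) arg_cnt=(\d+)")
ARG_RE = re.compile(r"arg = \[(role\d+)=([^\]]*)\]")
# Constructed samples modelled on the two 'debug aaa tacacs enable' captures in the thread.
FAIL_DEBUG = """\
*tplusTransportThread: Nov 23 18:36:01.391: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0
User has the following mgmtRole 0
"""
OK_DEBUG = """\
*tplusTransportThread: Nov 23 19:14:48.330: author response body: status=1 arg_cnt=6 msg_len=0 data_len=0
*tplusTransportThread: Nov 23 19:14:48.330: arg = [role1=MANAGEMENT]
*tplusTransportThread: Nov 23 19:14:48.330: arg = [role2=WIRELESS ]
*tplusTransportThread: Nov 23 19:14:48.330: arg = [role3=WLAN]
*tplusTransportThread: Nov 23 19:14:48.330: arg = [role4=CONTROLLER]
*tplusTransportThread: Nov 23 19:14:48.330: arg = [role5=SECURITY]
*tplusTransportThread: Nov 23 19:14:48.330: arg = [role6=COMMANDS]
"""

def parse_author_response(debug_text):
    """Extract (status, arg_cnt, {roleN: value}) from one TACACS+ authorization exchange."""
    status = arg_cnt = None
    roles = {}
    for line in debug_text.splitlines():
        m = BODY_RE.search(line)
        if m:
            status, arg_cnt = int(m.group(1)), int(m.group(2))
            continue
        m = ARG_RE.search(line)
        if m:
            roles[m.group(1)] = m.group(2).strip()  # the WLC prints a trailing space on some args
    return status, arg_cnt, roles

def check_roles(debug_text):
    """Return findings explaining why management access would be denied; an empty list means OK."""
    status, arg_cnt, roles = parse_author_response(debug_text)
    if status is None or arg_cnt == 0 or not roles:
        return ["authorization reply carries no roleN attributes (mgmtRole 0): the user is "
                "matching an ACS rule or shell profile other than the one that sets role1..roleN"]
    findings = []
    for name, value in sorted(roles.items()):
        if value not in KNOWN_ROLES:
            hint = " (case matters)" if value.upper() in KNOWN_ROLES else ""
            findings.append(f"{name}={value} is not a role name the WLC accepts{hint}")
        elif value == "ALL":
            findings.append(f"{name}=ALL was returned; on the poster's ACS/WLC release it gave "
                            "mgmtRole 0, so list explicit roles (MANAGEMENT, WIRELESS, COMMANDS, ...)")
    return findings
```

Paste a captured authorization exchange into `check_roles` to see which of the three failure modes from the thread applies before opening a TAC case.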