04-02-2012 06:47 AM - edited 03-10-2019 06:57 PM
Hi
I am trying to implement TACACS authentication against our internal database on the ACS 5.1 for access to our WLC 5508. I have configured the WLC 5508 to use the TACACS which is configured to point to our ACS. In the ACS I have configured the relevant shell profile such as Role1, Mandatory & ALL.
When looking into the ACS log it actually shows you that the TACACS access was passed. But when I tried to log in, it came back to the same login box.
I have attached a screen shot of the ACS log.
Any ideas?
04-02-2012 06:57 AM
Forgot to mention the ACS version 5.1.0.11 & the WLC 5508 is 7-0-220-0
04-02-2012 07:42 AM
Have you installed any patches for ACS 5.1, or are you on the base release?
There were in total 6 cumulative patches for ACS 5.1 and at least some of these were applicable to TACACS+ and WLC
I don't remember them all off the top of my head and the release is a bit old but may include the following:
CSCtd24949 - Tacacs authorization failure when authen_type=0
CSCte81150 - ACS 5.x reports key mismatch for unknown authen type
CSCte70900 - ACS 5.1 rejects AP to join WDS domain by "LEAP packet validation failed"
CSCte16911 - ACS 5 doesn't support the PPP tacacs service type for authentication
Not sure I have pointed to a specific one but I do strongly recommend installing patch 6 for ACS 5.1. Can be downloaded from CCO.
04-02-2012 09:32 AM
Sorry, my mistake. The version on the ACS is 5-1-0-44-6
04-02-2012 11:40 AM
Please post a screenshot of your shell profile. Authentication can pass but if the right attributes are not sent precisely, then nothing will happen on WLC.
04-02-2012 03:01 PM

04-05-2012 03:12 PM
It turns out that the attribute entry that I entered had space characters in it which are there by default. This seems to be an undocumented bug. When you enter role1, mandatory, then ALL, the ALL field has spaces in it which must be deleted first before entering your command.
05-15-2013 10:45 AM
Thanks for posting. I had this issue as well. There were 22 spaces in the "empty" value field that were appended to my entered value. Once removed, I was able to log in.
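The padded attribute value described in the two posts above, as an added example that is not part of the original thread: a Python sketch that parses an already de-obfuscated TACACS+ authorization reply body (field layout per RFC 8907) and flags arguments whose value carries leading or trailing whitespace. The sample bytes are constructed and the helper names are hypothetical; the attribute name `role1`, the value `ALL` and the 22 spaces are taken from the posts.

```python
import struct

PASS_ADD = 0x01  # authorization status: pass, add these arguments


def parse_author_reply(body: bytes):
    """Parse an unobfuscated authorization REPLY body into (status, [args])."""
    # Fixed header: status, arg_cnt, server_msg length, data length.
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    lengths = body[6:6 + arg_cnt]          # one length byte per argument
    if len(lengths) != arg_cnt:
        raise ValueError("truncated argument length list")
    offset = 6 + arg_cnt + msg_len + data_len  # skip server_msg and data
    args = []
    for n in lengths:
        raw = body[offset:offset + n]
        if len(raw) != n:
            raise ValueError("truncated argument")
        args.append(raw.decode("ascii", "replace"))
        offset += n
    return status, args


def padded_args(args):
    """Return (name, value) pairs whose value has surrounding whitespace."""
    flagged = []
    for arg in args:
        # '=' marks a mandatory argument, '*' an optional one; the first wins.
        seps = [i for i in (arg.find("="), arg.find("*")) if i >= 0]
        if not seps:
            continue
        idx = min(seps)
        name, value = arg[:idx], arg[idx + 1:]
        if value != value.strip():
            flagged.append((name, value))
    return flagged


def build_reply(status, args):
    """Build a constructed sample reply body (no server_msg, no data)."""
    enc = [a.encode("ascii") for a in args]
    header = struct.pack("!BBHH", status, len(enc), 0, 0)
    return header + bytes(len(e) for e in enc) + b"".join(enc)


# Constructed samples: a clean value and one padded with 22 spaces.
GOOD = build_reply(PASS_ADD, ["role1=ALL"])
BAD = build_reply(PASS_ADD, ["role1=ALL" + " " * 22])

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("bad", BAD)):
        status, args = parse_author_reply(body)
        print(label, hex(status), [(n, repr(v)) for n, v in padded_args(args)])
```

Both samples parse as a passed authorization, which matches the ACS log showing success; only the padded one is flagged.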
03-03-2014 11:40 AM
Hi All,
I am facing the same issue. I removed blank spaces in the attribute field but am still facing the issue.
Any idea what could be causing the issue?
thanks
Imran