Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1609
Views
0
Helpful
2
Replies

TACACS issues with WLC 5508

Greg Dent
Level 1
Level 1

‎11-29-2013 02:42 AM - edited ‎03-10-2019 09:08 PM

Hi all

I'm trying to add TACACS configuration to two of our WLC's at one of our sites. Our ACS server is running v5.4.0.46.0a and my WLC 5508 is running code version 7.3.101.0.

I have added the TACACS server details to the WLC config (authentication, accounting, and authorisation), which is configured correctly. My ACS box has already been configured to allow the WLC's to authenticate (policy settings etc). We have 4 other identical WLC's on other sites which are already configured to use the same ACS server, which all work.

The problem I am seeing is that the ACS login is being accepted by the ACS box - I can see from the reports that it is accepting the login, but I keep getting re-prompted for a login when attempting to log in to the WLC I just configured. The same happens both on web and SSH console sessions. I am now unable to log in to the WLC with either local or AD credentials (which work on other WLC's on this same ACS box). I've had to hard reboot it to reload the old startup config and gain access again.

The priority order is set to TACACS+ then LOCAL, which is exactly how it's set on the other WLC's.

I followed this guide, to ensure I wasnt missing anything: https://supportforums.cisco.com/docs/DOC-14908

I also found this thread, which has the same symptoms, but the resolution doesnt apply to my config: https://supportforums.cisco.com/thread/2141173

Flat out of ideas. Any help appreciated!

1 person had this problem
Labels:
0 Helpful
2 Replies 2

Jatin Katyal
Cisco Employee
Cisco Employee

‎12-01-2013 08:32 PM

I wanted to see the output of "debug aaa tacacs enable" but it looks you don't even have access to CLI. Can you see the authorization being passed in ACS logs.

~BR

Jatin Katyal

**Do rate helpful posts**

~Jatin
0 Helpful

Javier Henderson
Level 4
Level 4

‎12-03-2013 12:32 PM

Consider that the WLC is expecting the user to have certain privilege level, and check the ACS configuration to make sure that the shell profile being hit grants the user the required privilege level.

Look at the authentication details for both a working and non-working authentication attempt, and compare the privilege level.

0 Helpful
Customers Also Viewed These Support Documents