TACACS on Cisco WLC Issue

ALIAOF_ (Level 6)

I just installed a Cisco 5508 WLC on our network. I have the management IP in the management VLAN and on the controller I set it up "untagged". The WLC has two ports connected to a Cisco 4507 switch in a port-channel config.

I can ping the controller from the network fine, and I can ping the TACACS server from the controller. I have the priority set up as "TACACS+, LOCAL". However, when I try to log into the WLC and look at the debug, it shows that I am authenticating and that is about it. For some reason authorization traffic is not passing. Using Wireshark I have confirmed that the request is coming from the management IP interface.

I have followed the instructions from this link:

http://www.cisco.com/en/US/customer/docs/wireless/controller/5.0/configuration/guide/c5sol.html

Any ideas?

Accepted Solution

Hi,

It looks like you did not configure the ACS properly.

The ACS should be returning the required attributes.

Please follow the document http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#topic3.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

5 Replies

Tiago Antunes (Cisco Employee)

Hi,

What is the TACACS+ server hardware/software?

Can you login to the WLC CLI and type "debug aaa all enable", and then try to connect via GUI. Please save the output and share with us.

Also, could you share your wlc "show run-config"?

HTH,
Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

It's running on Windows, Cisco Secure ACS 3.3.


Here is the debug:

(Cisco Controller) >*aaaQueueReader: Nov 22 23:43:15.157: AuthenticationRequest: 0x2bc328e8
*aaaQueueReader: Nov 22 23:43:15.157:   Callback.....................................0x108a6808
*aaaQueueReader: Nov 22 23:43:15.157:   protocolType.................................0x00020030
*aaaQueueReader: Nov 22 23:43:15.157:   proxyState...................................00:00:00:7E:00:00-00:00
*aaaQueueReader: Nov 22 23:43:15.157:   Packet contains 5 AVPs (not shown)
*aaaQueueReader: Nov 22 23:43:15.157: Forwarding request to 10.10.10.10 port=49
*tplusTransportThread: Nov 22 23:43:16.315: 00000000: c0 01 02 00 0f b1 0a f4    .............`2.
*tplusTransportThread: Nov 22 23:43:16.315: 00000010: 16 28 0b e4 58 be bd 9f  9f f8 58 60              .(..X.....X`
*tplusTransportThread: Nov 22 23:43:16.315: tplus response: type=1 seq_no=2 session_id=0fb10af4 length=16 encrypted=0
*tplusTransportThread: Nov 22 23:43:16.315: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Nov 22 23:43:16.315: auth_cont get_pass reply: pkt_length=26
*tplusTransportThread: Nov 22 23:43:16.315: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Nov 22 23:43:16.353: 00000000: c0 01 04 00 0f b1 0a f4  .......... ............d...
*tplusTransportThread: Nov 22 23:43:16.353: 00000010: ac 51                                             .Q
*tplusTransportThread: Nov 22 23:43:16.353: tplus response: type=1 seq_no=4 session_id=0fb10af4 length=6 encrypted=0
*tplusTransportThread: Nov 22 23:43:16.353: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Nov 22 23:43:16.353: Forwarding request to 10.10.10.10 port=49
*tplusTransportThread: Nov 22 23:43:16.356: 00000000: c0 02 02 00 18 d3 91 67  00 00 00 06 cc e5 c2 af  .......g........
*tplusTransportThread: Nov 22 23:43:16.356: 00000010: 32 69                                             2i
*tplusTransportThread: Nov 22 23:43:16.356: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0
*tplusTransportThread: Nov 22 23:43:16.356:
User has the following mgmtRole 0
*tplusTransportThread: Nov 22 23:43:16.356: 00:00:00:7e:00:00 Returning AAA Success for mobile 00:00:00:7e:00:00
*tplusTransportThread: Nov 22 23:43:16.356: AuthorizationResponse: 0x2d2e5678
*tplusTransportThread: Nov 22 23:43:16.356:     structureSize................................74
*tplusTransportThread: Nov 22 23:43:16.356:     resultCode...................................0
*tplusTransportThread: Nov 22 23:43:16.356:     protocolUsed.................................0x00000010
*tplusTransportThread: Nov 22 23:43:16.356:     proxyState...................................00:00:00:7E:00:00-00:00
*tplusTransportThread: Nov 22 23:43:16.356:     Packet contains 2 AVPs:
*tplusTransportThread: Nov 22 23:43:16.356:         AVP[01] Service-Type.............................0x00000000 (0) (4 bytes)
*tplusTransportThread: Nov 22 23:43:16.356:         AVP[02] Unknown Attribute 243....................0x00000001 (1) (4 bytes)

Authentication is successful and you are also receiving authorization, but

"User has the following mgmtRole 0"

We should get something like,

author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
arg[0] = [9][role1=ALL]

User has the following mgmtRole fffffff8

Or,

author response body: status=1 arg_cnt=4 msg_len=0 data_len=0
arg[0] = [11][role1=WLAN]
arg[1] = [16][role2=CONTROLLER]
arg[2] = [14][role3=SECURITY]
arg[3] = [14][role4=COMMANDS]
User has the following mgmtRole 150

Increase the TACACS server timeout on the WLC and also follow the guides below:

http://www.cisco.com/en/US/docs/wireless/controller/4.1/configuration/guide/c41sol.html#wp1208657

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

Note: Please rate the answer if it was helpful
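As an added example (not from the thread or from Cisco), a small Python checker for the failure discussed above: it reassembles the TACACS+ authorization reply from the WLC's hex dump and decodes its 12-byte header (RFC 8907 layout), then classifies the exchange by whether the server's PASS carried role1..role4 arguments or left the WLC at mgmtRole 0. The sample debug text is constructed from the lines quoted in this thread; the line formats are assumed to match what "debug aaa all enable" prints.

```python
import re
import struct
# Constructed samples: the failing exchange quoted in the thread, then the
# single-role exchange the reply above says the WLC should see instead.
NO_ROLE_DEBUG = """\
*tplusTransportThread: Nov 22 23:43:16.356: 00000000: c0 02 02 00 18 d3 91 67  00 00 00 06 cc e5 c2 af  .......g........
*tplusTransportThread: Nov 22 23:43:16.356: 00000010: 32 69                                             2i
*tplusTransportThread: Nov 22 23:43:16.356: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0
User has the following mgmtRole 0
"""
ROLE_DEBUG = """\
author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
arg[0] = [9][role1=ALL]
User has the following mgmtRole fffffff8
"""
DUMP_RE = re.compile(r"([0-9a-f]{8}): ((?:[0-9a-f]{2}\s+)+)")
AUTHOR_RE = re.compile(r"author response body: status=(\d+) arg_cnt=(\d+)")
ARG_RE = re.compile(r"arg\[\d+\] = \[\d+\]\[(role\d+)=([A-Z]+)\]")
ROLE_RE = re.compile(r"mgmtRole ([0-9a-f]+)")

def packet_bytes(debug: str) -> bytes:
    """Reassemble the packet from the WLC's hex dump (16 bytes per dump line)."""
    out = bytearray()
    for line in debug.splitlines():
        if m := DUMP_RE.search(line):
            out += bytes.fromhex(m.group(2))[:16]  # [:16] drops any ASCII column
    return bytes(out)

def parse_header(raw: bytes) -> dict:
    """Decode the 12-byte TACACS+ header (RFC 8907 section 4.1)."""
    _ver, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", raw[:12])
    # flags bit 0 clear: body is obfuscated with the shared secret, so status and
    # arg_cnt are only readable in the WLC's own decoded "author response body" line
    return {"type": {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}.get(ptype, ptype),
            "seq_no": seq_no, "session_id": session_id, "length": length,
            "obfuscated": not flags & 0x01, "body_complete": len(raw) - 12 >= length}

def analyze(debug: str) -> str:
    """Verdict on one authorization exchange from 'debug aaa all enable' output."""
    status, roles, mgmt_role = None, {}, None
    for line in debug.splitlines():
        if m := AUTHOR_RE.search(line):
            status = int(m.group(1))
        elif m := ARG_RE.search(line):
            roles[m.group(1)] = m.group(2)
        elif m := ROLE_RE.search(line):
            mgmt_role = m.group(1)
    if status != 1:  # 1 = TAC_PLUS_AUTHOR_STATUS_PASS_ADD; None means no reply seen
        return "no PASS from server: check reachability, timeout and shared secret"
    if not roles or mgmt_role == "0":
        return "PASS without role attributes: ACS must return role1..role4"
    return "ok: " + ",".join(f"{k}={v}" for k, v in sorted(roles.items()))
```

Running analyze() over the thread's own output yields the "PASS without role attributes" verdict, which is exactly the ACS misconfiguration the accepted answer points at.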


Thank you, I have the WLC working now. Just gotta finish the rest now.