11-21-2010 09:15 AM - edited 03-10-2019 05:35 PM
I just installed a Cisco 5508 WLC on our network. I have the Management IP in the management VLAN and on the controller I set it up "untagged". The WLC has two ports connected to a Cisco 4507 switch in a port-channel config.
I can ping the controller from the network fine, and I can ping the TACACS server from the controller. I have the priority set up as "TACACS+, LOCAL". However, when I try to log into the WLC and look at the debug, it shows that I am authenticating and that is about it. For some reason authorization traffic is not passing. Using Wireshark I have confirmed that the request is coming from the Management IP interface.
I have followed the instructions from this link:
http://www.cisco.com/en/US/customer/docs/wireless/controller/5.0/configuration/guide/c5sol.html
Any ideas?
11-23-2010 01:58 AM
Hi,
It looks like you did not configure the ACS properly.
The ACS should be returning the required attributes.
Please follow the document http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#topic3.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
11-22-2010 01:39 AM
Hi,
What is the TACACS+ server hardware/software?
Can you login to the WLC CLI and type "debug aaa all enable", and then try to connect via GUI. Please save the output and share with us.
Also, could you share your WLC "show run-config"?
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
11-22-2010 03:47 PM
It's running on Windows, Cisco Secure ACS 3.3.
Here is the debug:
(Cisco Controller) >
*aaaQueueReader: Nov 22 23:43:15.157: AuthenticationRequest: 0x2bc328e8
*aaaQueueReader: Nov 22 23:43:15.157: Callback.....................................0x108a6808
*aaaQueueReader: Nov 22 23:43:15.157: protocolType.................................0x00020030
*aaaQueueReader: Nov 22 23:43:15.157: proxyState...................................00:00:00:7E:00:00-00:00
*aaaQueueReader: Nov 22 23:43:15.157: Packet contains 5 AVPs (not shown)
*aaaQueueReader: Nov 22 23:43:15.157: Forwarding request to 10.10.10.10 port=49
*tplusTransportThread: Nov 22 23:43:16.315: 00000000: c0 01 02 00 0f b1 0a f4 .............`2.
*tplusTransportThread: Nov 22 23:43:16.315: 00000010: 16 28 0b e4 58 be bd 9f 9f f8 58 60 .(..X.....X`
*tplusTransportThread: Nov 22 23:43:16.315: tplus response: type=1 seq_no=2 session_id=0fb10af4 length=16 encrypted=0
*tplusTransportThread: Nov 22 23:43:16.315: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Nov 22 23:43:16.315: auth_cont get_pass reply: pkt_length=26
*tplusTransportThread: Nov 22 23:43:16.315: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Nov 22 23:43:16.353: 00000000: c0 01 04 00 0f b1 0a f4 .......... ............d...
*tplusTransportThread: Nov 22 23:43:16.353: 00000010: ac 51 .Q
*tplusTransportThread: Nov 22 23:43:16.353: tplus response: type=1 seq_no=4 session_id=0fb10af4 length=6 encrypted=0
*tplusTransportThread: Nov 22 23:43:16.353: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Nov 22 23:43:16.353: Forwarding request to 10.10.10.10 port=49
*tplusTransportThread: Nov 22 23:43:16.356: 00000000: c0 02 02 00 18 d3 91 67 00 00 00 06 cc e5 c2 af .......g........
*tplusTransportThread: Nov 22 23:43:16.356: 00000010: 32 69 2i
*tplusTransportThread: Nov 22 23:43:16.356: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0
*tplusTransportThread: Nov 22 23:43:16.356:
User has the following mgmtRole 0
*tplusTransportThread: Nov 22 23:43:16.356: 00:00:00:7e:00:00 Returning AAA Success for mobile 00:00:00:7e:00:00
*tplusTransportThread: Nov 22 23:43:16.356: AuthorizationResponse: 0x2d2e5678
*tplusTransportThread: Nov 22 23:43:16.356: structureSize................................74
*tplusTransportThread: Nov 22 23:43:16.356: resultCode...................................0
*tplusTransportThread: Nov 22 23:43:16.356: protocolUsed.................................0x00000010
*tplusTransportThread: Nov 22 23:43:16.356: proxyState...................................00:00:00:7E:00:00-00:00
*tplusTransportThread: Nov 22 23:43:16.356: Packet contains 2 AVPs:
*tplusTransportThread: Nov 22 23:43:16.356: AVP[01] Service-Type.............................0x00000000 (0) (4 bytes)
*tplusTransportThread: Nov 22 23:43:16.356: AVP[02] Unknown Attribute 243....................0x00000001 (1) (4 bytes)
11-22-2010 06:49 PM
Authentication is successful and you are also receiving authorization, but
"User has the following mgmtRole 0"
We should get something like,
author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
arg[0] = [9][role1=ALL]
User has the following mgmtRole fffffff8
Or,
author response body: status=1 arg_cnt=4 msg_len=0 data_len=0
arg[0] = [11][role1=WLAN]
arg[1] = [16][role2=CONTROLLER]
arg[2] = [14][role3=SECURITY]
arg[3] = [14][role4=COMMANDS]
User has the following mgmtRole 150
Increase TACACS server timeout on WLC and also follow below guide
http://www.cisco.com/en/US/docs/wireless/controller/4.1/configuration/guide/c41sol.html#wp1208657
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml
Note: Please rate the answer if it was helpful
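To make the difference between the poster's debug and the expected one concrete, here is an added example (not code from the thread, Cisco or ACS) that builds and decodes a TACACS+ authorization REPLY the way the controller has to. The packet header is the 12 bytes the WLC dumps (version, type, seq_no, flags, session_id, length); the body is obfuscated with the RFC 8907 MD5 pseudo-pad keyed by the shared secret, then carries status, arg_cnt, server_msg_len, data_len, the per-argument lengths and the arguments themselves. With the session id 0x18d39167 and seq_no 2 from the debug, the empty reply reproduces the header bytes shown there exactly (c0 02 02 00 18 d3 91 67 00 00 00 06); the body bytes differ because the real shared secret is unknown, so the secret, the packet builder and the roleN extraction helper are assumptions of this example. An ACS that returns no roleN arguments produces arg_cnt=0, which is the reply that ends in "mgmtRole 0"; the same parser run over a reply carrying role1=ALL or role1..role4 shows the arguments the WLC needs.

```python
"""Build and decode a TACACS+ authorization REPLY (RFC 8907) as a WLC sees it."""
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02                  # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # header flag: body sent in the clear
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01  # the "status=1" in the WLC debug
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

HEADER = struct.Struct("!BBBBII")       # version, type, seq_no, flags, session_id, body length
REPLY_FIXED = struct.Struct("!BBHH")    # status, arg_cnt, server_msg_len, data_len


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream for body obfuscation: chained MD5 over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call encrypts and decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(session_id, seq_no, key, status, args=(), version=0xC0):
    """Encode an authorization REPLY the way the ACS sends it to the controller (assumed builder)."""
    encoded = [a.encode() for a in args]
    body = REPLY_FIXED.pack(status, len(encoded), 0, 0)          # no server_msg, no data
    body += bytes(len(a) for a in encoded) + b"".join(encoded)  # arg lengths, then args
    header = HEADER.pack(version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_author_reply(packet, key):
    """Decode a REPLY into the fields the WLC prints: status, arg_cnt, msg_len, data_len, args."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("not an authorization packet")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = REPLY_FIXED.unpack(body[:REPLY_FIXED.size])
    off = REPLY_FIXED.size
    arg_lens = body[off:off + arg_cnt]
    off += arg_cnt
    server_msg = body[off:off + msg_len]
    off += msg_len
    data = body[off:off + data_len]
    off += data_len
    if off + sum(arg_lens) != length:   # garbage lengths are the usual sign of a wrong shared secret
        raise ValueError("length fields do not add up; wrong shared secret?")
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("ascii", "replace"))
        off += n
    return {"session_id": session_id, "seq_no": seq_no, "status": status, "arg_cnt": arg_cnt,
            "msg_len": msg_len, "data_len": data_len, "server_msg": server_msg,
            "data": data, "args": args}


def wlc_roles(reply):
    """Values of the roleN attributes the controller maps to mgmtRole; empty means mgmtRole 0."""
    roles = []
    for arg in reply["args"]:
        for sep in ("=", "*"):          # '=' mandatory, '*' optional attribute (RFC 8907)
            name, found, value = arg.partition(sep)
            if found and name.startswith("role"):
                roles.append(value)
                break
    return roles


if __name__ == "__main__":
    key = b"constructed-secret"   # stand-in for the WLC/ACS shared secret, not from the thread
    cases = ([], ["role1=ALL"],
             ["role1=WLAN", "role2=CONTROLLER", "role3=SECURITY", "role4=COMMANDS"])
    for args in cases:
        pkt = build_author_reply(0x18D39167, 2, key, TAC_PLUS_AUTHOR_STATUS_PASS_ADD, args)
        r = parse_author_reply(pkt, key)
        print(f"author response body: status={r['status']} arg_cnt={r['arg_cnt']} "
              f"msg_len={r['msg_len']} data_len={r['data_len']}")
        for i, a in enumerate(r["args"]):
            print(f"  arg[{i}] = [{len(a)}][{a}]")
        print("  roles:", wlc_roles(r) or "none -> WLC logs mgmtRole 0")
```

Two things worth checking against your own capture: the on-wire body never contains the literal "role1=" text (it is XORed with the pad), so a Wireshark filter on the string proves nothing, and a mismatched shared secret shows up in this parser as length fields that do not add up rather than as a clean status code, which is why a key typo on either side is easy to mistake for "authorization not passing".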
12-01-2010 01:18 PM
Thank you I have the WLC working now. Just gotta finish the rest now.