06-09-2011 01:02 PM - edited 03-10-2019 06:09 PM
For an unknown reason I cannot get the WLC to authenticate correctly with ACS 5.2. It's very strange in the sense that when I checked the log, ACS authenticates and authorizes the WLC 4402, but I cannot log in to the WLC. The login screen appeared; if I typed a user name it jumped to
Controller>
user:
password:
No matter what I typed (internal or external users), nothing seemed to work.
This is my frustration: I have no problem authenticating routers and switches, except the WLC 4402.
06-12-2011 12:48 AM
Hi,
Please do the following:
-Create a Shell Profile called PermitWLC under Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles.
-Under Custom Attributes add the Roles manually with attribute "Role1", requirement "Mandatory" and the value "ALL".
-Finally under Access Policies, edit the Authorization section of the Access Policy that they should be hitting, and Add a rule that matches Protocol TACACS and NDG:Device Type
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
06-12-2011 01:14 AM
Thanks very much, Anisha. I already did this process two days ago. If I apply the WLC rule above the other rules I created, nobody, including the admin rule with full access, was able to log in to routers or switches.
Regards
Isaac
06-12-2011 06:07 PM
Hi,
Please undo the steps mentioned in the previous posts. Can you try this option:
-Create a Shell Profile called PermitWLC under Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles
-Under Custom Attributes add the Roles manually with attribute "Role1", requirement "Mandatory" and the value "ALL".
-Under Policy Elements > Session Conditions > Custom, create a new condition called customtacacs, select dictionary TACACS+ and attribute Service-Argument.
-Under Access Policies, edit the Authorization section of the Access Policy they should be hitting, and Add a rule (don't edit existing rule, and put this one at the top) that matches Protocol TACACS and customtacacs contains ciscowlc, on that rule under Results set the Shell Profile to be Permit WLC
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
06-16-2011 06:54 AM
Hi Anisha,
Thanks for your help. I have followed what you mentioned, but unfortunately there is one issue after the implementation.
See my debug on the WLC: "Incorrectly formatted authorization message". I couldn't find any information on the Cisco site.
(Cisco Controller) >
(Cisco Controller) >debug aaa all enable
(Cisco Controller) >*Jun 16 16:03:13.313: AuthenticationRequest: 0x18864594
*Jun 16 16:03:13.314: Callback.....................................0x10634554
*Jun 16 16:03:13.314: protocolType.................................0x00020030
*Jun 16 16:03:13.314: proxyState...................................00:00:00:67:00:00-00:00
*Jun 16 16:03:13.314: Packet contains 5 AVPs (not shown)
*Jun 16 16:03:13.314: Forwarding request to 10.204.67.65 port=49
*Jun 16 16:03:15.111: 00000000: c0 01 02 00 9d 90 24 e9 00 00 00 10 b0 c9 a1 36 ......$........6
*Jun 16 16:03:15.111: 00000010: dc e5 4c 82 77 94 a8 f1 4f 1d cb 77 ..L.w...O..w
*Jun 16 16:03:15.111: tplus response: type=1 seq_no=2 session_id=9d9024e9 length=16 encrypted=0
*Jun 16 16:03:15.111: TPLUS_AUTHEN_STATUS_GETPASS
*Jun 16 16:03:15.111: auth_cont get_pass reply: pkt_length=26
*Jun 16 16:03:15.111: processTplusAuthResponse: Continue auth transaction
*Jun 16 16:03:15.115: 00000000: c0 01 04 00 9d 90 24 e9 00 00 00 06 6d a0 b7 49 ......$.....m..I
*Jun 16 16:03:15.115: 00000010: 12 aa ..
*Jun 16 16:03:15.115: tplus response: type=1 seq_no=4 session_id=9d9024e9 length=6 encrypted=0
*Jun 16 16:03:15.115: tplus_make_author_request() from tplus_authen_passed returns rc=0
*Jun 16 16:03:15.115: Forwarding request to 10.204.67.65 port=49
*Jun 16 16:03:15.119: 00000000: c0 02 02 00 3a de 8c ed 00 00 00 12 20 80 06 e7 ....:...........
*Jun 16 16:03:15.119: 00000010: 86 15 bd 20 99 ba d3 87 79 b2 70 b8 0c ce ........y.p...
*Jun 16 16:03:15.119: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*Jun 16 16:03:15.119: arg[0] = [11][priv-lvl=15]
*Jun 16 16:03:15.119:
Incorrectly formatted authorization message
*Jun 16 16:03:15.119: 00:00:00:67:00:00 Returning AAA Success for mobile 00:00:00:67:00:00
*Jun 16 16:03:15.119: AuthorizationResponse: 0x18b992b4
*Jun 16 16:03:15.119: structureSize................................74
*Jun 16 16:03:15.119: resultCode...................................0
*Jun 16 16:03:15.119: protocolUsed.................................0x00000010
*Jun 16 16:03:15.119: proxyState...................................00:00:00:67:00:00-00:00
*Jun 16 16:03:15.119: Packet contains 2 AVPs:
*Jun 16 16:03:15.119: AVP[01] Service-Type.............................0x00000000 (0) (4 bytes)
*Jun 16 16:03:15.119: AVP[02] Unknown Attribute 243....................0x00000001 (1) (4 bytes)
*Jun 16 16:03:15.120: Authentication failed for isaac, Service Type: 0
Thanks again for your input....
Regards
Isaac
06-16-2011 10:57 PM
Hi,
Please remove the privilege level settings on the ACS.
Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles > Common Tasks
Default Privilege -- Not in Use.
Maximum Privilege -- Not in use
Hope this helps.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts
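Added example (Python, not from this thread or from Cisco): it builds and decodes a TACACS+ authorization REPLY carrying the same fields the WLC debug above reports (status=1, arg_cnt=1, one arg `priv-lvl=15`, header length 0x12) and then screens the args the way this fix implies, accepting only roleN=<role> attributes. The packet layout follows RFC 8907; the constructed body is sent with the unencrypted flag set so it can be read without the shared secret, and the role list is taken from the values quoted in this thread (the captured bytes in the debug are obfuscated and are not reused here).

```python
import struct

TAC_PLUS_AUTHOR = 0x02              # header 'type' for authorization packets
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # body not obfuscated with the shared secret
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}
# Role values named in this thread; the WLC expects roleN=<value> args, not priv-lvl.
WLC_ROLES = {"ALL", "WLAN", "WIRELESS", "CONTROLLER", "MONITOR",
             "SECURITY", "COMMANDS", "MANAGEMENT"}

def build_author_reply(session_id, seq_no, status, args):
    """Header + plaintext authorization REPLY body (RFC 8907 layout):
    status, arg_cnt, server_msg_len, data_len, arg lens, server_msg, data, args."""
    encoded = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(encoded), 0, 0)
    body += bytes(len(a) for a in encoded) + b"".join(encoded)
    header = struct.pack("!BBBBII", 0xC0, TAC_PLUS_AUTHOR, seq_no,
                         TAC_PLUS_UNENCRYPTED_FLAG, session_id, len(body))
    return header + body

def parse_author_reply(pkt):
    """Decode what the WLC prints as 'author response body: status=.. arg_cnt=..'."""
    _ver, ptype, seq, flags, sid, length = struct.unpack("!BBBBII", pkt[:12])
    body = pkt[12:]
    if ptype != TAC_PLUS_AUTHOR or len(body) != length:
        raise ValueError("not an authorization packet, or header length mismatch")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("body is obfuscated with the shared secret; decrypt first")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + arg_cnt])
    pos = 6 + arg_cnt + msg_len + data_len       # args follow server_msg and data
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode())
        pos += n
    return {"status": AUTHOR_STATUS.get(status, status), "seq_no": seq,
            "session_id": sid, "args": args}

def wlc_role_check(args):
    """Return the args a WLC would not accept. Per the thread, only roleN=<role>
    works; a priv-lvl arg (ACS 'Common Tasks' privilege level) breaks the login."""
    bad = []
    for a in args:
        name, sep, value = a.partition("=")          # '=' mandatory, '*' optional
        if not sep:
            name, sep, value = a.partition("*")
        if not (name.startswith("role") and name[4:].isdigit() and value in WLC_ROLES):
            bad.append(a)
    return bad
```

Run `wlc_role_check` over the args your ACS actually returns (visible in the WLC `debug aaa all enable` output) to see which attribute the controller is choking on before changing the shell profile.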
06-21-2011 12:12 PM
Hi Anisha,
Thanks for your support. I finally got around the monster: I upgraded the WLC image and it works as you suggested.
Best regards
Isaac
10-06-2011 08:29 AM
I had a similar problem. I set up the custom shell attributes as role1 Mandatory ALL.
I could not get into the WLC4402.
I decided to change the shell attribute to just one feature, such as role1 Mandatory WIRELESS,
and the WLC let me in, but I was restricted to modifying items under the WIRELESS dropdown menu of the GUI.
I kept adding different menu items as separate roles, one at a time, until I could not log in. It broke when I added a role with the value of MANAGEMENT.
So, for now, I have added 6 roles under the shell profile:
WLAN
WIRELESS
CONTROLLER
GUI:MONITOR
SECURITY
COMMANDS
I can log into the WLCs, and change any item except those under the MANAGEMENT menu on the GUI.
WLC4402 version 7.098, ACS server 5.2
10-13-2011 09:41 AM
I have the same problem.
Could it be a bug?
Antero