cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

9029
Views
0
Helpful
6
Replies
Beginner

Service-Type is not present Error When Attempting to Authenticate WLC Managment Users to ACS 5.2.0.26.3

Greetings all,

I an currently running Cisco (ACS 5.2.0.26.3) and attempting to get my Cisco 5508 WLC's (7.0.98.0) loaded into ACS for TACACS+ authentication for managment users.

However I keep getting the following error:

*emWeb: Sep 14 14:44:45.931: %EMWEB-1-LOGIN_FAILED: ews_auth.c:2104 Login failed for the user:test_tac. Service-Type is not present or it doesn't allow READ/WRITE permission.

Now I've attempted the step-by-step using the following URL but to no avail.( there are some slight differences in ACS 5.2)

https://supportforums.cisco.com/docs/DOC-14908

Latest WLC configuration guide I could find (Software Release 7.0 June 2010) isn't much help either.

Does anybody out there have any suggestions or know of any caveats trying to get these two platforms to operate together.

Thanks in advance !

6 REPLIES 6
Beginner

Re: Service-Type is not present Error When Attempting to Authent

Hi,

Try following the instructionsin the attached file. I used this again yesterday on an ACS with 5.2.0.26.6 code and a WLC 5508 with 7.0.116.0 and all is well.

Regards

Barry

Beginner

Re: Service-Type is not present Error When Attempting to Authent

Barry,

Thanks for this reply and attachment.

If I get time today I'll give it a shot

Thanks again!

Sent from Cisco Technical Support iPhone App

Highlighted
Beginner

Service-Type is not present Error When Attempting to Authenticat

Did you ever get this working?  I'm having the same issue that you are having now.

Beginner

Service-Type is not present Error When Attempting to Authenticat

Actually I fond out what the issue was. 

You have to setup the Authentication and Authorization on the TACACS+ tab in the WLC.

I just setup them both up with the same settings.

Also as described earlier you need to setup Policy Elements-->Authorization and Permissions->Device Amdinistration->Shell Profiles

Create new -

name:WLC

Custom attributes:  role1 - Mandatory - ALL

and Cap's does matter.

Beginner

Service-Type is not present Error When Attempting to Authenticat

Bobby,

Thanks for the reply, and no I haven't got this working as it's been a low priority compared to like 10 other projects I have and haven't spent much time since my original post

The last time I checked I thought I had both Authentication/Authorization provisioned , but I still need to double-check the ACS server to ensure that attempts to login to this device are not matching on other profiles provisioned on this server.

I'll let you know what I find out.

Thanks again !

Beginner

Service-Type is not present Error When Attempting to Authenticat

Well, I finally had some time to focus on this issue today and was able to resolve this issue (tenative).

1st - My initial problem was the user account created for managing these devices were matching on other rules predefined in my ACS.

2nd - Once that issue was resolved I still received the same error , except I was matching on all approprate polices using

Custom attributes:  role1 - Mandatory - ALL

I performed a debug aaa tacacs enable from the WLC CLI and received the following messages:

*tplusTransportThread: Nov 23 18:36:01.357: processTplusAuthResponse: Continue auth transaction

*tplusTransportThread: Nov 23 18:36:01.370: tplus response: type=1 seq_no=4 session_id=f009b840 length=6 encrypted=0

*tplusTransportThread: Nov 23 18:36:01.371: tplus_make_author_request() from tplus_authen_passed returns rc=

*tplusTransportThread: Nov 23 18:36:01.371: Forwarding request to xxx.xxx.xxx.xxx port=49

*tplusTransportThread: Nov 23 18:36:01.391: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0

*tplusTransportThread: Nov 23 18:36:01.391:

                                            User has the following mgmtRole 0

mgmtRole 0 did not appear to be a valid option so I starting adding in other roles in place "ALL" i.e MANAGEMENT,WIRELESS,COMMANDS, etc..

Will all roles defined in ACS with the exception of LOBBY, I am now able to login and admistrate the WLC and debugs return the following:

*tplusTransportThread: Nov 23 19:14:48.312: Forwarding request to xxx.xxx.xxx.xxx port=49

*tplusTransportThread: Nov 23 19:14:48.330: author response body: status=1 arg_cnt=6 msg_len=0 data_len=0

*tplusTransportThread: Nov 23 19:14:48.330: arg[0] = [16][role1=MANAGEMENT]

*tplusTransportThread: Nov 23 19:14:48.330: arg[1] = [36][role2=WIRELESS                      ]

*tplusTransportThread: Nov 23 19:14:48.330: arg[2] = [10][role3=WLAN]

*tplusTransportThread: Nov 23 19:14:48.330: arg[3] = [16][role4=CONTROLLER]

*tplusTransportThread: Nov 23 19:14:48.330: arg[4] = [14][role5=SECURITY]

*tplusTransportThread: Nov 23 19:14:48.330: arg[5] = [14][role6=COMMANDS]

I've performed all the admistrative tasks I've done since I've been in control of these devices and have had not issue.

I think I'll open up a TAC case when I return from the holiday weekend and see if the role "ALL" is still being used in the versions of ACS and WLC that I am running  or if there is something else causing me not to be able to use that role as it's been previously documented.

A big thanks to those who replied to this discussion !!