TACACS config in 5508 WLAN controller not working

tdennehy

Scenario:

Standing up new WLC.  Local auth works for getting into the box.  TACACS does not.

TACACS config on WLC appears to be correct, matching other known-good systems.

The owner of the ACS box states, "ACS reports show pass auth, but it routes your session back to prompt" after trying to login via SSH.

Anyone have an idea?

Thanks in advance!

9 Replies

What does "show tacacs summary" look like on your WLC?

Rasika

tdennehy

Authentication Servers

Idx  Server Address    Port    State     Tout  MgmtTout
---  ----------------  ------  --------  ----  --------
1    10.155.20.36      49      Enabled   10    2
2    10.11.119.19      49      Enabled   10    2

Authorization Servers

Idx  Server Address    Port    State     Tout  MgmtTout
---  ----------------  ------  --------  ----  --------
1    10.155.20.36      49      Enabled   10    2
2    10.11.119.19      49      Enabled   10    2

Accounting Servers

Idx  Server Address    Port    State     Tout  MgmtTout
---  ----------------  ------  --------  ----  --------
1    10.155.20.36      49      Enabled   10    10
2    10.11.119.19      49      Enabled   10    10

Can you do a "debug aaa tacacs enable" while someone is trying to authenticate and capture the output?

HTH,
Steve

(jkn001-011-wc04) >debug aaa tacacs enable

(jkn001-011-wc04) >*tplusTransportThread: Dec 18 22:16:15.646: Forwarding request to 10.155.20.36 port=49
*tplusTransportThread: Dec 18 22:16:15.659: tplus auth response: type=1 seq_no=2 session_id=8c5f3dd9 length=16 encrypted=0
*tplusTransportThread: Dec 18 22:16:15.659: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Dec 18 22:16:15.659: auth_cont get_pass reply: pkt_length=29
*tplusTransportThread: Dec 18 22:16:15.659: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Dec 18 22:16:15.985: tplus auth response: type=1 seq_no=4 session_id=8c5f3dd9 length=6 encrypted=0
*tplusTransportThread: Dec 18 22:16:15.986: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Dec 18 22:16:16.286: Forwarding request to 10.155.20.36 port=49
*tplusTransportThread: Dec 18 22:16:16.300: ATHR Socket closed underneath
*tplusTransportThread: Dec 18 22:16:18.906: No auth response from: 10.155.20.36, retrying with next server
*tplusTransportThread: Dec 18 22:16:18.906: Preparing message for retransmit. Decrypting first
*tplusTransportThread: Dec 18 22:16:18.906: Forwarding request to 10.11.119.19 port=49
*tplusTransportThread: Dec 18 22:16:18.925: ATHR Socket closed underneath
*tplusTransportThread: Dec 18 22:16:21.530: No auth response from: 10.11.119.19, retrying with next server
*tplusTransportThread: Dec 18 22:16:21.530: Preparing message for retransmit. Decrypting first
*tplusTransportThread: Dec 18 22:16:21.530: Forwarding request to 10.155.20.36 port=49
*tplusTransportThread: Dec 18 22:16:21.544: ATHR Socket closed underneath
*tplusTransportThread: Dec 18 22:16:24.150: Exhausted all available servers for Auth/Author packet

As you can clearly see, the WLC is trying all configured servers, but no response is coming from the TACACS server.

Check that TCP/UDP port 49 is open between the WLC and this server.


HTH

Rasika
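To make the trace quoted above easier to reason about, here is an added example (my own Python, not code from the thread, from Cisco or from ACS) that replays the debug lines from the post and tallies, per server, authentication replies, authorization-phase requests, peer-closed sockets and timeouts. Two points a practitioner will want on the record: TACACS+ runs over TCP port 49 only (there is no UDP variant), and a server that answered the AUTHEN exchange on that socket has already demonstrated port reachability, so the question becomes what happens on the follow-up connection. The verdict strings are my own heuristics, and the second "unreachable" trace is constructed, not taken from the thread.

```python
"""Classify a Cisco WLC `debug aaa tacacs enable` trace per TACACS+ server.

Added example, not from the original post.  The first trace below is the
one quoted in the thread; the second is constructed to show the branch
where no server ever answers.  Verdict names are this example's own.
"""
import re
import socket
from collections import defaultdict

# Message fragments as the WLC prints them (all appear in the quoted trace).
FORWARD_RE = re.compile(r"Forwarding request to (?P<ip>\d+\.\d+\.\d+\.\d+) port=(?P<port>\d+)")
AUTH_REPLY_RE = re.compile(r"tplus auth response: type=(?P<type>\d+) seq_no=(?P<seq>\d+) session_id=(?P<sid>[0-9a-f]+)")
AUTHOR_REQ_RE = re.compile(r"tplus_make_author_request\(\)")
SOCKET_CLOSED_RE = re.compile(r"ATHR Socket closed underneath")
NO_RESPONSE_RE = re.compile(r"No auth response from: (?P<ip>\d+\.\d+\.\d+\.\d+)")
EXHAUSTED_RE = re.compile(r"Exhausted all available servers")

# Copied from the thread (the poster's own debug output).
THREAD_TRACE = [
    "(jkn001-011-wc04) >*tplusTransportThread: Dec 18 22:16:15.646: Forwarding request to 10.155.20.36 port=49",
    "*tplusTransportThread: Dec 18 22:16:15.659: tplus auth response: type=1 seq_no=2 session_id=8c5f3dd9 length=16 encrypted=0",
    "*tplusTransportThread: Dec 18 22:16:15.659: TPLUS_AUTHEN_STATUS_GETPASS",
    "*tplusTransportThread: Dec 18 22:16:15.659: auth_cont get_pass reply: pkt_length=29",
    "*tplusTransportThread: Dec 18 22:16:15.659: processTplusAuthResponse: Continue auth transaction",
    "*tplusTransportThread: Dec 18 22:16:15.985: tplus auth response: type=1 seq_no=4 session_id=8c5f3dd9 length=6 encrypted=0",
    "*tplusTransportThread: Dec 18 22:16:15.986: tplus_make_author_request() from tplus_authen_passed returns rc=0",
    "*tplusTransportThread: Dec 18 22:16:16.286: Forwarding request to 10.155.20.36 port=49",
    "*tplusTransportThread: Dec 18 22:16:16.300: ATHR Socket closed underneath",
    "*tplusTransportThread: Dec 18 22:16:18.906: No auth response from: 10.155.20.36, retrying with next server",
    "*tplusTransportThread: Dec 18 22:16:18.906: Preparing message for retransmit. Decrypting first",
    "*tplusTransportThread: Dec 18 22:16:18.906: Forwarding request to 10.11.119.19 port=49",
    "*tplusTransportThread: Dec 18 22:16:18.925: ATHR Socket closed underneath",
    "*tplusTransportThread: Dec 18 22:16:21.530: No auth response from: 10.11.119.19, retrying with next server",
    "*tplusTransportThread: Dec 18 22:16:21.530: Preparing message for retransmit. Decrypting first",
    "*tplusTransportThread: Dec 18 22:16:21.530: Forwarding request to 10.155.20.36 port=49",
    "*tplusTransportThread: Dec 18 22:16:21.544: ATHR Socket closed underneath",
    "*tplusTransportThread: Dec 18 22:16:24.150: Exhausted all available servers for Auth/Author packet",
]

# Constructed, not from the thread: a server that never answers at all.
UNREACHABLE_TRACE = [
    "*tplusTransportThread: Dec 18 22:20:00.000: Forwarding request to 10.155.20.36 port=49",
    "*tplusTransportThread: Dec 18 22:20:10.000: No auth response from: 10.155.20.36, retrying with next server",
    "*tplusTransportThread: Dec 18 22:20:10.000: Exhausted all available servers for Auth/Author packet",
]


def parse_trace(lines):
    """Return ({server_ip: counters}, exhausted_flag).

    The WLC logs this on a single thread, so the most recent "Forwarding
    request" line tells us which server a later reply/close belongs to.
    The phase flips to "author" once the WLC reports the AUTHEN exchange
    passed and it builds the authorization request.
    """
    stats = defaultdict(lambda: {"auth_replies": 0, "socket_closed": 0,
                                 "timeouts": 0, "author_phase": 0})
    current, phase, exhausted = None, "authen", False
    for line in lines:
        m = FORWARD_RE.search(line)
        if m:
            current = m.group("ip")
            if phase == "author":
                stats[current]["author_phase"] += 1
            continue
        if AUTHOR_REQ_RE.search(line):
            phase = "author"
            continue
        if EXHAUSTED_RE.search(line):
            exhausted = True
        if current is None:
            continue
        if AUTH_REPLY_RE.search(line):
            stats[current]["auth_replies"] += 1
        elif SOCKET_CLOSED_RE.search(line):
            stats[current]["socket_closed"] += 1
        elif NO_RESPONSE_RE.search(line):
            stats[current]["timeouts"] += 1
    return dict(stats), exhausted


def diagnose(stats, exhausted):
    """Map the counters to a verdict (this example's own heuristics)."""
    answered = [ip for ip, s in stats.items() if s["auth_replies"] > 0]
    silent = [ip for ip, s in stats.items() if s["auth_replies"] == 0 and s["timeouts"] > 0]
    closed_in_author = [ip for ip, s in stats.items()
                        if s["author_phase"] > 0 and s["socket_closed"] > 0]
    if silent and not answered:
        return "no_tcp49_reachability"        # nothing ever came back: check path/port
    if answered and closed_in_author and exhausted:
        return "authen_ok_author_rejected"    # AUTHEN answered, AUTHOR socket closed by peer
    return "inconclusive"


def tcp_port_open(host, port=49, timeout=3.0):
    """Plain TCP connect check for the TACACS+ port (TACACS+ is TCP only)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for name, trace in (("thread", THREAD_TRACE), ("constructed", UNREACHABLE_TRACE)):
        stats, exhausted = parse_trace(trace)
        print(name, stats, "->", diagnose(stats, exhausted))
```

Run against the quoted trace, the counters show 10.155.20.36 answering both AUTHEN packets (seq_no 2 and 4) and then closing the socket on every authorization attempt, while 10.11.119.19 only ever saw an authorization retransmit; `tcp_port_open` is the same check as Rasika's "is port 49 open" step, expressed as a connect test rather than a firewall rule review.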

Rasika, we both agree, as usual.  There is no response from the servers.  Either the port is blocked or the servers are not configured.  I have usually come to this conclusion before I post, just to see if everyone agrees with me.  Since our CWNE community is very small, I go here for confirmation. 

Congrats, by the way.

Hi

Thanks for the congrats (I hope it is for the CWNP stuff).

Regarding your issue, try increasing the timeout value and see if that helps. The post below mentions something similar:

https://supportforums.cisco.com/discussion/11480676/issues-wlc-7x-and-cisco-acs-51-web-auth

If you can take a packet capture where your TACACS server is connected while you are doing a test, that will show us what's going on at that end.

I believe you have full reachability between the WLC management interface and all these servers.

HTH

Rasika


Yep... I follow all your posts. Thanks for putting that out there.

In the GUI I could change the timeout to ten seconds.  Had no effect.  I even turned them off and used the CLI, then turned back on.  Still no effect.

Sir,

Was this ever resolved? I'm having the same tacacs+ issue and haven't been able to resolve.

Thanks,

Jeff
