Introduction
Getting WLC login screen again and again when using ACS credentials and log shows "Privilege Level" is only 1.
Scenario
I was wondering if anyone has successfully managed to configure ACS 5.1 to accept login request from a 5500 WLC?
I've managed to get it configured following the follow link Cisco Wireless LAN Controller (WLC) and Cisco ACS 5.x (TACACS+) Configuration Example for Web Authentication but when I try to login to the WLC using my ACS credentials I just get the login screen again. I've checked the ACS logs and it says my username has passed the authentication process and it matches all the rules I've set. The only thing I've noticed is my "Privilege Level" is only 1 but I'm not sure if thats correct for a http login.
Hardware
Cisco 5500 Series Wireless Controller
Software
Cisco Secure Access Control System 5.1
More Details
As directed in the above mentioned document Cisco Wireless LAN Controller (WLC) and Cisco ACS 5.x (TACACS+) Configuration Example for Web Authentication, user tried to configure role defined as "ALL", even then he is getting "Privilege Level 1".
ACS Shell Profile
ACS Authentication Logs
Troubleshooting
Login to the CLI with the local credentials and run
debug aaa tacacs enable
then try GUI with TACACS+ credentials. this will show what is coming back from the TACACS server.
Debugs
(Cisco Controller) >config *tplusTransportThread: Jan 24 11:29:41.519: Forwarding request to 10.10.11.12 port=49 *tplusTransportThread: Jan 24 11:29:41.520: tplus auth response: type=1 seq_no=2 session_id=f432fef2 length=16 encrypted=0 *tplusTransportThread: Jan 24 11:29:41.520: TPLUS_AUTHEN_STATUS_GETPASS *tplusTransportThread: Jan 24 11:29:41.520: auth_cont get_pass reply: pkt_length=26 *tplusTransportThread: Jan 24 11:29:41.520: processTplusAuthResponse: Continue auth transaction *tplusTransportThread: Jan 24 11:29:41.526: tplus auth response: type=1 seq_no=4 session_id=f432fef2 length=6 encrypted=0 *tplusTransportThread: Jan 24 11:29:41.526: tplus_make_author_request() from tplus_authen_passed returns rc=0 *tplusTransportThread: Jan 24 11:29:41.526: Forwarding request to 10.10.11.12 port=49 *tplusTransportThread: Jan 24 11:29:41.531: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0 *tplusTransportThread: Jan 24 11:29:41.531: arg[0] = [28][role1=ALL
Also
When user logged into WLC with TACACS+ account then Local, he can't login using any credentials (local or otherwise) unless he disable the switch port that the ACS is on.
Here is another debug log.
(Cisco Controller) >*emWeb: Jan 24 11:38:36.782: Log to TACACS server(if online): aaa auth mgmt tacacs local *aaaQueueReader: Jan 24 11:38:36.783: cmd_buff=[aaa auth mgmt tacacs local] cmd_buff_len=[27] *aaaQueueReader: Jan 24 11:38:36.783: tplus_make_acct_request: pkt->length=116 acct_len=116 arg_total_len=83 *tplusTransportThread: Jan 24 11:38:36.835: Forwarding request to 10.10.11.12 port=49 *tplusTransportThread: Jan 24 11:38:36.841: ACCT response length = 5, buffer len = 17 *tplusTransportThread: Jan 24 11:38:36.841: ACCT response body: status=1 msg_len=0 data_len=0 *tplusTransportThread: Jan 24 11:38:36.841: ACCT Socket closed underneath *tplusTransportThread: Jan 24 11:38:45.967: Forwarding request to 10.10.11.12 port=49 *tplusTransportThread: Jan 24 11:38:45.968: tplus auth response: type=1 seq_no=2 session_id=d443ded8 length=16 encrypted=0 *tplusTransportThread: Jan 24 11:38:45.968: TPLUS_AUTHEN_STATUS_GETPASS *tplusTransportThread: Jan 24 11:38:45.968: auth_cont get_pass reply: pkt_length=26 *tplusTransportThread: Jan 24 11:38:45.968: processTplusAuthResponse: Continue auth transaction *tplusTransportThread: Jan 24 11:38:45.974: tplus auth response: type=1 seq_no=4 session_id=d443ded8 length=6 encrypted=0 *tplusTransportThread: Jan 24 11:38:45.974: tplus_make_author_request() from tplus_authen_passed returns rc=0 *tplusTransportThread: Jan 24 11:38:45.974: Forwarding request to 10.10.11.12 port=49 *tplusTransportThread: Jan 24 11:38:45.980: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0 *tplusTransportThread: Jan 24 11:38:45.980: arg[0] = [28][role1=ALL] *tplusTransportThread: Jan 24 11:38:45.980: User has the following mgmtRole 0 *tplusTransportThread: Jan 24 11:39:09.451: Forwarding request to 10.10.11.12 port=49 *tplusTransportThread: Jan 24 11:39:09.452: tplus auth response: type=1 seq_no=2 session_id=23510ed4 length=16 encrypted=0 *tplusTransportThread: Jan 24 11:39:09.452: TPLUS_AUTHEN_STATUS_GETPASS *tplusTransportThread: Jan 24 11:39:09.452: auth_cont get_pass reply: pkt_length=28 *tplusTransportThread: Jan 24 11:39:09.452: processTplusAuthResponse: Continue auth transaction *tplusTransportThread: Jan 24 11:39:09.457: tplus auth response: type=1 seq_no=4 session_id=23510ed4 length=6 encrypted=0
Solution
it looks like there is a space or a carriage return after the ALL
*tplusTransportThread: Jan 24 11:38:45.980: arg[0] = [28][role1=ALL]
Can you rebuild that attribute and click apply, you might just be able to put the cursor behind the ALL and hit delete.
More Information
You can setup multiple roles for a user instead of using ALL. See step 5
In the text box below Custom attributes, enter this text if the user created needs access only to WLAN, SECURITY and CONTROLLER: role1=WLAN role2=SECURITY role3=CONTROLLER.If the user needs access only to the SECURITY tab, enter this text: role1=SECURITY.The role corresponds to the seven menu bar items in the controller web GUI. The menu bar items are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT and COMMAND.
Enter the role that a user needs for role1, role2 and so on. If a user needs all the roles, then the keyword ALL should be used. For the lobby admin role, the keyword LOBBY should be used.