1687 Views, 0 Helpful, 6 Replies
johnlloyd_13
Engager

Add TACACS+ to WLC 2504

Hi,

I tried to add TACACS+ to a WLC 2504 but can't seem to get it to work.

Below is what I did:

Security > Authentication > New > add TACACS+ server IP and shared secret

Security > Priority Order > put TACACS+ first in the order

Below is a debug output. Anything I'm missing?

(Cisco Controller) >debug aaa tacacs enable

(Cisco Controller) >*emWeb: Feb 27 08:01:21.230:
Log to TACACS server(if online): aaa auth mgmt  tacacs local
*tplusTransportThread: Feb 27 08:02:05.906: Conecting to tacacs server 66.5.3.1 on port=49
*tplusTransportThread: Feb 27 08:02:08.358: Received tplus auth response: type=1 seq_no=2 session_id=ad61aa00 length=16 encrypted=0
*tplusTransportThread: Feb 27 08:02:08.358: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Feb 27 08:02:08.358: auth_cont get_pass reply: pkt_length=25
*tplusTransportThread: Feb 27 08:02:08.358: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Feb 27 08:02:10.561: Received tplus auth response: type=1 seq_no=4 session_id=ad61aa00 length=6 encrypted=0
*tplusTransportThread: Feb 27 08:02:10.562: Created tacacs author request payload(rc=0)
*tplusTransportThread: Feb 27 08:02:10.562: TPLUS_AUTHEN_STATUS_PASS: username=[John]
*tplusTransportThread: Feb 27 08:02:10.562: Conecting to tacacs server 89.2.2.1 on port=49
*tplusTransportThread: Feb 27 08:02:12.886: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Feb 27 08:02:12.886: arg[0] = [11][priv-lvl=15]
*tplusTransportThread: Feb 27 08:02:12.886: Incorrectly formatted authorization message
*tplusTransportThread: Feb 27 08:02:17.698: Conecting to tacacs server 66.5.3.1 on port=49
*tplusTransportThread: Feb 27 08:02:20.138: Received tplus auth response: type=1 seq_no=2 session_id=e7261774 length=16 encrypted=0
*tplusTransportThread: Feb 27 08:02:20.138: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Feb 27 08:02:20.138: auth_cont get_pass reply: pkt_length=25
*tplusTransportThread: Feb 27 08:02:20.138: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Feb 27 08:02:22.342: Received tplus auth response: type=1 seq_no=4 session_id=e7261774 length=6 encrypted=0
*tplusTransportThread: Feb 27 08:02:22.342: Created tacacs author request payload(rc=0)
*tplusTransportThread: Feb 27 08:02:22.342: TPLUS_AUTHEN_STATUS_PASS: username=[John]
*tplusTransportThread: Feb 27 08:02:22.342: Conecting to tacacs server 89.2.2.1 on port=49
*tplusTransportThread: Feb 27 08:02:24.834: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Feb 27 08:02:24.834: arg[0] = [11][priv-lvl=15]

Accepted Solution
Karsten Iwen
VIP Mentor

You can return

role1=ALL

instead of the privilege level:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01010.html#setting-up-tacacs

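The WLC's "Incorrectly formatted authorization message" line in the debug above is the controller rejecting a PASS reply whose only attribute is priv-lvl=15. As an added example (not code from this post or from Cisco), here is a Python decoder for the TACACS+ authorization REPLY body as laid out in RFC 8907 section 6.2, plus a WLC-style role check that reproduces that outcome and shows a reply carrying role1=ALL being accepted. The TACACS+ packet header and body obfuscation are left out (the debug output already shows the decrypted body), the role values other than ALL are listed from memory of the WLC configuration guide, and the function names and sample replies are the example's own assumptions.

```python
"""Decode a TACACS+ authorization REPLY body and apply a WLC-style role check.

Added example; not from the original post or from Cisco.  Body layout per
RFC 8907 section 6.2: status (1), arg_cnt (1), server_msg_len (2),
data_len (2), one length byte per arg, then server_msg, data and the args.
The debug output in the thread shows exactly these fields
(status=1 arg_cnt=1 msg_len=0 data_len=0, arg[0] = [11][priv-lvl=15]).
"""
import struct

# RFC 8907 authorization status codes (only the ones needed here).
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_PASS_REPL = 0x02
AUTHOR_STATUS_FAIL = 0x10
AUTHOR_STATUS_ERROR = 0x11

# Attributes and values the WLC understands.  ALL is the value the accepted
# answer recommends; the other role names are an assumption from memory of
# the WLC configuration guide, not something the thread itself shows.
WLC_ROLE_ATTRS = ("role1", "role2", "role3", "role4")
WLC_ROLE_VALUES = {"ALL", "MONITOR", "WLAN", "CONTROLLER", "WIRELESS",
                   "SECURITY", "MANAGEMENT", "COMMANDS", "LOBBY"}


def build_author_reply(status, args, server_msg=b"", data=b""):
    """Serialize an authorization REPLY body (the part the WLC logs)."""
    encoded = [a.encode("ascii") for a in args]
    if len(encoded) > 255 or any(len(a) > 255 for a in encoded):
        raise ValueError("arg_cnt and each arg length are single bytes")
    body = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    body += bytes(len(a) for a in encoded)      # per-arg length table
    return body + server_msg + data + b"".join(encoded)


def parse_author_reply(body):
    """Parse a REPLY body; returns a dict with the same fields the WLC logs."""
    if len(body) < 6:
        raise ValueError("body shorter than the fixed header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    pos = 6
    lengths = list(body[pos:pos + arg_cnt])
    if len(lengths) != arg_cnt:
        raise ValueError("truncated arg length table")
    pos += arg_cnt
    server_msg = body[pos:pos + msg_len]
    pos += msg_len
    data = body[pos:pos + data_len]
    pos += data_len
    args = []
    for n in lengths:
        chunk = body[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated arg")
        args.append(chunk.decode("ascii", "replace"))
        pos += n
    if pos != len(body):
        raise ValueError("trailing bytes after last arg")
    return {"status": status, "arg_cnt": arg_cnt, "msg_len": msg_len,
            "data_len": data_len, "server_msg": server_msg, "data": data,
            "args": args}


def wlc_roles(reply):
    """Return the roles a WLC would grant, or None if it would reject the reply.

    Mirrors what the thread observed: a PASS reply carrying only priv-lvl=15
    is useless to the controller, which looks for roleN= attributes.
    """
    if reply["status"] not in (AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL):
        return None
    roles = []
    for arg in reply["args"]:
        # RFC 8907: '=' marks a mandatory attribute, '*' an optional one.
        for sep in ("=", "*"):
            if sep in arg:
                name, value = arg.split(sep, 1)
                break
        else:
            continue                              # no separator: not an AVP
        if name in WLC_ROLE_ATTRS and value in WLC_ROLE_VALUES:
            roles.append(value)
    return roles or None


# Constructed samples: the reply seen in the thread and the one the answer suggests.
REPLY_PRIV_LVL = build_author_reply(AUTHOR_STATUS_PASS_ADD, ["priv-lvl=15"])
REPLY_ROLE_ALL = build_author_reply(AUTHOR_STATUS_PASS_ADD, ["role1=ALL"])

if __name__ == "__main__":
    for body in (REPLY_PRIV_LVL, REPLY_ROLE_ALL):
        r = parse_author_reply(body)
        print(f"status={r['status']} arg_cnt={r['arg_cnt']} msg_len={r['msg_len']} "
              f"data_len={r['data_len']} args={r['args']} roles={wlc_roles(r)}")
```

Running it prints the priv-lvl=15 reply with roles=None and the role1=ALL reply with roles=['ALL']; the single length byte for priv-lvl=15 is 11, matching the [11] in the debug output. On the server side the fix is therefore to add the role1 attribute to the shell profile returned to the WLC, not to change the privilege level.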

6 REPLIES 6

Hi Karsten,

I had a feeling this was a problem on the ACS server.

I'll have the attribute added and test again, as I don't have write access to our ACS.

ACS attribute was tweaked and WLC can authenticate via TACACS+

Changing the shell:roles= to ALL doesn't work. I just did it on ISE and still have the issue. Thanks.

iroperto1
Beginner

But what's the solution? I don't see anything indicating how to fix it. The link provided is standard troubleshooting.
iroperto1
Beginner

How do you fix this issue? Could you please post the steps or process you used to fix it.