Add TACACS+ to WLC 2504

johnlloyd_13
Level 9

hi,

I tried to add TACACS+ to a WLC 2504 but can't seem to get it to work.

Below is what I did:

security > authentication > new > add TACACS+ server IP and shared secret

security > priority order > put first order for TACACS+

Below is a debug output. Anything I'm missing?

(Cisco Controller) >debug aaa tacacs enable

(Cisco Controller) >*emWeb: Feb 27 08:01:21.230:
Log to TACACS server(if online): aaa auth mgmt  tacacs local
*tplusTransportThread: Feb 27 08:02:05.906: Conecting to tacacs server 66.5.3.1 on port=49
*tplusTransportThread: Feb 27 08:02:08.358: Received tplus auth response: type=1 seq_no=2 session_id=ad61aa00 length=16 encrypted=0
*tplusTransportThread: Feb 27 08:02:08.358: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Feb 27 08:02:08.358: auth_cont get_pass reply: pkt_length=25
*tplusTransportThread: Feb 27 08:02:08.358: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Feb 27 08:02:10.561: Received tplus auth response: type=1 seq_no=4 session_id=ad61aa00 length=6 encrypted=0
*tplusTransportThread: Feb 27 08:02:10.562: Created tacacs author request payload(rc=0)
*tplusTransportThread: Feb 27 08:02:10.562: TPLUS_AUTHEN_STATUS_PASS: username=[John]
*tplusTransportThread: Feb 27 08:02:10.562: Conecting to tacacs server 89.2.2.1 on port=49
*tplusTransportThread: Feb 27 08:02:12.886: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Feb 27 08:02:12.886: arg[0] = [11][priv-lvl=15]
*tplusTransportThread: Feb 27 08:02:12.886: Incorrectly formatted authorization message
*tplusTransportThread: Feb 27 08:02:17.698: Conecting to tacacs server 66.5.3.1 on port=49
*tplusTransportThread: Feb 27 08:02:20.138: Received tplus auth response: type=1 seq_no=2 session_id=e7261774 length=16 encrypted=0
*tplusTransportThread: Feb 27 08:02:20.138: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Feb 27 08:02:20.138: auth_cont get_pass reply: pkt_length=25
*tplusTransportThread: Feb 27 08:02:20.138: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Feb 27 08:02:22.342: Received tplus auth response: type=1 seq_no=4 session_id=e7261774 length=6 encrypted=0
*tplusTransportThread: Feb 27 08:02:22.342: Created tacacs author request payload(rc=0)
*tplusTransportThread: Feb 27 08:02:22.342: TPLUS_AUTHEN_STATUS_PASS: username=[John]
*tplusTransportThread: Feb 27 08:02:22.342: Conecting to tacacs server 89.2.2.1 on port=49
*tplusTransportThread: Feb 27 08:02:24.834: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Feb 27 08:02:24.834: arg[0] = [11][priv-lvl=15]


6 Replies

You can return

role1=ALL

instead of the privilege-level:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01010.html#setting-up-tacacs
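To make the distinction concrete, here is an added example (my own code, not from the thread or from Cisco) that parses the "debug aaa tacacs enable" lines quoted above, pulls out the attributes the TACACS+ server returned in its authorization reply, and reports whether a WLC role attribute (role1=ALL) was returned or only priv-lvl. The sample log is a constructed excerpt of the original post's output.

```python
import re

# Constructed excerpt of the thread's "debug aaa tacacs enable" output
# (values copied from the post; not captured from a live WLC).
WLC_DEBUG = """\
*tplusTransportThread: Feb 27 08:02:10.562: TPLUS_AUTHEN_STATUS_PASS: username=[John]
*tplusTransportThread: Feb 27 08:02:12.886: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Feb 27 08:02:12.886: arg[0] = [11][priv-lvl=15]
*tplusTransportThread: Feb 27 08:02:12.886: Incorrectly formatted authorization message
"""

# Matches the WLC's "arg[n] = [len][attr=value]" authorization lines.
ARG_RE = re.compile(r"arg\[\d+\] = \[\d+\]\[([^\]]*)\]")
ROLE_RE = re.compile(r"role\d+")


def parse_author_args(log):
    """Collect the attribute=value pairs the TACACS+ server returned in its
    authorization reply, exactly as the WLC debug prints them."""
    pairs = []
    for line in log.splitlines():
        m = ARG_RE.search(line)
        if m:
            attr, _, value = m.group(1).partition("=")
            pairs.append((attr.strip(), value.strip()))
    return pairs


def diagnose(log):
    """Explain why the WLC rejected the authorization reply.

    The WLC reads roleN attributes (e.g. role1=ALL) to assign management
    rights; a reply carrying only priv-lvl is logged as
    'Incorrectly formatted authorization message', as in the thread."""
    pairs = parse_author_args(log)
    roles = [v for a, v in pairs if ROLE_RE.fullmatch(a)]
    priv = [v for a, v in pairs if a == "priv-lvl"]
    malformed = "Incorrectly formatted authorization message" in log
    auth_pass = "TPLUS_AUTHEN_STATUS_PASS" in log
    if roles:
        verdict = "ok: WLC role(s) %s returned" % ", ".join(roles)
    elif priv:
        verdict = ("fix: server returned priv-lvl=%s but no roleN attribute; "
                   "return role1=ALL (or another WLC role) instead" % priv[0])
    else:
        verdict = "fix: authorization reply carried no WLC-readable attribute"
    return {"auth_pass": auth_pass, "roles": roles, "priv_lvl": priv,
            "malformed": malformed, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(WLC_DEBUG))
```

Authentication passing while authorization fails is the pattern to look for: the shared secret and server reachability are fine, and only the returned attribute needs changing on the ACS/ISE side.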

Hi Karsten,

I had a feeling this was a problem on the ACS server.

I'll have the attribute added and test again, as I don't have write access to our ACS.

ACS attribute was tweaked and WLC can authenticate via TACACS+

Changing the shell:roles= to ALL doesn't work. I just did it on ISE since I have the issue. Thanks.

iroperto1
Level 1
But what's the solution? I don't see anything indicating how to fix it. The link provided is standard troubleshooting.

iroperto1
Level 1
How do you fix this issue? Please can you post the steps or process you did to fix it.