02-27-2017 12:22 AM - edited 07-05-2021 06:37 AM
Hi,
I tried to add TACACS+ to a WLC 2504 but can't seem to get it to work.
Below is what I did:
security > authentication > new > add TACACS+ server IP and shared secret
security > priority order > put first order for TACACS+
Below is a debug output. Anything I'm missing?
(Cisco Controller) >debug aaa tacacs enable
(Cisco Controller) >*emWeb: Feb 27 08:01:21.230:
Log to TACACS server(if online): aaa auth mgmt tacacs local
*tplusTransportThread: Feb 27 08:02:05.906: Conecting to tacacs server 66.5.3.1 on port=49
*tplusTransportThread: Feb 27 08:02:08.358: Received tplus auth response: type=1 seq_no=2 session_id=ad61aa00 length=16 encrypted=0
*tplusTransportThread: Feb 27 08:02:08.358: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Feb 27 08:02:08.358: auth_cont get_pass reply: pkt_length=25
*tplusTransportThread: Feb 27 08:02:08.358: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Feb 27 08:02:10.561: Received tplus auth response: type=1 seq_no=4 session_id=ad61aa00 length=6 encrypted=0
*tplusTransportThread: Feb 27 08:02:10.562: Created tacacs author request payload(rc=0)
*tplusTransportThread: Feb 27 08:02:10.562: TPLUS_AUTHEN_STATUS_PASS: username=[John]
*tplusTransportThread: Feb 27 08:02:10.562: Conecting to tacacs server 89.2.2.1 on port=49
*tplusTransportThread: Feb 27 08:02:12.886: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Feb 27 08:02:12.886: arg[0] = [11][priv-lvl=15]
*tplusTransportThread: Feb 27 08:02:12.886: Incorrectly formatted authorization message
*tplusTransportThread: Feb 27 08:02:17.698: Conecting to tacacs server 66.5.3.1 on port=49
*tplusTransportThread: Feb 27 08:02:20.138: Received tplus auth response: type=1 seq_no=2 session_id=e7261774 length=16 encrypted=0
*tplusTransportThread: Feb 27 08:02:20.138: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Feb 27 08:02:20.138: auth_cont get_pass reply: pkt_length=25
*tplusTransportThread: Feb 27 08:02:20.138: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Feb 27 08:02:22.342: Received tplus auth response: type=1 seq_no=4 session_id=e7261774 length=6 encrypted=0
*tplusTransportThread: Feb 27 08:02:22.342: Created tacacs author request payload(rc=0)
*tplusTransportThread: Feb 27 08:02:22.342: TPLUS_AUTHEN_STATUS_PASS: username=[John]
*tplusTransportThread: Feb 27 08:02:22.342: Conecting to tacacs server 89.2.2.1 on port=49
*tplusTransportThread: Feb 27 08:02:24.834: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Feb 27 08:02:24.834: arg[0] = [11][priv-lvl=15]
02-27-2017 02:36 AM
You can return
role1=ALL
instead of the privilege-level:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01010.html#setting-up-tacacs
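The debug output in the question shows the server answering the authorization request with a single AV pair, `priv-lvl=15`, and the WLC replying "Incorrectly formatted authorization message"; the fix above is to return `role1=ALL` instead. As an added example (not part of the thread, and not Cisco's or ACS's own tooling), the following Python script parses `debug aaa tacacs enable` output of that shape, groups each `author response body` with its `arg[N]` lines, verifies the declared attribute length, and reports whether the server returned an IOS-style `priv-lvl` (which this WLC does not accept) or the `role1=` attribute it expects. The first authorization response in the embedded sample is taken from the thread; the second is constructed to show what the same debug looks like after the ACS profile is changed. The function names and verdict strings are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample. Response 1 reproduces the thread's debug lines (server
# returns priv-lvl=15, WLC rejects); response 2 is a constructed "after the fix"
# exchange where the server returns role1=ALL as the accepted answer suggests.
SAMPLE_DEBUG = """\
*tplusTransportThread: Feb 27 08:02:12.886: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Feb 27 08:02:12.886: arg[0] = [11][priv-lvl=15]
*tplusTransportThread: Feb 27 08:02:12.886: Incorrectly formatted authorization message
*tplusTransportThread: Feb 27 08:05:01.000: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Feb 27 08:05:01.000: arg[0] = [9][role1=ALL]
"""

BODY_RE = re.compile(r"author response body: status=(\d+) arg_cnt=(\d+)")
ARG_RE = re.compile(r"arg\[(\d+)\] = \[(\d+)\]\[([^\]]*)\]")
# A TACACS+ AV pair is "attr=value" (mandatory) or "attr*value" (optional);
# the separator is the first '=' or '*' in the string.
AVPAIR_RE = re.compile(r"^([^=*]+)([=*])(.*)$")
REJECT_MARK = "Incorrectly formatted authorization message"
# TACACS+ authorization status codes: 1 = PASS_ADD, 2 = PASS_REPL, 0x10 = FAIL.
PASS_STATUSES = {1, 2}


def split_avpair(arg: str) -> Tuple[str, str, str]:
    """Return (attribute, separator, value) for one AV pair string."""
    m = AVPAIR_RE.match(arg)
    if not m:
        return arg, "", ""
    return m.group(1), m.group(2), m.group(3)


def classify(status: int, args: List[str]) -> str:
    """Decide why the WLC would accept or reject this authorization response."""
    if status not in PASS_STATUSES:
        return "authz-failed"
    attrs = {split_avpair(a)[0] for a in args}
    if "role1" in attrs:
        return "role1-ok"          # WLC role attribute present, e.g. role1=ALL
    if "priv-lvl" in attrs:
        return "priv-lvl-only"     # IOS-style privilege level; WLC rejects it
    return "no-role"


def parse_author_responses(debug_text: str) -> List[Dict]:
    """Group each 'author response body' with its arg[N] lines and a verdict."""
    records: List[Dict] = []
    for line in debug_text.splitlines():
        m = BODY_RE.search(line)
        if m:
            records.append({"status": int(m.group(1)), "arg_cnt": int(m.group(2)),
                            "args": [], "length_ok": True, "rejected": False})
            continue
        if not records:
            continue  # arg lines before the first body line are ignored
        m = ARG_RE.search(line)
        if m:
            declared_len, value = int(m.group(2)), m.group(3)
            records[-1]["args"].append(value)
            # The [len] field should equal the length of the AV pair that follows.
            if declared_len != len(value):
                records[-1]["length_ok"] = False
            continue
        if REJECT_MARK in line:
            records[-1]["rejected"] = True
    for rec in records:
        rec["verdict"] = classify(rec["status"], rec["args"])
    return records


if __name__ == "__main__":
    for i, rec in enumerate(parse_author_responses(SAMPLE_DEBUG), 1):
        print(f"response {i}: status={rec['status']} args={rec['args']} "
              f"length_ok={rec['length_ok']} rejected_by_wlc={rec['rejected']} "
              f"verdict={rec['verdict']}")
```

Run it against a pasted copy of the controller debug; a `priv-lvl-only` verdict with `rejected_by_wlc=True` is the signature of the problem in this thread, and the length check catches a truncated or mis-copied attribute before you blame the server profile.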
02-27-2017 06:33 AM
Hi Karsten,
I had a feeling this was a problem on the ACS server.
I'll have the attribute added and test again, as I don't have write access to our ACS.
02-28-2017 10:40 PM
The ACS attribute was tweaked and the WLC can authenticate via TACACS+.