2567 Views, 0 Helpful, 6 Replies
Add TACACS+ to WLC 2504

johnlloyd_13 (Engager)

Hi,

I tried to add TACACS+ to a WLC 2504 but can't seem to get it to work.

Below is what I did:

Security > Authentication > New > add TACACS+ server IP and shared secret

Security > Priority Order > put TACACS+ first in the order

Below is a debug output. Anything I'm missing?

(Cisco Controller) >debug aaa tacacs enable

(Cisco Controller) >*emWeb: Feb 27 08:01:21.230:
Log to TACACS server(if online): aaa auth mgmt  tacacs local
*tplusTransportThread: Feb 27 08:02:05.906: Conecting to tacacs server 66.5.3.1 on port=49
*tplusTransportThread: Feb 27 08:02:08.358: Received tplus auth response: type=1 seq_no=2 session_id=ad61aa00 length=16 encrypted=0
*tplusTransportThread: Feb 27 08:02:08.358: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Feb 27 08:02:08.358: auth_cont get_pass reply: pkt_length=25
*tplusTransportThread: Feb 27 08:02:08.358: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Feb 27 08:02:10.561: Received tplus auth response: type=1 seq_no=4 session_id=ad61aa00 length=6 encrypted=0
*tplusTransportThread: Feb 27 08:02:10.562: Created tacacs author request payload(rc=0)
*tplusTransportThread: Feb 27 08:02:10.562: TPLUS_AUTHEN_STATUS_PASS: username=[John]
*tplusTransportThread: Feb 27 08:02:10.562: Conecting to tacacs server 89.2.2.1 on port=49
*tplusTransportThread: Feb 27 08:02:12.886: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Feb 27 08:02:12.886: arg[0] = [11][priv-lvl=15]
*tplusTransportThread: Feb 27 08:02:12.886: Incorrectly formatted authorization message
*tplusTransportThread: Feb 27 08:02:17.698: Conecting to tacacs server 66.5.3.1 on port=49
*tplusTransportThread: Feb 27 08:02:20.138: Received tplus auth response: type=1 seq_no=2 session_id=e7261774 length=16 encrypted=0
*tplusTransportThread: Feb 27 08:02:20.138: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Feb 27 08:02:20.138: auth_cont get_pass reply: pkt_length=25
*tplusTransportThread: Feb 27 08:02:20.138: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Feb 27 08:02:22.342: Received tplus auth response: type=1 seq_no=4 session_id=e7261774 length=6 encrypted=0
*tplusTransportThread: Feb 27 08:02:22.342: Created tacacs author request payload(rc=0)
*tplusTransportThread: Feb 27 08:02:22.342: TPLUS_AUTHEN_STATUS_PASS: username=[John]
*tplusTransportThread: Feb 27 08:02:22.342: Conecting to tacacs server 89.2.2.1 on port=49
*tplusTransportThread: Feb 27 08:02:24.834: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Feb 27 08:02:24.834: arg[0] = [11][priv-lvl=15]

6 Replies

Accepted Solution:

You can return

role1=ALL

instead of the privilege-level:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01010.html#setting-up-tacacs

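As an added example (this is not code from the thread, from Cisco, or from the ACS/ISE side), the following Python script parses the `debug aaa tacacs enable` output posted above and states why the login fails: authentication passes on the first server, the authorization server answers PASS_ADD but returns only priv-lvl=15, and the WLC then logs "Incorrectly formatted authorization message". A second, constructed sample shows the same exchange once the server's shell profile returns role1=ALL, as the accepted answer suggests. The role names are the ones the WLC configuration guide lists for role1..role8 and the status codes are the TACACS+ authorization reply codes; the exact way the controller would print the role1 attribute in the fixed sample is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Roles a WLC accepts in the role1..role8 attributes (WLC configuration guide, TACACS+ section).
WLC_ROLES = {"ALL", "WLAN", "CONTROLLER", "WIRELESS", "SECURITY",
             "MANAGEMENT", "COMMANDS", "LOBBY", "MONITOR"}

# TACACS+ authorization REPLY status values (RFC 8907).
AUTHOR_STATUS = {1: "PASS_ADD", 2: "PASS_REPL", 16: "FAIL", 17: "ERROR", 33: "FOLLOW"}

# "Conecting" is how the controller spells it in its own debug output, so match that spelling.
RE_CONNECT = re.compile(r"Conecting to tacacs server (\S+) on port=(\d+)")
RE_PASS = re.compile(r"TPLUS_AUTHEN_STATUS_PASS: username=\[([^\]]*)\]")
RE_AUTHOR = re.compile(r"author response body: status=(\d+) arg_cnt=(\d+)")
RE_ARG = re.compile(r"arg\[\d+\] = \[\d+\]\[([^=\]]+)=([^\]]*)\]")
REJECT_MSG = "Incorrectly formatted authorization message"


@dataclass
class Attempt:
    """One management login: authentication on one server, authorization on the next."""
    authn_server: str
    authz_server: Optional[str] = None
    username: Optional[str] = None
    author_status: Optional[int] = None
    args: Dict[str, str] = field(default_factory=dict)
    rejected: bool = False

    def verdict(self) -> str:
        if self.username is None:
            return "FAIL: authentication never reached TPLUS_AUTHEN_STATUS_PASS"
        if self.author_status not in (1, 2):
            return "FAIL: authorization status %s" % AUTHOR_STATUS.get(self.author_status, "missing")
        roles = {v for k, v in self.args.items() if re.fullmatch(r"role\d", k)}
        if not roles:
            sent = ", ".join("%s=%s" % kv for kv in sorted(self.args.items())) or "no attributes"
            return ("FAIL: server accepted (%s) but returned %s; the WLC needs role1=ALL "
                    "(or another WLC role), not a privilege level"
                    % (AUTHOR_STATUS[self.author_status], sent))
        unknown = roles - WLC_ROLES
        if unknown:
            return "FAIL: unknown WLC role(s) %s" % ", ".join(sorted(unknown))
        if self.rejected:
            return "FAIL: WLC rejected the authorization message"
        return "OK: role(s) " + ", ".join(sorted(roles))


def parse_attempts(debug_text: str) -> List[Attempt]:
    """Group debug lines into login attempts; the first connect is authentication, the second authorization."""
    attempts: List[Attempt] = []
    cur: Optional[Attempt] = None
    for line in debug_text.splitlines():
        m = RE_CONNECT.search(line)
        if m:
            if cur is None or cur.authz_server is not None:
                cur = Attempt(authn_server=m.group(1))
                attempts.append(cur)
            else:
                cur.authz_server = m.group(1)
            continue
        if cur is None:
            continue
        m = RE_PASS.search(line)
        if m:
            cur.username = m.group(1)
            continue
        m = RE_AUTHOR.search(line)
        if m:
            cur.author_status = int(m.group(1))
            continue
        m = RE_ARG.search(line)
        if m:
            cur.args[m.group(1)] = m.group(2)
            continue
        if REJECT_MSG in line:
            cur.rejected = True
    return attempts


def report(debug_text: str) -> List[str]:
    return ["user %s: authn %s, authz %s -> %s" % (a.username, a.authn_server, a.authz_server, a.verdict())
            for a in parse_attempts(debug_text)]


# Sample 1: the first login attempt from the debug output posted above.
SAMPLE_DEBUG = """\
*tplusTransportThread: Feb 27 08:02:05.906: Conecting to tacacs server 66.5.3.1 on port=49
*tplusTransportThread: Feb 27 08:02:08.358: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Feb 27 08:02:10.562: TPLUS_AUTHEN_STATUS_PASS: username=[John]
*tplusTransportThread: Feb 27 08:02:10.562: Conecting to tacacs server 89.2.2.1 on port=49
*tplusTransportThread: Feb 27 08:02:12.886: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Feb 27 08:02:12.886: arg[0] = [11][priv-lvl=15]
*tplusTransportThread: Feb 27 08:02:12.886: Incorrectly formatted authorization message
"""

# Sample 2 (constructed, not from the thread): the same exchange after the shell profile returns role1=ALL.
SAMPLE_FIXED = """\
*tplusTransportThread: Feb 27 08:10:01.000: Conecting to tacacs server 66.5.3.1 on port=49
*tplusTransportThread: Feb 27 08:10:03.000: TPLUS_AUTHEN_STATUS_PASS: username=[John]
*tplusTransportThread: Feb 27 08:10:03.000: Conecting to tacacs server 89.2.2.1 on port=49
*tplusTransportThread: Feb 27 08:10:05.000: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Feb 27 08:10:05.000: arg[0] = [9][role1=ALL]
"""

if __name__ == "__main__":
    for text in (SAMPLE_DEBUG, SAMPLE_FIXED):
        print("\n".join(report(text)))
```

The split into two servers is deliberate in the parser: on the WLC, TACACS+ authentication and authorization server lists are configured separately, which is why the posted debug connects to 66.5.3.1 for the password check and to 89.2.2.1 for the authorization request. Note also that status=1 (PASS_ADD) means the server approved the session; the rejection comes from the controller because it is looking for a role attribute, not priv-lvl.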
Hi Karsten,

I had a feeling this was a problem on the ACS server.

I'll have the attribute added and test again, as I don't have write access to our ACS.

The ACS attribute was tweaked and the WLC can authenticate via TACACS+.

Changing shell:roles= to ALL doesn't work. I just did it on ISE, since I have the issue. Thanks.

iroperto1 (Beginner)

But what's the solution? I don't see anything indicating how to fix it. The link provided is standard troubleshooting.

iroperto1 (Beginner)

How do you fix this issue? Please can you post the steps or process you used to fix it.