Cannot manage Guest users as root after upgrade from 4.2.110.0 to 5.2.110.0

generaljoe
Beginner

As title (refers, of course, to WCS). Everything else works, guest users are still present on both 4404 controllers, lobby ambassadors can log in and manage their own users, but members of root cannot - they receive the following error:

----------------8<--------------

HTTP Status 500 -

--------------------------------------------------------------------------------

type Exception report

message

description The server encountered an internal error () that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Servlet execution threw an exception

org.apache.struts.action.RequestProcessor.doForward(RequestProcessor.java:1033)

org.apache.struts.tiles.TilesRequestProcessor.doForward(TilesRequestProcessor.java:269)

org.apache.struts.action.RequestProcessor.processForwardConfig(RequestProcessor.java:436)

org.apache.struts.tiles.TilesRequestProcessor.processForwardConfig(TilesRequestProcessor.java:312)

org.apache.struts.action.RequestProcessor.processActionForward(RequestProcessor.java:401)

org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:279)

org.apache.struts.action.ActionServlet.process(ActionServlet.java:1422)

org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:505)

javax.servlet.http.HttpServlet.service(HttpServlet.java:690)

javax.servlet.http.HttpServlet.service(HttpServlet.java:803)

----------------8<--------------

Thanks for any pointers towards fixing this - full logs can be posted on request...

19 Replies

sschmidt
Cisco Employee

When you say members of root cannot, do you mean that users of root cannot manage guest users or log in?

Do you mean the root users or the root virtual domain?

Go ahead and go to Administration > Logging and change the message level to TRACE and click submit. Try the action again and when done go back to the above area and download the logs and attach the logs starting with wcs-.

We have users that are members of the "root" group, they are authenticated by RADIUS (ACS 4.1) and RADIUS sends back the vsa-pairs to WCS to allow the users to log on. We only have one virtual domain called "root".

It is when users that are logged in to the web console via their RADIUS usernames, and they navigate to Configure - Controller Templates - Security - Guest Users, that the error appears.

I have created the logs as you stated and attached the "wcs-" logs (attached as a RAR file).

Are the users that are trying to navigate to that area superusers? It looks very similar to this bug:

CSCsw42942

Externally found moderate defect: More (M)

SuperUser cannot see guest users created by admin users

If the users are able to log in using their RADIUS credentials but are unable to get to a specific area, it is either this bug or maybe a problem with the authorization for the user configured on the RADIUS server.

Can the same user that cannot get to the above area get to netusers in the same area? Can they get to an area outside the security config area? Make sure that all of the customer attributes for the specific user group have been entered into the RADIUS server.

I'm not sure it's that bug. They're members of root, not superusers.

All other areas are accessible to those users (inc netusers within the same set of templates - I've successfully created new lobbyambassadors after the upgrade).

The VSA pairs returned by the ACS server are copied from the "root" group within WCS. I've reproduced them below for clarity. I wouldn't have expected a security deny to result in an Apache exception though; usually an Access Denied message is displayed.

Only thing I can think is that maybe it's caused by them being members of "root" rather than "superusers" which has effectively the same permissions - is it worth changing that within ACS?

----------------8<------------------

Wireless-WCS:role0=Root

Wireless-WCS:task0=Users and Groups

Wireless-WCS:task1=Audit Trails

Wireless-WCS:task2=TACACS+ Servers

Wireless-WCS:task3=RADIUS Servers

Wireless-WCS:task4=Logging

Wireless-WCS:task5=Licensing

Wireless-WCS:task6=Scheduled Tasks and Data Collection

Wireless-WCS:task7=User Preferences

Wireless-WCS:task8=System Settings

Wireless-WCS:task9=Diagnostic Information

Wireless-WCS:task10=View Alerts and Events

Wireless-WCS:task11=Email Notification

Wireless-WCS:task12=Delete and Clear Alerts

Wireless-WCS:task13=Pick and Unpick Alerts

Wireless-WCS:task14=Configure Controllers

Wireless-WCS:task15=Configure Templates

Wireless-WCS:task16=Configure Config Groups

Wireless-WCS:task17=Configure Access Points

Wireless-WCS:task18=Configure Access Point Templates

Wireless-WCS:task19=Configure Choke Points

Wireless-WCS:task20=Monitor Controllers

Wireless-WCS:task21=Monitor Access Points

Wireless-WCS:task22=Monitor Clients

Wireless-WCS:task23=Monitor Tags

Wireless-WCS:task24=Monitor Security

Wireless-WCS:task25=Monitor Chokepoints

Wireless-WCS:task26=Access Point Reports

Wireless-WCS:task27=Mesh Reports

Wireless-WCS:task28=Client Reports

Wireless-WCS:task29=Inventory Reports

Wireless-WCS:task30=Performance Reports

Wireless-WCS:task31=Security Reports

Wireless-WCS:task32=Location Server Management

Wireless-WCS:task33=View Location Notifications

Wireless-WCS:task34=Maps Read Only

Wireless-WCS:task35=Maps Read Write

Wireless-WCS:task36=Client Location

Wireless-WCS:task37=Rogue Location

Wireless-WCS:task38=Planning Mode

Wireless-WCS:task39=Ack and Unack Alerts

Wireless-WCS:task40=Migration Templates

Wireless-WCS:task41=Configure Spectrum Experts

Wireless-WCS:task42=Monitor Spectrum Experts

Wireless-WCS:task43=Interferers Search

Wireless-WCS:task44=Audit Reports

Wireless-WCS:task45=802.11n Scaling Reports

Wireless-WCS:task46=802.11n Scaling Reports

Wireless-WCS:task47=802.11n Scaling Reports

Wireless-WCS:task48=Virtual Domain Management

Wireless-WCS:task49=High Availability Configuration

Wireless-WCS:task50=Health Monitor Details

Wireless-WCS:task51=Configure WIPS Profiles

Wireless-WCS:task52=Global SSID Groups

Wireless-WCS:task53=Configure Lightweight Access Point Templates

Wireless-WCS:task54=Configure Autonomous Access Point Templates

Wireless-WCS:task55=Scheduled Configuration Tasks

Wireless-WCS:task56=Configure Location Sensors

Wireless-WCS:task57=Configure ACS View Servers

Wireless-WCS:task58=Configure Switches

Wireless-WCS:task59=Auto Provisioning

Wireless-WCS:task60=Monitor Location Sensors

Wireless-WCS:task61=RRM Dashboard

Wireless-WCS:task62=Compliance Assistance Reports

Wireless-WCS:task63=Voice Audit Report

Wireless-WCS:task64=Config Audit Dashboard

Wireless-WCS:task65=Handover Server Management

Wireless-WCS:task66=Monitor Handover Server

Have you added the virtual domain to ACS:

Wireless-WCS:virtual-domain0=root

The underlying problem with that bug is the check that goes on for the virtual domain which is causing issues with login and accessibility to certain areas.

I hadn't done so, but have now updated the vsa-pairs in ACS so they read as below, and have restarted ACS and WCS. However, the Guest Users section still produces the same error.

Is it possible that the Guests section of the database is in some way corrupt?

Wireless-WCS:virtual-domain0=root

Wireless-WCS:role0=Root

Wireless-WCS:task0=Users and Groups

Wireless-WCS:task1=Audit Trails

Wireless-WCS:task2=TACACS+ Servers

Wireless-WCS:task3=RADIUS Servers

Wireless-WCS:task4=Logging

Wireless-WCS:task5=Licensing

Wireless-WCS:task6=Scheduled Tasks and Data Collection

Wireless-WCS:task7=User Preferences

Wireless-WCS:task8=System Settings

Wireless-WCS:task9=Diagnostic Information

Wireless-WCS:task10=View Alerts and Events

Wireless-WCS:task11=Email Notification

Wireless-WCS:task12=Delete and Clear Alerts

Wireless-WCS:task13=Pick and Unpick Alerts

Wireless-WCS:task14=Configure Controllers

Wireless-WCS:task15=Configure Templates

Wireless-WCS:task16=Configure Config Groups

Wireless-WCS:task17=Configure Access Points

Wireless-WCS:task18=Configure Access Point Templates

Wireless-WCS:task19=Configure Choke Points

Wireless-WCS:task20=Monitor Controllers

Wireless-WCS:task21=Monitor Access Points

Wireless-WCS:task22=Monitor Clients

Wireless-WCS:task23=Monitor Tags

Wireless-WCS:task24=Monitor Security

Wireless-WCS:task25=Monitor Chokepoints

Wireless-WCS:task26=Access Point Reports

Wireless-WCS:task27=Mesh Reports

Wireless-WCS:task28=Client Reports

Wireless-WCS:task29=Inventory Reports

Wireless-WCS:task30=Performance Reports

Wireless-WCS:task31=Security Reports

Wireless-WCS:task32=Location Server Management

Wireless-WCS:task33=View Location Notifications

Wireless-WCS:task34=Maps Read Only

Wireless-WCS:task35=Maps Read Write

Wireless-WCS:task36=Client Location

Wireless-WCS:task37=Rogue Location

Wireless-WCS:task38=Planning Mode

Wireless-WCS:task39=Ack and Unack Alerts

Wireless-WCS:task40=Migration Templates

Wireless-WCS:task41=Configure Spectrum Experts

Wireless-WCS:task42=Monitor Spectrum Experts

Wireless-WCS:task43=Interferers Search

Wireless-WCS:task44=Audit Reports

Wireless-WCS:task45=802.11n Scaling Reports

Wireless-WCS:task46=802.11n Scaling Reports

Wireless-WCS:task47=802.11n Scaling Reports

Wireless-WCS:task48=Virtual Domain Management

Wireless-WCS:task49=High Availability Configuration

Wireless-WCS:task50=Health Monitor Details

Wireless-WCS:task51=Configure WIPS Profiles

Wireless-WCS:task52=Global SSID Groups

Wireless-WCS:task53=Configure Lightweight Access Point Templates

Wireless-WCS:task54=Configure Autonomous Access Point Templates

Wireless-WCS:task55=Scheduled Configuration Tasks

Wireless-WCS:task56=Configure Location Sensors

Wireless-WCS:task57=Configure ACS View Servers

Wireless-WCS:task58=Configure Switches

Wireless-WCS:task59=Auto Provisioning

Wireless-WCS:task60=Monitor Location Sensors

Wireless-WCS:task61=RRM Dashboard

Wireless-WCS:task62=Compliance Assistance Reports

Wireless-WCS:task63=Voice Audit Report

Wireless-WCS:task64=Config Audit Dashboard

Wireless-WCS:task65=Handover Server Management

Wireless-WCS:task66=Monitor Handover Server
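
A check for attribute lists like the one above, as an added example that is not part of the original thread and not Cisco tooling: it parses Wireless-WCS: pairs in the format pasted in these posts and reports a missing role or virtual-domain attribute, index gaps and repeated values. The sample input is constructed, and treating index gaps as a finding is an assumption based on the lists shown here.

```python
import re
from collections import defaultdict

# Constructed sample in the format pasted in the thread (shortened).
SAMPLE = """\
Wireless-WCS:role0=Root
Wireless-WCS:task0=Users and Groups
Wireless-WCS:task1=Audit Trails
Wireless-WCS:task3=Logging
Wireless-WCS:task4=802.11n Scaling Reports
Wireless-WCS:task5=802.11n Scaling Reports
"""

# Wireless-WCS:<kind><index>=<value>, e.g. task12 or virtual-domain0
ATTR_RE = re.compile(r"^Wireless-WCS:([a-z-]+)(\d+)=(.+)$")

def parse_pairs(text):
    """Return ({kind: {index: value}}, [lines that did not parse])."""
    pairs, bad = defaultdict(dict), []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue  # the forum paste has a blank line between attributes
        m = ATTR_RE.match(line)
        if not m:
            bad.append(line)
            continue
        pairs[m.group(1)][int(m.group(2))] = m.group(3).strip()
    return pairs, bad

def audit(text):
    """List findings for one ACS group's attribute block."""
    pairs, bad = parse_pairs(text)
    findings = [f"unparseable line: {l!r}" for l in bad]
    # The thread establishes that WCS expects a virtual domain to be sent.
    for kind in ("role", "virtual-domain"):
        if not pairs.get(kind):
            findings.append(f"no {kind} attribute present")
    for kind, entries in pairs.items():
        # Assumption: indices run from 0 with no gaps, as in the posted lists.
        missing = sorted(set(range(max(entries) + 1)) - set(entries))
        if missing:
            findings.append(f"{kind}: index gap at {missing}")
        seen = defaultdict(list)
        for idx, value in sorted(entries.items()):
            seen[value].append(idx)
        for value, idxs in seen.items():
            if len(idxs) > 1:
                findings.append(f"{kind}: {value!r} repeated at {idxs}")
    return findings
```

Running audit() over the group's attribute block before and after a WCS upgrade shows whether the set sent by ACS still matches what was copied from the WCS group.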

I have not been able to recreate the issue in my lab. Would you be able to upload a backup to ftp-sj.cisco.com? You can cd to incoming and drop it there. You will not be able to get a directory listing or verify it has uploaded. If it fails, change the name slightly and start again. Use passive ftp and label it 12209-sschmidt-wcs. I'd like to see if your db causes the same issue in my lab.

On its way. File size is 136,998 (Windows) KB, and file is named as you requested: 12209-sschmidt-wcs.zip. I'm leaving for the day but will be online tomorrow at 07:00 - if the upload failed please let me know. Thanks for looking into this! Of course, this is the time when the Guest users need most management... :)

I was able to recreate the issue both with your db and in my lab with mine. I have written this bug on it and it should appear for customers in a few days:

CSCsx21459

WCS: Unable to navigate to Guest Users under controller templates

Customer is unable to navigate to Configure > Controller Templates > Security > Guest Users when logging in using TACACS/Radius as user configured as Superuser. Attempts to get to this page generate an HTTP 500 error.

Ah, glad it's re-creatable. Any workaround for the moment, or do we just live with it till an update? I still have the pre-upgrade backups from 4.2.110.0.

Try this workaround even though it mentions lobby ambassador:

You have to add both the virtual domain attribute to the ACS group and create a lobby ambassador account locally with the same name as the lobby ambassador account in ACS.

Further Problem Description:

Issue is that WCS requires virtual domains to exist and the code is checking to see if the user exists locally as a lobby ambassador after authenticating. It should factor in that TACACS could cause the lobby ambassador to not exist locally.

Hmm, I tried this (substituting SuperUsers for LobbyAmbassador) and it did get round the HTTP 500 error - however there were no guest users visible.

Is it the case that even Superusers cannot see guest users created by others?

Hello all,

I have a similar problem to yours.

I've updated WCS from 4.2.62.0 to 5.2.110.0, and now have the same results as you have... additionally:

- only root can see all guest accounts

- even a user with lobby administrator rights receives an HTTP 500 error after logging in when authenticated by RADIUS

- after disabling RADIUS and using only local accounts everything works fine

- even a SuperUser can see only guest accounts created by himself

I have no access to RADIUS right now but I'll try to find out where the problem is.

regards

Marcin

It should be fixed in 5.2.116.0, which I've been waiting for for about a week and a half now. :) Keep checking the download links, it's not RADIUS, it's an issue within WCS.
