Issues with WLC 7.x and Cisco ACS 5.1 Web Auth

pvzcisco07
Level 1

I am trying to authenticate to a WLC 7.x using TACACS+. I have set up my ACS 5.1 (shell profile, access policies) but am still unable to log in to the WLC using my TACACS+ credentials. I can see the hit count going up in the ACS and can see my login in the passed authentication report. Any assistance in resolving the issue would be much appreciated.

6 Replies

Scott Fella
Hall of Fame

I don't know how your ACS is configured, but one thing is to make sure that on the WLC you have both Authentication and Authorization defined. Your shell profile should return role1=ALL for admin access. Here is a brief description for 4.2, which is similar; you just don't need the ciscowlc stuff anymore.

http://cciew.blogspot.com/2011/02/tacacs-wlc-user-authentication.html?m=1

https://supportforums.cisco.com/docs/DOC-14908

Link to an older post

https://supportforums.cisco.com/message/3214033#3214033


-Scott

Thanks for your comment, Scott. I had already looked into the DOC and checked my settings to make sure they matched the ones suggested in it. Today I turned on debugging for TACACS+ events on the WLC to see any failure messages, and suddenly the web login started working. I doubt that turning on debug is what got it working. Anyway, I need to turn on web auth on two more WLCs. I'll let you know how I go.

Keep me posted!

Thanks,

Scott Fella


-Scott

I've turned on TACACS+ on all three WLCs in my network. It works fine on two but not on the third. The logs from the one that fails are below:

(Cisco Controller) debug>*tplusTransportThread: Apr 26 19:01:57.449: Forwarding request to 172.20.0.122 port=49

*tplusTransportThread: Apr 26 19:01:57.451: tplus auth response: type=1 seq_no=2 session_id=871c2905 length=15 encrypted=0

*tplusTransportThread: Apr 26 19:01:57.451: TPLUS_AUTHEN_STATUS_GETPASS

*tplusTransportThread: Apr 26 19:01:57.451: auth_cont get_pass reply: pkt_length=26

*tplusTransportThread: Apr 26 19:01:57.451: processTplusAuthResponse: Continue auth transaction

*tplusTransportThread: Apr 26 19:01:57.455: tplus auth response: type=1 seq_no=4 session_id=871c2905 length=6 encrypted=0

*tplusTransportThread: Apr 26 19:01:57.455: tplus_make_author_request() from tplus_authen_passed returns rc=0

*tplusTransportThread: Apr 26 19:01:57.455: Forwarding request to 172.20.0.122 port=49

*tplusTransportThread: Apr 26 19:01:57.457: ATHR Socket closed underneath

*tplusTransportThread: Apr 26 19:02:02.660: No auth response from: 172.20.0.122, retrying with next server

*tplusTransportThread: Apr 26 19:02:02.660: Preparing message for retransmit. Decrypting first

*tplusTransportThread: Apr 26 19:02:02.660: Forwarding request to 172.22.0.122 port=49

*tplusTransportThread: Apr 26 19:02:02.663: ATHR Socket closed underneath

*tplusTransportThread: Apr 26 19:02:07.866: No auth response from: 172.22.0.122, retrying with next server

*tplusTransportThread: Apr 26 19:02:07.866: Preparing message for retransmit. Decrypting first

*tplusTransportThread: Apr 26 19:02:07.866: Forwarding request to 172.20.0.122 port=49

*tplusTransportThread: Apr 26 19:02:07.868: ATHR Socket closed underneath

*tplusTransportThread: Apr 26 19:02:13.072: Exhausted all available servers for Auth/Author packet

The one that works fine has the logs below:

(Cisco Controller) debug>aaa tacacs enable

(Cisco Controller) debug>*radiusTransportThread: Apr 26 08:51:04.741: 40:a6:d9:b0:97:b2 Accounting-Response received from RADIUS server 172.22.0.122 for mobile 40:a6:d9:b0:97:b2 receiveId = 0

*tplusTransportThread: Apr 26 09:07:47.441: Forwarding request to 172.20.0.122 port=49

*tplusTransportThread: Apr 26 09:07:47.443: tplus auth response: type=1 seq_no=2 session_id=b0eeb9b9 length=15 encrypted=0

*tplusTransportThread: Apr 26 09:07:47.443: TPLUS_AUTHEN_STATUS_GETPASS

*tplusTransportThread: Apr 26 09:07:47.443: auth_cont get_pass reply: pkt_length=26

*tplusTransportThread: Apr 26 09:07:47.443: processTplusAuthResponse: Continue auth transaction

*tplusTransportThread: Apr 26 09:07:47.447: tplus auth response: type=1 seq_no=4 session_id=b0eeb9b9 length=6 encrypted=0

*tplusTransportThread: Apr 26 09:07:47.448: tplus_make_author_request() from tplus_authen_passed returns rc=0

*tplusTransportThread: Apr 26 09:07:47.448: Forwarding request to 172.20.0.122 port=49

*tplusTransportThread: Apr 26 09:07:47.453: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0

*tplusTransportThread: Apr 26 09:07:47.453: arg[0] = [9][role1=ALL]

*tplusTransportThread: Apr 26 09:07:47.453:

                                            User has the following mgmtRole fffffff8

*tplusTransportThread: Apr 26 09:07:47.453: 00:00:00:2a:00:00 Returning AAA Success for mobile 00:00:00:2a:00:00

*emWeb: Apr 26 09:07:47.453: Authentication succeeded for rparasur

They've been set up exactly the same way. I've rechecked the settings a number of times. And needless to say, both show up in the passed auth report on the ACS. I don't know what I am doing wrong!
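The two captures above diverge at one point: on the failing controller the authentication phase completes (tplus_authen_passed), the authorization request is forwarded, the socket is closed underneath it and no reply arrives before each server times out; on the working controller the authorization reply carries role1=ALL and the controller maps it to mgmtRole fffffff8. As an added example that is not part of the original thread, the following Python script parses this kind of "debug aaa tacacs enable" output and reports the stage at which the exchange stopped, the servers tried in each phase, the measured per-server timeout, and any attributes returned. The sample log strings are constructed from the two captures above (trimmed, with the wrapped mgmtRole line joined onto one line); the authorization status names are taken from RFC 8907; the regular expressions assume the 7.x line format shown here and are my own.

```python
import re
from datetime import datetime

# Constructed sample input (not a live capture): tplusTransportThread lines from the
# two 'debug aaa tacacs enable' outputs in the thread, trimmed, with the wrapped
# "User has the following mgmtRole" continuation joined onto a single line.
FAILING_LOG = """\
*tplusTransportThread: Apr 26 19:01:57.449: Forwarding request to 172.20.0.122 port=49
*tplusTransportThread: Apr 26 19:01:57.451: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Apr 26 19:01:57.455: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Apr 26 19:01:57.455: Forwarding request to 172.20.0.122 port=49
*tplusTransportThread: Apr 26 19:01:57.457: ATHR Socket closed underneath
*tplusTransportThread: Apr 26 19:02:02.660: No auth response from: 172.20.0.122, retrying with next server
*tplusTransportThread: Apr 26 19:02:02.660: Forwarding request to 172.22.0.122 port=49
*tplusTransportThread: Apr 26 19:02:02.663: ATHR Socket closed underneath
*tplusTransportThread: Apr 26 19:02:07.866: No auth response from: 172.22.0.122, retrying with next server
*tplusTransportThread: Apr 26 19:02:07.866: Forwarding request to 172.20.0.122 port=49
*tplusTransportThread: Apr 26 19:02:07.868: ATHR Socket closed underneath
*tplusTransportThread: Apr 26 19:02:13.072: Exhausted all available servers for Auth/Author packet
"""

WORKING_LOG = """\
*tplusTransportThread: Apr 26 09:07:47.441: Forwarding request to 172.20.0.122 port=49
*tplusTransportThread: Apr 26 09:07:47.443: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Apr 26 09:07:47.448: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Apr 26 09:07:47.448: Forwarding request to 172.20.0.122 port=49
*tplusTransportThread: Apr 26 09:07:47.453: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Apr 26 09:07:47.453: arg[0] = [9][role1=ALL]
*tplusTransportThread: Apr 26 09:07:47.453: User has the following mgmtRole fffffff8
*emWeb: Apr 26 09:07:47.453: Authentication succeeded for rparasur
"""

# Line shape: "*<thread>: <Mon dd HH:MM:SS.mmm>: <message>" (assumption based on the 7.x output above).
LINE_RE = re.compile(r"^\*(?P<thread>\w+): (?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d\.\d{3}): (?P<msg>.*)$")
FORWARD_RE = re.compile(r"Forwarding request to (?P<ip>[\d.]+) port=\d+")
NORESP_RE = re.compile(r"No auth response from: (?P<ip>[\d.]+)")
AUTHOR_RE = re.compile(r"author response body: status=(?P<status>\d+)")
ARG_RE = re.compile(r"arg\[\d+\] = \[\d+\]\[(?P<key>[^=\]]+)=(?P<val>[^\]]*)\]")
ROLE_RE = re.compile(r"mgmtRole (?P<role>[0-9a-fA-F]+)")

# TACACS+ authorization reply status values (RFC 8907, section 6.2).
AUTHOR_STATUS = {1: "PASS_ADD", 2: "PASS_REPL", 16: "FAIL", 17: "ERROR", 33: "FOLLOW"}


def parse(log):
    """Return (thread, timestamp, message) for every debug line; prompts and noise are skipped."""
    events = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            # The WLC prints no year, so strptime defaults to 1900; only time deltas are used.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S.%f")
            events.append((m.group("thread"), ts, m.group("msg")))
    return events


def analyze(log):
    """Report which TACACS+ stage a management login reached and what each server did."""
    r = {
        "stage": "authentication_no_response",
        "authen_servers": [],   # servers the authentication START was forwarded to
        "author_servers": [],   # servers the authorization REQUEST was forwarded to
        "timeouts": [],         # seconds between a request and "No auth response" for it
        "socket_closed": 0,     # "ATHR Socket closed underneath" occurrences
        "author_status": None,
        "attributes": {},       # AV pairs carried in the authorization reply
        "mgmt_role": None,
    }
    authen_passed = False
    last_sent = {}  # server ip -> time of the most recent request forwarded to it
    for _thread, ts, msg in parse(log):
        if m := FORWARD_RE.search(msg):
            ip = m.group("ip")
            last_sent[ip] = ts
            (r["author_servers"] if authen_passed else r["authen_servers"]).append(ip)
        elif "tplus_authen_passed" in msg:
            authen_passed = True
            r["stage"] = "authorization_no_response"
        elif m := NORESP_RE.search(msg):
            ip = m.group("ip")
            if ip in last_sent:
                r["timeouts"].append((ts - last_sent[ip]).total_seconds())
        elif "Socket closed" in msg:
            r["socket_closed"] += 1
        elif m := AUTHOR_RE.search(msg):
            status = int(m.group("status"))
            r["author_status"] = AUTHOR_STATUS.get(status, f"UNKNOWN({status})")
            r["stage"] = "authorization_passed" if status in (1, 2) else "authorization_denied"
        elif m := ARG_RE.search(msg):
            r["attributes"][m.group("key")] = m.group("val")
        elif m := ROLE_RE.search(msg):
            r["mgmt_role"] = m.group("role")
        elif "Exhausted all available servers" in msg:
            r["stage"] = ("authorization" if authen_passed else "authentication") + "_timed_out"
    return r


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        a = analyze(log)
        print(f"{name}: stage={a['stage']} author_status={a['author_status']} "
              f"attributes={a['attributes']} mgmtRole={a['mgmt_role']} "
              f"timeouts={[round(t, 3) for t in a['timeouts']]}")
```

On the two captures this reports authorization_timed_out for the failing controller, with the socket closed three times and two gaps of roughly 5.2 seconds between a forwarded authorization request and the matching "No auth response", and authorization_passed with role1=ALL for the working one. Separating the phases this way is what tells you where to look next: an authorization reply with status FAIL or without role1=ALL points at the ACS shell profile and authorization policy for that device, while an authorization request that gets no reply at all, as here, points at the network path between the controller and port 49 on the server and at the controller's server timeout.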

I was having this same issue on two WLC 5508s with 7.2.103.0 software and just figured out the solution. From the debug messages, it appeared that the WLC wasn't waiting long enough for the ACS server to reply. I found a command in the CLI that I can't find an equivalent for in the GUI: config tacacs auth mgmt-server-timeout. This command required my TACACS+ servers to be disabled in the configuration. I did that via the GUI and then issued config tacacs auth mgmt-server-timeout 1 5 (server number 1, 5 seconds) and config tacacs auth mgmt-server-timeout 2 5 (I have two TACACS+ servers). I then re-enabled the TACACS+ servers through the GUI and am now able to log in to the management GUI successfully using TACACS+ authentication and authorization.

Thanks for the reply. I am unable to change the timeout settings through the CLI. Please find the error message below. I disabled the TACACS+ servers in the GUI before trying the command you suggested.

(Cisco Controller) >config tacacs auth server-timeout 1 5

Unable to set the retransmission timeout.

(Cisco Controller) >config tacacs auth server-timeout 2 5

Unable to set the retransmission timeout.
