Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
753
Views
1
Helpful
9
Replies

logon to wlc for authentication and authorization

Go to solution
Leftz
Level 4
Level 4

‎05-04-2023 11:35 AM

Hi c9800 wlc is using Radius for authentication and authorization , now we added TACACS to wlc and ise. The question is how to confirm my access to wlc is through tacacs? Thank you

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rich R
VIP
VIP
In response to Leftz

‎05-05-2023 06:16 AM

show tacacs

show aaa servers

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Flavio Miranda
VIP
VIP

‎05-04-2023 11:49 AM - edited ‎05-04-2023 11:51 AM

Hi

  You can check that by looking into the configuration of the WLC.

Go to SECURITY> Priority Order> Management User

You can see a small window with "Order used for Authentication" , there might ne TACACS+ in the first line.

FlavioMiranda_0-1683226308209.png

 

0 Helpful

Go to solution
Leftz
Level 4
Level 4

‎05-04-2023 11:57 AM - edited ‎05-04-2023 11:58 AM

Thank you Flavio for your reply. do you me mean the below "Configuration" . I cannot see "Priority Order"

zshowip_1-1683226717427.png

 

 

0 Helpful

Go to solution
Flavio Miranda
VIP
VIP
In response to Leftz

‎05-04-2023 12:19 PM

oh sorry, you said WLC 9800 and I though AIROS WLC.

For 9800 you can check on the AAA, TACACS+ / AAA Method List, the default option must be reffering to your TACACS server.

Type login and type dot1x. The first is access to the WLC and second is for Wireless users

Go to solution
Leftz
Level 4
Level 4

‎05-04-2023 12:32 PM - edited ‎05-04-2023 12:46 PM

@Flavio Miranda Can we confirm this via something like logs? even if its with ise

0 Helpful

Go to solution
Flavio Miranda
VIP
VIP
In response to Leftz

‎05-04-2023 12:54 PM

Sure, if you have access to the ISE, you can probably see the authentication sessions on the live logs. 

On the WLC via CLI you are going to see a log like this one

UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: xxxx ] [Source: xxxxx  [localport: 22] at xxxxxx

Via CLI you can also the this:

show run | i aaa

aaa authentication login default group "tacacs group"  local

which means first TACACS then local

 

0 Helpful

Go to solution
vmhoang2
Level 1
Level 1
In response to Flavio Miranda

‎01-18-2024 07:06 AM

hi

In AAA authentication, I selected login local Group radius. in AAA authorization, I selected exec local group radius. I have a question, if I have authenticated the above user based on the Radius response and how to authorize the user using only NPS.

0 Helpful

Go to solution
Rich R
VIP
VIP
In response to Leftz

‎05-05-2023 06:16 AM

show tacacs

show aaa servers

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

Go to solution
Leftz
Level 4
Level 4

‎05-09-2023 08:35 AM - edited ‎05-09-2023 01:20 PM

Thanks! this looks like to work. The command can show something useful.

I tried to find a command to show radius like show tacacs, but I could not find it. Is there a command to show radius? this way we can know transferring from Radius to tacacs exactly

 

and not sure if there is a command to clear count

vWLC01#sh tacacs

Tacacs+ Server - public :
Server name: ISE-Lab
Server address: 10.1.2.2
Server port: 49
Socket opens: 5
Socket closes: 5
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 0
Total Packets Sent: 5
Total Packets Recv: 0
Server Status: Alive
Continous Authc fail count: 0
Continous Authz fail count: 0

 

 

 

 

 

0 Helpful

Go to solution
Rich R
VIP
VIP
In response to Leftz

‎05-09-2023 05:36 PM

I already gave you both commands above!

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card