12-18-2014 11:13 AM - edited 07-05-2021 02:09 AM
Scenario:
Standing up a new WLC. Local auth works for getting into the box. TACACS does not.
TACACS config on the WLC appears to be correct, matching other known-good systems.
The owner of the ACS box states, "ACS reports show pass auth, but it routes your session back to prompt" after trying to log in via SSH.
Anyone have an idea?
Thanks in advance!
12-18-2014 12:06 PM
What does "show tacacs summary" look like on your WLC?
Rasika
12-18-2014 12:25 PM
Authentication Servers
Idx  Server Address    Port  State     Tout  MgmtTout
---  ----------------  ----  --------  ----  --------
1    10.155.20.36      49    Enabled   10    2
2    10.11.119.19      49    Enabled   10    2
Authorization Servers
Idx  Server Address    Port  State     Tout  MgmtTout
---  ----------------  ----  --------  ----  --------
1    10.155.20.36      49    Enabled   10    2
2    10.11.119.19      49    Enabled   10    2
Accounting Servers
Idx  Server Address    Port  State     Tout  MgmtTout
---  ----------------  ----  --------  ----  --------
1    10.155.20.36      49    Enabled   10    10
2    10.11.119.19      49    Enabled   10    10
12-18-2014 12:38 PM
Can you do a "debug aaa tacacs enable" while someone is trying to authenticate and capture the output?
--
Steve
12-18-2014 02:17 PM
(jkn001-011-wc04) >debug aaa tacacs enable
(jkn001-011-wc04) >
*tplusTransportThread: Dec 18 22:16:15.646: Forwarding request to 10.155.20.36 port=49
*tplusTransportThread: Dec 18 22:16:15.659: tplus auth response: type=1 seq_no=2 session_id=8c5f3dd9 length=16 encrypted=0
*tplusTransportThread: Dec 18 22:16:15.659: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Dec 18 22:16:15.659: auth_cont get_pass reply: pkt_length=29
*tplusTransportThread: Dec 18 22:16:15.659: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Dec 18 22:16:15.985: tplus auth response: type=1 seq_no=4 session_id=8c5f3dd9 length=6 encrypted=0
*tplusTransportThread: Dec 18 22:16:15.986: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Dec 18 22:16:16.286: Forwarding request to 10.155.20.36 port=49
*tplusTransportThread: Dec 18 22:16:16.300: ATHR Socket closed underneath
*tplusTransportThread: Dec 18 22:16:18.906: No auth response from: 10.155.20.36, retrying with next server
*tplusTransportThread: Dec 18 22:16:18.906: Preparing message for retransmit. Decrypting first
*tplusTransportThread: Dec 18 22:16:18.906: Forwarding request to 10.11.119.19 port=49
*tplusTransportThread: Dec 18 22:16:18.925: ATHR Socket closed underneath
*tplusTransportThread: Dec 18 22:16:21.530: No auth response from: 10.11.119.19, retrying with next server
*tplusTransportThread: Dec 18 22:16:21.530: Preparing message for retransmit. Decrypting first
*tplusTransportThread: Dec 18 22:16:21.530: Forwarding request to 10.155.20.36 port=49
*tplusTransportThread: Dec 18 22:16:21.544: ATHR Socket closed underneath
*tplusTransportThread: Dec 18 22:16:24.150: Exhausted all available servers for Auth/Author packet
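The debug above is worth reading phase by phase rather than as a single "no response". The script below is an added example (not from this thread and not Cisco code) that parses the posted lines: it splits the exchange at `tplus_authen_passed` into the authentication and authorization phases, records which server each request went to, whether a `tplus auth response` came back, whether the WLC logged the socket as closed, and how long it waited before moving to the next server. The line patterns, the `Attempt`/`Trace` names and the diagnosis wording are mine; `BLOCKED_DEBUG` is a constructed sample, not from the thread, showing what a genuinely unreachable TCP/49 looks like to the same parser.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines from the debug posted above (WLC "debug aaa tacacs enable"), verbatim;
# lines the parser does not use (GETPASS, get_pass reply, retransmit notices) omitted.
SAMPLE_DEBUG = """\
*tplusTransportThread: Dec 18 22:16:15.646: Forwarding request to 10.155.20.36 port=49
*tplusTransportThread: Dec 18 22:16:15.659: tplus auth response: type=1 seq_no=2 session_id=8c5f3dd9 length=16 encrypted=0
*tplusTransportThread: Dec 18 22:16:15.985: tplus auth response: type=1 seq_no=4 session_id=8c5f3dd9 length=6 encrypted=0
*tplusTransportThread: Dec 18 22:16:15.986: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Dec 18 22:16:16.286: Forwarding request to 10.155.20.36 port=49
*tplusTransportThread: Dec 18 22:16:16.300: ATHR Socket closed underneath
*tplusTransportThread: Dec 18 22:16:18.906: No auth response from: 10.155.20.36, retrying with next server
*tplusTransportThread: Dec 18 22:16:18.906: Forwarding request to 10.11.119.19 port=49
*tplusTransportThread: Dec 18 22:16:18.925: ATHR Socket closed underneath
*tplusTransportThread: Dec 18 22:16:21.530: No auth response from: 10.11.119.19, retrying with next server
*tplusTransportThread: Dec 18 22:16:21.530: Forwarding request to 10.155.20.36 port=49
*tplusTransportThread: Dec 18 22:16:21.544: ATHR Socket closed underneath
*tplusTransportThread: Dec 18 22:16:24.150: Exhausted all available servers for Auth/Author packet
"""

# Constructed sample (not from the thread): a blocked TCP/49 path gives no reply
# of any kind to the very first authentication request.
BLOCKED_DEBUG = """\
*tplusTransportThread: Jan 01 00:00:00.000: Forwarding request to 192.0.2.10 port=49
*tplusTransportThread: Jan 01 00:00:10.000: No auth response from: 192.0.2.10, retrying with next server
*tplusTransportThread: Jan 01 00:00:10.000: Exhausted all available servers for Auth/Author packet
"""

LINE_RE = re.compile(r"^\*\w+: (?P<ts>\w{3} \d+ \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
FWD_RE = re.compile(r"Forwarding request to (?P<server>[\d.]+) port=(?P<port>\d+)")
NORESP_RE = re.compile(r"No auth response from: (?P<server>[\d.]+)")
RESP_RE = re.compile(r"tplus auth response: type=\d+ seq_no=\d+")


def _seconds(ts: str) -> float:
    """'Dec 18 22:16:15.646' -> seconds since midnight (all lines assumed same day)."""
    h, m, s = ts.split()[2].split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class Attempt:
    phase: str            # "authen" until tplus_authen_passed is seen, then "author"
    server: str
    port: int
    sent_at: float
    replied: bool = False        # a "tplus auth response" line came back for it
    socket_closed: bool = False  # WLC logged "Socket closed underneath"
    gave_up_at: Optional[float] = None

    @property
    def waited(self) -> Optional[float]:
        return None if self.gave_up_at is None else round(self.gave_up_at - self.sent_at, 3)


@dataclass
class Trace:
    attempts: List[Attempt] = field(default_factory=list)
    authen_passed: bool = False
    exhausted: bool = False

    def diagnosis(self) -> str:
        authen = [a for a in self.attempts if a.phase == "authen"]
        author = [a for a in self.attempts if a.phase == "author"]
        if not authen:
            return "no request sent"
        if not any(a.replied for a in authen):
            return "authentication unanswered: server not reached on TCP/49"
        if not self.authen_passed:
            return "authentication answered but not passed"
        if author and all(a.socket_closed and a.gave_up_at is not None for a in author):
            return "authentication passed; authorization unanswered on every server (socket closed)"
        return "authentication passed; authorization state unclear"


def parse_tplus_debug(text: str) -> Trace:
    """Walk the debug in order, attributing each event to the request currently in flight."""
    trace, phase, current = Trace(), "authen", None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # prompt echoes and unrelated lines
        t, msg = _seconds(m["ts"]), m["msg"]
        if fwd := FWD_RE.search(msg):
            current = Attempt(phase, fwd["server"], int(fwd["port"]), t)
            trace.attempts.append(current)
        elif RESP_RE.search(msg) and current:
            current.replied = True
        elif "tplus_authen_passed" in msg:
            trace.authen_passed, phase = True, "author"
        elif "Socket closed underneath" in msg and current:
            current.socket_closed = True
        elif NORESP_RE.search(msg) and current:
            current.gave_up_at = t
        elif "Exhausted all available servers" in msg:
            trace.exhausted = True
            if current and current.gave_up_at is None:
                current.gave_up_at = t
    return trace


if __name__ == "__main__":
    tr = parse_tplus_debug(SAMPLE_DEBUG)
    for a in tr.attempts:
        print(f"{a.phase:6} {a.server:14} replied={a.replied} closed={a.socket_closed} waited={a.waited}")
    print(tr.diagnosis())
```

Run against the posted lines, the parser reports that 10.155.20.36 answered the authentication exchange (seq_no=2, then seq_no=4, then `tplus_authen_passed`), so TCP/49 to that server was open at that moment; the request that gets nothing back is the authorization request sent immediately afterwards, on both servers and on the retry, and the WLC gives up on each after about 2.6 s, which is closer to the 2 s MgmtTout than the 10 s Tout in the summary table. The constructed `BLOCKED_DEBUG` shows the other shape, with no reply at all to the first authentication request, which is what a filtered port looks like.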
12-18-2014 04:17 PM
As you can clearly see, the WLC is trying all configured servers, but no response is coming from the TACACS server.
Check that TCP/UDP port 49 is open between the WLC and this server.
HTH
Rasika
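TACACS+ runs over TCP port 49, so the reachability check suggested above can be scripted rather than eyeballed. The block below is an added example, not from this thread or from Cisco: it parses the `show tacacs summary` text posted earlier into the per-role server list, probes each distinct address and port once with a plain TCP connect, and separates the three outcomes a practitioner needs to tell apart: `open` (handshake completed), `refused` (the host answered with a reset, so the path is fine but nothing listens on 49) and `timeout` (nothing came back, the signature of a firewall or route silently dropping the SYN). The function names are mine; `loopback_demo()` is constructed so the block runs offline against a local listener, while `probe_all()` is what you would run from a host on the WLC's management subnet, bearing in mind that it shows the path from wherever it runs, not from the WLC itself.

```python
import re
import socket
from typing import Dict, List, Tuple

# "show tacacs summary" output from the post above, copied verbatim.
SHOW_TACACS_SUMMARY = """\
Authentication Servers
Idx Server Address Port State Tout MgmtTout
--- ---------------- ------ -------- ---- --------
1 10.155.20.36 49 Enabled 10 2
2 10.11.119.19 49 Enabled 10 2
Authorization Servers
Idx Server Address Port State Tout MgmtTout
--- ---------------- ------ -------- ---- --------
1 10.155.20.36 49 Enabled 10 2
2 10.11.119.19 49 Enabled 10 2
Accounting Servers
Idx Server Address Port State Tout MgmtTout
--- ---------------- ------ -------- ---- --------
1 10.155.20.36 49 Enabled 10 10
2 10.11.119.19 49 Enabled 10 10
"""

ROW_RE = re.compile(r"^(\d+)\s+([\d.]+)\s+(\d+)\s+(\w+)\s+(\d+)\s+(\d+)$")


def parse_tacacs_summary(text: str) -> Dict[str, List[dict]]:
    """Return {"authentication": [row, ...], "authorization": [...], "accounting": [...]}."""
    sections: Dict[str, List[dict]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(" Servers"):
            current = line[: -len(" Servers")].lower()
            sections[current] = []
        elif current and (m := ROW_RE.match(line)):
            idx, addr, port, state, tout, mgmt = m.groups()
            sections[current].append({"idx": int(idx), "address": addr, "port": int(port),
                                      "state": state, "tout": int(tout), "mgmt_tout": int(mgmt)})
    return sections


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """One TCP connect, classified: 'open' (handshake completed), 'refused' (RST came back:
    host reachable, nothing listening), 'timeout' (nothing came back: a drop on the path),
    or 'error:<errno>' for anything else, such as no route to host."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:
        return f"error:{e.errno}"
    finally:
        s.close()


def probe_all(summary: Dict[str, List[dict]], timeout: float = 3.0) -> Dict[Tuple[str, int], str]:
    """Probe every enabled (address, port) once, however many roles list it."""
    targets = {(r["address"], r["port"]) for rows in summary.values()
               for r in rows if r["state"] == "Enabled"}
    return {t: tcp_probe(t[0], t[1], timeout) for t in sorted(targets)}


def loopback_demo() -> Tuple[str, str]:
    """Constructed offline check: a listener on 127.0.0.1 answers 'open'; once it is
    closed the same port answers 'refused'. Only a dropped SYN produces 'timeout'."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = tcp_probe("127.0.0.1", port, timeout=2.0)
    srv.close()
    after_close = tcp_probe("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


if __name__ == "__main__":
    print(loopback_demo())
    for (addr, port), result in probe_all(parse_tacacs_summary(SHOW_TACACS_SUMMARY)).items():
        print(f"{addr}:{port} {result}")
```

A successful connect proves only the TCP path. It says nothing about the shared secret, about how the WLC is defined as a device in ACS, or about the shell profile ACS returns for authorization, and the accounting rows show a different MgmtTout (10) from the authentication and authorization rows (2), which matters when you tune timeouts per role.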
12-18-2014 07:18 PM
Rasika, we both agree, as usual. There is no response from the servers. Either the port is blocked or the servers are not configured. I have usually come to this conclusion before I post, just to see if everyone agrees with me. Since our CWNE community is very small, I go here for confirmation.
Congrats, by the way.
12-18-2014 07:33 PM
Hi
Thanks for the congrats (I hope it is for the CWNP stuff).
Regarding your issue, try increasing the timeout value and see if that helps. The post below mentions something similar:
https://supportforums.cisco.com/discussion/11480676/issues-wlc-7x-and-cisco-acs-51-web-auth
If you can take a packet capture where your TACACS server is connected while you are doing a test, that will show us what's going on at that end.
I believe you have full reachability between the WLC management interface and all these servers.
HTH
Rasika
*** Pls rate all useful responses ****
12-19-2014 10:46 AM
Yep... I follow all your posts. Thanks for putting that out there.
In the GUI I could change the timeout to ten seconds. That had no effect. I even turned the servers off and used the CLI, then turned them back on. Still no effect.
02-17-2016 09:56 AM
Sir,
Was this ever resolved? I'm having the same TACACS+ issue and haven't been able to resolve it.
Thanks,
Jeff