
WLC 9800 Error in authentication

Hello, dear Colleagues!

I've set up TACACS on the WLC 9800, but when I connect via SSH I see this error:

WLC9800>en
Password:
% Error in authentication.

And when I log in to the GUI I see only two menus: Dashboard and Monitoring.

lizochkanovichenko_0-1707140941183.png

My config: 

WLC9800#sh run aaa
!
aaa authentication login default local
aaa authentication login TACAC-AUTH group ISE_TACACS local
aaa authentication enable default group ISE_TACACS enable
aaa authorization exec default local
aaa authorization exec TACAC-AUTHOR group ISE_TACACS local if-authenticated
aaa authorization commands 0 TACAC-AUTHOR local if-authenticated
aaa authorization commands 1 TACAC-AUTHOR local if-authenticated
aaa authorization commands 15 TACAC-AUTHOR local if-authenticated
aaa authorization config-commands
aaa accounting exec default start-stop group ISE_TACACS
aaa accounting commands 1 default start-stop group ISE_TACACS
aaa accounting commands 15 default start-stop group ISE_TACACS

aaa server radius dynamic-author
!
tacacs server TACACS-1
address ipv4 x.x.x.x
key password
tacacs server TACACS-2
address ipv4 x.x.x.x
key 7 password
!
aaa group server tacacs+ ISE_TACACS
server name TACACS-1
server name TACACS-2
!
aaa local authentication TACAC-AUTH authorization TACAC-AUTHOR
aaa new-model
aaa session-id common
!

line vty 5 15
exec-timeout 60 0
authorization commands 0 TACAC-AUTHOR
authorization commands 1 TACAC-AUTHOR
authorization commands 15 TACAC-AUTHOR
authorization exec TACAC-AUTHOR
logging synchronous
login authentication TACAC-AUTH
transport input ssh
transport output all

Can you tell me what's wrong or which settings are incorrect?
Thank you in advance.
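One way to sanity-check a pasted AAA configuration like the one above before going to the server logs is to verify that every method list bound on `line vty` actually exists and to print the method chain each step resolves to. The script below is an added example, not code from the original post or from Cisco; it parses a constructed sample modelled on the question's `show run aaa` and `line vty` output (x.x.x.x and "password" are placeholders as in the post), with one deliberately undefined list name, TACAC-AUTHOR-TYPO, included so the check has something to flag. The assumption that vty lines 0-15 are in use is the script's own, not something the post states.

```python
import re
from typing import List, Optional, Set

# Constructed sample modelled on the configuration in the question.
# TACAC-AUTHOR-TYPO is an intentionally undefined list for demonstration.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login TACAC-AUTH group ISE_TACACS local
aaa authentication enable default group ISE_TACACS enable
aaa authorization exec default local
aaa authorization exec TACAC-AUTHOR group ISE_TACACS local if-authenticated
aaa authorization commands 1 TACAC-AUTHOR local if-authenticated
aaa authorization commands 15 TACAC-AUTHOR local if-authenticated
aaa group server tacacs+ ISE_TACACS
 server name TACACS-1
tacacs server TACACS-1
 address ipv4 x.x.x.x
 key password
line vty 5 15
 exec-timeout 60 0
 authorization commands 1 TACAC-AUTHOR-TYPO
 authorization commands 15 TACAC-AUTHOR
 authorization exec TACAC-AUTHOR
 login authentication TACAC-AUTH
 transport input ssh
"""

AUTH_LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
AUTH_ENABLE_RE = re.compile(r"^aaa authentication enable default (.+)$")
AUTHOR_EXEC_RE = re.compile(r"^aaa authorization exec (\S+) (.+)$")
AUTHOR_CMD_RE = re.compile(r"^aaa authorization commands (\d+) (\S+) (.+)$")
LINE_VTY_RE = re.compile(r"^line vty (\d+) (\d+)$")
VTY_LOGIN_RE = re.compile(r"^login authentication (\S+)$")
VTY_EXEC_RE = re.compile(r"^authorization exec (\S+)$")
VTY_CMD_RE = re.compile(r"^authorization commands (\d+) (\S+)$")


def parse_aaa(config: str) -> dict:
    """Collect defined method lists (name -> method chain) and vty bindings."""
    parsed = {"login": {}, "enable": None, "exec": {}, "commands": {}, "vty": []}
    block: Optional[dict] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := AUTH_LOGIN_RE.match(line):
            parsed["login"][m[1]] = m[2]
        elif m := AUTH_ENABLE_RE.match(line):
            parsed["enable"] = m[1]
        elif m := AUTHOR_EXEC_RE.match(line):
            parsed["exec"][m[1]] = m[2]
        elif m := AUTHOR_CMD_RE.match(line):
            parsed["commands"][(int(m[1]), m[2])] = m[3]
        elif m := LINE_VTY_RE.match(line):
            block = {"first": int(m[1]), "last": int(m[2]),
                     "login": None, "exec": None, "commands": {}}
            parsed["vty"].append(block)
        elif line.startswith("line "):
            block = None  # some other line type (con, aux); stop collecting
        elif block is not None:
            # vty sub-commands; indentation is not relied on because pasted
            # configs (as in the question) often lose it
            if m := VTY_LOGIN_RE.match(line):
                block["login"] = m[1]
            elif m := VTY_EXEC_RE.match(line):
                block["exec"] = m[1]
            elif m := VTY_CMD_RE.match(line):
                block["commands"][int(m[1])] = m[2]
    return parsed


def audit(parsed: dict) -> List[str]:
    """Report undefined list references and the chain each bound list resolves to."""
    findings: List[str] = []
    if parsed["enable"]:
        findings.append(f"enable authentication -> {parsed['enable']}")
    for blk in parsed["vty"]:
        rng = f"vty {blk['first']}-{blk['last']}"
        for kind, name, table in (("login authentication", blk["login"] or "default", parsed["login"]),
                                  ("authorization exec", blk["exec"] or "default", parsed["exec"])):
            if name in table:
                findings.append(f"{rng}: {kind} '{name}' -> {table[name]}")
            else:
                findings.append(f"{rng}: {kind} '{name}' is not defined")
        for level, name in sorted(blk["commands"].items()):
            if (level, name) not in parsed["commands"]:
                findings.append(f"{rng}: authorization commands {level} '{name}' is not defined")
    return findings


def uncovered_vtys(parsed: dict, highest: int = 15) -> List[int]:
    """vty numbers 0..highest that no pasted `line vty` block covers (those keep
    the default lists). highest=15 is this script's assumption, not from the post."""
    covered: Set[int] = set()
    for blk in parsed["vty"]:
        covered.update(range(blk["first"], blk["last"] + 1))
    return [n for n in range(highest + 1) if n not in covered]


if __name__ == "__main__":
    parsed = parse_aaa(SAMPLE_CONFIG)
    for finding in audit(parsed):
        print(finding)
    print("vty lines outside any pasted block:", uncovered_vtys(parsed))
```

Paste real `show run aaa` plus `show run | section line vty` output into SAMPLE_CONFIG and read the findings: a list name that shows as "not defined" is a typo to fix on the controller, and the printed chains show which step (login, enable, exec) is actually sent to the TACACS group versus handled locally.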

3 Replies

Mark Elsen
Hall of Fame

>...% Error in authentication.
- Check TACACS (radius) server logs for the particular authentication attempt

>And when I login in GUI I see only two menus - Dashboard and Monitoring.
- Presumably the authenticated user does not have sufficient privileges allocated (returned), hence the restricted GUI view.

Review this documentation: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html

Also have a checkup of the WLC 9800 controller configuration with the CLI command show tech wireless and feed the output into Wireless Config Analyzer

M.



-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Rainer Maria Rilke (1899)

What is the admin access level?

You can do the debug and get the user access level.

WLC-9800# terminal monitor
WLC-9800# debug tacacs
TACACS access control debugging is on
WLC-9800#

Then look for "AV priv-lvl=15". 

If you are using ISE, make sure to verify the privilege level set for the admin user.

 

jaganchowdam_1-1707147240964.png

Read-Only User Restrictions

When TACACS+ or RADIUS is used for 9800 WebUI authentication, these restrictions exist:

• Users with privilege level 0 exist but have no access to the GUI
• Users with privilege levels 1-14 can only view the Monitor tab (this is equivalent to the privilege level of a read-only locally authenticated user)
• Users with privilege level 15 have full access
• Users with privilege level 15 and a command set that allows specific commands only are not supported. The user will still be able to execute configuration changes through the WebUI

Jagan Chowdam

/**Please rate helpful responses **/
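Reading `debug tacacs` output by eye for the "AV priv-lvl=" string is fine for one login, but when several attempts are interleaved it helps to pull each returned privilege level out and map it to the WebUI access level listed in the reply above. The script below is an added example, not code from the reply or from Cisco: the sample debug lines are constructed around the "AV priv-lvl=" attribute-value pair the reply says to look for, and the surrounding wording of real `debug tacacs` output varies by release, so only the `priv-lvl=` pair and the authorization request id are relied on.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, not real controller output: four authorization requests,
# three of which return a priv-lvl AV pair and one of which fails.
SAMPLE_DEBUG = """\
TPLUS: Queuing AAA Authorization request 12 for processing
TPLUS: Processed AV priv-lvl=15
TPLUS: Queuing AAA Authorization request 13 for processing
TPLUS: Processed AV priv-lvl=7
TPLUS: Queuing AAA Authorization request 14 for processing
TPLUS: Processed AV priv-lvl=0
TPLUS: Queuing AAA Authorization request 15 for processing
TPLUS: Received authorization response for 15: FAIL
"""

PRIV_LVL_RE = re.compile(r"\bpriv-lvl=(\d+)\b")
REQUEST_RE = re.compile(r"Authorization request (\d+)\b")


def webui_access(priv_lvl: int) -> str:
    """Map a returned privilege level to the WebUI access described in the reply."""
    if priv_lvl == 0:
        return "no WebUI access"
    if 1 <= priv_lvl <= 14:
        return "Monitor tab only (read-only)"
    if priv_lvl == 15:
        return "full access"
    raise ValueError(f"privilege level out of range: {priv_lvl}")


def summarize_priv_levels(debug_output: str) -> List[Dict[str, object]]:
    """Attach each priv-lvl AV pair to the most recent authorization request id
    and classify it.  Requests that never yield a priv-lvl are listed with
    priv_lvl=None so a failed or attribute-less response is visible too."""
    results: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in debug_output.splitlines():
        if m := REQUEST_RE.search(line):
            current = {"request": int(m[1]), "priv_lvl": None, "access": None}
            results.append(current)
        elif (m := PRIV_LVL_RE.search(line)) and current is not None:
            lvl = int(m[1])
            current["priv_lvl"] = lvl
            current["access"] = webui_access(lvl)
    return results


if __name__ == "__main__":
    for entry in summarize_priv_levels(SAMPLE_DEBUG):
        print(f"request {entry['request']}: priv-lvl={entry['priv_lvl']} -> {entry['access']}")
```

A user who only sees Dashboard and Monitoring in the GUI will show up here with a level between 1 and 14 or with no priv-lvl at all; in either case the fix is on the TACACS server side (the shell profile or group the user maps to), not in the controller's AAA lines.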

hello! 

Tacacs did not work because of the wrong group:

lizochkanovichenko_0-1723010269690.png

I fixed it and TACACS worked.

Thank you for your time and help!

 
