ā01-24-2012 07:18 AM - edited ā07-03-2021 09:26 PM
Hello,
I was wondering if anyone has successfully managed to configure ACS 5.1 to accept login request from a 5500 WLC?
I've managed to get it configured following the follow link https://supportforums.cisco.com/docs/DOC-14908
but when I try to login to the WLC using my ACS credentials I just get the login screen again. I've checked the ACS logs and it says my username has passed the authentication process and it matches all the rules I've set. The only thing I've noticed is my "Privilege Level" is only 1 but I'm not sure if thats correct for a http login.
Any help would be appreciated.
Solved! Go to Solution.
ā01-24-2012 08:55 AM
ok, so it looks like there is a space or a carriage return after the ALL
*tplusTransportThread: Jan 24 11:38:45.980: arg[0] = [28][role1=ALL ]
Can you rebuild that attribute and click apply, you might just be able to put the cursor behind teh ALL and hit delete.
Steve
ā01-24-2012 07:24 AM
when you defined the role is should be ALL And make sure you do not hit enter behind it.
Steve
ā01-24-2012 07:28 AM
I did that already, here is the print screen.
ā01-24-2012 07:42 AM
Edit that attribute and see where the cursor will go to. it should be right behind the ALL.
Steve
ā01-24-2012 07:44 AM
I checked and its right next to ALL.
ā01-24-2012 07:47 AM
and on the WLC you defined all three servers?
Steve
ā01-24-2012 07:50 AM
Yes, and I double checked the shared secret. Here is a screen shot of the AAA authentication log.
ā01-24-2012 07:59 AM
What "command set" should I have configured for this rule?
ā01-24-2012 08:23 AM
on the WLC, can you login to the CLI with the local credentials and run
debug aaa tacacs enable
then try to hit the GUI with TACACS credentials
this will show what is coming back from the TACACS server
Steve
ā01-24-2012 08:32 AM
As requested,
(Cisco Controller) >config *tplusTransportThread: Jan 24 11:29:41.519: Forwardi ng request to 10.10.11.12 port=49
*tplusTransportThread: Jan 24 11:29:41.520: tplus auth response: type=1 seq_no=2 session_id=f432fef2 length=16 encrypted=0
*tplusTransportThread: Jan 24 11:29:41.520: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Jan 24 11:29:41.520: auth_cont get_pass reply: pkt_length =26
*tplusTransportThread: Jan 24 11:29:41.520: processTplusAuthResponse: Continue a uth transaction
*tplusTransportThread: Jan 24 11:29:41.526: tplus auth response: type=1 seq_no=4 session_id=f432fef2 length=6 encrypted=0
*tplusTransportThread: Jan 24 11:29:41.526: tplus_make_author_request() from tpl us_authen_passed returns rc=0
*tplusTransportThread: Jan 24 11:29:41.526: Forwarding request to 10.10.11.12 po rt=49
*tplusTransportThread: Jan 24 11:29:41.531: author response body: status=1 arg_c nt=1 msg_len=0 data_len=0
*tplusTransportThread: Jan 24 11:29:41.531: arg[0] = [28][role1=ALL
ā01-24-2012 08:35 AM
can you post the rest of the config? and might be best if you did two login attempts. that way I can see more of the data
Steve
ā01-24-2012 08:43 AM
Ok,
I did notice something strange. If I set the priority order of the login on the WLC to TACACS+ then Local, I can't login using any creditals (local or otherwise) unless I disable the switch port that the ACS is on.
Here is another debug log.
Did you want the running-config?
(Cisco Controller) >*emWeb: Jan 24 11:38:36.782:
Log to TACACS server(if online): aaa auth mgmt tacacs local
*aaaQueueReader: Jan 24 11:38:36.783: cmd_buff=[aaa auth mgmt tacacs local] cmd_buff_len=[27]
*aaaQueueReader: Jan 24 11:38:36.783: tplus_make_acct_request: pkt->length=116 acct_len=116 arg_total_len=83
*tplusTransportThread: Jan 24 11:38:36.835: Forwarding request to 10.10.11.12 port=49
*tplusTransportThread: Jan 24 11:38:36.841: ACCT response length = 5, buffer len = 17
*tplusTransportThread: Jan 24 11:38:36.841: ACCT response body: status=1 msg_len=0 data_len=0
*tplusTransportThread: Jan 24 11:38:36.841: ACCT Socket closed underneath
*tplusTransportThread: Jan 24 11:38:45.967: Forwarding request to 10.10.11.12 port=49
*tplusTransportThread: Jan 24 11:38:45.968: tplus auth response: type=1 seq_no=2 session_id=d443ded8 length=16 encrypted=0
*tplusTransportThread: Jan 24 11:38:45.968: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Jan 24 11:38:45.968: auth_cont get_pass reply: pkt_length=26
*tplusTransportThread: Jan 24 11:38:45.968: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Jan 24 11:38:45.974: tplus auth response: type=1 seq_no=4 session_id=d443ded8 length=6 encrypted=0
*tplusTransportThread: Jan 24 11:38:45.974: tplus_make_author_request() from tplus_authen_passed returns rc=0
*tplusTransportThread: Jan 24 11:38:45.974: Forwarding request to 10.10.11.12 port=49
*tplusTransportThread: Jan 24 11:38:45.980: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
*tplusTransportThread: Jan 24 11:38:45.980: arg[0] = [28][role1=ALL ]
*tplusTransportThread: Jan 24 11:38:45.980:
User has the following mgmtRole 0
*tplusTransportThread: Jan 24 11:39:09.451: Forwarding request to 10.10.11.12 port=49
*tplusTransportThread: Jan 24 11:39:09.452: tplus auth response: type=1 seq_no=2 session_id=23510ed4 length=16 encrypted=0
*tplusTransportThread: Jan 24 11:39:09.452: TPLUS_AUTHEN_STATUS_GETPASS
*tplusTransportThread: Jan 24 11:39:09.452: auth_cont get_pass reply: pkt_length=28
*tplusTransportThread: Jan 24 11:39:09.452: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Jan 24 11:39:09.457: tplus auth response: type=1 seq_no=4 session_id=23510ed4 length=6 encrypted=0
ā01-24-2012 08:55 AM
ok, so it looks like there is a space or a carriage return after the ALL
*tplusTransportThread: Jan 24 11:38:45.980: arg[0] = [28][role1=ALL ]
Can you rebuild that attribute and click apply, you might just be able to put the cursor behind teh ALL and hit delete.
Steve
ā01-24-2012 09:06 AM
Stephen,
That did it! I can now login with ACS to the WLC... Thanks for the help.
ā01-24-2012 09:07 AM
no worries, glad I could help!
Steve
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide