Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2746
Views
5
Helpful
22
Replies

WLC login using ACS 5.1

Go to solution
jmarshman
Level 1
Level 1

‎01-24-2012 07:18 AM - edited ‎07-03-2021 09:26 PM

Hello,

I was wondering if anyone has successfully managed to configure ACS 5.1 to accept login request from a 5500 WLC?

I've managed to get it configured following the follow link https://supportforums.cisco.com/docs/DOC-14908
but when I try to login to the WLC using my ACS credentials I just get the login screen again.  I've checked the ACS logs and it says my username has passed the authentication process and it matches all the rules I've set.  The only thing I've noticed is my "Privilege Level" is only 1 but I'm not sure if thats correct for a http login. 

Any help would be appreciated.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Stephen Rodriguez
Cisco Employee
Cisco Employee
In response to jmarshman

‎01-24-2012 08:55 AM

ok, so it looks like there is a space or a carriage return after the ALL

*tplusTransportThread: Jan 24 11:38:45.980: arg[0] = [28][role1=ALL                   ]

Can you rebuild that attribute and click apply, you might just be able to put the cursor behind teh ALL and hit delete.

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

View solution in original post

22 Replies 22

Go to solution
Stephen Rodriguez
Cisco Employee
Cisco Employee

‎01-24-2012 07:24 AM

when you defined the role is should be ALL  And make sure you do not hit enter behind it.

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful

Go to solution
jmarshman
Level 1
Level 1
In response to Stephen Rodriguez

‎01-24-2012 07:28 AM

I did that already, here is the print screen.

0 Helpful

Go to solution
Stephen Rodriguez
Cisco Employee
Cisco Employee
In response to jmarshman

‎01-24-2012 07:42 AM

Edit that attribute and see where the cursor will go to.  it should be right behind the ALL.

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful

Go to solution
jmarshman
Level 1
Level 1
In response to Stephen Rodriguez

‎01-24-2012 07:44 AM

I checked and its right next to ALL.

0 Helpful

Go to solution
Stephen Rodriguez
Cisco Employee
Cisco Employee
In response to jmarshman

‎01-24-2012 07:47 AM

and on the WLC you defined all three servers?

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful

Go to solution
jmarshman
Level 1
Level 1
In response to Stephen Rodriguez

‎01-24-2012 07:50 AM

Yes, and I double checked the shared secret.  Here is a screen shot of the AAA authentication log.

0 Helpful

Go to solution
jmarshman
Level 1
Level 1
In response to jmarshman

‎01-24-2012 07:59 AM

What "command set" should I have configured for this rule?

0 Helpful

Go to solution
Stephen Rodriguez
Cisco Employee
Cisco Employee
In response to jmarshman

‎01-24-2012 08:23 AM

on the WLC, can you login to the CLI with the local credentials and run

debug aaa tacacs enable

then try to hit the GUI with TACACS credentials

this will show what is coming back from the TACACS server

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful

Go to solution
jmarshman
Level 1
Level 1
In response to Stephen Rodriguez

‎01-24-2012 08:32 AM


As requested,

(Cisco Controller) >config  *tplusTransportThread: Jan 24 11:29:41.519: Forwardi                       ng request to 10.10.11.12 port=49

*tplusTransportThread: Jan 24 11:29:41.520: tplus auth response: type=1 seq_no=2                        session_id=f432fef2 length=16 encrypted=0

*tplusTransportThread: Jan 24 11:29:41.520: TPLUS_AUTHEN_STATUS_GETPASS

*tplusTransportThread: Jan 24 11:29:41.520: auth_cont get_pass reply: pkt_length                       =26

*tplusTransportThread: Jan 24 11:29:41.520: processTplusAuthResponse: Continue a                       uth transaction

*tplusTransportThread: Jan 24 11:29:41.526: tplus auth response: type=1 seq_no=4                        session_id=f432fef2 length=6 encrypted=0

*tplusTransportThread: Jan 24 11:29:41.526: tplus_make_author_request() from tpl                       us_authen_passed returns rc=0

*tplusTransportThread: Jan 24 11:29:41.526: Forwarding request to 10.10.11.12 po                       rt=49

*tplusTransportThread: Jan 24 11:29:41.531: author response body: status=1 arg_c                       nt=1 msg_len=0 data_len=0

*tplusTransportThread: Jan 24 11:29:41.531: arg[0] = [28][role1=ALL

0 Helpful

Go to solution
Stephen Rodriguez
Cisco Employee
Cisco Employee
In response to jmarshman

‎01-24-2012 08:35 AM

can you post the rest of the config?  and might be best if you did two login attempts.  that way I can see more of the data

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful

Go to solution
jmarshman
Level 1
Level 1
In response to Stephen Rodriguez

‎01-24-2012 08:43 AM

Ok,

I did notice something strange.  If I set the priority order of the login on the WLC to TACACS+ then Local, I can't login using any creditals (local or otherwise) unless I disable the switch port that the ACS is on.

Here is another debug log.

Did you want the running-config?

(Cisco Controller) >*emWeb: Jan 24 11:38:36.782:

                                                 Log to TACACS server(if online): aaa auth mgmt  tacacs local

*aaaQueueReader: Jan 24 11:38:36.783: cmd_buff=[aaa auth mgmt  tacacs local] cmd_buff_len=[27]

*aaaQueueReader: Jan 24 11:38:36.783: tplus_make_acct_request: pkt->length=116 acct_len=116 arg_total_len=83

*tplusTransportThread: Jan 24 11:38:36.835: Forwarding request to 10.10.11.12 port=49

*tplusTransportThread: Jan 24 11:38:36.841: ACCT response length = 5, buffer len = 17

*tplusTransportThread: Jan 24 11:38:36.841: ACCT response body: status=1 msg_len=0 data_len=0

*tplusTransportThread: Jan 24 11:38:36.841: ACCT Socket closed underneath

*tplusTransportThread: Jan 24 11:38:45.967: Forwarding request to 10.10.11.12 port=49

*tplusTransportThread: Jan 24 11:38:45.968: tplus auth response: type=1 seq_no=2 session_id=d443ded8 length=16 encrypted=0

*tplusTransportThread: Jan 24 11:38:45.968: TPLUS_AUTHEN_STATUS_GETPASS

*tplusTransportThread: Jan 24 11:38:45.968: auth_cont get_pass reply: pkt_length=26

*tplusTransportThread: Jan 24 11:38:45.968: processTplusAuthResponse: Continue auth transaction

*tplusTransportThread: Jan 24 11:38:45.974: tplus auth response: type=1 seq_no=4 session_id=d443ded8 length=6 encrypted=0

*tplusTransportThread: Jan 24 11:38:45.974: tplus_make_author_request() from tplus_authen_passed returns rc=0

*tplusTransportThread: Jan 24 11:38:45.974: Forwarding request to 10.10.11.12 port=49

*tplusTransportThread: Jan 24 11:38:45.980: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0

*tplusTransportThread: Jan 24 11:38:45.980: arg[0] = [28][role1=ALL                   ]

*tplusTransportThread: Jan 24 11:38:45.980:

                                            User has the following mgmtRole 0

*tplusTransportThread: Jan 24 11:39:09.451: Forwarding request to 10.10.11.12 port=49

*tplusTransportThread: Jan 24 11:39:09.452: tplus auth response: type=1 seq_no=2 session_id=23510ed4 length=16 encrypted=0

*tplusTransportThread: Jan 24 11:39:09.452: TPLUS_AUTHEN_STATUS_GETPASS

*tplusTransportThread: Jan 24 11:39:09.452: auth_cont get_pass reply: pkt_length=28

*tplusTransportThread: Jan 24 11:39:09.452: processTplusAuthResponse: Continue auth transaction

*tplusTransportThread: Jan 24 11:39:09.457: tplus auth response: type=1 seq_no=4 session_id=23510ed4 length=6 encrypted=0

0 Helpful

Go to solution
Stephen Rodriguez
Cisco Employee
Cisco Employee
In response to jmarshman

‎01-24-2012 08:55 AM

ok, so it looks like there is a space or a carriage return after the ALL

*tplusTransportThread: Jan 24 11:38:45.980: arg[0] = [28][role1=ALL                   ]

Can you rebuild that attribute and click apply, you might just be able to put the cursor behind teh ALL and hit delete.

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Go to solution
jmarshman
Level 1
Level 1
In response to Stephen Rodriguez

‎01-24-2012 09:06 AM

Stephen,

That did it!  I can now login with ACS to the WLC... Thanks for the help.

0 Helpful

Go to solution
Stephen Rodriguez
Cisco Employee
Cisco Employee
In response to jmarshman

‎01-24-2012 09:07 AM

no worries, glad I could help!

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card