Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
247
Views
4
Helpful
3
Replies

WLC9800 not showing configuration and administration via webgui

Go to solution
hfaisca
Beginner
Beginner

‎04-04-2023 04:25 AM

Hello,

I'm having an issue after login via TACACs on webgui, it is not showing "Configuration" and "Adminstration" tabs. 

aaa group server tacacs+ TAC_GROUP
server name TACACS_SVR_1
server name TACACS_SVR_2

aaa authentication login default local
aaa authentication login VTY local group TAC_GROUP
aaa authentication login AUTH_LIST_GUEST group RADIUS_GROUP
aaa authentication login HTTP local group TAC_GROUP
aaa authentication dot1x AUTH_LIST_DOT1X group RADIUS_GROUP_CORP
aaa authorization exec default local if-authenticated
aaa authorization exec VTY local group TAC_GROUP if-authenticated
aaa authorization exec HTTP local group TAC_GROUP if-authenticated
aaa authorization network AUTH_LIST_GUEST group RADIUS_GROUP
aaa accounting identity AUTH_LIST_GUEST start-stop group RADIUS_GROUP
aaa accounting exec default start-stop group TAC_GROUP

ip http server 
ip http authentication aaa login-authentication HTTP
ip http authentication aaa exec-authorization HTTP
ip http authentication aaa command-authorization 15 TAC_GROUP
ip http secure-server

 

 

 

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
marce1000
VIP Mentor VIP Mentor
VIP Mentor

‎04-04-2023 05:27 AM - edited ‎04-04-2023 05:56 AM

 

 - Usually that happens when full admin privileges' are not returned with the RADIUS based authentication, you will have to configure radius to return or include this attribute :                         Cisco-AV-Pair:   shell:priv-lvl=15

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

View solution in original post

3 Replies 3

Go to solution
marce1000
VIP Mentor VIP Mentor
VIP Mentor

‎04-04-2023 05:27 AM - edited ‎04-04-2023 05:56 AM

 

 - Usually that happens when full admin privileges' are not returned with the RADIUS based authentication, you will have to configure radius to return or include this attribute :                         Cisco-AV-Pair:   shell:priv-lvl=15

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Go to solution
Prince.O
Beginner
Beginner

‎04-04-2023 07:12 AM

Exactly as @marce1000 mentioned, TACACS needs to return privilege 15. If you had a previous AireOS controller, this will be different than the 9800 as far as attributes that are understood. Refer to the guide below that shows an example configuration of the TACACS configuration that needs to be applied for the 9800 to understand: 

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html

Go to solution
Rich R
VIP Advisor VIP Advisor
VIP Advisor

‎04-04-2023 07:14 AM

As Marce said and also you might be trying to do more authorization than is supported on GUI.
See https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html#toc-hId-2036691447

------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's   and   Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
Field Notice: FN-63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN-72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN-72524 - During Software Upgrade/Downgrade IOS APs Might Remain in Downloading State
     after 4 Dec 2022 Due to Certificate Expiration - Fixed in 8.10.185.3 and latest 9800 IOS-XE releases
     also fixed in 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM) if you can't upgrade to 8.10
     TAC confirmed that Mobility Express AP TFTP download is not affected so ME 8.5.182.0 still works but see FN-74035 below
Field Notice: FN-70479 Out-Of-The-Box AP Fails to Join WLC or Joins with Single Radio due to Country Mismatch - RMA required
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN-74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
     fixed in 8.10.185.3 and see the field notice for 8.5, Mobility Express and other fixed releases
Check your WLC config with Wireless Config Analyzer using "show tech wireless" output (9800) or "config paging disable" then "show run-config" output (AireOS) and use Wireless Debug Analyzer to analyze your WLC client debugs
Leo Laohoo's list of bugs affecting 2800/3800/4800/1560 APs
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents