Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
554
Views
4
Helpful
3
Replies

WLC9800 not showing configuration and administration via webgui

Go to solution
hfaisca
Level 1
Level 1

‎04-04-2023 04:25 AM

Hello,

I'm having an issue after login via TACACs on webgui, it is not showing "Configuration" and "Adminstration" tabs. 

aaa group server tacacs+ TAC_GROUP
server name TACACS_SVR_1
server name TACACS_SVR_2

aaa authentication login default local
aaa authentication login VTY local group TAC_GROUP
aaa authentication login AUTH_LIST_GUEST group RADIUS_GROUP
aaa authentication login HTTP local group TAC_GROUP
aaa authentication dot1x AUTH_LIST_DOT1X group RADIUS_GROUP_CORP
aaa authorization exec default local if-authenticated
aaa authorization exec VTY local group TAC_GROUP if-authenticated
aaa authorization exec HTTP local group TAC_GROUP if-authenticated
aaa authorization network AUTH_LIST_GUEST group RADIUS_GROUP
aaa accounting identity AUTH_LIST_GUEST start-stop group RADIUS_GROUP
aaa accounting exec default start-stop group TAC_GROUP

ip http server 
ip http authentication aaa login-authentication HTTP
ip http authentication aaa exec-authorization HTTP
ip http authentication aaa command-authorization 15 TAC_GROUP
ip http secure-server

 

 

 

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
marce1000
VIP
VIP

‎04-04-2023 05:27 AM - edited ‎04-04-2023 05:56 AM

 

 - Usually that happens when full admin privileges' are not returned with the RADIUS based authentication, you will have to configure radius to return or include this attribute :                         Cisco-AV-Pair:   shell:priv-lvl=15

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

View solution in original post

3 Replies 3

Go to solution
marce1000
VIP
VIP

‎04-04-2023 05:27 AM - edited ‎04-04-2023 05:56 AM

 

 - Usually that happens when full admin privileges' are not returned with the RADIUS based authentication, you will have to configure radius to return or include this attribute :                         Cisco-AV-Pair:   shell:priv-lvl=15

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Go to solution
Prince.O
Spotlight
Spotlight

‎04-04-2023 07:12 AM

Exactly as @marce1000 mentioned, TACACS needs to return privilege 15. If you had a previous AireOS controller, this will be different than the 9800 as far as attributes that are understood. Refer to the guide below that shows an example configuration of the TACACS configuration that needs to be applied for the 9800 to understand: 

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html

Go to solution
Rich R
VIP
VIP

‎04-04-2023 07:14 AM

As Marce said and also you might be trying to do more authorization than is supported on GUI.
See https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html#toc-hId-2036691447

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card