tac_plus and Cisco Wireless Controller


Daniel Moraes

Oct 19, 2018, 3:05:49 PM10/19/18
to Event-Driven Servers
Hi folks,

We are configuring a WLC to authenticate against tac_plus. If I set 'set role1 = ALL' everything works fine.

        group = USERS {
                message = "[Admin privileges]"
                default service = permit
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 15
                }
                service = ciscowlc {
                        #role1 = ALL
                        ### Allowed Roles: ALL, MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT and COMMAND
                        protocol = common {
                                set role1 = ALL
                        }
                }
        }


But when I want to restrict the access using the configuration below:

        group = guest {
                default service = permit
                enable = deny
                service = shell {
                        default command = permit
                        default attribute = permit
                        set priv-lvl = 1
                }
                service = ciscowlc {
                        protocol = common {
                                set role1=MONITOR
                        }
                }
        }

        user = readonly {
                password = clear readonly
                member = guest
        }


That is, setting role1 to 'MONITOR' behaves the same as setting it to 'ALL', and I can see all menus in the Cisco Wireless Controller (including making changes). Could you please help me?

Thank you!

Daniel

Aleksey Mochalin

Oct 20, 2018, 2:12:21 AM10/20/18
to Event-Driven Servers
Hello Daniel,

Could you try to use a service block like this:

service = ciscowlc {
  set role1=MONITOR
}

Best Regards, Aleksey

Daniel Moraes

Oct 22, 2018, 7:45:35 AM10/22/18
to Event-Driven Servers
Hi Aleksey,

Thanks for your answer, but I made the suggested adjustment and it didn't work properly; I can still see all menus.

Daniel Moraes

Oct 24, 2018, 10:54:47 AM10/24/18
to Event-Driven Servers
Hi folks,

I'm open to more suggestions on this topic.

Thanks!

Daniel

Aleksey Mochalin

Oct 25, 2018, 2:57:17 AM10/25/18
to Event-Driven Servers
Hello Daniel,

Could you give the output of the debug command: debug aaa tacacs enable

I found it here.

Aleksey

Daniel Moraes

Oct 25, 2018, 10:09:33 AM10/25/18
to Event-Driven Servers
Hi Aleksey,

I've attached the output.

Thank you.

Daniel
Attachment: debug aaa tacacs enable.txt

Aleksey Mochalin

Oct 25, 2018, 10:39:50 AM10/25/18
to Event-Driven Servers
Seems like something is wrong with the device. It gets the correct attribute but works incorrectly.

arg[0] = [13][role1=MONITOR]
*tplusTransportThread: Oct 25 10:26:08.147: User has the following mgmtRole 4

User has the following mgmtRole 4 <-- means that the user gets monitor rights

LOBBY = mgmtRole 2
WLAN = mgmtRole 8
CONTROLLER = mgmtRole 10
WIRELESS = mgmtRole 20
SECURITY = mgmtRole 40
MANAGEMENT = mgmtRole 80
COMMANDS = mgmtRole 100

mgmtRole values can also be combined, e.g. role1=CONTROLLER role2=WIRELESS equals mgmtRole 30

Hope it helps.

Best Regards, Aleksey
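
As an added example (not code from the thread or from tac_plus), a small Python check that computes the mgmtRole Aleksey describes from the role attributes of a tac_plus ciscowlc block and compares it with the value printed by the WLC's `debug aaa tacacs enable` output. It assumes the table values are hexadecimal bit flags (consistent with CONTROLLER + WIRELESS = 30) and takes MONITOR = 4 from the debug line; ALL is not in the table, so unknown role names are rejected rather than guessed.

```python
import re
from typing import List, Optional

# Role name -> mgmtRole bit, from the table posted above. MONITOR = 4 comes from
# the debug line. Reading the values as hexadecimal flags is an assumption.
MGMT_ROLE_BITS = {
    "LOBBY": 0x02,
    "MONITOR": 0x04,
    "WLAN": 0x08,
    "CONTROLLER": 0x10,
    "WIRELESS": 0x20,
    "SECURITY": 0x40,
    "MANAGEMENT": 0x80,
    "COMMANDS": 0x100,
}

# Matches tac_plus lines such as "set role1=MONITOR" or "set role2 = WIRELESS".
ROLE_ATTR_RE = re.compile(r"^\s*set\s+(role\d+)\s*=\s*(\w+)\s*$", re.MULTILINE)
# Matches the WLC debug line quoted in the thread.
DEBUG_MGMTROLE_RE = re.compile(r"User has the following mgmtRole\s+([0-9A-Fa-f]+)")

# Constructed sample: the debug line Daniel's capture showed for role1=MONITOR.
SAMPLE_DEBUG = "*tplusTransportThread: Oct 25 10:26:08.147: User has the following mgmtRole 4"


def expected_mgmt_role(service_block: str) -> int:
    """OR together the bits of every roleN attribute in a ciscowlc service block."""
    mask = 0
    for _attr, role in ROLE_ATTR_RE.findall(service_block):
        if role not in MGMT_ROLE_BITS:
            raise ValueError(f"role name not in the known mgmtRole table: {role}")
        mask |= MGMT_ROLE_BITS[role]
    return mask


def decode_mgmt_role(mask: int) -> List[str]:
    """Expand a mgmtRole bitmask back into the role names it grants."""
    return [name for name, bit in MGMT_ROLE_BITS.items() if mask & bit]


def observed_mgmt_role(debug_output: str) -> Optional[int]:
    """Pull the mgmtRole the controller reports from debug output, or None if absent."""
    m = DEBUG_MGMTROLE_RE.search(debug_output)
    return int(m.group(1), 16) if m else None


def roles_match(service_block: str, debug_output: str) -> bool:
    """True when the controller reports exactly the rights the tac_plus config intends."""
    return observed_mgmt_role(debug_output) == expected_mgmt_role(service_block)
```

If the two values agree, as they did in Daniel's capture, the restriction is reaching the controller correctly and the problem lies in how the device applies it, not in the tac_plus attributes.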

Daniel Moraes

Oct 25, 2018, 10:51:49 AM10/25/18
to Event-Driven Servers

Thank you for your quick answer :-).

So I'll put the device under investigation and let you know of any news.