Cisco WLC and tac_plus configuration


Askon

Jan 13, 2012, 1:22:24 PM
to Event-Driven Servers
Hello,

I'm trying to configure a Cisco WLC 5508 to use TACACS+.
I used this guide to configure TACACS+ on the WLC:
http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_security_sol.html#wp1697872
On the WLC side I have successfully configured AAA, I see accounting in
the tac_plus logs, and the access logs show successful authorization, but I can't
log in to the WLC.
Debug on the WLC shows me:
*tplusTransportThread: Jan 13 15:57:13.478: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0

*tplusTransportThread: Jan 13 15:57:13.478:
User has the following
mgmtRole 0

I have configured tac_plus for the WLC in this way, following the
configuration example for the ACS server:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#topic3

group=wlc-admins {
default service = permit
service = ciscowlc {
set role1 = ALL
}
}

user=user1 {
debug = CMD
default service = permit
login = clear 123
service = shell {
default cmd = permit
set priv-lvl = 15
}
client = wlc-cisco
member = wlc-a...@192.168.1.1
}


As far as I understand, the TACACS+ server should be able to send to the WLC:
1. ciscowlc for Service
2. Custom attributes role1, role2, etc., for example role1=ALL

Any suggestion?

Charl Matthee

Jan 18, 2012, 5:18:05 PM
to Event-Driven Servers
Hi,

The following config works for our access to WLCs:

group = admin {
default service = permit
service = ciscowlc {
default protocol = permit
set role1 = ALL
}
enable = login
}

Benjamin Allen

Mar 18, 2014, 5:52:08 PM
to event-driv...@googlegroups.com
So, this fix shows the proper group config;
what about the user config?

daniel...@intersection.com

Jun 7, 2016, 11:28:57 AM
to Event-Driven Servers, jaminall...@gmail.com
Did anyone get this working? I am getting successful authentication, but the WLC keeps prompting me to log in again. I am also seeing the mgmtRole 0 message in the WLC debugs. I also tried this example http://www.tacacs.org/tacacsplus/2008/11/04/cisco-wireless-control-system#comments-54ad5834e4b0f2d6f427623f= but had the same issue.

Any help is appreciated.

Danny

Shin Sterneck

Jun 12, 2016, 2:49:47 AM
to Event-Driven Servers, jaminall...@gmail.com
Hi Danny,

Yes, this works well for me on both H/W and S/W WLCs.

Here is a working configuration:

group = WlcAdmins {
 default service = permit
 enable = login

 # Service Name: ciscowlc 
 # Service Description: Cisco WLC Service 
 service = ciscowlc {
  set role1 = ALL
 }
}

Then just add/drop the user into this group and you should be set to go.

Regards,
Shin
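The thread turns on one thing: the WLC only assigns a management role when the TACACS+ authorization reply for service ciscowlc carries a role attribute such as role1=ALL, and the "author response body: ... arg_cnt=0" debug line followed by "mgmtRole 0" shows the reply came back empty. The following Python script is an added example written for this page, not code from the thread or from the tac_plus project. It reads a tac_plus-style config with a simplified parser (an assumption of the example, not the daemon's real parser), resolves which attributes a given user would receive for service ciscowlc by looking at the user block and then the group named by "member =" (nearest definition wins, which approximates tac_plus's user-then-group lookup), and parses the WLC debug line to report why the role ends up as 0. The two configs and the user "alice" are constructed for the example; WORKING_CFG follows the group layout Shin posted, while BROKEN_CFG only defines a shell service with priv-lvl 15 and so returns nothing for ciscowlc.

```python
import re

# Constructed sample configs for this example (not from the thread).
# WORKING_CFG mirrors the layout that works for the posters: a group that
# carries "service = ciscowlc { set role1 = ALL }" and a user who is a member.
WORKING_CFG = """
group = WlcAdmins {
    default service = permit
    enable = login
    service = ciscowlc {
        set role1 = ALL
    }
}
user = alice {
    login = cleartext "PLACEHOLDER_PASSWORD"
    member = WlcAdmins
}
"""

# BROKEN_CFG grants only a shell service, so the server has no attributes
# to return when the WLC asks for service ciscowlc.
BROKEN_CFG = """
group = NetAdmins {
    default service = permit
    service = shell {
        default cmd = permit
        set priv-lvl = 15
    }
}
user = alice {
    login = cleartext "PLACEHOLDER_PASSWORD"
    member = NetAdmins
}
"""

# Authorization reply exactly as quoted from the WLC debug output in the thread.
WLC_DEBUG = ("*tplusTransportThread: Jan 13 15:57:13.478: author response body: "
             "status=1 arg_cnt=0 msg_len=0 data_len=0")


def parse_config(text):
    """Simplified tac_plus-style config reader (assumption of this example).

    Each node holds blocks {(kind, name): node}, attrs {key: value} for plain
    'key = value' lines and sets {name: value} for 'set name = value' lines.
    """
    root = {"blocks": {}, "attrs": {}, "sets": {}}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
            continue
        m = re.match(r"(\w[\w-]*)\s*=\s*([^\s{]+)\s*\{$", line)
        if m:  # opens a block such as "service = ciscowlc {"
            node = {"blocks": {}, "attrs": {}, "sets": {}}
            stack[-1]["blocks"][(m.group(1), m.group(2))] = node
            stack.append(node)
            continue
        m = re.match(r"set\s+([\w-]+)\s*=\s*(.+)$", line)
        if m:  # an attribute the server will return to the client
            stack[-1]["sets"][m.group(1)] = m.group(2).strip()
            continue
        m = re.match(r"([\w\s-]+?)\s*=\s*(.+)$", line)
        if m:  # plain directive such as "member = WlcAdmins"
            stack[-1]["attrs"][m.group(1).strip()] = m.group(2).strip()
            continue
        raise ValueError(f"unparsed line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def ciscowlc_attributes(cfg, username):
    """Attributes returned for service ciscowlc: user block first, then the
    'member =' group chain; nearest definition wins. None if user is undefined."""
    node = cfg["blocks"].get(("user", username))
    if node is None:
        return None
    attrs, seen = {}, set()
    while node is not None:
        svc = node["blocks"].get(("service", "ciscowlc"))
        if svc is not None:
            for name, value in svc["sets"].items():
                attrs.setdefault(name, value)
        group = node["attrs"].get("member")
        if group is None or group in seen:
            break
        seen.add(group)
        node = cfg["blocks"].get(("group", group))
    return attrs


AUTHOR_RE = re.compile(r"author response body:\s*status=(\d+)\s+arg_cnt=(\d+)")


def authorization_reply(debug_text):
    """Extract (status, arg_cnt) from a WLC TACACS+ authorization debug line."""
    m = AUTHOR_RE.search(debug_text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def diagnose(cfg, username, debug_text=None):
    """Findings that explain a 'mgmtRole 0' result for this user."""
    findings = []
    reply = authorization_reply(debug_text) if debug_text else None
    if reply is not None and reply[1] == 0:
        findings.append("authorization reply had arg_cnt=0: no role attribute "
                        "reached the WLC, so mgmtRole stays 0")
    attrs = ciscowlc_attributes(cfg, username)
    if attrs is None:
        findings.append(f"user {username!r} is not defined in the config")
    elif not attrs:
        findings.append(f"user {username!r} reaches no 'service = ciscowlc' block "
                        "in its own entry or in any group it belongs to")
    elif not any(name.startswith("role") for name in attrs):
        findings.append("service ciscowlc is defined but sets no role1/role2 attribute")
    return findings


if __name__ == "__main__":
    for label, text in (("working", WORKING_CFG), ("broken", BROKEN_CFG)):
        cfg = parse_config(text)
        print(label, ciscowlc_attributes(cfg, "alice"), diagnose(cfg, "alice", WLC_DEBUG))
```

Running it against a copy of your own tac_plus config (paste it in place of the constructed strings) tells you whether the user you test with ever reaches a ciscowlc service block; pairing that with the arg_cnt value from "debug aaa tacacs" on the controller separates a server-side config gap from a transport or shared-secret problem, since in the former case the reply arrives but is empty.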