TACACS+ not working on WLC

Hi All,
I have configured tacacs for WLC. But I am not able to login to WLC using TACACS username and password.
Getting following message
Tue Sep 22 15:26:50 2009: Forwarding request to 10.0.0.1
6 port=49
Tue Sep 22 15:26:50 2009: tplus response: type=1 seq_no=2 session_id=ecf27238 le
ngth=6 encrypted=0
Tue Sep 22 15:26:50 2009: TPLUS_AUTHEN_STATUS = UNKNOWN(1)
Thanks
Jamal.S

There is radius happening on the auth portion of the WLC.
There seems to be a misconfiguration issue.
What do the ACS failed logs say?
Can you make sure you followed exactly:
http://cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60sol.html#wpmkr1261119

Similar Messages

  • Tacacs not working for 5508

    Tacacs not working for 3 new 5508 WLC's...working fine for 6 old 4400 WLC's.
    before 7.116 code upgrade...I remember 5508 was working on and off and now they are not.
    Same configs on SW, WLC and ACS.
    Debug on WLC gives..below message when Tacacs is attempted..
    *aaaQueueReader: Oct 25 09:20:41.700: tplus_processAuthRequest: memory alloc failed for tplus
    Any pointers for troubleshooting? Not sure why statistics show zero...?? Radius is working for users.
    (wlc03) >show tacacs auth statistics
    Authentication Servers:
    Server Index..................................... 1
    Server Address................................... 10.3.121.21
    Msg Round Trip Time.............................. 0 (msec)
    First Requests................................... 0
    Retry Requests................................... 0
    Accept Responses................................. 0
    Reject Responses................................. 0
    Error Responses.................................. 0
    Restart Responses................................ 0
    Follow Responses................................. 0
    GetData Responses................................ 0
    Encrypt no secret Responses...................... 0
    Challenge Responses.............................. 0
    Malformed Msgs................................... 0
    Bad Authenticator Msgs........................... 0
    Timeout Requests................................. 0
    Unknowntype Msgs................................. 0
    Other Drops...................................... 0
    Server Index..................................... 2
    --More-- or (q)uit
    Server Address................................... 10.3.121.22
    Msg Round Trip Time.............................. 0 (msec)
    First Requests................................... 0
    Retry Requests................................... 0
    Accept Responses................................. 0
    Reject Responses................................. 0
    Error Responses.................................. 0
    Restart Responses................................ 0
    Follow Responses................................. 0
    GetData Responses................................ 0
    Encrypt no secret Responses...................... 0
    Challenge Responses.............................. 0
    Malformed Msgs................................... 0
    Bad Authenticator Msgs........................... 0
    Timeout Requests................................. 0
    Unknowntype Msgs................................. 0
    Other Drops...................................... 0
    (wlc03) >show tacacs summary
    Authentication Servers
    Idx  Server Address    Port    State     Tout
    1    10.3.121.21     49      Enabled   5    
    2    10.3.121.22      49      Enabled   5    
    Authorization Servers
    Idx  Server Address    Port    State     Tout
    1    10.3.121.21      49      Enabled   30   
    2    10.3.121.22     49      Enabled   5    
    Accounting Servers
    Idx  Server Address    Port    State     Tout
    1    10.3.121.21      49      Enabled   5 
    We can ping the TACACS servers...

    >show memory statistics
    System Memory Statistics:
    Total System Memory............: 1028820992 bytes
    Used System Memory.............: 458424320 bytes
    Free System Memory.............: 570396672 bytes
    Bytes allocated from RTOS......: 21939008 bytes
    Chunks Free....................: 29 bytes
    Number of mmapped regions......: 45
    Total space in mmapped regions.: 212779008 bytes
    Total allocated space..........: 12015112 bytes
    Total non-inuse space..........: 9923896 bytes
    Top-most releasable space......: 133800 bytes
    Total allocated (incl mmap)....: 234718016 bytes
    Total used (incl mmap).........: 224794120 bytes
    Total free (incl mmap).........: 9923896 bytes
    show buffers
    Pool[00]: 16 byte chunks
        chunks in pool:    50000
        chunks in use:     19030
        bytes in use:      304480
        bytes requested:   90479 (214001 overhead bytes)
    Pool[01]: 64 byte chunks
        chunks in pool:    40000
        chunks in use:     14519
        bytes in use:      929216
        bytes requested:   566395 (362821 overhead bytes)
    Pool[02]: 128 byte chunks
        chunks in pool:    20000
        chunks in use:     7726
        bytes in use:      988928
        bytes requested:   672853 (316075 overhead bytes)
    Pool[03]: 256 byte chunks
        chunks in pool:    4000
        chunks in use:     808
        bytes in use:      206848
        bytes requested:   154777 (52071 overhead bytes)
    Pool[04]: 1024 byte chunks
    --More-- or (q)uit
        chunks in pool:    15300
        chunks in use:     11645
        bytes in use:      11924480
        bytes requested:   4945714 (6978766 overhead bytes)
    Pool[05]: 2048 byte chunks
        chunks in pool:    1000
        chunks in use:     189
        bytes in use:      387072
        bytes requested:   355272 (31800 overhead bytes)
    Pool[06]: 4096 byte chunks
        chunks in pool:    1000
        chunks in use:     36
        bytes in use:      147456
        bytes requested:   102479 (44977 overhead bytes)
    Raw Pool:
        chunks in use:     186
        bytes requested:   156052303
    show process memory
    Name               Priority       BytesInUse  BlocksInUse    Reaper
    cslStoreManager    (240/  7)              0            0      (  0/  0)%
    System Reset Task  (240/  7)              0            0      (  0/  0)%
    reaperWatcher      (  3/ 96)              0            0      (  0/  0)%   I
    osapiReaper        ( 10/ 94)              0            0      (  0/  0)%   I
    TempStatus         (240/  7)            424            1      (  0/  0)%   I
    pktDebugSocketTask (255/  1)              0            0      (  0/  0)%
    LICENSE AGENT      (240/  7)           2228           85      (  0/  0)%   I
    emWeb              (  7/ 95)        1235795        20743      (  0/  0)%   T 300
    webJavaTask        (240/  7)              0            0      (  0/  0)%
    fmcHsTask          (100/ 60)              0            0      (  0/  0)%
    apstatEngineTask   (240/  7)              0            0      (  0/  0)%
    rrcEngineTask      (240/  7)              0            0      (  0/  0)%
    spectrumDataTask   (255/  1)        1614480           12      (  0/  0)%
    spectrumNMSPTask   (255/  1)          28808            3      (  0/  0)%
    wipsTask           (240/  7)              0            0      (  0/  0)%
    tsmTask            (255/  1)              0            0      (  0/  0)%
    cids-cl Task       (240/  7)              0            0      (  0/  0)%
    ethoipSocketTask   (  7/ 95)              0            0      (  0/  0)%
    ethoipOsapiMsgRcv  (240/  7)              0            0      (  0/  0)%
    --More-- or (q)uit
    envCtrollerStatus  (240/  7)              0            0      (  0/  0)%
    rfidTask           (240/  7)              0            0      (  0/  0)%
    idsTrackEventTask  (239/  8)              0            0      (  0/  0)%
    DHCP Server        (240/  7)              0            0      (  0/  0)%
    bcastReceiveTask   (240/  7)              0            0      (  0/  0)%
    ProcessLoggingTask (240/  7)              0            0      (  0/  0)%
    CDP Main           (240/  7)           3100           13      (  0/  0)%
    sntpMainTask       (240/  7)              0            0      (  0/  0)%
    sntpReceiveTask    (240/  7)              0            0      (  0/  0)%
    cdpSocketTask      (240/  7)              0            0      (  0/  0)%
    grouping Task      (255/  1)              0            0      (  0/  0)%
    dot11a             (255/  1)             63            3      (  0/  0)%
    rrm Socket Task    (  1/ 97)          35024            1      (  0/  0)%
    rrm Socket Task    (255/  1)          35024            1      (  0/  0)%
    dot11a             (255/  1)              0            0      (  0/  0)%
    grouping Task      (255/  1)              0            0      (  0/  0)%
    dot11b             (255/  1)            105            5      (  0/  0)%
    rrm Socket Task    (255/  1)          35024            1      (  0/  0)%
    dot11b             (255/  1)              0            0      (  0/  0)%
    rrm Socket Task    (255/  1)          35024            1      (  0/  0)%
    apfPmkCacheTimer   (240/  7)              0            0      (  0/  0)%
    Apf Guest          (240/  7)              0            0      (  0/  0)%
    RLDP Schedule Task (240/  7)              0            0      (  0/  0)%
    --More-- or (q)uit
    apfMsConnTask_5    (175/ 32)              0            0      (  0/  0)%
    apfMsConnTask_4    (175/ 32)              0            0      (  0/  0)%
    apfMsConnTask_6    (175/ 32)              0            0      (  0/  0)%
    apfMsConnTask_7    (175/ 32)              0            0      (  0/  0)%
    apfMsConnTask_3    (175/ 32)              0            0      (  0/  0)%
    apfMsConnTask_2    (175/ 32)              0            0      (  0/  0)%
    apfLbsTask         (240/  7)              0            0      (  0/  0)%
    apfMsConnTask_0    (175/ 32)              0            0      (  0/  0)%
    apfMsConnTask_1    (175/ 32)              0            0      (  0/  0)%
    apfProbeThread     (200/ 22)              0            0      (  0/  0)%
    apfOrphanSocketTas (240/  7)              0            0      (  0/  0)%
    apfRogueDetectorTh (175/ 32)              0            0      (  0/  0)%
    apfRogueTask       (240/  7)              0            0      (  0/  0)%
    apfOpenDtlSocket   (175/ 32)              0            0      (  0/  0)%
    apfRLDP            (175/ 32)            424            1      (  0/  0)%
    apfRLDPRecv        (175/ 32)              0            0      (  0/  0)%
    apfReceiveTask     (175/ 32)              0            0      (  0/  0)%
    mmMfpTask          (175/ 32)              0            0      (  0/  0)%
    mmMobility         (240/  7)           1272            3      (  0/  0)%
    mmSSHPeerRegister  (240/  7)              0            0      (  0/  0)%
    mmListen           (180/ 30)          99920          227      (  0/  0)%
    tplusTransportThre (201/ 22)              0            0      (  0/  0)%
    radiusCoASupportTr (201/ 22)              0            0      (  0/  0)%
    --More-- or (q)uit
    EAP Framework      (240/  7)              0            0      (  0/  0)%
    aaaQueueReader     (225/ 13)           3518           12      (  0/  0)%
    radiusRFC3576Trans (201/ 22)              0            0      (  0/  0)%
    radiusTransportThr (201/ 22)              0            0      (  0/  0)%
    pemReceiveTask     (240/  7)              0            0      (  0/  0)%
    iappSocketTask     (240/  7)              0            0      (  0/  0)%
    ccxRmTask          (230/ 11)              0            0      (  0/  0)%
    ccxS69Task         (240/  7)            424            1      (  0/  0)%
    ccxDiagTask        (240/  7)              0            0      (  0/  0)%
    ccxL2RoamTask      (240/  7)         240424            3      (  0/  0)%
    dot1xSocketTask    (240/  7)              0            0      (  0/  0)%
    Dot1x_NW_MsgTask_7 (240/  7)              0            0      (  0/  0)%
    Dot1x_NW_MsgTask_6 (240/  7)              0            0      (  0/  0)%
    Dot1x_NW_MsgTask_2 (240/  7)              0            0      (  0/  0)%
    Dot1x_NW_MsgTask_3 (240/  7)              0            0      (  0/  0)%
    Dot1x_NW_MsgTask_4 (240/  7)              0            0      (  0/  0)%
    Dot1x_NW_MsgTask_5 (240/  7)              0            0      (  0/  0)%
    Dot1x_NW_MsgTask_1 (240/  7)              0            0      (  0/  0)%
    Dot1x_NW_MsgTask_0 (240/  7)            424            1      (  0/  0)%
    dot1xMsgTask       (240/  7)              0            0      (  0/  0)%
    locpTxServerTask   (220/ 15)            408            2      (  0/  0)%
    locpRxServerTask   (200/ 22)         428043         1961      (  0/  0)%
    capwapSocketTask   ( 72/ 70)         303104          148      (  0/  0)%
    --More-- or (q)uit
    spamApTask6        (118/ 53)          25929           63      (  0/  0)%
    spamApTask7        ( 53/ 78)          24233           59      (  0/  0)%
    spamApTask5        (118/ 53)          23445           61      (  0/  0)%
    spamApTask4        (118/ 53)          23513           58      (  0/  0)%
    spamApTask3        (118/ 53)          19569           48      (  0/  0)%
    spamApTask2        ( 53/ 78)          23809           58      (  0/  0)%
    spamApTask1        ( 53/ 78)          22961           56      (  0/  0)%
    spamApTask0        ( 78/ 68)          39189          106      (  0/  0)%
    spamReceiveTask    (120/ 52)        2204024          252      (  0/  0)%
    spamSocketTask     ( 32/ 85)              0            0      (  0/  0)%
    Image License brok (240/  7)              0            0      (  0/  0)%   I
    Image License brok (240/  7)             28            1      (  0/  0)%   I
    IPC Main Thread    (240/  7)              0            0      (  0/  0)%   I
    License Client Lib (240/  7)             96            1      (  0/  0)%   I
    sshpmLscScepTask   (100/ 60)              0            0      (  0/  0)%
    License Client Lib (240/  7)             96            1      (  0/  0)%   I
    sshpmLscTask       (100/ 60)          25783         1739      (  0/  0)%
    sshpmReceiveTask   (175/ 32)           6697           66      (  0/  0)%
    sshpmMainTask      (100/ 60)         208440          358      (  0/  0)%
    mfpKeyRefreshTask  (255/  1)              0            0      (  0/  0)%
    mfpEventTask       (255/  1)              0            0      (  0/  0)%
    mfpTrapForwardTask (255/  1)              0            0      (  0/  0)%
    clientTroubleShoot (100/ 60)        2841248            4      (  0/  0)%
    --More-- or (q)uit
    loggerMainTask     (200/ 22)              0            0      (  0/  0)%
    debugMainTask      (200/ 22)              0            0      (  0/  0)%
    dot3ad_lac_task    (240/  7)          32901            3      (  0/  0)%
    gccp_t             (240/  7)           5864            5      (  0/  0)%
    dot1dTimer         (240/  7)              0            0      (  0/  0)%   T 300
    dot1dRecv          (250/  3)              0            0      (  0/  0)%
    uart_session       (240/  7)              0            0      (  0/  0)%
    StatsTask          (240/  7)              0            0      (  0/  0)%
    fdbTask            (240/  7)              0            0      (  0/  0)%
    broffu_SocketRecei (100/ 60)             13            1      (  0/  0)%
    SNMPProcMon        (240/  7)              0            0      (  0/  0)%   T 300
    RMONTask           ( 71/ 71)              0            0      (  0/  0)%   I
    SNMPTask           (240/  7)          61089         1064      (  0/  0)%
    DHCP Socket Task   (240/  7)              0            0      (  0/  0)%
    DHCP Proxy Task    (240/  7)              0            0      (  0/  0)%
    dhcpClientTimerTas (240/  7)              0            0      (  0/  0)%
    DHCP Client Task   (240/  7)              0            0      (  0/  0)%   T 600
    BootP              (240/  7)              0            0      (  0/  0)%   T 300
    TransferTask       (240/  7)            848            2      (  0/  0)%   I
    osapiTimer         (100/ 60)          13024            2      (  0/  0)%   T 300
    nim_t              (100/ 60)           2447            3      (  0/  0)%
    dtlArpTask         (  7/ 95)          98436            3      (  0/  0)%
    dtlTask            (100/ 60)          41089           20      (  0/  0)%
    --More-- or (q)uit
    dtlDataLowTask     (  7/ 95)              0            0      (  0/  0)%
    sysapiprintf       (240/  7)          22657            3      (  0/  0)%
    osapiBsnTimer      ( 95/ 62)              0            0      (  0/  0)%
    fp_main_task       (240/  7)       153068796        26868      (  0/  0)%

  • Nexus 1KV TACACS+ Not Working

    I have been trying to get my Nexus 1KV working with AAA/TACACS+ and I'm stumped.
    The short version is that I see where the issue is, but can't seem to resolve it.
    When I try to log in using TACACS, it fails.  The ACS server reports InvalidPassword.
    The CLI on the Nexus shows:
    2011 Sep  9 16:37:13 NY_nexus1000v %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
    2011 Sep  9 16:37:14 NY_nexus1000v %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user gtopf from 192.168.20.151 - sshd[15675]
    2011 Sep  9 16:37:23 NY_nexus1000v %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user gtopf from 192.168.20.151 - sshd[15672]
    And an AAA test from the nexus fails.
    I have good connectivity between the two boxes, I can ping, and obviously the failed login showing on ACS shows that it's talking, but it's just not working.
    My config is below (omitted ethernet port configs)
    !Command: show running-config
    !Time: Fri Sep  9 16:45:49 2011
    version 4.2(1)SV1(4a)
    no feature telnet
    feature tacacs+
    feature lacp
    username admin password 5 $1$Q50UpgN/$4eu39QmZHLTf3FAkwwdOF1  role network-admin
    banner motd #Nexus 1000v Switch#
    ssh key rsa 2048
    ip domain-lookup
    ip domain-lookup
    ip name-server 192.168.20.10
    tacacs-server timeout 30
    tacacs-server host 192.168.20.30 key 7 "j3gp0"
    aaa group server tacacs+ TacServer
        server 192.168.20.30
        deadtime 15
        use-vrf management
        source-interface mgmt0
    hostname NY_nexus1000v
    ntp server 192.168.20.10
    aaa authentication login default group TacServer
    aaa authentication login console group TacServer
    aaa authentication login error-enable
    tacacs-server directed-request
    vrf context management
      ip route 0.0.0.0/0 192.168.240.1
    vlan 1,20,40,240
    lacp offload
    port-channel load-balance ethernet source-mac
    port-profile default max-ports 32
    port-profile type ethernet Unused_Or_Quarantine_Uplink
      vmware port-group
      shutdown
      description Port-group created for Nexus1000V internal usage. Do not use.
      state enabled
    port-profile type vethernet Unused_Or_Quarantine_Veth
      vmware port-group
      shutdown
      description Port-group created for Nexus1000V internal usage. Do not use.
      state enabled
    port-profile type ethernet system-uplink
      vmware port-group
      switchport mode trunk
      switchport trunk allowed vlan 20,40,240
      channel-group auto mode active
      no shutdown
      system vlan 240
      description "System profile for critical ports"
      state enabled
    port-profile type vethernet data20
      vmware port-group
      switchport mode access
      switchport access vlan 20
      no shutdown
      description "Data profile for VM traffic 20 VLAN"
      state enabled
    port-profile type vethernet data40
      vmware port-group
      switchport mode access
      switchport access vlan 40
      no shutdown
      description "Data profile for VM traffic 40 VLAN"
      state enabled
    port-profile type vethernet data240
      vmware port-group
      switchport mode access
      switchport access vlan 240
      no shutdown
      description "Data profile for VM traffic 240 VLAN"
      state enabled
    port-profile type vethernet system-upilnk
      description "Uplink profile for VM traffic"
    vdc NY_nexus1000v id 1
      limit-resource vlan minimum 16 maximum 2049
      limit-resource monitor-session minimum 0 maximum 2
      limit-resource vrf minimum 16 maximum 8192
      limit-resource port-channel minimum 0 maximum 768
      limit-resource u4route-mem minimum 32 maximum 32
      limit-resource u6route-mem minimum 16 maximum 16
      limit-resource m4route-mem minimum 58 maximum 58
      limit-resource m6route-mem minimum 8 maximum 8
    interface port-channel1
      inherit port-profile system-uplink
      vem 3
    interface port-channel2
      inherit port-profile system-uplink
      vem 4
    interface port-channel3
      inherit port-profile system-uplink
      vem 5
    interface port-channel4
      inherit port-profile system-uplink
      vem 6
    interface mgmt0
      ip address 192.168.240.10/24
    interface control0
    line console
    boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4a.bin sup-1
    boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4a.bin sup-1
    boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4a.bin sup-2
    boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4a.bin sup-2
    svs-domain
      domain id 500
      control vlan 240
      packet vlan 240
      svs mode L2 
    svs connection vcenter
      protocol vmware-vim
      remote ip address 192.168.20.127 port 80
      vmware dvs uuid "52 8b 1d 50 44 9d d7 1f-b6 25 76 f1 f7 97 d8 5e" datacenter-name 28th St Datacenter
      max-ports 8192
      connect
    vsn type vsg global
      tcp state-checks
    vnm-policy-agent
      registration-ip 0.0.0.0
      shared-secret **********
      log-level

    FYI...
    I was able to get TACACS+ auth working using the commands in the Original Post (without the two additional suggestions) as follows...
    1000v# conf t
    1000v(config)# feature tacacs+
    1000v(config)# tacacs-server host 192.168.1.1 key 0
    1000v(config)# aaa group server tacacs+ TacServer
    1000v(config-tacacs+)# server 192.168.1.1
    1000v(config-tacacs+)# use-vrf management
    1000v(config-tacacs+)# source-interface mgmt 0
    1000v(config-tacacs+)# aaa authentication login default group TacServer local
    1000v(config)# aaa authentication login error-enable
    1000v(config)# tacacs-server directed-request
    I guess the OP had some other problem (perhaps incorrect shared secret??)

  • TACACS not working - Need help

    Hi,
    I have implemented the TACACS in VPN VRF environment but the same is not working, I am not able to route the ACS servers IP's through the VRF-VPN.
    Configuration pasted below
    aaa authentication login default group tacacs+ line
    aaa authentication login no_tacacs line
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 0 default group tacacs+ if-authenticated
    aaa authorization commands 1 default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 1 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    ip tacacs source-interface VLAN1
    tacacs-server host X.X.X.X
    tacacs-server host 10.10.10.4
    tacacs-server key 7 ####################333
    tacacs-server administration
    aaa group server tacacs+ tacacs1
    server-private 10.10.10.4 key ############
    ip vrf forwarding LAN
    ip tacacs source-interface VLAN1

    Hi sorry for late reply.
    Please find below the logs from the router
    Feb 12 14:10:28.748: AAA/ACCT/CMD(000000B9): free_rec, count 2
    Feb 12 14:10:28.748: AAA/ACCT/CMD(000000B9): Setting session id 283 : db=846968EC
    Feb 12 14:10:28.748: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
    Feb 12 14:10:35.450: AAA/BIND(000000BA): Bind i/f
    Feb 12 14:10:35.450: AAA/ACCT/EVENT/(000000BA): CALL START
    Feb 12 14:10:35.450: Getting session id for NET(000000BA) : db=83E3E3B0
    Feb 12 14:10:35.450: AAA/ACCT(00000000): add node, session 284
    Feb 12 14:10:35.450: AAA/ACCT/NET(000000BA): add, count 1
    Feb 12 14:10:35.450: Getting session id for NONE(000000BA) : db=83E3E3B0
    Feb 12 14:10:36.014: AAA/AUTHEN/LOGIN (000000BA): Pick method list 'default'
    Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9): STOP protocol reply FAIL
    Feb 12 14:10:38.749: AAA/ACCT(000000B9): Accouting method=NOT_SET
    Feb 12 14:10:38.749: AAA/ACCT(000000B9): Send STOP accounting notification to EM successfully
    Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9): Tried all the methods, osr 0
    Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9) Record not present
    Feb 12 14:10:38.749: AAA/ACCT/CMD(000000B9) reccnt 2, csr FALSE, osr 0
    Feb 12 14:10:46.011: AAA/AUTHEN/LINE(000000BA): GET_PASSWORD
    Feb 12 14:11:14.326: AAA/AUTHOR: config command authorization not enabled
    Feb 12 14:11:14.326: AAA/ACCT/CMD(000000B9): Pick method list 'default'
    Feb 12 14:11:14.326: AAA/ACCT/SETMLIST(000000B9): Handle 0, mlist 83E2FF8C, Name default
    Feb 12 14:11:14.330: Getting session id for CMD(000000B9) : db=846968EC
    Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): add, count 3
    Feb 12 14:11:14.330: AAA/ACCT/EVENT/(000000B9): COMMAND
    Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): Queueing record is COMMAND osr 1
    Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): free_rec, count 2
    Feb 12 14:11:14.330: AAA/ACCT/CMD(000000B9): Setting session id 285 : db=846968EC
    Feb 12 14:11:14.330: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
    Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): Pick method list 'default'
    Feb 12 14:11:16.642: AAA/ACCT/SETMLIST(000000BA): Handle 0, mlist 83E2FEEC, Name default
    Feb 12 14:11:16.642: Getting session id for EXEC(000000BA) : db=83E3E3B0
    Feb 12 14:11:16.642: AAA/ACCT(000000BA): add common node to avl failed
    Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): add, count 2
    Feb 12 14:11:16.642: AAA/ACCT/EVENT/(000000BA): EXEC DOWN
    Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): Accounting record not sent
    Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA): free_rec, count 1
    Feb 12 14:11:16.642: AAA/ACCT/EXEC(000000BA) reccnt 1, csr FALSE, osr 0
    Feb 12 14:11:18.425: AAA/AUTHOR: config command authorization not enabled
    Feb 12 14:11:18.425: AAA/ACCT/243(000000B9): Pick method list 'default'
    Feb 12 14:11:18.425: AAA/ACCT/SETMLIST(000000B9): Handle 0, mlist 83144FF8, Name default
    Feb 12 14:11:18.425: Getting session id for CMD(000000B9) : db=846968EC
    Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): add, count 3
    Feb 12 14:11:18.425: AAA/ACCT/EVENT/(000000B9): COMMAND
    Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): Queueing record is COMMAND osr 2
    Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): free_rec, count 2
    Feb 12 14:11:18.425: AAA/ACCT/CMD(000000B9): Setting session id 286 : db=846968EC
    Feb 12 14:11:18.429: AAA/ACCT(000000B9): Accouting method=tacacs+ (TACACS+)
    Feb 12 14:11:18.649: AAA/ACCT/EVENT/(000000BA): CALL STOP
    Feb 12 14:11:18.649: AAA/ACCT/CALL STOP(000000BA): Sending stop requests
    Feb 12 14:11:18.649: AAA/ACCT(000000BA): Send all stops
    Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): STOP
    Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): Method list not found
    Feb 12 14:11:18.649: AAA/ACCT(000000BA): del node, session 284
    Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): free_rec, count 0
    Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA) reccnt 0, csr TRUE, osr 0
    Feb 12 14:11:18.649: AAA/ACCT/NET(000000BA): Last rec in db, intf not enqueued

  • Web Auth page not working on WLC

    I have a WLC 4402 and I upgraded the s/w from 4.1 to 4.2.176 since I did the web auth on my Guest wlan does not work. I can connect to the wireless ok and when I type in a web address I should get the web auth page but I just get "This page cannot be displayed". However if i type in the ip address of the WLC in the addrsss bar I get the web auth page and it work fine form then on. The web auth page worked fine on ver 4.1. Any ideas?

    I opened a TAC case this morning on this same problem, and my solution is what is listed above (config network secureweb cipher-option sslv2 enable)
    Basically, SSLv2 is disabled in 4.2. The Default is now SSLv3.
    Depending on your Internet settings, if IE is configured to use SSLv2, the webpage will not work.
    So in internet explorer, tools, internet options, advanced, There will be a checkbox next to Use SSLv2. (Even if Use SSLv3 is enabled, you still have the https issue).
    Basically, my issues was that a select few users could not Web authenticate and a select few admins couldn't HTTPS manage the GUI. Turns out in all cases, the computers that were all able to work, did not have SSLv2 enabled.
    By enabling SSLv2, all affected users now work (I think).

  • TACACS+ roles not working on WLC 5508

    I have read the documentation and configured tacacs+ correctly but when I log in to the 5508 I am seeing all the menu pages regardless of the role I set on the ACS.  Am I missing something?

    Hi Jang,
    You will see all tabs as read only but will get rw access only to Security Tab.
    Regards
    Don't forget to rate helpful posts

  • Cisco AIR-LAP1041N-E-K9 not working with WLC 4402 version 7.0.116.0

    Hi All,
    appreciate your support for a problem i started facing today. i have a Cisco WLC 4402 running version 7.0.116.0 and it is working great with 25 Cisco 1252 APs. we have recieved a new 20 Cisco 1041N APs today and i installed one in our site but it doesn't work. it worked fine and loaded the image from flash and got the WLC ip address through DHCP option and started showing the below error:
    *Mar  1 00:00:10.021: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar  1 00:00:10.033: *** CRASH_LOG = YES
    *Mar  1 00:00:10.333: Port 1 is not presentSecurity Core found.
    Base Ethernet MAC address: C8:9C:1D:53:57:5E
    *Mar  1 00:00:11.373: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar  1 00:00:11.465: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 1088 messages)
    *Mar  1 00:00:11.494:  status of voice_diag_test from WLC is false
    *Mar  1 00:00:12.526: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:13.594: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:13.647: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1040 Software (C1140-K9W8-M), Version 12.4(23c)JA2, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Wed 13-Apr-11 12:50 by prod_rel_team
    *Mar  1 00:00:13.647: %SNMP-5-COLDSTART: SNMP agent on host APc89c.1d53.575e is undergoing a cold start
    *Mar  1 00:08:59.062: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *Mar  1 00:08:59.062: bsnInitRcbSlot: slot 1 has NO radio
    *Mar  1 00:08:59.138: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:08:59.837: %SSH-5-ENABLED: SSH 2.0 has been enabled
    *Mar  1 00:09:00.145: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:09:09.136: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 172.16.26.81, mask 255.255.255.0, hostname APc89c.1d53.575e
    *Mar  1 00:09:17.912: %PARSER-4-BADCFG: Unexpected end of configuration file.
    *Mar  1 00:09:17.912:  status of voice_diag_test from WLC is false
    *Mar  1 00:09:17.984: Logging LWAPP message to 255.255.255.255.
    *Mar  1 00:09:19.865: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    *Mar  1 00:09:19.886: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:09:20.873: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:09:20.874: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
    Translating "CISCO-CAPWAP-CONTROLLER.atheertele.com"...domain server (172.16.40.240)
    *Mar  1 00:09:29.029: %CAPWAP-5-DHCP_OPTION_43: Controller address 172.16.100.102 obtained through DHCP
    *May 25 08:27:02.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:02.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:03.175: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:03.177: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:03.177: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:03.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:03.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:03.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:03.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:03.378: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:03.378: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:03.448:  status of voice_diag_test from WLC is false
    *May 25 08:27:14.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:14.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:15.185: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:15.186: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:15.186: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:15.330: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:15.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:15.334: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:15.334: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:15.379: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:15.379: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:15.450:  status of voice_diag_test from WLC is false
    *May 25 08:27:26.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:26.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:27.182: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:27.183: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:27.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:27.329: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:27.333: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:27.333: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:27.333: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:27.377: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:27.377: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:27.433: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *May 25 08:27:27.446: %PARSER-4-BADCFG: Unexpected end of configuration file.
    *May 25 08:27:27.447:  status of voice_diag_test from WLC is false
    *May 25 08:27:27.448: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *May 25 08:27:27.456: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *May 25 08:27:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:38.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:39.183: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:39.184: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:39.184: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:39.326: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:39.329: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:39.329: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:39.330: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:39.375: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:39.375: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:39.375: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:39.446:  status of voice_diag_test from WLC is false
    *May 25 08:27:49.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:49.001: %CAPWAP-5-CHANGED: CAPWAP changed state to
    *May 25 08:27:50.179: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 172.16.100.101 peer_port: 5246
    *May 25 08:27:50.180: %CAPWAP-5-SENDJOIN: sending Join Request to 172.16.100.101
    *May 25 08:27:50.180: %CAPWAP-5-CHANGED: CAPWAP changed state to JOIN
    *May 25 08:27:50.323: %CAPWAP-5-CHANGED: CAPWAP changed state to CFG
    *May 25 08:27:50.326: %DTLS-5-ALERT: Received WARNING : Close notify alert from 172.16.100.101
    *May 25 08:27:50.326: %DTLS-5-PEER_DISCONNECT: Peer 172.16.100.101 has closed connection.
    *May 25 08:27:50.326: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 172.16.100.101:5246
    *May 25 08:27:50.370: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:50.370: %CAPWAP-5-CHANGED: CAPWAP changed state to DISCOVERY
    *May 25 08:27:50.370: bsnInitRcbSlot: slot 1 has NO radio
    *May 25 08:27:50.425: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *May 25 08:27:50.438: %PARSER-4-BADCFG: Unexpected end of configuration file.
    i searched for the regulatory domains difference between  AIR-LAP1041N-E-K9 and  AIR-LAP1041N-A-K9 and didn't find any difference that may affect the operation of this AP.
    just to mention that our configuration in WLC for regulatory domains is:
    Configured Country Code(s) AR 
    Regulatory Domain  802.11a:  -A
                                 802.11bg: -A
    My question is, should i only include my country in the WLC (IQ) to add the requlatry domain (-E) to solve this problem? or changing the country will affect the operation of all working APs??
    Appreciate your kind support,
    Wisam Q.

    Hi Ramon,
    thank you for the reply but as shown in the below link:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7.0.html#wp233793
    the WLC in version 7.0.116.0 supports Cisco 1040 seiries APs.
    Thanks,
    Wisam Q.

  • TACACS not working

    Hi Guys
    I have added a 2960x switch to my network and configured with tacacs. It does not seems to talk to the tacacs ACS server and I can ping the server as it also authenticates other devices on the network but this new switch only lets me login with local credentials. I have added the switch to ACS aswell
    When i tried "test aaa group tacacs username password" Attempting authentication test to server-group tacacs+ using tacacs+
    No authoritative response from any server."
    My config on the switch is:
    aaa group server tacacs+ ACS1
     server 10.10.10.10
    aaa authentication login default group ACS1 local
    aaa authentication enable default group ACS1 enable
    aaa authorization config-commands
    aaa authorization exec default group ACS1 if-authenticated
    aaa authorization commands 1 default group ACS1 if-authenticated
    aaa authorization commands 15 default group ACS1 if-authenticated
    aaa accounting update newinfo
    aaa accounting commands 1 default start-stop broadcast group ACS1
    aaa accounting commands 15 default start-stop broadcast group ACS1
    tacacs-server host 10.10.10.10
    tacacs-server key 12345678
    Thanks

    Thanks Reza
    After some investigation it seemed the issue is with the tacacs-server host 10.10.10.10 command. I realised upon entering this command the cli accepted it but gave a warning message
    "Warning: The cli will be deprecated soon
     'tacacs-server host acs-1 key 0 <my-key>'
     Please move to 'tacacs server <name>' CLI"
    Apparently cisco have made a few changes to the config. The tacacs-server ACS1 commands didnt work.
    So I entered tacacs-server host 10.10.10.10 key 12345678
    That worked.
    Thanks

  • WLC 2106_AP-1131_dell vostro 14 v3446 wifi not working with WLC

    Hi,
    I'm facing issue with newly purchased Dell laptops(dell vostro 14 v3446) are not able to join in WLC.
    I have check WLAN profile for these laptops ,all mapped correct,but laptops not able to join the same profile.
    Only one(newly purchased) laptop is working fine with WLC profile,remaining laptop all config is same but not getting connected with WLC. 
    Laptop wifi is working with another vendor APs.
    But this particular profile working with my exciting user's laptop perfectly.
    WLC/-AIR-WLC2106-K9-Firmware version—6.0.199.4
    AP-AIR-LAP1131AG-A-K9.
    Please advice me here to resolve this problem.
    regards,vijesh
    This was posted in lieu of blog https://supportforums.cisco.com/node/12292096  which was deleted since questions should be questions as discussions as not as blogs ;-) 

    Hi Leo,
    Thanks for your response.
    Client laptop trying to connect the SSID and once authentication key entered ,it will try for a while then error message come "could not connect...." 
    As our suggested,i will create new profile with open authentication,then try to connect the laptop.
    we have planned to upgrade WLC firmware in coming weekend.

  • TACACS not working in ASA 8.0(3)

    We have quite a few ASA s with similar tacacs and crypto configs but yesterday we had issue with pix and we swapped pix with ASA 8.0(3) and tunnel is up and running but we are not able to login using tacacs even after the configs,, and i found a bug in cisco.com which asks us to use command " crypto map set reverse-route"
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk08454
    even after configuring it right,, am not able to,, login using tacacs,, can some tell me how to use this command or ,, any other way ?
    thnx in advance

    we have a tunnel established with remote ASA and here are the configs related: let me know if ya need any hing,, thnx for replyin thgh
    local device configs:
    aaa-server protocol tacacs+
    aaa-server host < ip>
    aaa authentication ssh console
    aaa authentication http console
    access-list extended permit ip any
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map 20 match address
    crypto map 20 set peer x.x.x.x
    crypto map 20 set transform-set ESP-3DES-MD5
    crypto map 20 set reverse-route
    crypto map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 20
    crypto isakmp policy 65535
    remote ASA
    access-list remark MobileAL
    access-list extended permit ip any ip add subnet
    crypto map 1925 match address outside_1925_cryptomap
    crypto map 1925 set peer
    crypto map 1925 set transform-set ESP-3DES-MD5
    crypto map 1925 set security-association lifetime seconds 86400
    crypto map 1925 set nat-t-disable
    crypto map 1925 set reverse-route

  • Tacacs+ not working on VRF Interface

    C4948-10G switch running IOS 15.0(2)SG
    ACS 4.2 cannot authenticate on the vrf interface. The issue on vrf aaa authentication.
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication login no_tacacs local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization network default group tacacs+ local if-authenticated
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    ip vrf mgmt
    rd 100:1
    interface fa1
    ip vrf forwarding mgmt
    IP address 192.168.5.1 255.255.255.0
    duplex auto
    speed auto
    ip vrf forwarding mgmt
    aaa group server tacacs+ tacacs+ (command did not prompt to sub-command for server-private ....)
    server-private {ip-address | name} [nat] [single-connection] [port port-number] [timeout seconds] [key [0 | 7] string]
    tacacs-server host 192.168.5.75 key secret (Then, I decided to use global)
    tacacs-server host 192.168.5.76 key secret
    ip route vrf mgmt 192.168.5.75 255.255.255.0 192.168.5.2 (ACS 4.2 Tacacs+ server1)
    ip route vrf mgmt 192.168.5.76 255.255.255.0 192.168.5.2 (ACS 4.2 Tacacs+ server2)
    ip route vrf mgmt 192.168.5.85 255.255.255.0 192.168.5.2 (my management workstation)
    ip tacacs source-interface fa1
    sw2#debug tacacs
    SW2#debug aaa authentication
    SW2#test aaa group tacacs+ tester passwordtest new-code
    Feb  4 11:36:09.808: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
    Feb  4 11:36:09.808: TPLUS: Queuing AAA Authentication request 0 for processing
    Feb  4 11:36:09.808: TPLUS: processing authentication start request id 0
    Feb  4 11:36:09.808: TPLUS: Authentication start packet created for 0(tester)
    Feb  4 11:36:09.808: TPLUS: Using server 192.168.5.75
    Feb  4 11:36:09.808: TPLUS(00000000)/0/NB_WAIT/1AEFC558: Started 5 sec timeout
    Feb  4 11:36:14.808: TPLUS(00000000)/0/NB_WAIT/1AEFC558: timed out
    Feb  4 11:36:14.808: TPLUS: Choosing next server 192.168.5.76
    Feb  4 11:36:14.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: Started 5 sec timeout
    Feb  4 11:36:14.808: TPLUS(00000000)/1AEFC558: releasing old socket 0User rejected
    SW2#
    Feb  4 11:36:19.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: timed out
    Feb  4 11:36:19.808: TPLUS(00000000)/1/NB_WAIT/1AEFC558: timed out, clean up
    Feb  4 11:36:19.808: TPLUS(00000000)/1/1AEFC558: Processing the reply packet
    SW2#test aaa group tacacs+ tester passwordtest legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    Feb  4 11:39:16.372: AAA: parse name=<no string> idb type=-1 tty=-1
    Feb  4 11:39:16.372: AAA/MEMORY: create_user (0x1AEFC4A4) user='tester' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    Feb  4 11:39:16.372: TAC+: send AUTHEN/START packet ver=192 id=153531412
    Feb  4 11:39:16.372: TAC+: Using default tacacs server-group "tacacs+" list.
    Feb  4 11:39:16.372: TAC+: Opening TCP/IP to 192.168.5.75/49 timeout=5
    Feb  4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
    Feb  4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5No authoritative response from any server.
    SW2#
    Feb  4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
    Feb  4 11:39:26.372: AAA/MEMORY: free_user (0x1AEFC4A4) user='tester' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    SW2#ping vrf mgmt 192.168.5.85
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.5.85, timeout is 2 seconds:
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
    SW2#sh ip route vrf mgmt
    Routing Table: mgmt
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is not set
         192.168.5.0/24 is variably subnetted, 3 subnets, 2 masks
    S       192.168.5.75/32 [1/0] via 192.168.5.2
    S       192.168.5.76/32 [1/0] via 192.168.5.2
    S       192.168.5.85/32 [1/0] via 192.168.5.2
    C       192.168.5.0/24 is directly connected, FastEthernet1
    SW2#sh ip vrf
      Name                             Default RD          Interfaces
      mgmt                             100:1                     Fa1
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080bd091c.shtml

    Hi,
    Your debug output shows time out to ACS server as below.
    Feb  4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
    Feb  4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5No authoritative response from any server.
    Feb  4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
    Considering the fact that you are not able to see any logs on ACS, that means traffic may not be reaching the ACS.
    Have you tried pinging the ACS server from the switch mgmt vrf? Your previous example was showing ping responce to the managment workstation (192.168.5.85) and not to the ACS.
    Hope that helps
    Najaf
    Please rate when applicable or helpful !!!

  • Per VRF Tacacs+ - not working

    I'm trying to configure per VRF tacacs+ on a 2901 running IOS 15.2(4)M2.
    I have the following configured:
    aaa new-model
    aaa group server tacacs+ MYGROUP
     server-private 1.2.3.4 key cisco
     ip vrf forwarding vpn_nms
     ip tacacs source-interface Loopback100
    aaa authentication login default local
    aaa authentication login MYGROUP group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group MYGROUP if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting network default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa accounting system default start-stop group tacacs+
    aaa session-id common
    ip cef
    ip vrf forwarding
    ip vrf vpn_nms
     rd 65XXX:3
    interface Loopback100
     description NMS LOOPBACK
     ip vrf forwarding vpn_nms
     ip address 10.10.10.10 255.255.255.255
    tacacs-server host 1.2.3.4
    tacacs-server directed-request
    tacacs-server key cisco
    line con 0
     privilege level 15
     logging synchronous
     login authentication MYGROUP
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     logging synchronous
     login authentication MYGROUP
     length 0
     transport input all
    I know some of this config is redundant but I have been trying different things and getting nowhere.

    Hi,
    Your debug output shows time out to ACS server as below.
    Feb  4 11:39:21.372: TAC+: TCP/IP open to 192.168.5.76/49 failed -- Connection timed out; remote host not responding
    Feb  4 11:39:21.372: TAC+: Opening TCP/IP to 192.168.5.76/49 timeout=5No authoritative response from any server.
    Feb  4 11:39:26.372: TAC+: TCP/IP open to 192.168.5.75/49 failed -- Connection timed out; remote host not responding
    Considering the fact that you are not able to see any logs on ACS, that means traffic may not be reaching the ACS.
    Have you tried pinging the ACS server from the switch mgmt vrf? Your previous example was showing ping responce to the managment workstation (192.168.5.85) and not to the ACS.
    Hope that helps
    Najaf
    Please rate when applicable or helpful !!!

  • TACACS is not working in 7206 VXR

    Hi all,
    TACACS is not working in my 7206 VXR.When i am telneting in to router it is  showing Authorization Failed.I can able to login using console.
    KEY is same b/w router and the server .Please help.
    7206(config)#do sh run | in aaa|tacacs
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec default group tacacs+ local if-authenticated
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa session-id common
    ip tacacs source-interface Loopback0
    tacacs-server host 202.148.202.174
    tacacs-server key 7 073D055B42291A413630384D2E
    GURG-7206-EDGE1(config)#do ping 202.148.202.174 source lo0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 202.148.202.174, timeout is 2 seconds:
    Packet sent with a source address of 202.148.199.196
    Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/44 ms

    It is most likely a configuration or rechability issue. Double check
    that you've got the right IP in the config, and that there's nothing
    interfering with UDP between the two. With tacacs, it's good idea
    to have known backup telnet & enable passwords, this same kind of
    thing can happen when you have a badly congested link or some kind of
    network problem and life is better when you can get into the router.

  • TACACS enable password is not working after completing ACS & MS AD integration

    Enable password for (Router, Switches) is working fine if identify source is "Internal Users", unfortunately after completed the integration between ACS to MS AD, and change the Identity source to "AD1" I got the following result
    1. able to access network device (cisco switch) using MS AD username and password via SSH/Telnet.
    2. Enable password is not working (using the same user password configured in MS AD.
    3. When I revert back and change the ACS identity source from "AD1" to "Internal Users" enable password is working fine.
    Switch Tacacs Configuration
    aaa new-model
    aaa authentication login default none
    aaa authentication login ACS group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec ACS group tacacs+ local 
    aaa authorization commands 15 ACS group tacacs+ local 
    aaa accounting exec ACS start-stop group tacacs+
    aaa accounting commands 15 ACS start-stop group tacacs+
    aaa authorization console
    aaa session-id common
    tacacs-server host 10.X.Y.11
    tacacs-server timeout 20
    tacacs-server directed-request
    tacacs-server key gacakey
    line vty 0 4
     session-timeout 5 
     access-class 5 in
     exec-timeout 5 0
     login authentication ACS
     authorization commands 15 ACS
     authorization exec ACS
     accounting commands 15 ACS
     accounting exec ACS
     logging synchronous
    This is my first ACS - AD integration experience, hoping to fix this issue with your support, thanks in advance.
    Regards,

    Hi Edward,
    I created a new shell profiles named "root" as the default one "Permit Access" can't be access or modified, underneath the steps I've made.
    1. Create a new shell profile name "root" with max privilege of 15. And then used it in "Default Device Admin/Authorization/Rule-1" shell profile - see attached file for more details.
    2. Telnet the Switch and then Issue "debug aaa authentication" using both "Root Shell" and "Permit Access" applied in Rule-1 profile.
    Note:
    I also attached here the captured screen and debug result for the "shell profiles"

  • WLC 2504 LAG is not working?

    Hi All,
    Yesterday i configured LAG on my New WLC using following configuration:
    Enable LAG on controller > General
    then reboot
    On Neighbor Switch:
    Interface range GigabitEthernet <Interfce ID>
    Channel-group <id> mode on
    no sh
    Interface port-channel <id>
    switchport trunk allowed vlan <id>
    switchport mode trunk
    no sh
    i can see on switch trunk is established.
    I also tag the LAG to my management vlan.
    But still not working, can any one help me to find what going wrong.
    I have HA device i configure same on that it worked. But not working on my primary
    (Cisco Controller) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 8.0.110.0
    Bootloader Version............................... 1.0.20
    Field Recovery Image Version..................... 7.6.101.1
    Firmware Version................................. PIC 16.0
    Build Type....................................... DATA + WPS
    System Name......................................
    System Location..................................
    System Contact...................................
    System ObjectID.................................. 
    IP Address.......................................
    IPv6 Address..................................... ::
    Last Reset....................................... Software reset
    System Up Time................................... 0 days 0 hrs 21 mins 0 secs
    System Timezone Location.........................
    System Stats Realtime Interval................... 5
    System Stats Normal Interval..................... 180
    --More-- or (q)uit
    Configured Country............................... 
    Operating Environment............................ Commercial (0 to 40 C)
    Internal Temp Alarm Limits....................... 0 to 65 C
    Internal Temperature............................. +28 C
    External Temperature............................. +33 C
    Fan Status....................................... 4300 rpm
    State of 802.11b Network......................... Enabled
    State of 802.11a Network......................... Enabled
    Number of WLANs.................................. 1
    Number of Active Clients......................... 0
    Burned-in MAC Address............................ 
    Maximum number of APs supported.................. 75
    System Nas-Id....................................
    WLC MIC Certificate Types........................ SHA1

    Try to delete the config on  switch and try this.
    Switch config :
    interface range <>
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk allowed vlan X,Y,Z
    Channel-group <> mode on
    Still not working then check if WLC is reachable via ssh or telnet!
    if you have access via ash or telnet then reboot WLC by using "reset system" command .
    hope it helps.
    Regards
    Dont forget to rate helpful posts

Maybe you are looking for

  • New iMac, have several questions

    Community, First of all I'm not sure if this is the right community to post to. My questions seem to span several forum categories. If there is a better general forum for my questions, please let me know. I just got a new iMac, (21.5 inch late 2013),

  • Installing windows 7 with bootcamp on mac pro yosemite 10.10: 'your disk could not be partitioned'

    I have been trying to no avail to install windows 7 on my new macbook pro with bootcamp in yosemite 10.10 i continually get the message  'your disk could not be partitioned', does anyone know how to tackle this? *I am including the screenshot and whe

  • Group Sort on formula field

    I am using CR Professional 11.5 on Windows XP/Progress platform. I have a formula field that calculates the GM% on the Employee Group Footer level and want to sort the employees in descending order by GM%.  I have gone in circles trying to calculate

  • Can we copy the already created Configuration Item in ATO Model

    Hi all, We have the requirement for copy the Existing configurator ATO items into new model. i.e. Customer will congifured the model in istore process flow to create a sale order. After that for second sales order customer don't want to make same con

  • Cannot print to HP Printer in landscape

    I have an HP Photosmart B110a configured via cups and hplip. Everything seems to work well - until I try and print in landscape.  It always prints in portrait mode - regardless of what settings I change.  I have tried printing using 3 different piece