WLC - ACS TACACS+ mismatched shared secret

Hello,
I configured TACACS+ Authentication on WLC 5.0.235.3 for management login.
On ACS 5.1.0.44 I get the message
"13011 invalid tacacs+ request packet - possibly mismatched shared secrets"
after login.
I compared the shared secrets (blanks) and created new secrets, but the message still appears.
Any ideas?
Regards, Sven

Hello David,
WLC Version is 7.0.235.3, sorry.
Authentication on WLC and ACS uses TACACS+, not RADIUS.
On ACS:
Authentication Result
Type=Drop
Authen-Reply-Status=Error
Steps
Received TACACS Authentication START Request
Invalid TACACS request packet - possibly mismatched shared secrets
Output from WLC:
(Cisco Controller) >debug aaa tacacs enable
(Cisco Controller) >*tplusTransportThread: Feb 06 11:37:46.720: Exhausted all available servers for Auth/Author packet
*tplusTransportThread: Feb 06 11:53:34.728: Forwarding request to 10.54.159.11 port=49
*tplusTransportThread: Feb 06 11:53:34.732: AUTH Socket closed underneath
*tplusTransportThread: Feb 06 11:53:39.948: No auth response from: 10.54.159.11, retrying with next server
*tplusTransportThread: Feb 06 11:53:39.948: Preparing message for retransmit. Decrypting first
*tplusTransportThread: Feb 06 11:53:39.948: Forwarding request to 10.54.159.12 port=49
*tplusTransportThread: Feb 06 11:53:39.951: AUTH Socket closed underneath
*tplusTransportThread: Feb 06 11:53:45.164: No auth response from: 10.54.159.12, retrying with next server
*tplusTransportThread: Feb 06 11:53:45.164: Preparing message for retransmit. Decrypting first
*tplusTransportThread: Feb 06 11:53:45.164: Forwarding request to 10.54.159.11 port=49
*tplusTransportThread: Feb 06 11:53:45.166: AUTH Socket closed underneath
*tplusTransportThread: Feb 06 11:53:50.380: Exhausted all available servers for Auth/Author packet
(Cisco Controller) >*tplusTransportThread: Feb 06 11:55:55.564: Forwarding request to 10.54.159.11 port=49
*tplusTransportThread: Feb 06 11:55:55.566: AUTH Socket closed underneath
*tplusTransportThread: Feb 06 11:56:00.780: No auth response from: 10.54.159.11, retrying with next server
*tplusTransportThread: Feb 06 11:56:00.780: Preparing message for retransmit. Decrypting first
*tplusTransportThread: Feb 06 11:56:00.780: Forwarding request to 10.54.159.12 port=49
*tplusTransportThread: Feb 06 11:56:00.783: AUTH Socket closed underneath
*tplusTransportThread: Feb 06 11:56:05.996: No auth response from: 10.54.159.12, retrying with next server
*tplusTransportThread: Feb 06 11:56:05.996: Preparing message for retransmit. Decrypting first
*tplusTransportThread: Feb 06 11:56:05.996: Forwarding request to 10.54.159.11 port=49
*tplusTransportThread: Feb 06 11:56:05.998: AUTH Socket closed underneath
(Cisco Controller) >show tacacs ?
acct           TACACS+ accounting server.
athr           TACACS+ authorization server.
auth           TACACS+ authentication server.
summary        Displays TACACS+ summary.
(Cisco Controller) >show tacacs summary
Authentication Servers
Idx  Server Address    Port    State     Tout
1    10.54.159.11      49      Enabled   5
2    10.54.159.12      49      Enabled   5
Authorization Servers
Idx  Server Address    Port    State     Tout
Accounting Servers
Idx  Server Address    Port    State     Tout
(Cisco Controller) >show tacacs auth ?
statistics     Displays TACACS+ authentication server statistics.
(Cisco Controller) >show tacacs auth stat
Authentication Servers:
Server Index..................................... 1
Server Address................................... 10.54.159.11
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 24
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Error Responses.................................. 0
Restart Responses................................ 0
Follow Responses................................. 0
GetData Responses................................ 0
Encrypt no secret Responses...................... 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Timeout Requests................................. 24
Unknowntype Msgs................................. 0
Other Drops...................................... 0
Server Index..................................... 2
--More-- or (q)uit
Server Address................................... 10.54.159.12
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 0
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
Error Responses.................................. 0
Restart Responses................................ 0
Follow Responses................................. 0
GetData Responses................................ 0
Encrypt no secret Responses...................... 0
Challenge Responses.............................. 0
Malformed Msgs................................... 0
Bad Authenticator Msgs........................... 0
Timeout Requests................................. 24
Unknowntype Msgs................................. 0
Other Drops...................................... 0
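The ACS message 13011 is what a TACACS+ server reports when it applies its own shared secret to a packet body that was obfuscated with a different one: the de-obfuscated START body is pseudo-random, its length fields no longer add up, and the server drops the request without replying, which is why the WLC side above only sees timeouts. The following is an added, self-contained example (not Cisco's code, not from this thread) that implements the RFC 8907 body obfuscation and shows the same packet parsing cleanly with the right secret and failing with a secret that differs only by a trailing blank; the user name, port and secrets are constructed, the session id is borrowed from a later debug trace on this page.

```python
import hashlib
import struct

# TACACS+ header layout (RFC 8907): version, type, seq_no, flags, session_id, length.
VERSION = 0xC0                       # major 12, minor 0
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")    # 12 bytes, network byte order


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: chained MD5 over session_id||key||version||seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(seed + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, seq_no, version=VERSION):
    """XOR the body with the keystream; applying it twice with the same key restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port=b"tty0", rem_addr=b"", data=b""):
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1), then 4 length bytes
    fixed = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def build_packet(body, session_id, key, seq_no=1):
    hdr = HEADER.pack(VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, seq_no)


def parse_authen_start(packet, key):
    """Return the START fields, or None when the body is inconsistent (the server-side '13011' case)."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if length != len(body) or ptype != TAC_PLUS_AUTHEN or len(body) < 8:
        return None
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, seq_no, version)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    # With the wrong secret these bytes are pseudo-random, so the length fields do not add up.
    if action not in (1, 2, 4) or 8 + ulen + plen + rlen + dlen != len(body):
        return None
    off = 8
    user = body[off:off + ulen]; off += ulen
    port = body[off:off + plen]; off += plen
    rem = body[off:off + rlen]; off += rlen
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "user": user.decode(), "port": port.decode(),
            "rem_addr": rem.decode(), "data": body[off:off + dlen]}


SESSION_ID = 0x223F532E          # session id seen in a WLC debug trace on this page
CORRECT = b"correct-secret"      # constructed secret
WRONG = b"correct-secret "       # same secret with a trailing blank (constructed)


def demo():
    """Parse one START packet with the matching secret and with the blank-padded one."""
    pkt = build_packet(build_authen_start(b"admin"), SESSION_ID, CORRECT)
    return parse_authen_start(pkt, CORRECT), parse_authen_start(pkt, WRONG)


if __name__ == "__main__":
    good, bad = demo()
    print("correct secret:", good)
    print("trailing blank :", bad)
```

Because the obfuscation is a plain XOR with no integrity check, a server can only detect the mismatch heuristically, which is why ACS words the message as "possibly mismatched shared secrets".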

Similar Messages

  • Cisco ACS (TACACS+) - AAA failure on WLC

    Setting up TACACS+ between Cisco ACS and 4402 WLC using the below configuration guide.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml#add-authorizserv
    Authentication is failing on the WLC. Currently getting the below error message on the Cisco ACS server (Reports and activity > failed attempts)
    Message Type: Author Failed
    Author-Failure-Code: Service denied
    Author-Data: service=ciscowlc protocol=common
    Anybody have any idea to resolve this problem.
    Thanks,
    Colm

    Hi,
    The document you referred to is correct.
    What version of WLC are you running?
    Check this one:
    CSCsk21007    WLC requires tacacs authentication when configuration change ccess Control
    HTH
    Regards,
    JK
    Plz rate helpful posts-

  • How to Assign Privilege Levels with CiscoSecure ACS TACACS+

    How do I assign a privilege level to a user in Secure ACS TACACS+ when the user exists in an external database?
    Regards,
    Bilal

    Hi Bilal,
    Bring users/groups in at level 15
        1.  Go to user or group setup in ACS
        2.  Drop down to "TACACS+ Settings"
        3.  Place a check in "Shell (Exec)"
        4.  Place a check in "Privilege level" and enter "15" in the adjacent field
    Regards,
    ~JG
    Do rate helpful posts

  • ACE ACS TACACS+ Key Mismatch issue

    Goodday,
    I have an issue when trying to set up ACE Modules for TACACS+ and AAA authentication, whereby the Failed Authentication reports state the reason as "Key Mismatch".
    We have confirmed that the key we are using is the same on the ACE and on the ACS.
    The question I have is as follows:
    Should the key we enter on the ACE remain as we have typed it, so if we enter mysharedkey as the key should this show as such in the running config or should it show as encrypted? Currently it shows in the running as we have entered it but just adds the 7 before the key and places the key in inverted commas.
    So config entered something like this:
    tacacs-server host 10.10.10.10 key mysharedkey
    aaa group server tacacs+ acs_pri
    server 10.10.10.10
    aaa authentication login default group acs_pri local none
    BTW, we are running version 2.1.4(a).
    Thanks for any assistance with this.
    Paul

    Hi Kevin,
    Thanks for the reply. I can confirm we have the "ssh key rsa 1024 force". I even tried removing and re-issuing the command.
    On the point of the show run revealing something encrypted instead of the actual TACACS key, this is not what we see; we see the actual key we entered.
    This is my concern.
    We managed to get this working by checking on the production ACE modules and production ACS, using the "encrypted" key we see in that "show run" and locating the key in the production ACS config (which was not under the ACE NDG, but under the ACS server itself's config, which also looks like something encrypted) and using this in the NDG config as the key for our ACE NDG on the test ACS.
    The problem arises that every six months or so, as a security requirement, the keys change, and how will we then know what to apply on the ACE if it does not apply the encryption of the key we enter itself?
    See my problem...
    Thanks again for the assistance and any further guidance would be appreciated.
    Paul.

  • Cannot login to 4400 using ACS-TACACS+

    Hello,
    I am using a 4402 running 4.2.207 setup with TACACS+ to management user authentication.  I am running ACS 4.2 in a VM.  I went thru the setup and added the ciscowlc-common attribute under the user group and added role1=ALL.
    I cannot get any user to login to the WLC.  If I turn off the ACS service the local auth works fine.  The ACS says that the authentication passed in the log but all I get when I try to connect to the WLC is prompted over and over again for username and password.
    Here are some captures from the WLC when I try to login to it from the web browser.
    Mon Aug  9 15:43:06 2010: Forwarding request to 192.168.1.90 port=49
    Mon Aug  9 15:43:06 2010: tplus response: type=1 seq_no=2 session_id=223f532e length=16 encrypted=0
    Mon Aug  9 15:43:06 2010: TPLUS_AUTHEN_STATUS_GETPASS
    Mon Aug  9 15:43:06 2010: auth_cont get_pass reply: pkt_length=22
    Mon Aug  9 15:43:06 2010: processTplusAuthResponse: Continue auth transaction
    Mon Aug  9 15:43:06 2010: tplus response: type=1 seq_no=4 session_id=223f532e length=6 encrypted=0
    Mon Aug  9 15:43:06 2010: tplus_make_author_request: athr server not found
    Mon Aug  9 15:43:06 2010: tplus_make_author_request() from tplus_authen_passed returns rc=1
    (Wireless) >show tacacs auth statistics
    Authentication Servers:
    Server Index..................................... 1
    Server Address................................... 192.168.1.90
    Msg Round Trip Time.............................. 0 (1/100 second)
    First Requests................................... 1
    Retry Requests................................... 1
    Accept Responses................................. 1
    Reject Responses................................. 0
    Error Responses.................................. 0
    Restart Responses................................ 0
    Follow Responses................................. 0
    GetData Responses................................ 0
    Encrypt no secret Responses...................... 0
    Challenge Responses.............................. 0
    Malformed Msgs................................... 0
    Bad Authenticator Msgs........................... 0
    Timeout Requests................................. 0
    Unknowntype Msgs................................. 0
    Other Drops...................................... 0
    show aaa auth
    Management authentication server order:
        1............................................ tacacs
        2............................................ local
    Any help is greatly appreciated.
    Seth

    Did you also configure the server info under TACACS Authorization and Accounting on the controller?  You can get this debug response if you only set up the server under the Authentication section.

  • ACS Tacacs+ aaa authorization commands

    Hi,
    I would like to authorize only certain configuration commands by the Tacacs Server, so in the group setup of ACS, I have checked : command, I have written in the field : configure, and declared as arguments : permit terminal and permit snmp-server enable traps. But I can not configure snmp until I declare in the router : privilege config level 7 snmp-server enable. (I use a level 7 user)
    My question is : is there a way to control the granularity of configuration commands on the ACS, in the same way as you can control the granularity of the show commands ?
    Many thanks
    Patrice

    Yes, you can get very granular using Command Authorization Sets and they can be applied to individual users or groups.
    Setting Up and Managing Shared Profile Components
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00800d9e6b.html
    hth

  • ACE 4710 A3(2.0) and ACS - TACACS+

    Hi.
    I am having trouble getting my ACE 4710 (A3(2.0) Build 3.0) to cooperate with my Cisco Secure ACS-server. In the same environment I have it working on my ACE Module, with the same configuration.
    ACE 4710:
    tacacs-server host 10.7.50.20 key 7 "fewhg"
    aaa group server tacacs+ tacacs_server_group
        server 10.7.50.20
        deadtime 15
    aaa authentication login default group tacacs_server_group local none
    aaa accounting default group tacacs_server_group local
    aaa authentication login error-enable
    ACS is configured correctly too. I have tried with several users, both in groups, with and without attributes and so forth. The ACS installation works with other devices and with my ACE modules running A2(3.1). I have tried this on both ACS 4.2(0).124 and 4.2(1).15.
    The strange part is what I see when I set up Wireshark on my ACS-server to look at the traffic. From what I can see, the ACE only sends a request to the AAA-server if the user exists locally. But I do not get authenticated and Failed Attempts show a line with with Message-Type: "Unknown NAS".
    It seems like others have the same problem. The problem is that the link attached in the topic beneath only leads me back to the forum and not to a topic with a solution.
    https://supportforums.cisco.com/thread/132445?decorator=print&displayFullThread=true#132445
    Any help is appreciated and thanks in advance!

    Are you using telnet or ssh?
    If ssh, can you try telnet (allow telnet in your management policy to do this). Then if it works via telnet, try ssh again; if it now works then you have hit CSCsu36078
    http://tools.cisco.com/squish/03240

  • WLC 5508 duplex mismatch error

    Hi, I've got a WLC 5508 connected to a Catalyst 6000 switch. In the switch I get a CDP duplex mismatch error every 30 min.
    %CDP-4-DUPLEXMISMATCH:Full/half duplex mismatch detected on port 3/23
    with the show port command I can see this:
    Port  Name                 Status     Vlan       Duplex Speed       Type
    3/23  WLC           connected  trunk        full        1000 10/100/1000
    With the show CDP neigh I see a duplex mismatch
    C6K9> (enable) sh cdp neig 3/23 detail
    Port (Our Port): 3/23
    Holdtime: 142 sec
    Capabilities: HOST
    Version:
      Manufacturer's Name: Cisco Systems Inc.  Product Name: Cisco Controller  Product Version: 7.0.116.0  RTOS Version: Erro  Bootloader Version: 1.0.1  Build Type: DATA + WPS
    Platform: AIR-CT5508-K9
    Port-ID (Port on Neighbors's Device): GigabitEthernet0/0/1
    VTP Management Domain: unknown
    Native VLAN: unknown
    Duplex: half (Mismatch)
    But in the WLC console there is not half duplex
    (WLC5508) show>port 1
               STP   Admin   Physical   Physical   Link   Link
    Pr  Type   Stat   Mode     Mode      Status   Status  Trap     POE    SFPType  
    1  Normal  Forw Enable  Auto       1000 Full  Up     Enable  N/A     1000BaseTX
    I don't have errors in the port counters.
    How can I resolve this duplex mismatch?

    Try upgrading the firmware of the WLC to 7.0.230.0.

  • ASA enable authentication for AD user by ACS TACACS fails

    In order to authorize command on ASA8.x for different users, I have to put 'aaa authentication enable console TACACS' into ASA configuration, and in ACS - user setup - TACACS+ enable password - Use separate password, I set an enable password.
    It works fine for ACS local users, they are able to get into priv EXEC mode by entering 'enable' command and use my pre-set password, however, the password doesn't work for AD user.
    So, how to setup enable authorization for AD user?
    Or is there a way to drop a user directly into level 15 on ASA just like it on router?
    below is the debug info.(I'm sure the password is the one I set in ACS)
    LABASA1(config)# AAA API: In aaa_open
    AAA session opened: handle = 884
    AAA API: In aaa_process_async
    aaa_process_async: sending AAA_MSG_PROCESS
    AAA task: aaa_process_msg(d45bd5c8) received message type 0
    AAA FSM: In AAA_StartAAATransaction
    AAA FSM: In AAA_InitTransaction
    Initiating authentication to primary server (Svr Grp: TACACS)
    AAA FSM: In AAA_BindServer
    AAA_BindServer: Using server: 192.168.1.221
    AAA FSM: In AAA_SendMsg
    User: fostco\user1
    Resp:
    callback_aaa_task: status = -1, msg =
    AAA FSM: In aaa_backend_callback
    aaa_backend_callback: Handle = 884, pAcb = d5b193e0
    aaa_backend_callback: Error:
    Incorrect password.
    AAA task: aaa_process_msg(d45bd5c8) received message type 1
    AAA FSM: In AAA_ProcSvrResp
    Back End response:
    Authentication Status: -1 (REJECT)
    AAA FSM: In AAA_NextFunction
    AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
    AAA_NextFunction: authen svr = TACACS, author svr = <none>, user pol = , tunn pol =
    AAA_NextFunction: New i_fsm_state = IFSM_DONE,
    AAA FSM: In AAA_ProcessFinal
    AAA FSM: In AAA_Callback
    user attributes:
    None
    user policy attributes:
    None
    tunnel policy attributes:
    None
    Auth Status = REJECT
    aaai_internal_cb: handle is 884, pAcb is d5b193e0, pAcb->tq.tqh_first is d441d1d8
    AAA API: In aaa_close
    AAA task: aaa_process_msg(d45bd5c8) received message type 3
    In aaai_close_session (884)

    I have run into a similar situation. I just want to authenticate via TACACS to enable mode in an ssh session. After using the "aaa authentication enable console TACACS LOCAL" command on the ASA, the ACS server rejects the password.
    I have tried everything I can think of on the ACS as far as "TACACS+ enable password" using both a windows database or a separate password, and PIX/ASA command sets. I cannot go into enable mode unless I set the ASA to LOCAL authentication, which just uses the globally defined enable password.

  • Cisco WLC + ACS + AD for Machine AND User auth...

    So I am trying to implement an SSID that requires a machine to be a domain member, AND require the user to provide username/password credentials before being allowed on that SSID.
    I am reading that it is possible, but can't find a clear config on how it is supposed to be setup... read about Machine Access Restrictions as being part of the config.
    Any help here?
    WLC 7.6 and ACS 5.5
    -g

    We are testing ISE with EAP chaining. It allows you to validate the company device (laptop) is joined to the domain and then the user credentials. However this requires EAP-FAST and the Cisco Anyconnect client. There is a group set up to look at EAP-TEAP. This will allow for standardize "chaining"
    http://tools.ietf.org/html/draft-ietf-emu-eap-tunnel-method-01#page-5

  • ACS 4.1 Shared Services Components problem

    I'm not able to edit the Shared Profiles Components for CiscoWorks in ACS. Error:
    Failed to edit Ciscoworks Campus Manager.
    Reason: You have insufficient privilege to Add/Edit Ciscoworks Campus Manager.
    I logged in with admin account in ACS with all permissions. When opening the properties of my admin account, all the CiscoWorks rights are deselected. I can select all the rights, apply the changes, but the rights are not applied !

    Seems like it is a Windows AD problem. Every 30 min the server gets a gpupdate (depending on who is logged in to the server) and if I have unchecked the box "use proxyserver" (IE - Options - connections - Lan settings) this update changes everything back to default, i.e. checks that box back. So next step: talk to some Windows people.
    thanks anyway!
    /lina

  • Wireless Authentication + WLC + ACS + AD

    Hello Everyone,
    I'm trying to configure an authentication policy in my wireless network.
    I need to authenticate users who are members of the group "Wireless users" in Active Directory.
    My question is: do I need to use ACS for this authentication against the AD group? Or is the controller alone enough?
    I do not like to use this digital certificate solution.
    My Topology is:
    USER -> AP -> Controller -> ACS -> AD
    Or
    USER -> AP -> Controller -> AD
    Help?
    Tks a lot.

    Well, The kind of requirement you have does ask for digital certs because most of the EAP flavors are dependent on certs.
    However, you may go for LEAP ( doesn't need certs)
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c4
    You may go for WLC and LDAP ( with certs without ACS)
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a008093f1b9.shtml
    Regds,
    Jatin
    Do rate helpful posts-

  • WLC Audit Status Mismatch

    Hi,
    We have two WLCs, 01 and 02. WLC01 is the primary and all APs have WLC01 as primary and WLC02 as secondary.
    We've had network issues that have caused WLC01 to lose connectivity (temporarily) - this caused WLC02 to take the Active role, but some users are left without service (others are not affected).
    We had to reboot WLC02 to force WLC01 to return to the Active role so all the users recover the service.
    The only unusual sign we've noticed is a "Mismatch" Audit Status that shows up in the Configure -> Controllers window in the WCS.
    What could be missing?

    I have the WLC02 configuration (show run-config) and I can see that not all interfaces are configured, I mean configuration is missing on WLC02.
    ***But these interfaces appear when reviewing the configuration of the WLC02 through the WCS (Configure->Controllers->WLC02->System->Interfaces)
    If I run the refresh, will it fix the problem?

  • WLC / ACS / AD - Domain and non-Domain Laptops (802.1X / PEAP)

    Hi All,
    I'm implementing a solution based around 4404 WLC, 1113 ACS and Microsoft AD. What I want to achieve is have two WLAN (SSID), one that can only be used by domain users on domain laptops, the other can be used by domain users on personal laptops. The domain laptops will have full connectivity but the personal laptops will be restricted.
    I've created the two SSID using 802.1X via ACS / Remote Agent and can authenticate and logon OK.
    I thought that I should have user auth and machine auth for the domain laptops but just user auth for personal laptops.
    I can have non authenticated machines go to a specific ACS group or blocked but I need to allow them if they're on the restricted SSID. I can't quite figure out how to have two SSIDs authenticating to the same ACS / AD - allow one and block the other.
    Am I on the right path?
    Anyone done this before or have any bright ideas?
    Cheers,
    John

    With the use of SSID-based WLAN access, the users can be authenticated based on the SSID they use in order to connect to the WLAN. The Cisco Secure ACS server is used to authenticate the users. Authentication happens in two stages on the Cisco Secure ACS:
    1. EAP authentication
    2. SSID authentication based on Network Access Restrictions (NARs) on Cisco Secure ACS
    For further description and configuration, the following URL may help you:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml

  • HTTP authentication via ACS TACACS+.

    Hi.
    I configure a router for tacacs+ access and the console and CLI work fine.
    HTTP access continually prompts for password and I can never gain access via web.
    I have tried the various cli combinations of IP HTTP AUTHENTICATION, but still does not seem to work with tacacs+.
    Debug authentication and authorization are ok (PASS)!
    Any suggestions??
    Thanks.
    Andrea.

    Hi Andrea,
    Make sure that you have privilege level 15 for your account, as telnet can work without it, but for http it's a must.
    You can configure it for the Group under which you have your user account, or on a per-user basis too.
    Select group > Edit Settings > TACACS+ section
    Check "Shell" and "Privilege level" and in the box in front of privilege level, put the number "15".
    Also, if you have configured enable authentication via TACACS+, make sure under your user account you have selected the "Use CiscoSecure..." option under TACACS+ enable password if you have your account configured on ACS, or select other as appropriate.
    Let me know if it helps :)
    I suppose you have the "ip http authentication aaa" command configured.
