WLC: TACACS+ Config Note!
Quick note about Cisco WLC and TACACS+. Got a call from a colleague who spent 2 hours on this issue. It is his first WLC install.
When you configure Cisco TACACS+ on a Cisco WLC you need to add your TACACS+ server IP and secret information in 2 sections (authentication and authorization). This is required for TACACS+ to work on a WLC.
First you are authenticated, and then authorized; the authorization step is where you receive your role.
*The accounting section is not required for TACACS+ to work
If you configure only one of the two sections, or neither, and run “debug aaa tacacs enable”, you will see:
(WiSM-slot1-2) >debug aaa tacacs enable
(WiSM-slot1-2) >*Sep 06 15:02:25.495: tplusServerStateSet(), index=1 state=1
*Sep 06 15:17:13.343: Forwarding request to 10.10.10.100 port=49
*Sep 06 15:17:15.157: tplus response: seq_no=2 session_id=f058fe68 length=16 encrypted=0
*Sep 06 15:17:15.157: TPLUS_AUTHEN_STATUS_GETPASS
*Sep 06 15:17:15.157: auth_cont get_pass reply: pkt_length=25
*Sep 06 15:17:15.157: processTplusAuthResponse: Continue auth transaction
*Sep 06 15:17:15.171: tplus response: seq_no=4 session_id=f058fe68 length=6 encrypted=0
*Sep 06 15:17:15.172: tplus_make_author_request: athr server not found
Configure TACACS+ on WLC
Use these commands to configure a TACACS+ authentication server:
• config tacacs auth add index server_ip_address port# {ascii | hex} shared_secret—Adds a TACACS+ authentication server.
• config tacacs auth delete index—Deletes a previously added TACACS+ authentication server.
• config tacacs auth {enable | disable} index—Enables or disables a TACACS+ authentication server.
• config tacacs auth server-timeout index timeout—Configures the retransmission timeout value for a TACACS+ authentication server.
Use these commands to configure a TACACS+ authorization server:
• config tacacs athr add index server_ip_address port# {ascii | hex} shared_secret—Adds a TACACS+ authorization server.
• config tacacs athr delete index—Deletes a previously added TACACS+ authorization server.
• config tacacs athr {enable | disable} index—Enables or disables a TACACS+ authorization server.
• config tacacs athr server-timeout index timeout—Configures the retransmission timeout value for a TACACS+ authorization server.
Use these commands to configure a TACACS+ accounting server:
• config tacacs acct add index server_ip_address port# {ascii | hex} shared_secret—Adds a TACACS+ accounting server.
• config tacacs acct delete index—Deletes a previously added TACACS+ accounting server.
• config tacacs acct {enable | disable} index—Enables or disables a TACACS+ accounting server.
• config tacacs acct server-timeout index timeout—Configures the retransmission timeout value for a TACACS+ accounting server.
Use these commands to see TACACS+ statistics:
• show tacacs summary—Shows a summary of TACACS+ servers and statistics.
• show tacacs auth stats—Shows the TACACS+ authentication server statistics.
• show tacacs athr stats—Shows the TACACS+ authorization server statistics.
• show tacacs acct stats—Shows the TACACS+ accounting server statistics.
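As an added example (not from the original post or Cisco), the following Python script lints a WLC command script against the rule this note describes: every TACACS+ server added under "auth" must also be added under "athr" with the same shared secret, otherwise the debug output above ends in "athr server not found". It assumes the "config tacacs ... add" syntax listed above; the secret values and the sample script are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the "config tacacs <section> add ..." form documented above.
ADD_RE = re.compile(
    r"^config tacacs (?P<section>auth|athr|acct) add (?P<index>\d+) "
    r"(?P<ip>\S+) (?P<port>\d+) (?P<fmt>ascii|hex) (?P<secret>\S+)$"
)

def parse_tacacs_config(lines):
    """Return {section: {server_ip: shared_secret}} for every add command."""
    servers = defaultdict(dict)
    for line in lines:
        m = ADD_RE.match(line.strip())
        if m:
            servers[m["section"]][m["ip"]] = m["secret"]
    return servers

def check_tacacs_config(lines):
    """List the misconfigurations that lead to 'athr server not found'."""
    servers = parse_tacacs_config(lines)
    problems = []
    if not servers["auth"]:
        problems.append("no TACACS+ authentication (auth) server configured")
    if not servers["athr"]:
        problems.append("no TACACS+ authorization (athr) server configured")
    for ip, secret in servers["auth"].items():
        if ip not in servers["athr"]:
            problems.append(f"{ip} is an auth server but not an athr server")
        elif servers["athr"][ip] != secret:
            problems.append(f"{ip}: auth and athr shared secrets differ")
    return problems  # empty list means auth and athr sections agree

def diagnose_debug(debug_lines):
    """Map the debug signature shown in the post to its usual cause."""
    for line in debug_lines:
        if "tplus_make_author_request: athr server not found" in line:
            return "authentication succeeded but no athr server: add the authorization section"
    return None

# Constructed sample scripts: the colleague's incomplete config and the fix.
INCOMPLETE = [
    "config tacacs auth add 1 10.10.10.100 49 ascii ExampleSecret",  # constructed secret
    "config tacacs auth enable 1",
]
COMPLETE = INCOMPLETE + [
    "config tacacs athr add 1 10.10.10.100 49 ascii ExampleSecret",
    "config tacacs athr enable 1",
]
```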
Reader Comments (5)
George, thank you for your help with this...
This explains my problem! Thank you
Awesome timing, I had to set up my first TACACS+ today on ACS 5.1; definitely not as straightforward as it could be.
Thanks for the tips
There's a little more to it.
1. Under the GUI, you have to tell it to use TACACS since it is not a default option. It won't work properly and can be confusing. I spent a couple to a few hours looking to possibly RMA the unit, as the errors consistently reported a read error when I did authenticate using improper RADIUS (aironet), one of the options I tried, to no authentication at all when I tried RADIUS (airespace).
2. After I had my preferred method and order listed, things worked like a charm.
3. Other caveats: roles in ACS are important if you want privileges.
4. Shared secret keys and of course specifying the detail of the NAS to the ACS Server are required as well. In my case, I have to sync the ASA Servers - I have three to contend with. So I perform the work on the master and then sync.
I think that covers it.
Darby
http://www.darbyslogs.blogspot.com
Darby! Hello my friend ... Of course, there is much more, as we know. But what is interesting is that you can't just config auth and think it will work. You need to config auth and author ...