WLC: TACACS+ Config Note! 
Wednesday, September 8, 2010 at 11:34AM
George

Quick note about Cisco WLC and TACACS+. Got a call from a colleague who spent 2 hours on this issue. It is his first WLC install. 

When you configure TACACS+ on a Cisco WLC you need to add your TACACS+ server IP and shared secret in two sections (authentication and authorization). Both are required for TACACS+ management login to work on a WLC.

First you are authenticated, then authorized; the authorization step is where you receive your role.

*The accounting section is not required for TACACS+ to work 

If you configure only one of the two sections (or neither) and run “debug aaa tacacs enable”, you will see:

(WiSM-slot1-2) >debug aaa tacacs enable
(WiSM-slot1-2) >*Sep 06 15:02:25.495: tplusServerStateSet(), index=1 state=1
*Sep 06 15:17:13.343: Forwarding request to 10.10.10.100 port=49
*Sep 06 15:17:15.157: tplus response: seq_no=2 session_id=f058fe68 length=16 encrypted=0
*Sep 06 15:17:15.157: TPLUS_AUTHEN_STATUS_GETPASS
*Sep 06 15:17:15.157: auth_cont get_pass reply: pkt_length=25
*Sep 06 15:17:15.157: processTplusAuthResponse: Continue auth transaction
*Sep 06 15:17:15.171: tplus response: seq_no=4 session_id=f058fe68 length=6 encrypted=0
*Sep 06 15:17:15.172: tplus_make_author_request: athr server not found


Configure TACACS+ on WLC 

Use these commands to configure a TACACS+ authentication server:

config tacacs auth add index server_ip_address port# {ascii | hex} shared_secret—Adds a TACACS+ authentication server.

config tacacs auth delete index—Deletes a previously added TACACS+ authentication server.

config tacacs auth {enable | disable} index—Enables or disables a TACACS+ authentication server.

config tacacs auth server-timeout index timeout—Configures the retransmission timeout value for a TACACS+ authentication server.

Use these commands to configure a TACACS+ authorization server:

config tacacs athr add index server_ip_address port# {ascii | hex} shared_secret—Adds a TACACS+ authorization server.

config tacacs athr delete index—Deletes a previously added TACACS+ authorization server.

config tacacs athr {enable | disable} index—Enables or disables a TACACS+ authorization server.

config tacacs athr server-timeout index timeout—Configures the retransmission timeout value for a TACACS+ authorization server.

Use these commands to configure a TACACS+ accounting server:

config tacacs acct add index server_ip_address port# {ascii | hex} shared_secret—Adds a TACACS+ accounting server.

config tacacs acct delete index—Deletes a previously added TACACS+ accounting server.

config tacacs acct {enable | disable} index—Enables or disables a TACACS+ accounting server.

config tacacs acct server-timeout index timeout—Configures the retransmission timeout value for a TACACS+ accounting server. 

Use these commands to see TACACS+ statistics:

show tacacs summary—Shows a summary of TACACS+ servers and statistics.

show tacacs auth stats—Shows the TACACS+ authentication server statistics.

show tacacs athr stats—Shows the TACACS+ authorization server statistics.

show tacacs acct stats—Shows the TACACS+ accounting server statistics.
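As an added example (not part of the original post), here is the minimal working configuration the note describes, using the server IP and port seen in the debug output above; the index, the shared secret, the accounting entries and the management authentication order command (config aaa auth mgmt) are my assumptions, and lines starting with "!" are annotations rather than WLC commands:

```text
! Authentication server: validates the username and password
config tacacs auth add 1 10.10.10.100 49 ascii ExampleSecret
config tacacs auth enable 1

! Authorization server: MUST also be defined with the same server,
! otherwise the login fails with
! "tplus_make_author_request: athr server not found"
config tacacs athr add 1 10.10.10.100 49 ascii ExampleSecret
config tacacs athr enable 1

! Accounting server: optional, login works without it
config tacacs acct add 1 10.10.10.100 49 ascii ExampleSecret
config tacacs acct enable 1

! Use TACACS+ for management users, with the local database as
! fallback so a TACACS+ outage does not lock you out of the controller
config aaa auth mgmt tacacs local

! Verify that both the auth and athr server appear and are enabled
show tacacs summary
show tacacs auth stats
show tacacs athr stats
```

After applying this, a test login should show the request forwarded to 10.10.10.100 in the debug output followed by an authorization exchange instead of the "athr server not found" line.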


Article originally appeared on my80211.com (http://www.my80211.com/).
See website for complete article licensing information.