[tac_plus] Trouble with AAA working on Cisco Wireless Controllers

Erwin, Shane Shane.Erwin at greenwayhealth.com
Thu Jun 23 21:37:27 UTC 2016


IT     I S    A L I V E  ! ! ! !

user = Wnelson {
        login = PAM
        member = default
        service = ciscowlc {
                role1 = ALL
        }
}

user = Bspringstein {
        login = PAM
        member = default
        service = ciscowlc {
                role1 = ALL
        }
}


Thank you so much. I can spell Linux but don't have much experience beyond how to vi a file. Now I understand what y'all have been saying.

Again, Thanks!!

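The fix in the thread is that each WLC user must carry a service = ciscowlc block with a role attribute; without it the daemon answers the authorization request with a PASS that has no attributes, and the controller assigns mgmtRole 0 and refuses the login. The following is an added example, not code from the thread, from tac_plus or from Cisco: a small lint pass over a tac_plus config that parses the user and group stanzas and reports every user that has no ciscowlc service (directly or via its member group) or an unrecognised role value. The sample config is constructed; MONITOR and ALL are the only roles named on the page, the other role names in KNOWN_ROLES are an assumption taken from the WLC GUI tab names, and accepting role1, role2, ... as a numbered series is likewise an assumption (the page shows only role1).

```python
"""Lint a tac_plus config for Cisco WLC users whose authorization would return no role.

Constructed example, not part of the thread or of the tac_plus distribution.
A WLC discards an authorization PASS that carries no attributes (arg_cnt=0 in
its AAA debug) and logs "Service-Type is not present", so every user, directly
or through its group, needs ``service = ciscowlc`` with at least ``role1``.
"""
import re

# MONITOR and ALL are the roles named on the page; the others are an assumption
# taken from the WLC GUI tab names ("they pretty much follow the tabs").
KNOWN_ROLES = {"ALL", "MONITOR", "WLAN", "CONTROLLER", "WIRELESS",
               "SECURITY", "MANAGEMENT", "COMMANDS", "LOBBY"}

# Constructed config: the thread's two users, one that forgot the service
# block, one with a misspelt role, and one inheriting the service via a group.
SAMPLE_CONFIG = """\
group = wlcadmins { service = ciscowlc { role1 = ALL } }

user = Wnelson {
        login = PAM
        member = default
        service = ciscowlc { role1 = ALL }
}
user = Bspringstein { login = PAM  member = default }
user = Jdoe { login = PAM  service = ciscowlc { role1 = MONITR } }   # misspelt role
user = Kroe { login = PAM  member = wlcadmins }
"""


def parse_tacplus(text):
    """Parse ``key = value`` lines and ``key = value { ... }`` blocks into a tree.

    Each node is {"attrs": {key: value}, "blocks": {(kind, name): node}, "bare": [...]};
    "bare" keeps statements without '=' (e.g. ``permit .*`` in cmd blocks), which
    this check does not inspect. '#' comments are stripped first.
    """
    tokens = re.findall(r'\{|\}|=|"[^"]*"|[^\s{}=]+', re.sub(r"#.*", "", text))
    pos = 0

    def block():
        nonlocal pos
        node = {"attrs": {}, "blocks": {}, "bare": []}
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in ("=", "{", "}"):
                words.append(tokens[pos])
                pos += 1
            if pos < len(tokens) and tokens[pos] == "=":
                pos += 1
                if pos >= len(tokens) or tokens[pos] in ("=", "{", "}"):
                    raise ValueError(f"missing value for {' '.join(words)!r}")
                key, value = " ".join(words), tokens[pos].strip('"')
                pos += 1
                if pos < len(tokens) and tokens[pos] == "{":
                    pos += 1
                    node["blocks"][(key, value)] = block()
                    if pos >= len(tokens) or tokens[pos] != "}":
                        raise ValueError(f"unclosed block {key} = {value}")
                    pos += 1
                else:
                    node["attrs"][key] = value
            elif pos < len(tokens) and tokens[pos] == "{":
                raise ValueError(f"unexpected '{{' after {' '.join(words)!r}")
            elif words:
                node["bare"].append(" ".join(words))
        return node

    root = block()
    if pos != len(tokens):
        raise ValueError("unbalanced '}' at top level")
    return root


def wlc_service(node, root, seen=()):
    """Resolve service = ciscowlc on the user, or on its group chain via ``member``."""
    svc = node["blocks"].get(("service", "ciscowlc"))
    if svc is not None:
        return svc
    group = node["attrs"].get("member")
    if group and group not in seen and ("group", group) in root["blocks"]:
        return wlc_service(root["blocks"][("group", group)], root, seen + (group,))
    return None


def check_wlc_roles(text, known_roles=KNOWN_ROLES):
    """Return {username: problem} for every user a WLC would refuse to log in."""
    root, problems = parse_tacplus(text), {}
    for (kind, name), node in root["blocks"].items():
        if kind != "user":
            continue
        svc = wlc_service(node, root)
        if svc is None:
            problems[name] = "no service = ciscowlc on user or group (WLC sees arg_cnt=0, mgmtRole 0)"
            continue
        # role1 is what the page shows; role<N> as a series is an assumption.
        roles = {k: v for k, v in svc["attrs"].items() if re.fullmatch(r"role\d+", k)}
        if not roles:
            problems[name] = "service = ciscowlc carries no role1 attribute"
            continue
        bad = sorted(v for v in roles.values() if v.upper() not in known_roles)
        if bad:
            problems[name] = "unrecognised WLC role value(s): " + ", ".join(bad)
    return problems


if __name__ == "__main__":
    for user, problem in check_wlc_roles(SAMPLE_CONFIG).items():
        print(f"{user}: {problem}")
```

Run it against the real tac_plus.conf before restarting the daemon; a user that only appears with login and member lines, as Bspringstein does in the sample, is exactly the case that produces the empty authorization reply seen further down in this thread.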

From: Daniel Schmidt [mailto:daniel.schmidt at wyo.gov]
Sent: Thursday, June 23, 2016 4:55 PM
To: Erwin, Shane <Shane.Erwin at greenwayhealth.com>
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Trouble with AAA working on Cisco Wireless Controllers

The Cisco WLC is totally different; it uses roles. So, under your user, you would do:

        service = ciscowlc {
                role1 = MONITOR
        }
MONITOR and ALL are two roles I remember. There are more; you can go look them up, they pretty much follow the tabs.

On Wed, Jun 22, 2016 at 9:39 PM, Erwin, Shane <Shane.Erwin at greenwayhealth.com> wrote:
Hi,

I have 4 Cisco Wireless controllers I'd like to use with the Shrubbery Networks TACACS+ interface, but I'm having some issues. Could you help?

I seem to have it set up correctly, but when the TACACS+ server returns a "Good-Authorized" message, the WLC doesn't seem to understand it and drops the reply. So I can't log in.

This is what I've been seeing. Can anyone help?

Thanks!
Shane Erwin

TACACS+ server log
Mon Jun 20 18:08:48 2016 [10897]: Reading config
Mon Jun 20 18:08:48 2016 [10897]: Version F4.0.4.26 Initialized 1
Mon Jun 20 18:08:48 2016 [10897]: tac_plus server F4.0.4.26 starting
Mon Jun 20 18:08:48 2016 [10897]: session.peerip is 10.226.21.133
Mon Jun 20 18:08:48 2016 [10897]: login query for 'serwin' unknown-port from 10.226.21.133 accepted



The wireless controller log shows the following:
*emWeb: Jun 20 23:00:58.451: #EMWEB-3-LOGIN_FAILED: ews_auth.c:2138 Login failed for the user:serwin. Service-Type is not present or it doesn't allow READ/WRITE permission..


Wireless Controller debug of AAA
(Cisco Controller) >
*tplusTransportThread: Jun 21 20:27:44.562: User has the following mgmtRole 0
*tplusTransportThread: Jun 21 20:28:27.594: Conecting to tacacs server 10.23.232.106 on port=49

*tplusTransportThread: Jun 21 20:28:27.632: Received tplus auth response: type=1 seq_no=2 session_id=6bab0428 length=16 encrypted=0

*tplusTransportThread: Jun 21 20:28:27.632: TPLUS_AUTHEN_STATUS_GETPASS

*tplusTransportThread: Jun 21 20:28:27.632: auth_cont get_pass reply: pkt_length=27

*tplusTransportThread: Jun 21 20:28:27.632: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Jun 21 20:28:28.183: Received tplus auth response: type=1 seq_no=4 session_id=6bab0428 length=6 encrypted=0

*tplusTransportThread: Jun 21 20:28:28.183: Created tacacs author request payload(rc=0)

*tplusTransportThread: Jun 21 20:28:28.183: TPLUS_AUTHEN_STATUS_PASS: username=[serwin]

*tplusTransportThread: Jun 21 20:28:28.183: Conecting to tacacs server 10.23.232.106 on port=49

*tplusTransportThread: Jun 21 20:28:28.216: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0

*tplusTransportThread: Jun 21 20:28:28.217:
                                            User has the following mgmtRole 0

(Cisco Controller) >*tplusTransportThread: Jun 21 20:28:47.774: Conecting to tacacs server 10.23.232.106 on port=49

*tplusTransportThread: Jun 21 20:28:47.811: Received tplus auth response: type=1 seq_no=2 session_id=67fc0acd length=16 encrypted=0

*tplusTransportThread: Jun 21 20:28:47.811: TPLUS_AUTHEN_STATUS_GETPASS

*tplusTransportThread: Jun 21 20:28:47.811: auth_cont get_pass reply: pkt_length=27

*tplusTransportThread: Jun 21 20:28:47.811: processTplusAuthResponse: Continue auth transaction
*tplusTransportThread: Jun 21 20:28:48.350: Received tplus auth response: type=1 seq_no=4 session_id=67fc0acd length=6 encrypted=0

*tplusTransportThread: Jun 21 20:28:48.351: Created tacacs author request payload(rc=0)

*tplusTransportThread: Jun 21 20:28:48.351: TPLUS_AUTHEN_STATUS_PASS: username=[serwin]

*tplusTransportThread: Jun 21 20:28:48.351: Conecting to tacacs server 10.23.232.106 on port=49

*tplusTransportThread: Jun 21 20:28:48.385: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0

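The debug above shows the symptom from the controller's side: authentication passes, the authorization reply comes back with status=1 (PASS_ADD) but arg_cnt=0, the WLC derives mgmtRole 0, and the web UI logs EMWEB-3-LOGIN_FAILED because no Service-Type or role attribute was returned. The following is an added example, not code from the thread, from tac_plus or from Cisco: a triage script that reads "debug aaa tacacs" output line by line, pairs each authorization reply with the user that just authenticated, and flags the passed-but-empty reply. The sample log mixes lines taken from the thread with one constructed healthy exchange (status=1 arg_cnt=1) for contrast; the assumption that the WLC prints the TACACS+ status code in decimal is labelled in the code.

```python
"""Triage Cisco WLC 'debug aaa tacacs' output for the no-attributes authorization symptom.

Constructed example, not code from the thread, tac_plus or Cisco. It reads the
tplusTransportThread lines the WLC prints, pairs each authorization reply with
the user that just authenticated, and flags a PASS that carries no attributes,
which is what the thread's debug shows (status=1 arg_cnt=0, then "mgmtRole 0",
then an EMWEB-3-LOGIN_FAILED on the web UI).
"""
import re

# TACACS+ authorization status values (RFC 8907, section 6.2). The WLC debug
# appears to print them in decimal (status=1 on the page); that is an assumption.
AUTHOR_STATUS = {1: "PASS_ADD", 2: "PASS_REPL", 16: "FAIL", 17: "ERROR", 33: "FOLLOW"}

PASS_RE = re.compile(r"TPLUS_AUTHEN_STATUS_PASS: username=\[(?P<user>[^\]]*)\]")
AUTHOR_RE = re.compile(r"author response body: status=(?P<status>\d+) arg_cnt=(?P<args>\d+)")
ROLE_RE = re.compile(r"User has the following mgmtRole (?P<role>\d+)")
EMWEB_RE = re.compile(r"#EMWEB-3-LOGIN_FAILED: .*?user:(?P<user>[^\s.]+)")

# Lines from the thread's debug output plus one constructed healthy exchange
# (Wnelson, status=1 arg_cnt=1) to show what a usable reply looks like.
SAMPLE_LOG = """\
*emWeb: Jun 20 23:00:58.451: #EMWEB-3-LOGIN_FAILED: ews_auth.c:2138 Login failed for the user:serwin. Service-Type is not present or it doesn't allow READ/WRITE permission..
*tplusTransportThread: Jun 21 20:28:28.183: TPLUS_AUTHEN_STATUS_PASS: username=[serwin]
*tplusTransportThread: Jun 21 20:28:28.216: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0
*tplusTransportThread: Jun 21 20:28:28.217:
                                            User has the following mgmtRole 0
*tplusTransportThread: Jun 21 20:28:48.351: TPLUS_AUTHEN_STATUS_PASS: username=[serwin]
*tplusTransportThread: Jun 21 20:28:48.385: author response body: status=1 arg_cnt=0 msg_len=0 data_len=0
*tplusTransportThread: Jun 23 21:30:01.000: TPLUS_AUTHEN_STATUS_PASS: username=[Wnelson]
*tplusTransportThread: Jun 23 21:30:01.040: author response body: status=1 arg_cnt=1 msg_len=0 data_len=0
"""


def triage(lines):
    """Return one finding dict per authorization reply or web-login failure seen."""
    findings, user = [], None
    for line in lines:
        if m := PASS_RE.search(line):
            # Authentication finished; the next author response belongs to this user.
            user = m["user"]
        elif m := AUTHOR_RE.search(line):
            status, args = int(m["status"]), int(m["args"])
            name = AUTHOR_STATUS.get(status, f"unknown({status})")
            if name in ("PASS_ADD", "PASS_REPL") and args == 0:
                verdict = ("NO_ATTRS: authorization passed but the server returned no "
                           "attributes; the WLC will derive mgmtRole 0 and refuse the login. "
                           "Add service = ciscowlc { role1 = ... } to the tac_plus user or group.")
            elif name in ("PASS_ADD", "PASS_REPL"):
                verdict = "OK: authorization passed with attributes"
            else:
                verdict = f"DENIED: authorization status {name}"
            findings.append({"user": user, "status": name, "arg_cnt": args,
                             "mgmt_role": None, "verdict": verdict})
        elif (m := ROLE_RE.search(line)) and findings:
            # The mgmtRole line follows the author response it was derived from.
            findings[-1]["mgmt_role"] = int(m["role"])
        elif m := EMWEB_RE.search(line):
            # Web-UI side of the same failure, recorded so the two can be correlated.
            findings.append({"user": m["user"], "status": "EMWEB-3-LOGIN_FAILED",
                             "arg_cnt": None, "mgmt_role": None,
                             "verdict": "WEB_LOGIN_FAILED: controller rejected the session"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['user']:>14} {f['status']:<22} arg_cnt={f['arg_cnt']} "
              f"mgmtRole={f['mgmt_role']}  {f['verdict']}")
```

The useful signal is the combination, not any single line: a PASS_ADD with arg_cnt=0 is a server-side configuration gap (the daemon accepted the user but had no ciscowlc service to hand back), whereas a FAIL status would point at an explicit deny on the tac_plus side.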
