Cisco :: WLC 5508 Use TACACS To Authenticate Admins / With Maximum Privileges
Sep 23, 2012
I have an issue with two wlc 5508 in the same mobility group. We use TACACS to authenticate admins, with maximum privileges.
When I want to configure cleanair, or some security functions (such as ACL, or password policies), I have an error message saying that my privileges are not enough.When I use local account, it works well.
At the begining, I thought it was a TACACS issue, but I have the same problem with WCS and SNMP. Cleanair doesn't appears in config menu, and I have an error message for security function.
View 10 Replies
ADVERTISEMENT
May 24, 2011
I think i've got everything set up to authenticate against AD for Tacacs+ device logins. When i check the logs, i see:"24408 User authentication against Active Directory failed since user has entered the wrong password". This leads me to believe that it is checking AD correctly, however if i enter the password correctly for the same AD user, there is no log at all...no pass, no fail.
If i look at the Tacacs debugs on the switch, i see the following:May 25 10:55:07.927 CDT: TAC+: ver=192 id=874699084 received AUTHEN status = ERRORMay 25 10:55:09.932 CDT: TAC+: send abort reason=Unknown
Obviously the switch is communicating to ACS, and ACS is passing info back to the switch. ACS also appears to be communicating effectively with AD since it knows when i put in an incorrect password for the specific user.
View 2 Replies
View Related
Jan 5, 2012
ACS 5.1 is failing to authenticate tacacs authentication to the ASA firewall, getting
View 6 Replies
View Related
May 2, 2012
I have a cisco nexus 7000 switch and a cisco ACS 5.2. I would like to setup the switch to be able to authenticate users with tacacs+ using RSA secureid tokens when they try to logon to the switch.
View 1 Replies
View Related
Aug 20, 2012
we have deployed L3 in-band scenario for wireless 2 years ago and the solution was working without any problem. we have upgrade wireless controller to 5508, since then, when users login to the first page and certified, and they want to browse to the internet, NAC redirects the web page and ask for authenticatin again, despite the users' devices are being shown as certified devices in the list.
View 6 Replies
View Related
Sep 8, 2011
I am transitioning from RADIUS auth to local auth and i don't want to hassle everyone to change in one hit.If i can get auth requests to look in the WLC local net db first and if not found try RADIUS then this is what i am after! You can easily do it with web auth but doesnt seem so easy via WPA2 method.
View 1 Replies
View Related
May 19, 2011
I am trying to configure my ACS to allow 802.11 phones to authenticate. I have searched high and low for documentation on doing this with no luck. We are using unified wireless with a mix of 5508 and wism controllers. I am able to authenticate windows devices against active directory via the acs but can't seem to get anything working with the phones.
View 3 Replies
View Related
Sep 25, 2011
Having an issue with Cisco ACS v5.1.0.44 and the Cisco WLC 5508. Cannot get users to authenticate and keep getting error messages referring to EAP session timeouts from WLC filling our logs. Seems to be with this model WLC because we have Cisco 4400 WLCs pointing to the same ACS with no issues. Is there a bug or special configuration that is necessary to marry the 5508 with ACS v5.1.0.44?
View 9 Replies
View Related
Oct 24, 2011
Tacacs not working for 3 new 5508 WLC's...working fine for 6 old 4400 WLC's.
Before 7.116 code upgrade...I remember 5508 was working on and off and now they are not.
Same configs on SW, WLC and ACS.
Debug on WLC gives..below message when Tacacs is attempted..
*aaaQueueReader: Oct 25 09:20:41.700: tplus_processAuthRequest: memory alloc failed for tplus
Not sure why statistics show zero...?? Radius is working for users.
(wlc03) >show tacacs auth statistics
Authentication Servers:
Server Index..................................... 1
Server Address................................... 10.3.121.21
Msg Round Trip Time.............................. 0 (msec)
First Requests................................... 0
Retry Requests................................... 0
Accept Responses................................. 0
Reject Responses................................. 0
[ Code].....
View 7 Replies
View Related
Sep 13, 2011
I an currently running Cisco (ACS 5.2.0.26.3) and attempting to get my Cisco 5508 WLC's (7.0.98.0) loaded into ACS for TACACS+ authentication for managment users.
However I keep getting the following error:
*emWeb: Sep 14 14:44:45.931: %EMWEB-1-LOGIN_FAILED: ews_auth.c:2104 Login failed for the user:test_tac. Service-Type is not present or it doesn't allow READ/WRITE permission.
Now I've attempted the step-by-step using the following URL but to no avail.( there are some slight differences in ACS 5.2)
[URL]
Latest WLC configuration guide I could find (Software Release 7.0 June 2010) isn't much useful either.
View 6 Replies
View Related
Jun 22, 2011
We have 2 WLCs, 4402 (main) and 5508 (backup). While we turn on both devices, 4402 have 10 APs, and 5508 have 10 APs as well. Total connected clients will be 120+, but when we turn off either 1 wlc, let's say only 4402 is power on, total 20 APs joined, but the total client will be 90+, never reach over 100 clients. The same happened on 5508, is there any maximum associated connection on WLC?
View 1 Replies
View Related
Mar 7, 2012
I have a client that is running ACS 5.3 as a VM in ESX 4.1. The client wants their VMWare admins to have the ability to shut down the ACS server during maintenance etc... I know I could create a CLI user with admin priviliges, however, assigning full admin priviliges is beyond the scope of what the user requires. They simply want a user account with the added privilige of performing a halt from the CLI. In the CLI Reference Guide for ACS.
So is it possible to create an account with user priviliges, then modify its permissions to allow for a halt?
View 3 Replies
View Related
Jul 10, 2011
which is the maximum number of simultaneous wired guest clients on a 5508? And in a 2112 controller?
Wired clients count as wireless clients??
What about anchoring limitations, what is the effect of wired guest clients on the anchor controller?
View 2 Replies
View Related
Jul 31, 2011
if its possible to set a maximum bandwidth for the entire wlan or for entire Vlan in the WLC 5508 ?
View 3 Replies
View Related
Mar 7, 2012
We have a Cisco 1841 router that requires 2 levels of access, at the moment we have network admins logging in with a single username via SSH and with privilege 15 but we also need our helpdesk to login to run certain commands but not chaneg anything
View 4 Replies
View Related
Aug 7, 2012
I think this is a bug, but I wanted to check if others have the same problem. If we try to delete rogue AP's under MONITOR > Rogues with Remove Selected then we get a error message Authorization Failed. No sufficient privileges. At first sight, it looks like the AP's are gone, but if you click on the same menu again, they are still there.
My ACS admin user has role1=ALL. I even tried to set role1=MONITOR, then I don't get the message above, but it is stated that I can not delete known rogue AP's.
View 10 Replies
View Related
Feb 10, 2013
How can i create customized user in Cisco ASA 5505 having the following Privileges? note i dont have AAA server.User can only perform show running, ping, traceroute, show xlate. I have review one of the firewall configuration and found two type of password defined, what is the difference b/w enable and password?
View 2 Replies
View Related
Jul 26, 2012
I am just wondering if it is possible to have two user accounts in Cisco RV042 V3 (Firmware: v4.1.1.01-sp (Dec 6 2011 20:03:18). User accounts to mean that one user can access the router with an administrative level access can do all the changes and management of the router's configurations and settings while another user can only do viewing of the system summary tab and connect and manage the simple configuration to connection to the ISP in both WANs, like setting up the connection type and release/renew the ip address for dynamic ip assigned by the ISP DHCP server.
View 1 Replies
View Related
Mar 1, 2013
I have a HP G60 Series. Im trying to bridge connections with my xbox and wifi and i cant because it says "you don't have sufficient privileges to configure connection properties
View 1 Replies
View Related
Jul 26, 2012
I have Cisco 2960 switches deployed in my environment along with radius server authentication. Now i need to assign some roles to particular users (shutdown port, description) so what i need to do for this task so not all users have same privileges.
View 1 Replies
View Related
Mar 17, 2011
We replaced a WLC2106 with a WLC2112 and the 2112 can't authenticate anything. Both WLCs have the exact same configuration on them. We are using a RADIUS server to do MAC authentication. Both WLCs have been set to use no delimiter in the MAC filtering.
When the 2106 is in place, we have no issues and all allowed devices can authenticate without issue. However, when the 2106 is removed and the 2112 is powered up, every single device fails authentication and is put on the exclusion list. When we check RADIUS, it tells us the devices fail because they are locked. We unlock the device's account, and 5 minutes later the 2112 has screwed something up and they are locked again.
View 3 Replies
View Related
Mar 4, 2013
If I choose to authenticate NCS users through Cisco ACS (5.4 in this instance) via TACACS, do I still have the ability to do accounting to track what changes they have made? I'm not getting anything in the TACACS accounting reports and I don't see anywhere to configure TACACS for accounting within NCS gui like I can on a WLC. I know that NCS has an internal audit trail but if a users account is both a local account on NCS as well as an account being authenticated through ACS does the Audit trail on NCS for that local user still contain the information about changes the user made? I ask because it looks like it does but I want to make sure I'm not going mad. Here is my example:
Local account username: NCS_Admin2AD account via TACACS username: NCS_Admin2
Audit trail for the NCS_Admin2 account on NCS looks like changes are being logged to NCS even though the user is logging in with their AD credentials via TACACS.
View 4 Replies
View Related
Aug 30, 2012
Having an issue with Macbook authentication. All Macbooks at this one site, on same switch, going to same RADIUS server, work except for one. Looking at logs it appears server and client never exchange certificates. Attached is log for failed Macbook authentication.
View 4 Replies
View Related
Jan 30, 2013
I have been trying to set this up for like 4 hours. What a waste of time. This should be as easy as punching in the IP and password for the radius server. It isn't.I have a brand new SG-300-10. LATEST firmwawre, I just updated it about 5 minutes ago. 1.2.7.6 I think.This is what I have done so far in the GUI: (I have CLI access too if necessary)
Security > RADIUS and entered my radius IP/secret there.
Security > Access Management Profiles > Create new template called ALL that permits access to all applications. Set it as active also.
Security > Management Access Authentication > For HTTP and SSH
I put RADIUS first then Local second.My radius server works. As I type this message I am logging in via radius with OpenBSD/Centos even Fedora. (If OpenBSD can do it, these switches can do it.)But whenever I try to login with RADIUS credentials to my switch, I get no logs or any connectivity reports on my radius server? Is the switch even attempting to contact the server? The logs dont show anything regarding RADIUS. I am trying a reboot now, but I don't think that should be necessary.Is there a step I missed? When first looking at this I expected it to be done in 5 minutes. I have been on this for lik 4 hours. Isimply want to login to the administration console (web gui) using RADIUS credentials.
View 5 Replies
View Related
Feb 14, 2012
I am trying to connect using officeextend but couldn't . I have managed to connect the officeextend AP to the DMZ WLC however i cant get the users to authenticte to the ACS (although there is a rule to access the access on ports 1813 and 1812). Should the DMZ WLC need the ACS servers (i thought they wouldnt require as they are anchored back to the Internal WLC that the ACS server address
oon a side note, i have'nt created dhcp for hte officeedxtend users - will this cause an issue - (just deciding on to it on WLC or windows server)In-fact i cant even see myself authenticating on the ACS server
View 25 Replies
View Related
Mar 4, 2012
I have a Cisco ASA (8.2) setup with remote access for my users using Cisco VPN client. The authentication is passed off to my ACS 5.3 which then checks with AD. What I've done so far is create Access Policy rule where I define specifically the Location and NDG where the ASA is and then a DenyAllCommands command set. This should pass authentications just fine but this also gives those users the ability to remote connect directly into the ASA and login successfully. Even though there is a Deny Commands there I still would prefer they get Access Denied as a message. If I do a Deny Access on the ShellProfile then this stops the login authentication altogether.
View 2 Replies
View Related
Jul 12, 2012
how to Configure ACS 5.x so LMS 4 users can authenticate via TACACS+? I have ACS 5.x setup and authenticating to Active Directory. Have changed the LMS 4.x Authentication Module to TACACS+. Have gotten past the user / password problem by configuring a local user in LMS 4.x. Now, am hitting the Default rule in ACS and Shell Profile is deny access..
View 1 Replies
View Related
Feb 9, 2012
We have remote users that dial-in over ISDN to a Cisco 2911. We have configured AAA to pass the authentication off to a RADIUS server. Once successfully authenticated, the router permits the users to access a single web server. However, we need to do some testing in our test environment, but unfortunately we don't have an ISDN line to test with. We have created a little environment in our LAB using a 2911, a switch, a RADIUS server & web server. I was hoping that we could simply create a "user" VLAN off the back of the 2911 to simulate our remote users, and access the web site from the test usr PC's over the LAN. I was hoping that the 2911 would be able to intercept the connection and pass the authentication off to the RADIUS server (as it does with the PPP ISDN traffic). But I cannot find anyway to do this, because I can only configure AAA to offload either PPP traffic or telnet/ssh connections to the router itself.
In summary what I want is for a user to access an internal web site over a LAN interface of a 2911 - but have the 2911 authenticate the user via a remote RADIUS server first. Is there a way to configure a 2911 (or any router!) to do this?Is the answer to configure port-based authentication (802.1X) on the switch?
View 3 Replies
View Related
Jul 30, 2012
I have setup Cisco Identity Service Engine (1.1.1) with Wireless LAN Controller (7.2.110)Everything is complete unless the URL redirect. My guest client can join the Guest SSID and also can authenticate to ISE.But after they success to authenticate with ISE, the URL in the browser doesn't change to the pre-configure. It still be something like [URL]. Anyway the content in the browser is changed to the URL that being configured such as url...How can I do with this situation cause everything is working fine but only the browser URL that is not change to the preconfigure one.
View 5 Replies
View Related
Apr 12, 2013
I have 1142 with W7 (c1140-k9w7-mx.152-2.JB)I have it configured WPA2+AES on the 2.4GHZ interface (Config below)I have my PC and Mac and phoens connected, all good.However I also have a Wi-Fi radio (url...), when I try to connect the radio to the wireless net, I keep authentication failed.If I configure my old Linksys router as the network, also using WPA2/AES, all works.Just something do to with Cisco pass and this radio.I tried TKIP > same but when I tried Tried WEP > working good!.
[code]....
View 21 Replies
View Related
Jun 3, 2012
Have set up a pair of ACS 5.3 servers and have set up device administration authentication be passed through to an RSA server via RADIUS. All works great.
What we want to do is go a step further and set the system up so that ACS Administrators also have to authenticate to the ACS system by RSA via RADIUS (the same as the Device Authentication we've set up) for ACS administration tasks.
Looking at the options available in the ACS Administration setup (administrator accounts etc) there doesn't seem to be an option to authenticate via another method apart from a local administrator account on the ACS.
Is it possible to do this?
View 1 Replies
View Related
Aug 21, 2012
I have seen couple of people with win7 cannot authenticate to ISE: 12520 EAP-TLS failed SSL/TLS handshake because the client rejected the ISE local-certificate.I've thought of this: Maybe get a 3rd party cert (go daddy) and have that installed in ISE.I know i do have to make a CSR Cert.Sign.Request that matches cn=primary.ise.mydomain, would I also need a cert for secondary?
If I use LEAP as a preferred protocol then it doesn't ask for cert and users are authenticated successfully.I know they have to say do not validate cert and all that but sometimes it doesn't popupt to them they just can't get on.Again maybe going wtih 3rd party certs will make it easier while benefiting from using PEAP?
View 5 Replies
View Related
Jul 12, 2011
On an ASA5520 v7.2 I can only seem to authenticate to the console when using telnet and not ssh. I can connect using both methods, but just have trouble authenticating with ssh. Here are relevent lines related to the issue:
username user1 password ***** encrypted privilege 15username user2 password ***** encrypted privilege 15
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
telnet <my subnet> 255.255.255.0 Inside
ssh <my subnet> 255.255.255.0 Inside
View 2 Replies
View Related
