TACACS Administrator Access to the Converged Access Wireless LAN Controllers Configuration Example

Document ID: 117711

Updated: May 20, 2014

Contributed by Surendra BG, Cisco TAC Engineer.

Introduction

This document provides a configuration example of Terminal Access Controller Access Control System Plus (TACACS+) in a Cisco Converged Access Wireless LAN Controller (WLC) 5760/3850/3650 for the CLI and the GUI. This document also provides some basic tips to troubleshoot the configuration.

TACACS+ is a client/server protocol that provides centralized security for users who attempt to gain management access to a router or network access server. TACACS+ provides these Authentication, Authorization, and Accounting (AAA) services:

  • Authentication of users that attempt to log in to the network equipment

  • Authorization to determine what level of access users should have

  • Accounting to keep track of all changes the user makes

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • How to configure WLCs and lightweight access points (LAPs) for basic operation
  • Lightweight Access Point Protocol (LWAPP) and wireless security methods
  • Basic knowledge of RADIUS and TACACS+
  • Basic knowledge of Cisco ACS configuration

Components Used

The information in this document is based on these software and hardware versions:

  • WLC 5760 that runs Cisco IOS® XE Release 3.3.3
  • Access Control Server (ACS) 5.2

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

Note: Use the Command Lookup Tool (registered customers only) in order to obtain more information on the commands used in this section.

Network Diagram

Configurations

This is a two-step process:

  • Configuration on the WLC
  • Configuration on the TACACS+ server (ACS)

Configuration on the WLC

  1. Define the TACACS+ server on the WLC. Ensure that you configure the exact same shared secret on the TACACS+ server; a mismatched key is the most common reason an otherwise correct setup fails.
    tacacs-server host 10.106.73.71 key Cisco123
    tacacs server ACS
     address ipv4 10.106.102.50
     key Cisco123
     timeout 10
  2. Configure the server groups and map the server configured in the previous step.
    aaa group server tacacs+ ACS
     server name ACS
    !
  3. Configure the authentication and authorization method lists for administrator access. In these lists, the TACACS+ server group ACS is tried first and local is the fallback (local is used when the servers do not respond, not when they reject the credentials).
    aaa authentication login Admin_Access group ACS local

    aaa authorization exec Admin_Access group ACS local
  4. Apply the method lists to the vty lines.
    line vty 0 4
     authorization exec Admin_Access
     login authentication Admin_Access
    line vty 5 15
     exec-timeout 0 0
     authorization exec Admin_Access
     login authentication Admin_Access
  5. Apply the same method lists to HTTP (GUI) access.
    ip http server
    ip http authentication aaa login-authentication Admin_Access
    ip http authentication aaa exec-authorization Admin_Access
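A frequent cause of lockouts or silent local-only logins is a method list that is defined but not applied, or applied under a name that does not exist. The following Python checker is an added example, not part of the Cisco document: it takes running-config text in the layout used in steps 2 to 5 above and verifies that every tacacs+ group referenced by a method list exists, that each list keeps the local fallback, and that both the vty lines and HTTP apply a defined login and exec list. The sample configuration is constructed from the steps above (abridged).

```python
import re
# Constructed sample: the WLC commands from steps 2 to 5 of this page, abridged.
WLC_CONFIG = """\
aaa group server tacacs+ ACS
 server name ACS
aaa authentication login Admin_Access group ACS local
aaa authorization exec Admin_Access group ACS local
line vty 0 4
 authorization exec Admin_Access
 login authentication Admin_Access
ip http authentication aaa login-authentication Admin_Access
ip http authentication aaa exec-authorization Admin_Access
"""

# (command that applies a list, kind of list it must name) for vty lines and for HTTP
VTY = (("login authentication", "authentication login"), ("authorization exec", "authorization exec"))
HTTP = (("login-authentication", "authentication login"), ("exec-authorization", "authorization exec"))

def sections(config):
    out = []  # [(parent command, [indented child commands])], IOS-style
    for line in config.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            out.append((line.strip(), []))
    return out

def check_admin_aaa(config):
    """Return findings about the AAA wiring; an empty list means it is consistent."""
    cfg = sections(config)
    groups = {p.split()[4] for p, _ in cfg if p.startswith("aaa group server tacacs+ ")}
    lists = {(kind, name): methods for kind, name, methods in re.findall(
        r"^aaa (authentication login|authorization exec) (\S+) (.+)$", config, re.M)}
    findings = []
    for (kind, name), methods in lists.items():
        findings += [f"{kind} {name} uses undefined group {g}"
                     for g in re.findall(r"group (\S+)", methods) if g not in groups]
        if methods.split()[-1] != "local":   # no way in if every TACACS+ server is down
            findings.append(f"{kind} {name} has no local fallback")
    for parent, body in cfg:                 # every vty block needs both lists applied
        if parent.startswith("line vty"):
            for cmd, kind in VTY:
                used = [c.split()[2] for c in body if c.startswith(cmd + " ")]
                if not used or (kind, used[0]) not in lists:
                    findings.append(f"{parent}: '{cmd}' missing or undefined")
    for cmd, kind in HTTP:                   # the GUI must use the same lists as the CLI
        m = re.search(rf"^ip http authentication aaa {cmd} (\S+)$", config, re.M)
        if not m or (kind, m.group(1)) not in lists:
            findings.append(f"HTTP: '{cmd}' missing or undefined")
    return findings
```

Run `check_admin_aaa` on the output of show running-config before you log out of the session that made the change; an empty result means the administrator lists are wired the way steps 2 to 5 intend.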

Configuration on the ACS

  1. Choose Network Resources > Network Devices and AAA Clients in order to add the WLC as the AAA client for TACACS on the ACS. Ensure the Shared Secret configured here matches the one configured on the WLC.

  2. Choose Users and Identity Stores > Internal Identity Stores > Users in order to define the user for administrator access.

  3. Choose Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles in order to create a shell profile (Priv15) that sets the privilege level to 15.

  4. Choose Access Policies > Access Services > Default Device Admin in order to allow the required protocols.

  5. Choose Access Policies > Access Services > Default Device Admin > Identity in order to set the identity source for device administrators to the internal users store, with the authentication options you require.

  6. Choose Access Policies > Access Services > Default Device Admin > Authorization in order to allow the Priv15 authorization profile created in Step 3. Here the client with the passed identity (internal users) is put on the Priv15 profile.

Verify

Use this section to confirm that your configuration works properly.

Open a browser and enter the switch IP address. The Authentication Required prompt displays. Enter the credentials of the user defined on the ACS in order to log in to the device.

In order to check the Telnet/SSH access, Telnet/SSH to the switch IP address and enter the credentials.

The corresponding passed authentication is visible in the ACS logs.

Troubleshoot

This section provides information you can use to troubleshoot your configuration.

Note: Refer to Important Information on Debug Commands before you use debug commands.

Enter the debug tacacs command in order to troubleshoot your configuration.

debug tacacs

*May 14 23:11:06.396: TPLUS: Queuing AAA Authentication request 4775 for processing
*May 14 23:11:06.396: TPLUS(000012A7) login timer started 1020 sec timeout
*May 14 23:11:06.396: TPLUS: processing authentication continue request id 4775
*May 14 23:11:06.396: TPLUS: Authentication continue packet generated for 4775
*May 14 23:11:06.396: TPLUS(000012A7)/0/WRITE/962571D4: Started 10 sec timeout
*May 14 23:11:06.396: TPLUS(000012A7)/0/WRITE: wrote entire 25 bytes request
*May 14 23:11:06.398: TPLUS(000012A7)/0/READ: socket event 1
*May 14 23:11:06.398: TPLUS(000012A7)/0/READ: read entire 12 header bytes (expect 16 bytes data)
*May 14 23:11:06.398: TPLUS(000012A7)/0/READ: socket event 1
*May 14 23:11:06.398: TPLUS(000012A7)/0/READ: read entire 28 bytes response
*May 14 23:11:06.398: TPLUS(000012A7)/0/962571D4: Processing the reply packet
*May 14 23:11:06.398: TPLUS: Received authen response status GET_PASSWORD (8)
*May 14 23:11:08.680: TPLUS: Queuing AAA Authentication request 4775 for processing
*May 14 23:11:08.680: TPLUS(000012A7) login timer started 1020 sec timeout
*May 14 23:11:08.680: TPLUS: processing authentication continue request id 4775
*May 14 23:11:08.680: TPLUS: Authentication continue packet generated for 4775
*May 14 23:11:08.680: TPLUS(000012A7)/0/WRITE/962571D4: Started 10 sec timeout
*May 14 23:11:08.680: TPLUS(000012A7)/0/WRITE: wrote entire 25 bytes request
*May 14 23:11:08.687: TPLUS(000012A7)/0/READ: socket event 1
*May 14 23:11:08.687: TPLUS(000012A7)/0/READ: read entire 12 header bytes (expect 6 bytes data)
*May 14 23:11:08.687: TPLUS(000012A7)/0/READ: socket event 1
*May 14 23:11:08.687: TPLUS(000012A7)/0/READ: read entire 18 bytes response
*May 14 23:11:08.687: TPLUS(000012A7)/0/962571D4: Processing the reply packet
*May 14 23:11:08.687: TPLUS: Received authen response status PASS (2)
*May 14 23:11:08.687: TPLUS: Queuing AAA Authorization request 4775 for processing
*May 14 23:11:08.687: TPLUS(000012A7) login timer started 1020 sec timeout
*May 14 23:11:08.687: TPLUS: processing authorization request id 4775
*May 14 23:11:08.687: TPLUS: Protocol set to None .....Skipping
*May 14 23:11:08.687: TPLUS: Sending AV service=shell
*May 14 23:11:08.687: TPLUS: Sending AV cmd*
*May 14 23:11:08.687: TPLUS: Authorization request created for 4775(surbg123)
*May 14 23:11:08.687: TPLUS: using previously set server 10.106.102.50 from group SURBG_ACS
*May 14 23:11:08.688: TPLUS(000012A7)/0/NB_WAIT/93C63F04: Started 10 sec timeout
*May 14 23:11:08.690: TPLUS(000012A7)/0/NB_WAIT: socket event 2
*May 14 23:11:08.690: TPLUS(000012A7)/0/NB_WAIT: wrote entire 61 bytes request
*May 14 23:11:08.690: TPLUS(000012A7)/0/READ: socket event 1
*May 14 23:11:08.690: TPLUS(000012A7)/0/READ: Would block while reading
*May 14 23:11:08.696: TPLUS(000012A7)/0/READ: socket event 1
*May 14 23:11:08.696: TPLUS(000012A7)/0/READ: read entire 12 header bytes (expect 18 bytes data)
*May 14 23:11:08.696: TPLUS(000012A7)/0/READ: socket event 1
*May 14 23:11:08.696: TPLUS(000012A7)/0/READ: read entire 30 bytes response
*May 14 23:11:08.696: TPLUS(000012A7)/0/93C63F04: Processing the reply packet
*May 14 23:11:08.696: TPLUS: Processed AV priv-lvl=15
*May 14 23:11:08.696: TPLUS: received authorization response for 4775: PASS
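The lines that decide the outcome are easy to miss in a long debug tacacs transcript: the final authen status, the authorization result, and the priv-lvl attribute returned by the shell profile. The following Python parser is an added example, not part of the Cisco document. It assumes the IOS XE message formats shown above and reduces a transcript to those facts, then states whether the exchange amounts to a privilege-15 administrator login and, if not, which side to look at. The sample transcript is constructed from the output above (abridged).

```python
import re

# Constructed sample: lines abridged from the debug tacacs output shown above.
DEBUG_TACACS = """\
*May 14 23:11:06.396: TPLUS: Queuing AAA Authentication request 4775 for processing
*May 14 23:11:06.398: TPLUS: Received authen response status GET_PASSWORD (8)
*May 14 23:11:08.687: TPLUS: Received authen response status PASS (2)
*May 14 23:11:08.687: TPLUS: Sending AV service=shell
*May 14 23:11:08.687: TPLUS: Authorization request created for 4775(surbg123)
*May 14 23:11:08.687: TPLUS: using previously set server 10.106.102.50 from group SURBG_ACS
*May 14 23:11:08.696: TPLUS: Processed AV priv-lvl=15
*May 14 23:11:08.696: TPLUS: received authorization response for 4775: PASS
"""

PATTERNS = {
    "authen": re.compile(r"Received authen response status (\w+)"),
    "user":   re.compile(r"Authorization request created for \d+\((\S+)\)"),
    "server": re.compile(r"using previously set server (\S+) from group (\S+)"),
    "av":     re.compile(r"Processed AV (\S+)=(\S+)"),
    "authz":  re.compile(r"received authorization response for \d+: (\w+)"),
}

def parse_debug_tacacs(text):
    """Reduce a debug tacacs transcript to the facts an admin-login check needs."""
    s = {"authen": [], "user": None, "server": None, "group": None, "av": {}, "authz": None}
    for line in text.splitlines():
        for key, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            if key == "authen":            # every status the server returned, in order
                s["authen"].append(m.group(1))
            elif key == "server":
                s["server"], s["group"] = m.groups()
            elif key == "av":              # attribute-value pairs from the shell profile
                s["av"][m.group(1)] = m.group(2)
            else:
                s[key] = m.group(1)
    return s

def admin_login_verdict(summary):
    """Explain whether the exchange amounts to a privilege-15 administrator login."""
    if not summary["authen"] or summary["authen"][-1] != "PASS":
        return "authentication did not pass (check the credentials and the shared secret)"
    if summary["authz"] != "PASS":
        return "exec authorization did not pass (check the ACS authorization rule)"
    lvl = summary["av"].get("priv-lvl")
    if lvl != "15":
        return f"authorized but the shell profile returned priv-lvl={lvl}, not 15"
    return f"{summary['user']} granted priv-lvl 15 via {summary['server']} ({summary['group']})"
```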