
Clearpass as TACACS for Cisco WLC

  • 1.  Clearpass as TACACS for Cisco WLC

    Posted May 29, 2014 02:45 PM

    I have configured Clearpass as TACACS for a Cisco WLC.  I have verified I'm hitting the correct profile.

     

    Under that profile I am using the CiscoWLC:Common service to provide the name role1 with value of ALL.  The Cisco is not liking the message it's getting from Clearpass and is classifying it as an Authentication failure.  Is there anything else I need to add or change?

     

    Profile attached.



  • 2.  RE: Clearpass as TACACS for Cisco WLC

    EMPLOYEE
    Posted May 29, 2014 03:20 PM
    There is no profile attached.

    If it's an auth error, it usually isn't a profile issue. Can you attach the alert in Access Tracker?


  • 3.  RE: Clearpass as TACACS for Cisco WLC

    Posted May 29, 2014 03:26 PM

    It actually shows it passes in Clearpass.  The WLC just isn't liking the response for some reason.

    Attaching images:  

    wlc2.png

    WLC.png



  • 4.  RE: Clearpass as TACACS for Cisco WLC

    EMPLOYEE
    Posted May 29, 2014 03:30 PM
    Even though it passes auth, sometimes there is still an alert in Access Tracker. I ran into the same thing yesterday with a Juniper switch. I just wanted to make sure.


  • 5.  RE: Clearpass as TACACS for Cisco WLC

    Posted Nov 28, 2016 02:51 PM

    I am experiencing this issue trying to get my WLC to work with Clearpass for TACACS admin.

     

    Any ideas?



  • 6.  RE: Clearpass as TACACS for Cisco WLC

    Posted Dec 14, 2016 12:31 PM

    Have you tested with the Privilege level = 15 in the enforcement profile?

     



  • 7.  RE: Clearpass as TACACS for Cisco WLC

    Posted Oct 11, 2019 05:29 PM

    Is there a document that shows how to do this?

    I have the same problem still.

     

    This guy says he added to priv-15 enforcement and it worked, when just previously he said it didn't.



  • 8.  RE: Clearpass as TACACS for Cisco WLC

    Posted Feb 03, 2020 12:14 PM

    Make sure you have all three AAA components set up with TACACS servers:

    authentication

    accounting

    authorization (I was missing this and it just kept cycling the login)

    Also found that these are the official roles you can send, and yes, you can send more than one.

     

    https://networkproguide.com/how-to-configure-cisco-wlc-tacacs-cisco-ise-2-4/

    "The WLC uses TACACS+ custom attributes defined as role1, role2, etc… with a value that corresponds to the access level you wish to grant within that profile. The available roles are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, COMMAND, ALL, and LOBBY.

    The first seven listed roles control access to the respectively named menus in the WLC web user interface. ALL grants read-write to everything, LOBBY grants access to the Lobby feature, which I won’t be covering here.

    When configuring a TACACS Profile you can configure multiple roles as multiple custom attributes to allow read-write access to multiple menus and read-only to the rest. For example, if you wanted someone to have access to WLAN and WIRELESS you could create a TACACS Profile with two roles (Role1 and Role2) with values WLAN and WIRELESS respectively like so:

    Role1 = WLAN
    Role2 = WIRELESS"

     

    For full r/w access:

    Role1 = ALL
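
Added example, not part of any post in this thread and not ClearPass or Cisco code: a small Python check of a TACACS+ enforcement profile against the points raised in the thread (service CiscoWLC:Common, privilege level 15 as several posters report, roleN attributes carrying the role values quoted in post 8). The dict layout, the function name and the sample profiles are hypothetical, and treating role values as case-sensitive is an assumption.

```python
import re

# Role values quoted in post 8 for the WLC's TACACS+ custom attributes.
WLC_ROLES = {"MONITOR", "WLAN", "CONTROLLER", "WIRELESS", "SECURITY",
             "MANAGEMENT", "COMMAND", "ALL", "LOBBY"}
ROLE_ATTR = re.compile(r"^role[1-9]\d*$", re.IGNORECASE)


def lint_wlc_profile(profile):
    """Return (severity, message) findings for one enforcement profile.

    `profile` is a hypothetical layout, not a ClearPass export format:
    {"privilege_level": int, "service": str, "attributes": [(name, value)]}
    Assumption: role values must match the quoted list exactly (upper case).
    """
    findings = []
    if profile.get("service") != "CiscoWLC:Common":
        findings.append(("error", "selected service is not CiscoWLC:Common"))
    if profile.get("privilege_level") != 15:  # value reported in the thread
        findings.append(("error", "privilege level is not 15"))
    seen, values = set(), []
    for name, value in profile.get("attributes", []):
        if not ROLE_ATTR.match(name):
            findings.append(("error", f"attribute {name!r} is not roleN"))
            continue
        if name.lower() in seen:
            findings.append(("error", f"attribute {name!r} is repeated"))
        seen.add(name.lower())
        if value not in WLC_ROLES:
            findings.append(("error", f"{name}={value!r} is not a WLC role"))
            continue
        values.append(value)
    if not values:
        findings.append(("error", "no valid roleN attribute is returned"))
    if "ALL" in values:
        # Least-privilege review point: ALL is read-write to everything.
        findings.append(("review", "ALL grants read-write to every menu"))
        if len(values) > 1:
            findings.append(("review", "other roles are redundant next to ALL"))
    return findings


# Constructed sample profiles, not taken from any real deployment.
FULL_ADMIN = {"privilege_level": 15, "service": "CiscoWLC:Common",
              "attributes": [("role1", "ALL")]}
WLAN_OPERATOR = {"privilege_level": 15, "service": "CiscoWLC:Common",
                 "attributes": [("role1", "WLAN"), ("role2", "WIRELESS")]}
BROKEN = {"privilege_level": 1, "service": "Shell",
          "attributes": [("role", "all")]}
```

An empty result means the profile matches what the thread describes; "review" findings mark profiles that grant full read-write access and deserve a least-privilege check.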



  • 9.  RE: Clearpass as TACACS for Cisco WLC

    Posted Feb 28, 2017 11:43 AM

    I am having this issue too.  Yes, I am using priv 15 as well.  Session detail states:  ciscowlc:  Fail.    Auth Request Message on Alert tab:  Tacacs server=ciscowlc:common not enabled.



  • 10.  RE: Clearpass as TACACS for Cisco WLC

    Posted Mar 01, 2017 07:16 AM

    I found/fixed my problem. It was a config issue in my policy.



  • 11.  RE: Clearpass as TACACS for Cisco WLC

    Posted Mar 15, 2017 04:48 AM

     Hi Berg,

     

    Can you please share what the issue was in the policy? I am having the same problem too.

     

    Regards

    Aabarnam S



  • 12.  RE: Clearpass as TACACS for Cisco WLC

    Posted Mar 15, 2017 07:02 AM

    I had to add priv 15 to my enforcement. 



  • 13.  RE: Clearpass as TACACS for Cisco WLC

    Posted Aug 20, 2020 08:16 PM

    Hi Everyone,

     

    I have encountered the same issue as Berg, whereby I got the error  Auth Request Message on Alert tab:  Tacacs server=ciscowlc:common not enabled. Can anyone assist me with this?



  • 14.  RE: Clearpass as TACACS for Cisco WLC

    EMPLOYEE
    Posted Aug 24, 2020 02:12 AM

    Have you tried configuring the enforcement profile with privilege level 15 and selected services as CiscoWLC:Common, along with a supported role name under service attributes?



  • 15.  RE: Clearpass as TACACS for Cisco WLC

    Posted Aug 24, 2020 08:11 PM

    Hi Vivin@88,

     

    I have figured out my issue. Basically, my role policy was configured wrongly, therefore it was not getting the correct role which has the required enforcement profile you mentioned. Anyone reading this post, I suggest you take a look at the Access Tracker if you encounter the same issue as me. It did wonders for me.

     

    Best Regards,

    Ng Turng Hui