I have configured ClearPass as TACACS for a Cisco WLC. I have verified I'm hitting the correct profile.
Under that profile I am using the CiscoWLC:Common service to provide the name role1 with value of ALL. The Cisco is not liking the message it's getting from ClearPass and is classifying it as an authentication failure. Is there anything else I need to add or change?
It actually shows it passes in ClearPass. The WLC just isn't liking the response for some reason.
I am experiencing this issue trying to get my WLC to work with ClearPass for TACACS admin.
Have you tested with the Privilege level = 15 in the enforcement profile?
Is there a document that shows how to do this?
I have the same problem still.
This guy says he added priv-15 to the enforcement and it worked, when just previously he said it didn't.
Make sure you have all three AAA components set up with TACACS servers
authorization (I was missing this and it just kept cycling the login)
Also found that these are the official roles you can send, and yes, you can send more than one.
"The WLC uses TACACS+ custom attributes defined as role1, role2, etc… with a value that corresponds to the access level you wish to grant within that profile. The available roles are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, COMMAND, ALL, and LOBBY.
The first seven listed roles control access to the respectively named menus in the WLC web user interface. ALL grants read-write to everything, LOBBY grants access to the Lobby feature, which I won’t be covering here.
When configuring a TACACS Profile you can configure multiple roles as multiple custom attributes to allow read-write access to multiple menus and read-only to the rest. For example, if you wanted someone to have access to WLAN and WIRELESS you could create a TACACS Profile with two roles (Role1 and Role2) with values WLAN and WIRELESS respectively like so:
Role1 = WLAN
Role2 = WIRELESS"
for full r/w access
Role1 = ALL
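As an added example (not part of the original posts and not Aruba or Cisco code), the checks this thread converges on can be run against an enforcement profile written out as a plain dictionary: CiscoWLC:Common selected, privilege level 15, and roleN attributes carrying one of the listed role values. The dictionary layout, the function name `review_profile`, case-insensitive attribute names and exact-match role values are assumptions made for illustration.

```python
import re

# Role values quoted in the post above; the first seven name WLC web UI menus.
MENU_ROLES = ["MONITOR", "WLAN", "CONTROLLER", "WIRELESS",
              "SECURITY", "MANAGEMENT", "COMMAND"]
VALID_ROLES = set(MENU_ROLES) | {"ALL", "LOBBY"}
ROLE_ATTR = re.compile(r"^role(\d+)$", re.IGNORECASE)  # role1, Role2, ...


def review_profile(profile):
    """Return (findings, read_write_menus) for a hypothetical profile dict."""
    findings = []
    if "CiscoWLC:Common" not in profile.get("services", []):
        findings.append("service CiscoWLC:Common is not selected")
    if profile.get("priv_lvl") != 15:
        findings.append("privilege level is not 15")
    roles = {}
    for name, value in profile.get("attributes", []):
        match = ROLE_ATTR.match(name.strip())
        if not match:
            findings.append(f"attribute {name!r} is not a roleN attribute")
        elif value not in VALID_ROLES:
            # Assumption: values must match the listed names exactly.
            findings.append(f"{name} value {value!r} is not a listed role")
        else:
            roles[int(match.group(1))] = value
    if not roles:
        findings.append("no valid roleN attribute is sent")
    granted = set(roles.values())
    # ALL is read-write everywhere; otherwise only the named menus are.
    read_write = [m for m in MENU_ROLES if "ALL" in granted or m in granted]
    return findings, read_write


# Constructed sample profiles (not taken from any real deployment).
GOOD = {"services": ["CiscoWLC:Common"], "priv_lvl": 15,
        "attributes": [("Role1", "WLAN"), ("Role2", "WIRELESS")]}
BAD = {"services": [], "priv_lvl": 1,
       "attributes": [("role1", "WLANRole2"), ("rol1", "ALL")]}

if __name__ == "__main__":
    for label, profile in (("GOOD", GOOD), ("BAD", BAD)):
        findings, menus = review_profile(profile)
        print(label, "read-write menus:", menus or "none")
        for finding in findings:
            print("  -", finding)
```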
I am having this issue too. Yes, I am using priv 15 as well. Session detail states: ciscowlc: Fail. Auth Request Message on Alert tab: Tacacs server=ciscowlc:common not enabled.
I found/fixed my problem. It was a config issue in my policy.
Can you please share what the issue with the policy was? I am having the same problem too.
I had to add priv 15 to my enforcement.
I have encountered the same issue as Berg, whereby I got the error Auth Request Message on Alert tab: Tacacs server=ciscowlc:common not enabled. Can anyone assist me with this?
Have you tried configuring the enforcement profile with privilege level 15 and selected services as CiscoWLC:Common, along with a supported role name under service attributes?
I have figured out my issue. Basically, my role policy was configured wrongly, so it was not getting the correct role, which has the required enforcement profile you mentioned. Anyone reading this post, I suggest you take a look at the Access Tracker if you encounter the same issue as me. It did wonders for me.
Ng Turng Hui