Security

last person joined: an hour ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass as TACACS for Cisco WLC

  • 1.  Clearpass as TACACS for Cisco WLC

    Posted May 29, 2014 02:45 PM

    I have configured Clearpass as TACACS for a Cisco WLC.  I have verified I'm hitting the correct profile.

     

    Under that profile I am using the CiscoWLC:Common service to provide the name role1 with value of ALL.  The cisco is not liking the message its getting from clearpass and is classifying it as a Authentication failure.  Is there anything else I need to add or change?

     

    profile attached.



  • 2.  RE: Clearpass as TACACS for Cisco WLC

    Posted May 29, 2014 03:20 PM
    There is no profile attached.

    If its an auth error it usually isnt a profile issue. Can you attach the alert in access tracker


  • 3.  RE: Clearpass as TACACS for Cisco WLC

    Posted May 29, 2014 03:26 PM

    It actually shows it passes in Clearpass.  The WLC just isnt likeing the response for some reason.

    Attaching images:  

    wlc2.png

    WLC.png



  • 4.  RE: Clearpass as TACACS for Cisco WLC

    Posted May 29, 2014 03:30 PM
    Even though it passes Auth sometimes there is still an alert in access tracker. I ran into the same thing yesterday with a juniper switch. I just wanted to make sure.


  • 5.  RE: Clearpass as TACACS for Cisco WLC

    Posted Nov 28, 2016 02:51 PM

    I am experiencing this issue trying to get my WLC to work with Clearpass for tacacs admin.

     

    Any ideas?



  • 6.  RE: Clearpass as TACACS for Cisco WLC

    Posted Dec 14, 2016 12:31 PM

    Have you tested with the Privilege level = 15 in the enforcement profile?

     



  • 7.  RE: Clearpass as TACACS for Cisco WLC

    Posted Oct 11, 2019 05:29 PM

    Is there a document that shows how to do this..?

    I have the same problem still.

     

    This guys says he added to priv-15 enforcement and it worked when just previously he said it didn't



  • 8.  RE: Clearpass as TACACS for Cisco WLC

    Posted Feb 03, 2020 12:14 PM

    Make sure you have all three aaa components setup with tacacs servers

    authentication 

    accounting 

    authorization (i was missing this and it just kept cycling the login)

     

    Also found that these are the Official roles you can send and yes you can send more then one.  

     

    https://networkproguide.com/how-to-configure-cisco-wlc-tacacs-cisco-ise-2-4/

    "The WLC uses TACACS+ custom attributes defined as role1, role2, etc… with a value that corresponds to the access level you wish to grant within that profile. The available roles are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, COMMAND, ALL, and LOBBY.

    The first seven listed roles control access to the respectively named menus in the WLC web user interface. ALL grants read-write to everything, LOBBY grants access to the Lobby feature, which I won’t be covering here.

    When configuring a TACACS Profile you can configure multiple roles as multiple custom attributes to allow read-write access to multiple menus and read-only to the rest. For example, if you wanted someone to have access to WLAN and WIRELESS you could create a TACACS Profile with two roles (Role1 and Role2) with values WLAN and WIRELESS respectively like so:

    Role1 = WLAN
    Role2 = WIRELESS"

     

    for full r/w access 

    Role1 = ALL



  • 9.  RE: Clearpass as TACACS for Cisco WLC

    Posted Feb 28, 2017 11:43 AM

    I am having this issue too.  Yes I am using priv 15 as well.  session detail states:  ciscowlc:  Fail.    Auth Request Message on Alert tab:  Tacacs server=ciscowlc:common not enabled. 



  • 10.  RE: Clearpass as TACACS for Cisco WLC

    Posted Mar 01, 2017 07:16 AM

    I found/fixed my problem. It was a config issue in my policy.



  • 11.  RE: Clearpass as TACACS for Cisco WLC

    Posted Mar 15, 2017 04:48 AM

     Hi Berg,

     

    Can you please share on what was the issue on the policy? i am having the same problem too.

     

    Regards

    Aabarnam S



  • 12.  RE: Clearpass as TACACS for Cisco WLC

    Posted Mar 15, 2017 07:02 AM

    I had to add priv 15 to my enforcement. 



  • 13.  RE: Clearpass as TACACS for Cisco WLC

    Posted Aug 20, 2020 08:16 PM

    Hi Everyone,

     

    I have encountered the same issue as Berg whereby i got the error  Auth Request Message on Alert tab:  Tacacs server=ciscowlc:common not enabled. Can anyone assist me on this?



  • 14.  RE: Clearpass as TACACS for Cisco WLC

    Posted Aug 24, 2020 02:12 AM

    Have you tried configuring the enforcement profile with privilege level 15 and selected services as CiscoWLC:Common along with supported rolename under service attributes ?



  • 15.  RE: Clearpass as TACACS for Cisco WLC

    Posted Aug 24, 2020 08:11 PM

    Hi Vivin@88,

     

    I have figured out my issue. Basically my role policy is configured wrongly therefore it is not getting the correct role which have the required enforcement profile you mentioned. Anyone reading this post, I suggest you take a look at the access tracker if you encounter the same issue as my. It did wonders for me.

     

    Best Regards,

    Ng Turng Hui