OK, good to know that it should work.  I double-checked the authorization 
policy matched rule in the authentication details, and each time it was hitting 
the exact same one – and succeeded.

Either way, it's good to know what items can be finicky and may need some 
attention to get working.  I have the same kind of experience with port 
channels sometimes – config is exactly correct, but just copy / paste / re-add 
and it starts working.

Thanks for the input.

Jay Killion, CCIE #17873 R/S


From: Jeff Rensink <[email protected]>
Date: Wednesday, January 8, 2014 10:54 PM
To: Jay Killion <[email protected]>
Cc: "[email protected]" <[email protected]>
Subject: Re: [OSL | CCIE_Wireless] WLC Admin - TACACS

I'd check your ACS logs to see which rule was being matched prior to your 
change.  It's possible that you may not have been matching the rule that you 
thought, and therefore not returning the shell profile that you needed.

One other possibility is that I've actually run into issues in ACS where it 
says that it's matching the appropriate rule and it says that it sends the 
correct shell profile, but it never lets me into the device.  I've then 
switched from using the explicit rule to using the default rule (or vice versa) 
and it's worked after that, even though both methods resulted in the use of 
the exact same shell profile.  So if you check your logs, and it was matching 
the correct rule, you may be hitting the same thing.  No idea what causes this.

But in the ACS logs, as long as the authentication succeeded, you'll get a 
green record and it'll look like a success.  The issue that you were hitting 
was an authorization issue.  As far as ACS was concerned, the user/pass was 
correct and it sent the appropriate shell profile result.  The WLC just wasn't 
liking the results that ACS was giving it.


Regards,



Jeff Rensink : Sr Instructor : iPexpert

CCIE # 24834 :: Wireless / R&S


On Wed, Jan 8, 2014 at 8:52 PM, Jay Killion (jakillio) 
<[email protected]> wrote:
Hi all -

I was working on WLC TACACS admin access tonight and hit something I can't 
explain yet; hoping someone can shed light.  I followed the normal steps for 
the policy (role1, ALL), and under the Access Policy I included "Authentication 
Method" as one of the conditions that needed to be matched.  As I would in 
RADIUS, I set the "Authentication Method" to "PAP_ASCII".

When I attempt to log in to the WLC, the GUI login window keeps returning, 
telling me something has failed.  Interestingly, I go to ACS and see I have a 
perfect match and auth has succeeded.

After troubleshooting for a while, I eventually removed "Authentication Method" 
as one of the conditions – which resulted in authentication immediately 
succeeding on not just ACS but also the WLC.  I'm confused now on two fronts (not 
uncommon ;).  First, why did ACS show everything successful when the WLC was 
obviously not on the same page?  Second, why did removing Auth Method as a 
condition cause the WLC to suddenly start accepting the auth?

Thanks -

Jay Killion, CCIE #17873 R/S


_______________________________________________
Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::

iPexpert on YouTube: www.youtube.com/ipexpertinc