Hi Jay, ACS logs will show you authorization errors. ACS > Monitoring and Reports > Reports > Catalog > AAA Protocol > TACACS Authorization
Alternatively, TACACS debug on the WLC.

Good luck.

Adrian

On Mon, Feb 17, 2014 at 6:00 AM, <[email protected]> wrote:

> Send CCIE_Wireless mailing list submissions to
> [email protected]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://onlinestudylist.com/cgi-bin/mailman/listinfo/ccie_wireless
> or, via email, send a message with subject or body 'help' to
> [email protected]
>
> You can reach the person managing the list at
> [email protected]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of CCIE_Wireless digest..."
>
>
> Today's Topics:
>
> 1. WLC TACACS (Jay Killion (jakillio))
> 2. Re: WLC TACACS (Andre Aubet)
> 3. lab strategy (Jay Killion (jakillio))
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 15 Feb 2014 19:45:41 +0000
> From: "Jay Killion (jakillio)" <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: [OSL | CCIE_Wireless] WLC TACACS
> Message-ID: <cf252003.14e15%[email protected]>
> Content-Type: text/plain; charset="windows-1252"
>
> Hi all -
>
> I wasted a bunch of time this morning on a stupid mistake. Long story
> short, I added ACS to my WLC for TACACS authentication but forgot to add it
> also for authorization. I grew increasingly frustrated as I focused my
> troubleshooting on ACS and could see that my authentication attempts were
> showing in ACS logs as successful. After beating my head against the wall
> for a while, I finally started again from scratch and realized what I had
> wrong.
>
> Here's my question though - is there any other way to see I would have
> forgotten this other than looking at the controller config? What I mean is,
> had I forgotten to add ACS to the controller at all then it would have been
> evident since ACS logs wouldn't have shown any requests. Had I
> misconfigured a password, username, role, etc., I would have seen something
> in the ACS logs as well that would have pointed me in the right direction.
> Is there anything specific I could have seen in ACS that would have
> pointed out my omission of TACACS authorization on the WLC? Of course, I
> now know that if all looks like it's succeeding on ACS then that's my sign
> to check, but I'm curious if there's anything that would have been more
> specific in pointing me to the lack of authorization support.
>
> Thanks -
>
> Jay Killion, CCIE #17873 R/S
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> </archives/ccie_wireless/attachments/20140215/cb2d96d5/attachment-0001.html>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 15 Feb 2014 12:37:40 -0800 (PST)
> From: "Andre Aubet" <[email protected]>
> To: "Jay Killion (jakillio)" <[email protected]>
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Wireless] WLC TACACS
> Message-ID: <1392496659641.f656814d@Nodemailer>
> Content-Type: text/plain; charset="utf-8"
>
> I think if you try a debug aaa tacacs on your controller, it must show the
> attribute "role1 = ALL" before being logged. If you don't see this, then you
> missed something.
>
> I also had some problems using TACACS. I configured it right on 3
> different controllers at different times, and each time it didn't work on
> the 1st try. In the debugs I could see the requests timed out, even if
> TACACS worked on another device. I couldn't see any failure or success in
> the ACS logs for the WLC just configured, but the other devices showed
> success.
>
> Each time I was forced to stop/start the ACS and after that it worked.
>
> Good thing to practice a lot ;)
>
> Andre.
>
> Sent from Mailbox for iPhone
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> </archives/ccie_wireless/attachments/20140215/7ae56e13/attachment-0001.html>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 16 Feb 2014 14:31:09 +0000
> From: "Jay Killion (jakillio)" <[email protected]>
> To: "[email protected]" <[email protected]>
> Subject: [OSL | CCIE_Wireless] lab strategy
> Message-ID: <cf2627cd.14e31%[email protected]>
> Content-Type: text/plain; charset="windows-1252"
>
> Hi all -
>
> I'm curious what others recommend doing before you start working on actual
> lab tasks. Obviously, the basic that everyone starts with is reading
> through the entire lab first to get a good idea of the overall picture.
> I'm finding that I have what could be a decently time-consuming list of
> things to go through in an attempt to root out and discover any planted
> misconfigurations. How many of these do you actively do at the beginning
> as opposed to going with the flow and using these for troubleshooting as
> issues arise?
>
> 1 - Read lab end to end
>
> 2 - Create L2 map labeling switches, devices, physical ports, vlans
> allowed, IP address, trunk, etherchannel
>
> 3 - Verify ports are in correct vlan for each device
>
> 4 - Verify trunks are correctly configured and permit vlans - "sh inter tru"
>
> 5 - Verify IP / subnet for switch SVI's - "sh run | be interface V"
>
> 6 - Verify etherchannels - "sh ether summ"
>
> 7 - Verify neighbors are on correct ports - "sh cdp neigh"
>
> 8 - Verify IP on AAP - "sh ip int brie"
>
> 9 - Verify WLC IP, subnet, vlan, port, ap manager - "sh inter det mana"
>
> 10 - Verify lwapp's aren't running autonomous code - "sh ver"
>
> 11 - Look through each switch config and look for any anomalies, such as
> "vlan dot1q tag native" or a shutdown vlan
>
> 12 - Ping each controller management IP from switch
>
> Thanks -
>
> Jay Killion, CCIE #17873
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL:
> </archives/ccie_wireless/attachments/20140216/d04fbef3/attachment-0001.html>
>
> ------------------------------
>
> _______________________________________________
> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
>
> iPexpert on YouTube: www.youtube.com/ipexpertinc
>
> End of CCIE_Wireless Digest, Vol 58, Issue 73
> *********************************************
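One way to get the signal Jay asked for out of the AAA server's own logs, as an added example that is not part of this thread: correlate every successful TACACS+ authentication with an authorization request from the same device and user that follows it. A controller pointed at TACACS+ for authentication only shows up as a NAS whose users log in fine but for whom the server never receives an authorization request at all, which is a different picture from the "authorization denied" case Andre describes (authorization request present, but the expected role1=ALL attribute not returned). The sample log lines below are constructed in a simplified key=value shape and are not the real ACS report export format; the field names, the 5-second correlation window and the hint text are assumptions of this example. On the controller side the same omission is visible in `show tacacs summary` on an AireOS WLC, which lists the authentication, authorization and accounting server entries separately.

```python
"""Spot devices that authenticate via TACACS+ but never request authorization.

Added example for the thread above. It correlates authentication and
authorization events per (NAS, user) on the AAA server side. The log
format and field names are constructed for this example and are NOT the
Cisco ACS report format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, one event per line (not a real ACS log):
#   <ISO timestamp> nas=<device IP> proto=tacacs phase=<authentication|authorization>
#   user=<name> result=<pass|fail> [attrs=<attributes returned to the device>]
SAMPLE_LOG = """\
2014-02-15T09:01:02 nas=10.10.10.5 proto=tacacs phase=authentication user=jay result=pass
2014-02-15T09:01:02 nas=10.10.10.5 proto=tacacs phase=authorization user=jay result=pass attrs=role1=ALL
2014-02-15T09:05:40 nas=10.10.10.6 proto=tacacs phase=authentication user=jay result=pass
2014-02-15T09:06:15 nas=10.10.10.6 proto=tacacs phase=authentication user=jay result=pass
2014-02-15T09:10:00 nas=10.10.10.7 proto=tacacs phase=authentication user=andre result=pass
2014-02-15T09:10:01 nas=10.10.10.7 proto=tacacs phase=authorization user=andre result=fail attrs=
2014-02-15T09:12:00 nas=10.10.10.5 proto=tacacs phase=authentication user=bob result=fail
"""

# Next troubleshooting step per verdict (hint wording is this example's own).
HINTS = {
    "ok": "authentication and authorization both succeeded",
    "no_authz_request": ("server never received an authorization request from this "
                         "device: check the device's TACACS+ authorization server "
                         "entry (AireOS WLC: 'show tacacs summary')"),
    "authz_denied": ("authorization reached the server but was denied: check the "
                     "shell profile / role attribute returned to the device "
                     "(the thread expects role1=ALL for full WLC access)"),
    "auth_failed": "authentication failed: check credentials and the shared key",
}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")


def parse_event(line):
    """Parse one 'ts key=value ...' line into a dict; return None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": datetime.fromisoformat(m.group("ts"))}
    for token in m.group("rest").split():
        key, _, value = token.partition("=")  # 'attrs=role1=ALL' keeps its inner '='
        event[key] = value
    return event


def load_events(text):
    return [ev for ev in (parse_event(line) for line in text.splitlines()) if ev]


def analyze(text, window_s=5):
    """Return (nas, user, ts, verdict) for every TACACS+ authentication event."""
    events = load_events(text)
    authz = defaultdict(list)
    for ev in events:
        if ev.get("proto") == "tacacs" and ev.get("phase") == "authorization":
            authz[(ev["nas"], ev["user"])].append(ev)

    window = timedelta(seconds=window_s)
    findings = []
    for ev in events:
        if ev.get("proto") != "tacacs" or ev.get("phase") != "authentication":
            continue
        key = (ev["nas"], ev["user"])
        if ev.get("result") != "pass":
            findings.append((*key, ev["ts"], "auth_failed"))
            continue
        # A device configured for authorization asks for it right after login.
        followups = [a for a in authz[key] if ev["ts"] <= a["ts"] <= ev["ts"] + window]
        if not followups:
            verdict = "no_authz_request"
        elif any(a.get("result") == "pass" for a in followups):
            verdict = "ok"
        else:
            verdict = "authz_denied"
        findings.append((*key, ev["ts"], verdict))
    return findings


def suspect_devices(findings):
    """NAS addresses whose logins succeed but that never ask for authorization."""
    verdicts_by_nas = defaultdict(set)
    for nas, _user, _ts, verdict in findings:
        verdicts_by_nas[nas].add(verdict)
    return sorted(nas for nas, seen in verdicts_by_nas.items()
                  if "no_authz_request" in seen and "ok" not in seen)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for nas, user, ts, verdict in results:
        print(f"{ts:%H:%M:%S} {nas:<12} {user:<6} {verdict:<17} {HINTS[verdict]}")
    print("devices missing authorization config:", suspect_devices(results))
```

Run against the constructed sample, 10.10.10.5 is healthy, 10.10.10.7 authorizes but is denied (the "check your role attribute" case), and 10.10.10.6 is flagged because it logs users in and never asks for authorization, which is exactly what a WLC with only a TACACS authentication server configured looks like from the ACS side.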