Wednesday, September 8, 2010

WLC: TACACS+ Config Note! 

  

Quick note about Cisco WLC and TACACS+. Got a call from a colleague who had spent 2 hours on this issue; it was his first WLC install.

When you configure TACACS+ on a Cisco WLC you need to add your TACACS+ server IP and shared secret in two separate sections: authentication (auth) and authorization (athr). Both are required for TACACS+ management login to work on a WLC.

First you are authenticated against the auth server, then an authorization request is sent to the athr server, and it is the authorization reply that returns your role on the controller.

*The accounting (acct) section is not required for TACACS+ to work.

If you configure only one of the two sections (or neither) and run "debug aaa tacacs enable", authentication completes but the authorization step fails with "athr server not found":

(WiSM-slot1-2) >debug aaa tacacs enable
(WiSM-slot1-2) >*Sep 06 15:02:25.495: tplusServerStateSet(), index=1 state=1
*Sep 06 15:17:13.343: Forwarding request to 10.10.10.100 port=49
*Sep 06 15:17:15.157: tplus response: seq_no=2 session_id=f058fe68 length=16 encrypted=0
*Sep 06 15:17:15.157: TPLUS_AUTHEN_STATUS_GETPASS
*Sep 06 15:17:15.157: auth_cont get_pass reply: pkt_length=25
*Sep 06 15:17:15.157: processTplusAuthResponse: Continue auth transaction
*Sep 06 15:17:15.171: tplus response: seq_no=4 session_id=f058fe68 length=6 encrypted=0
*Sep 06 15:17:15.172: tplus_make_author_request: athr server not found


Configure TACACS+ on WLC

Use these commands to configure a TACACS+ authentication server:

config tacacs auth add index server_ip_address port# {ascii | hex} shared_secret—Adds a TACACS+ authentication server.

config tacacs auth delete index—Deletes a previously added TACACS+ authentication server.

config tacacs auth {enable | disable} index—Enables or disables a TACACS+ authentication server.

config tacacs auth server-timeout index timeout—Configures the retransmission timeout value for a TACACS+ authentication server.

Use these commands to configure a TACACS+ authorization server (this is the section that is usually forgotten; without it the debug above shows "athr server not found"):

config tacacs athr add index server_ip_address port# {ascii | hex} shared_secret—Adds a TACACS+ authorization server.

config tacacs athr delete index—Deletes a previously added TACACS+ authorization server.

config tacacs athr {enable | disable} index—Enables or disables a TACACS+ authorization server.

config tacacs athr server-timeout index timeout—Configures the retransmission timeout value for a TACACS+ authorization server.

Use these commands to configure a TACACS+ accounting server (optional):

config tacacs acct add index server_ip_address port# {ascii | hex} shared_secret—Adds a TACACS+ accounting server.

config tacacs acct delete index—Deletes a previously added TACACS+ accounting server.

config tacacs acct {enable | disable} index—Enables or disables a TACACS+ accounting server.

config tacacs acct server-timeout index timeout—Configures the retransmission timeout value for a TACACS+ accounting server.

Use these commands to see TACACS+ statistics and verify that servers exist in every section you expect:

show tacacs summary—Shows a summary of TACACS+ servers and statistics.

show tacacs auth stats—Shows the TACACS+ authentication server statistics.

show tacacs athr stats—Shows the TACACS+ authorization server statistics.

show tacacs acct stats—Shows the TACACS+ accounting server statistics.
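As an added example (not part of the original post, and not Cisco code), here is a small Python linter that checks a set of WLC "config tacacs ... add" lines for the exact mistake described above (auth configured, athr missing) and scans "debug aaa tacacs enable" output for the "athr server not found" signature. The sample config lines and the shared secret are constructed; the server IP 10.10.10.100 and the debug text are taken from the output shown earlier on this page. The extra cross-check that the auth and athr lists point at the same servers is a heuristic added here, not a WLC requirement.

```python
"""Lint a Cisco WLC TACACS+ configuration for the auth/athr mismatch.

Added example, not from the original post. Assumes the command syntax
documented on this page:
    config tacacs {auth|athr|acct} add <index> <ip> <port> {ascii|hex} <secret>
All sample config and debug lines below are constructed for illustration.
"""
import re

# A working WLC TACACS+ setup needs both of these; accounting is optional.
REQUIRED_SECTIONS = ("auth", "athr")
OPTIONAL_SECTIONS = ("acct",)

CONFIG_ADD_RE = re.compile(
    r"^config\s+tacacs\s+(?P<section>auth|athr|acct)\s+add\s+"
    r"(?P<index>\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+"
    r"(?P<fmt>ascii|hex)\s+(?P<secret>\S+)$"
)

# The message the WLC logs when authorization servers were never added.
ATHR_MISSING_SIGNATURE = "tplus_make_author_request: athr server not found"

# Constructed config: only the auth section was entered (the mistake in the post).
BROKEN_CONFIG = [
    "config tacacs auth add 1 10.10.10.100 49 ascii s3cret-example",
]

# Constructed config: auth and athr both point at the same server, acct added too.
FIXED_CONFIG = BROKEN_CONFIG + [
    "config tacacs athr add 1 10.10.10.100 49 ascii s3cret-example",
    "config tacacs acct add 1 10.10.10.100 49 ascii s3cret-example",
]

# Excerpt of the debug output shown on this page.
SAMPLE_DEBUG = [
    "*Sep 06 15:17:13.343: Forwarding request to 10.10.10.100 port=49",
    "*Sep 06 15:17:15.157: TPLUS_AUTHEN_STATUS_GETPASS",
    "*Sep 06 15:17:15.172: tplus_make_author_request: athr server not found",
]


def parse_tacacs_servers(config_lines):
    """Return {section: {server_ip, ...}} from 'config tacacs <section> add' lines."""
    servers = {s: set() for s in REQUIRED_SECTIONS + OPTIONAL_SECTIONS}
    for line in config_lines:
        m = CONFIG_ADD_RE.match(line.strip())
        if m:
            servers[m.group("section")].add(m.group("ip"))
    return servers


def lint_tacacs_config(config_lines):
    """Return a list of findings; an empty list means auth and athr are both
    configured and (heuristically) point at the same set of servers."""
    servers = parse_tacacs_servers(config_lines)
    findings = []
    for section in REQUIRED_SECTIONS:
        if not servers[section]:
            findings.append(f"no TACACS+ {section} server configured")
    # Heuristic: a server listed under auth but not athr (or vice versa) usually
    # means one section was forgotten or entered with a typo in the IP.
    if servers["auth"] and servers["athr"] and servers["auth"] != servers["athr"]:
        only_auth = servers["auth"] - servers["athr"]
        only_athr = servers["athr"] - servers["auth"]
        if only_auth:
            findings.append("auth-only servers (no matching athr entry): "
                            + ", ".join(sorted(only_auth)))
        if only_athr:
            findings.append("athr-only servers (no matching auth entry): "
                            + ", ".join(sorted(only_athr)))
    return findings


def debug_shows_missing_athr(debug_lines):
    """True if 'debug aaa tacacs enable' output contains the athr-not-found message."""
    return any(ATHR_MISSING_SIGNATURE in line for line in debug_lines)


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{name}: {lint_tacacs_config(cfg) or 'OK'}")
    print("debug shows missing athr:", debug_shows_missing_athr(SAMPLE_DEBUG))
```

Feed the linter the "config tacacs ... add" lines from your change ticket or the running config before you run the debug; if the athr finding appears, you have reproduced the colleague's two-hour problem on paper instead of on the controller.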


Reader Comments (5)

George, thank you for your help with this...

September 8, 2010 | Unregistered Commenter Stan Wagner

This explains my problem ! Thank you

September 10, 2010 | Unregistered Commenter Eric Ross

Awesome timing, had to set up my first TACACS+ today on ACS 5.1, definitely not as straightforward as it could be.

Thanks for the tips

September 10, 2010 | Unregistered Commenter Pete Nugent

There's a little more to it.

1. Under the GUI - You have to tell it to use TACACS+ since it is not a default option. It won't work properly and can be confusing. I spent a couple to a few hours looking to possibly RMA the unit, as the errors consistently reported a read error when I did authenticate using improper RADIUS (aironet), one of the options I tried, to no authentication at all when I tried RADIUS (airespace).

2. After I had my preferred method and order listed, things worked like a charm.

3. Other caveats - Roles in ACS are important, if you want privileges.

4. Shared secret keys and of course specifying the detail of the NAS to the ACS Server are required as well. In my case, I have to sync the ASA Servers - I have three to contend with. So I perform the work on the master and then sync.

I think that covers it.

Darby

http://www.darbyslogs.blogspot.com

October 31, 2010 | Unregistered Commenter Darby Weaver

Darby! Hello my friend ... Of course, there is much more, as we know. But what is interesting is you can't just config auth and think it will work. You need to config auth and author ...

November 5, 2010 | Registered Commenter George
