Configure RADIUS and TACACS+ for GUI andCLI Authentication on 9800 Wireless LANControllers Contents

IntroductionBackground InformationPrerequisitesRequirementsComponents UsedConfigureConfigure RADIUS WLCConfigure RADIUS ISEConfigure Tacacs+ WLCTacacs+ ISE configurationTroubleshooting

Introduction

This document describes how to configure a 9800 Wireless LAN Controllers (WLC) for RADIUS orTACACS+ external authentication when you access its Graphic User Interface (GUI) or CommandLine Interface (CLI).

Background Information

When a user tries to access the CLI or the GUI of the WLC, it will be prompted to input ausername and password. By default, these credentials are compared against the local database ofusers, which is present on the device itself. Alternatively, the WLC can be instructed in order tocompare the input credentials against a remote AAA server: the WLC can either talk to the serverwith the use of RADIUS or TACACS+.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

Catalyst Wireless 9800 configuration model●

AAA, RADIUS and TACACS+ concepts●

Components Used

The information in this document is based on these software and hardware versions:

C9800-CL v16.10●

ISE 2.2.0●

The information in this document was created from the devices in a specific lab environment. All ofthe devices used in this document started with a cleared (default) configuration. If your network islive, ensure that you understand the potential impact of any command.

Configure

In this example, configure two types of users on the AAA server (ISE), respectively adminuserand helpdeskuser. The user adminuser is expected to be granted full access to the WLC,whereas the helpdeskuser is meant to only be granted monitor privileges to the WLC, hence noconfiguration access.

First, configure on the WLC and on ISE for RADIUS authentication, and later perform the same forTACACS+.

Configure RADIUS WLC

Step 1. Declare the RADIUS server.

Firstly, create the RADIUS server ISE on the WLC. This can be done from the GUI WLCpage https://<WLC-IP>/webui/#/aaa as shown in the image.

A popup window will open, where you can type the server name (it does not have to match the ISEsystem name), its IP address, the shared secret, and the port that is used for authentication andaccounting, along with other parameters.

From CLI:

paolo-9800(config)#radius server labISE

paolo-9800(config-radius-server)# address ipv4 10.48.71.92 auth-port 1812 acct-port 1813

paolo-9800(config-radius-server)# key Cisco123

Step 2. Map the RADIUS server to a Server Group.

In case you have multiple RADIUS servers that can be used for authentication, it is recommendedto map all these servers to the same Server Group. The WLC will then take care of load balancingdifferent authentications among the servers in the server group.

From the same GUI tab as shown in the image.

In the popup, give a name to the group, and move the desired servers to the Assigned list.

From CLI:

paolo-9800(config)#aaa group server radius radGroup

paolo-9800(config-sg-radius)# server name labISE

Step 3. Create an AAA authentication login method that points to the RADIUS server group.

Always in the GUI page https://<WLC-IP>/webui/#/aaa, move to the AAA Method list tab andcreate the Authentication method as shown in the image.

In the popup, give a name to the method, select type as login, and assign the group servercreated in the previous step.

If you select Group Type as 'local', the WLC will first check if the user exists locally, and will thenfall back to the server group.

CLI:

paolo-9800(config)#aaa authentication login radAutheMethod local group radGroup

If you select Group Type as 'group', and no fall back to local option checked, the WLC will justcheck the user against the server group.

CLI:

paolo-9800(config)#aaa authentication login radAutheMethod group radGroup

If you select Group Type as 'group', and the fall back to local option is checked, the WLC willcheck the user against the server group and will query the local database only if the server doesnot respond. If the server sends a reject, the user won't be authenticated, even though it mightexist on the local database.

CLI:

paolo-9800(config)#aaa authentication login radAutheMethod group radGroup local

In this example setup, there are some users who are only created locally, and some users only onthe ISE server, hence make use of the first option.

Step 4.Create a AAA authorization exec method that points to the RADIUS server group. The userhas to be also authorized in order to be granted access. From the same tab as shown in theimage.

Use the same order of local/group that is used for the authentication method in the previous step,and select type as 'exec'.

From CLI:

paolo-9800(config)#aaa authorization exec radAuthzMethod local group radGroup

Step 5. Assign the methods to the HTTP configurations and to the VTY lines used for Telnet/SSH.These steps cannot take place from GUI, hence they need to be done from CLI.

For GUI authentication:

paolo-9800(config)#ip http authentication aaa login-authentication radAutheMethodpaolo-9800(config)#ip http authentication aaa exec-authorization radAuthzMethod

For Telnet/SSH authentication:

paolo-9800(config)#line vty 0 15

paolo-9800(config-line)#login authentication radAutheMethod

paolo-9800(config-line)#authorization exec radAuthzMethod

When you make the changes to the HTTP configurations, it is best to restart the HTTP andHTTPS services:

paolo-9800(config)#no ip http server

paolo-9800(config)#no ip http secure-server

paolo-9800(config)#ip http server

paolo-9800(config)#ip http secure-server

Configure RADIUS ISE

Step 1. Configure the WLC as a network device for RADIUS as shown in the image.

In the new window, add the IP address, select RADIUS, and type the same shared secret used onthe WLC.

Step 2. Create an authorization result, to return the privilege.

In order to configure, adminuser needs to have a privilege level of 15, which will allow to accessthe exec prompt shell. The other user instead, helpdeskuser does not need exec prompt shellaccess, and it can be assigned a privilege level lower than 15. In order to do so, create anauthorization profile result for adminuser as shown in the image.

Especially, the profile for adminuser has to look like this:

Then create a similar one for the helpdeskuser, change only the string shell:priv-lvl=15 toshell:priv-lvl=X, and replace X with the desired privilege level. In this example, 1 is used.

Step 3. Create the users on ISE as shown in the image.

The credentials given to the users will be the ones that you will type in the WLC later when youauthenticate. 

Step 4. Authenticate the users: In this scenario, the default authentication policy rule of ISE

preconfigured already allows default network access, hence there is no need to change it:

Step 5. Authorize the users: After the login attempt passes the authentication policy, it needs to beauthorized, and ISE needs to return the authorization profile created earlier (permit accept, alongwith the privilege level).

In this example, filter the login attempt based on the device IP address (which is the WLC IPaddress), and distinguish the privilege level to be granted based on the username.

Another valid approach will be to assign all the admin users to a certain group and to grantprivilege level 15 only to the users that belong to such a group.

Configure Tacacs+ WLC

Step 1. Declare the Tacacs+ server. First of all, create the Tacacs+ server ISE on the WLC. This can be done from the GUI WLCpage https://<WLC-IP>/webui/#/aaa.

A popup window opens, where you can type the server name (it does not have to match the ISE system name), its IP address, theshared key, and the port that is used and the timeout.

From CLI:

paolo-9800(config)#tacacs server labISE

paolo-9800(config-server-tacacs)# address ipv4 10.48.71.92

paolo-9800(config-server-tacacs)# key Cisco123

Step 2. Map the Tacacs+ server to a Server Group. In case you have multiple Tacacs+ servers that can be used for authentication,it is recommended to map all these servers to the same Server Group. The WLC then takes care of load balancing differentauthentications among the servers in the server group.From the same GUI tab as shown in the image.

In the popup, give a name to the group, and move the desired servers to the Assigned list.

From CLI:

paolo-9800(config)#aaa group server tacacs+ tacGroup

paolo-9800(config-sg-tacacs+)# server name labISE

Step 3. Create an AAA authentication login method that points to the Tacacs+ server group. Always in the GUI page, https://<WLC-IP>/webui/#/aaa, move to the AAA Method list tab, and create the Authentication method as shown in the image.

In the popup, give a name to the method, select type as login, and assign the group server created in the previous step.If you select Group Type as local, the WLC first checks if the user exists locally, and will then fall back to the server group.CLI:

paolo-9800(config)#aaa authentication login tacAutheMethod local group tacGroup 

If you select Group Type as group, and no fall back to local option checked, the WLC just checks the user against the servergroup.

CLI:

paolo-9800(config)#aaa authentication login tacAutheMethod group tacGroup 

If you select Group Type as a group, and the fall back to local option is checked, the WLC will check the user against the servergroup and will query the local database only if the server does not respond. If the server sends a reject, the user won't beauthenticated, even though it might exist on the local database.

CLI:

paolo-9800(config)#aaa authentication login tacAutheMethod group tacGroup local

In this setup, some users are only created locally and some users only on the ISE server, hence the first option is used.Step 4. Create an AAA authorization exec method that points to the Tacacs+ server group. The user has to also be authorized inorder to be granted access. From the same tab as shown in the image.

Use the same order of local/group that is used for the authentication method in the previous step, and select type as 'exec'.From CLI:

paolo-9800(config)#aaa authorization exec tacAuthzMethod local group tacGroup

Step 5. Assign the methods to the HTTP configurations and to the VTY lines used for Telnet/SSHThese steps cannot be done from GUI, hence they need to be done from CLI.

For the GUI authentication:●

paolo-9800(config)#ip http authentication aaa login-authentication tacAutheMethod

paolo-9800(config)#ip http authentication aaa exec-authorization tacAuthzMethod

For Telnet/SSH authentication:●

paolo-9800(config)#line vty 0 15

paolo-9800(config-line)#login authentication tacAutheMethod

paolo-9800(config-line)#authorization exec tacAuthzMethod

Note: when doing changes to the the HTTP configurations, it is best to restart the HTTP and HTTPS services:

paolo-9800(config)#no ip http server

paolo-9800(config)#no ip http secure-server

paolo-9800(config)#ip http server

paolo-9800(config)#ip http secure-server

Tacacs+ ISE configurationStep 1. Configure the WLC as network device for Tacacs+:

Note that in this example, the WLC is already added for RADIUS, hence click on edit, and scroll down to TACACSAuthentication Settings, and add the needed secret:

Note: in order to use ISE as TACACS+ server, you must have a Device Administration license package, and either a Base or aMobility license.Also, once the licenses are installed, you must enable the Device Admin feature for the node. To do so, edit the node deploymentnode under Administrator > Deployment, and check the box:

Step 2. Create TACACS Profiles, to return the privilegeIn order to do configurations, 'adminuser' needs to have a privilege level of 15, which will allow to access the exec prompt shell.The other user instead, 'helpdeskuser' will not need exec prompt shell access, and it can be assigned a privilege level lower than15.To do so, create TACACS Profiles:

Configure an admin profile with privilege 15 as follows :

In the Helpdesk profile instead, the Default Privilege is set as 1.

Step 3. Create the users on ISE:

This is the same as on step 3 of the RADIUS ISE configuration

Step 4. Create a Device Admin Policy Set:

The specific Policy Set "IOS-9800", in this example,  filters requests with IP Address equal to theexample 9800 IP.

As authentication policy, we leave the Default Rule, and have set up two Authorization rules:

the first one is triggered when the username is 'adminuser', it permits all commands (via thedefault 'Permit_all') rule, and it assigns privilege 15 (via 'IOS_Admin)

●

the second one is triggered when the username is 'helpdeskuser', it permits all commands (viathe default 'Permit_all') rule, and it assigns privilege 15 (via 'IOS_Helpdesk)

●

Troubleshooting

In order to troubleshoot TACACS+ access to the WLC's GUI or CLI, issue the 'debug tacacs'command, along with 'term mon' and see the live output when a login attempt is made.

A successful login attempt of the 'adminuser' user is shown below:

paolo-9800#terminal monitor

paolo-9800#debug tacacs

TACACS access control debugging is on

paolo-9800#

Apr 17 12:16:55.269: TPLUS: Queuing AAA Authentication request 0 for processing

Apr 17 12:16:55.270: TPLUS(00000000) login timer started 1020 sec timeout

Apr 17 12:16:55.270: TPLUS: processing authentication start request id 0

Apr 17 12:16:55.270: TPLUS: Authentication start packet created for 0(adminuser)

Apr 17 12:16:55.270: TPLUS: Using server 10.48.71.92

Apr 17 12:16:55.270: TPLUS(00000000)/0/NB_WAIT/7FF771A25E18: Started 5 sec timeout

Apr 17 12:16:55.271: TPLUS(00000000)/0/NB_WAIT: socket event 2

Apr 17 12:16:55.271: TPLUS(00000000)/0/NB_WAIT: wrote entire 29 bytes request

Apr 17 12:16:55.271: TPLUS(00000000)/0/READ: socket event 1

Apr 17 12:16:55.272: TPLUS(00000000)/0/READ: Would block while reading

Apr 17 12:16:55.277: TPLUS(00000000)/0/READ: socket event 1

Apr 17 12:16:55.277: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 15 bytes data)

Apr 17 12:16:55.277: TPLUS(00000000)/0/READ: socket event 1

Apr 17 12:16:55.277: TPLUS(00000000)/0/READ: read entire 27 bytes response

Apr 17 12:16:55.277: TPLUS(00000000)/0/7FF771A25E18: Processing the reply packet

Apr 17 12:16:55.278: TPLUS: Received authen response status GET_PASSWORD (8)

Apr 17 12:16:55.278: TPLUS: Queuing AAA Authentication request 0 for processing

Apr 17 12:16:55.278: TPLUS(00000000) login timer started 1020 sec timeout

Apr 17 12:16:55.279: TPLUS: processing authentication continue request id 0

Apr 17 12:16:55.279: TPLUS: Authentication continue packet generated for 0

Apr 17 12:16:55.279: TPLUS(00000000)/0/WRITE/7FF771A25E18: Started 5 sec timeout

Apr 17 12:16:55.279: TPLUS(00000000)/0/WRITE: wrote entire 25 bytes request

Apr 17 12:16:55.302: TPLUS(00000000)/0/READ: socket event 1

Apr 17 12:16:55.302: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 103 bytes data)

Apr 17 12:16:55.302: TPLUS(00000000)/0/READ: socket event 1

Apr 17 12:16:55.302: TPLUS(00000000)/0/READ: read entire 115 bytes response

Apr 17 12:16:55.302: TPLUS(00000000)/0/7FF771A25E18: Processing the reply packet

Apr 17 12:16:55.302: TPLUS: Received authen response status PASS (2)

Apr 17 12:16:55.303: TPLUS: Queuing AAA Authorization request 0 for processing

Apr 17 12:16:55.303: TPLUS(00000000) login timer started 1020 sec timeout

Apr 17 12:16:55.303: TPLUS: processing authorization request id 0

Apr 17 12:16:55.304: TPLUS: Inappropriate protocol: 25

Apr 17 12:16:55.304: TPLUS: Sending AV service=shell

Apr 17 12:16:55.304: TPLUS: Sending AV cmd*

Apr 17 12:16:55.304: TPLUS: Authorization request created for 0(adminuser)

Apr 17 12:16:55.304: TPLUS: Using server 10.48.71.92

Apr 17 12:16:55.304: TPLUS(00000000)/0/NB_WAIT/7FF771A25E18: Started 5 sec timeout

Apr 17 12:16:55.305: TPLUS(00000000)/0/NB_WAIT: socket event 2

Apr 17 12:16:55.305: TPLUS(00000000)/0/NB_WAIT: wrote entire 48 bytes request

Apr 17 12:16:55.305: TPLUS(00000000)/0/READ: socket event 1

Apr 17 12:16:55.305: TPLUS(00000000)/0/READ: Would block while reading

Apr 17 12:16:55.335: TPLUS(00000000)/0/READ: socket event 1

Apr 17 12:16:55.335: TPLUS(00000000)/0/READ: read entire 12 header bytes (expect 18 bytes data)

Apr 17 12:16:55.335: TPLUS(00000000)/0/READ: socket event 1

Apr 17 12:16:55.335: TPLUS(00000000)/0/READ: read entire 30 bytes response

Apr 17 12:16:55.335: TPLUS(00000000)/0/7FF771A25E18: Processing the reply packet

Apr 17 12:16:55.335: TPLUS: Processed AV priv-lvl=15

Apr 17 12:16:55.335: TPLUS: received authorization response for 0: PASS

Apr 17 12:16:55.335: AAA Proxy: Couldnt get the login info

Apr 17 12:16:55.426: Socket I/O cleanup message sent to TACACS

Apr 17 12:16:55.426: Socket I/O cleanup message sent to TACACS

TPLUS Proc:SOCKET IO CLEANUP EVENT

TPLUS Proc:SOCKET IO CLEANUP EVENT

Apr 17 12:16:55.336: %WEBSERVER-5-LOGIN_PASSED: Chassis 1 R0/0: nginx: Login Successful from

host 10.149.4.75 by user 'adminuser' using crypto cipher 'ECDHE-RSA-AES256-GCM-SHA384'

It can be seen that the Tacacs+ server returns the correct privilege 'AV priv-lvl=15'

When doing RADIUS authentication, instead, we will have a similar debug output, concerningthe RADIUS traffic.

'debug aaa authentication' and 'debug aaa authorization' will instead show which method list isbeing selected by the WLC when the use tries to login.