Document ID: 99951
Updated: Nov 28, 2007
Introduction
This paper documents the RADIUS access-accept packet that is received at the Wireless Control System (WCS) from the AAA server, and discusses troubleshooting tips for both RADIUS authentication and TACACS+ authentication.
Note: This document does not discuss how the WCS uses TomCat to authenticate users, but discusses the RADIUS access-accept format and gives an example of a good access-accept response.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Knowledge of WCS
- Knowledge of Lightweight Access Point Protocol (LWAPP)
Components Used
This document is not restricted to specific software and hardware versions.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
RADIUS Access-Accept Packets on WCS
When customers use a RADIUS or TACACS+ server to log in to the WCS, the AAA server, after it verifies the username and password, sends back an access-accept packet that contains a usergroup and the list of tasks that the user can perform.
Note: The access-accept comes back as a fragmented packet because of the large number of tasks in some user groups.
You can refer to Adding WCS to a non-Cisco ACS server for use with RADIUS, which shows the process to have the WCS indicate which tasks are associated to which user group.
Or alternatively, you can look in this file:
C:\Program Files\WCS4.1\webnms\webacs\WEB-INF\security\usergroup-map.xml
This is a file with the tasks that different users can perform.
The tasks are passed back as a vendor-specific attribute. The basic layout is Type, Length, Value (TLV); in this case, the value itself contains another TLV.
Here is an example of the data portion of the access-accept packet. In this truncated output for an Admin user group login, notice that only one role is sent back: role0 -> Admin. The tasks associated with the role then start with task0 and increment with task1, task2, ...
0000 06 6d 0e 59 07 3d 6a 24 02 47 07 35 d2 12 a4 eb  .m.Y.=j$.G.5....
0010 a2 5a fa 84 38 20 e4 e2 3a 3a bc e5 1a 20 00 00  .Z..8 ..::... ..
0020 00 09 01 1a 57 69 72 65 6c 65 73 73 2d 57 43 53  ....Wireless-WCS
0030 3a 72 6f 6c 65 30 3d 41 64 6d 69 6e 1a 2b 00 00  :role0=Admin.+..
0040 00 09 01 25 57 69 72 65 6c 65 73 73 2d 57 43 53  ...%Wireless-WCS
0050 3a 74 61 73 6b 30 3d 55 73 65 72 73 20 61 6e 64  :task0=Users and
0060 20 47 72 6f 75 70 73 1a 27 00 00 00 09 01 21 57   Groups.'.....!W
0070 69 72 65 6c 65 73 73 2d 57 43 53 3a 74 61 73 6b  ireless-WCS:task
0080 31 3d 41 75 64 69 74 20 54 72 61 69 6c 73 xx xx  1=Audit Trails.*
Each of the tasks begins with 1a (26 in decimal). This is the Type in the figure above and indicates that it is a vendor-specific attribute. The next entry, Length, is the total number of bytes in this TLV, that is, the number of bytes to skip in order to reach the next TLV. For task0, Users and Groups, this is 2b, or 43 bytes in decimal. Next is the 4-byte Vendor-Id field, 00 00 00 09, which identifies the vendor as Cisco (9).
What follows is a nested TLV for the WCS to read. The first byte, 01, is the vendor type and indicates a Cisco AV pair. The next byte is the Length field, 25 (37 bytes in decimal). This is followed by the text string, shown in hex: Wireless-WCS:task0=Users and Groups.
After this comes the next TLV, until the data portion is completely processed. At the end of the packet, the Access Control Server (ACS) tacks on three other TLVs:
- RADIUS type 8 (Framed-IP-Address) of 255.255.255.255
- type 25 (0x19), Class, which is a string
- type 80 (0x50), the Message-Authenticator
Note: The last TLV, type 80, is unnecessary in WCS version 4.2 and later. TLV type 80 was needed in WCS versions before 4.2 because of Cisco bug ID CSCsj29057.
In order to troubleshoot RADIUS authentication, you need to:
- Verify the RADIUS packet is an access-accept via the ACS Passed Authentication Log or wired sniffer trace.
- Verify the task names for the user group in the access-accept via the ACS Passed Authentication Log or wired sniffer trace.
- Look at the different length fields in the RADIUS packet.
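The TLV walk described above and the three troubleshooting checks can be carried out with a small parser. The following Python is an added example, not code from the original Cisco document or from the WCS: it builds an Access-Accept out of the AV pairs shown on this page (the identifier, authenticator, Class text and Message-Authenticator value are constructed placeholders), then decodes it back, reporting a Length field that does not match, a code that is not an access-accept, or a packet with no Wireless-WCS role or task.

```python
import struct

# RADIUS code and attribute numbers referenced on the page
ACCESS_ACCEPT = 2
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_CLASS = 25                  # 0x19
ATTR_VENDOR_SPECIFIC = 26        # 0x1a
ATTR_MESSAGE_AUTHENTICATOR = 80  # 0x50
VENDOR_CISCO = 9
CISCO_AVPAIR = 1                 # vendor type 1 = Cisco AV pair


def cisco_avpair(text):
    """Outer TLV (type 26, length, Vendor-Id 9) wrapping the inner TLV (vendor type 1, length, text)."""
    value = text.encode("ascii")
    inner = bytes([CISCO_AVPAIR, 2 + len(value)]) + value
    return bytes([ATTR_VENDOR_SPECIFIC, 6 + len(inner)]) + struct.pack("!I", VENDOR_CISCO) + inner


def build_access_accept(ident, authenticator, attrs):
    """RADIUS header (code, identifier, length, 16-byte authenticator) followed by the attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + authenticator + body


def parse_attributes(data):
    """Walk a run of Type/Length/Value attributes. Length counts the whole TLV, so it is
    also the number of bytes to skip; a value below 2 or one that runs past the end is a defect."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos:#x}")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad Length {alen:#x} for type {atype} at offset {pos:#x}")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_access_accept(packet):
    """Return (code, identifier, authenticator, attributes); the header Length must match."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"RADIUS Length {length} != {len(packet)} bytes received")
    return code, ident, packet[4:20], parse_attributes(packet[20:length])


def cisco_avpairs(attrs):
    """Pull the AV-pair strings out of Vendor-Specific attributes whose Vendor-Id is 9."""
    pairs = []
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CISCO:
            continue
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype == CISCO_AVPAIR:
                pairs.append(vvalue.decode("ascii", errors="replace"))
    return pairs


def wcs_roles_and_tasks(avpairs):
    """Split Wireless-WCS:roleN=... and Wireless-WCS:taskN=... into two dicts (prefix is case sensitive)."""
    roles, tasks = {}, {}
    for pair in avpairs:
        if not pair.startswith("Wireless-WCS:"):
            continue
        key, _, value = pair[len("Wireless-WCS:"):].partition("=")
        if key.startswith("role"):
            roles[key] = value
        elif key.startswith("task"):
            tasks[key] = value
    return roles, tasks


def diagnose(packet):
    """Troubleshooting summary: 'ok', or the first thing found wrong with the packet."""
    try:
        code, ident, _, attrs = parse_access_accept(packet)
        if code != ACCESS_ACCEPT:
            return f"not an Access-Accept (code {code})"
        roles, tasks = wcs_roles_and_tasks(cisco_avpairs(attrs))
    except ValueError as exc:
        return f"malformed: {exc}"
    if not roles or not tasks:
        return "User has no usergroups/roles or tasks/permissions"
    return f"ok: id={ident} roles={sorted(roles.values())} tasks={len(tasks)}"


# Trailing attributes the ACS adds. The Class text and the Message-Authenticator value are
# constructed placeholders (a real Message-Authenticator is an HMAC-MD5 over the packet).
FRAMED_IP = bytes([ATTR_FRAMED_IP_ADDRESS, 6, 255, 255, 255, 255])
CLASS_TEXT = b"CISCOACS:constructed-sample"
CLASS = bytes([ATTR_CLASS, 2 + len(CLASS_TEXT)]) + CLASS_TEXT
MESSAGE_AUTH = bytes([ATTR_MESSAGE_AUTHENTICATOR, 18]) + bytes(16)

# Constructed sample: the AV pairs from the page, identifier 0x47, an all-zero authenticator.
SAMPLE = build_access_accept(0x47, bytes(16), [
    cisco_avpair("Wireless-WCS:role0=Admin"),
    cisco_avpair("Wireless-WCS:task0=Users and Groups"),
    cisco_avpair("Wireless-WCS:task1=Audit Trails"),
    cisco_avpair("Wireless-WCS:task2=TACACS+ Servers"),
    FRAMED_IP, CLASS, MESSAGE_AUTH,
])

if __name__ == "__main__":
    print(diagnose(SAMPLE))
    # Miscount one Length field (task0: 0x2b -> 0x2c) and the TLV walk falls out of step.
    print(diagnose(SAMPLE[:53] + b"\x2c" + SAMPLE[54:]))
```

In the constructed sample the outer Length bytes come out exactly as in the dump above (0x20 for role0, 0x2b for task0, 0x27 for task1, 0x2a for task2), which is the check to make when comparing a sniffer trace against the task names the ACS is supposed to send. A single miscounted Length makes every later attribute parse as garbage, which is why the third troubleshooting step looks at the length fields specifically.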
In order to troubleshoot TACACS+ authentication, you need to:
Verify the TACACS+ packet is an access-accept via the ACS Passed Authentication Log.
Note: The service name Wireless-WCS and the method HTTP are case sensitive and must match exactly. When the WCS receives the access-accept from the ACS, it looks for that service name in the reply. If the WCS does not find the service name in the access-accept, it fails the user and puts this message into the WCS logs:
User has no usergroups/roles or tasks/permissions
Note: If the Failed Attempts Log on the ACS indicates Service denied, you must enable (check) the undefined service names on the ACS. If it is missing from the Group, make sure Advanced TACACS features is checked under Interface Configuration --> Advanced Configuration Options. Also, check Display enable default (undefined) service configuration. Go to the Group and check Default (undefined) Services.
Appendix A - Typical Access Accept from ACS
Note: The access-accept comes back as a fragmented packet because of the large number of tasks in some user groups.
This is the first packet in a two-fragment access-accept for the Admin user group. The data portion begins at byte 2a (02), which indicates an access-accept. This is followed by the packet identifier, the length, and the authenticator string. The first Cisco AV pair starts at byte 3e (1a). Byte 015b in the second packet starts the Framed-IP-Address.
0000 00 30 48 42 c3 48 00 14 2a 0a eb b6 08 00 45 00  .0HB.H..*.....E.
0010 05 dc 0e 44 20 00 80 11 f0 7e 0a 04 01 14 0a 04  ...D ....~......
0020 01 33 06 6d 0e 59 07 3d 6a 24 02 47 07 35 d2 12  .3.m.Y.=j$.G.5..
0030 a4 eb a2 5a fa 84 38 20 e4 e2 3a 3a bc e5 1a 20  ...Z..8 ..::... 
0040 00 00 00 09 01 1a 57 69 72 65 6c 65 73 73 2d 57  ......Wireless-W
0050 43 53 3a 72 6f 6c 65 30 3d 41 64 6d 69 6e 1a 2b  CS:role0=Admin.+
0060 00 00 00 09 01 25 57 69 72 65 6c 65 73 73 2d 57  .....%Wireless-W
0070 43 53 3a 74 61 73 6b 30 3d 55 73 65 72 73 20 61  CS:task0=Users a
0080 6e 64 20 47 72 6f 75 70 73 1a 27 00 00 00 09 01  nd Groups.'.....
0090 21 57 69 72 65 6c 65 73 73 2d 57 43 53 3a 74 61  !Wireless-WCS:ta
00a0 73 6b 31 3d 41 75 64 69 74 20 54 72 61 69 6c 73  sk1=Audit Trails
00b0 1a 2a 00 00 00 09 01 24 57 69 72 65 6c 65 73 73  .*.....$Wireless
00c0 2d 57 43 53 3a 74 61 73 6b 32 3d 54 41 43 41 43  -WCS:task2=TACAC
00d0 53 2b 20 53 65 72 76 65 72 73 1a 29 00 00 00 09  S+ Servers.)....
00e0 01 23 57 69 72 65 6c 65 73 73 2d 57 43 53 3a 74  .#Wireless-WCS:t
00f0 61 73 6b 33 3d 52 41 44 49 55 53 20 53 65 72 76  ask3=RADIUS Serv
0100 65 72 73 1a 22 00 00 00 09 01 1c 57 69 72 65 6c  ers."......Wirel
0110 65 73 73 2d 57 43 53 3a 74 61 73 6b 34 3d 4c 6f  ess-WCS:task4=Lo
0120 67 67 69 6e 67 1a 24 00 00 00 09 01 1e 57 69 72  gging.$......Wir
0130 65 6c 65 73 73 2d 57 43 53 3a 74 61 73 6b 35 3d  eless-WCS:task5=
0140 4c 69 63 65 6e 73 69 6e 67 1a 3e 00 00 00 09 01  Licensing.>.....
0150 38 57 69 72 65 6c 65 73 73 2d 57 43 53 3a 74 61  8Wireless-WCS:ta
0160 73 6b 36 3d 53 63 68 65 64 75 6c 65 64 20 54 61  sk6=Scheduled Ta
0170 73 6b 73 20 61 6e 64 20 44 61 74 61 20 43 6f 6c  sks and Data Col
0180 6c 65 63 74 69 6f 6e 1a 2b 00 00 00 09 01 25 57  lection.+.....%W
0190 69 72 65 6c 65 73 73 2d 57 43 53 3a 74 61 73 6b  ireless-WCS:task
01a0 37 3d 55 73 65 72 20 50 72 65 66 65 72 65 6e 63  7=User Preferenc
01b0 65 73 1a 2a 00 00 00 09 01 24 57 69 72 65 6c 65  es.*.....$Wirele
01c0 73 73 2d 57 43 53 3a 74 61 73 6b 38 3d 53 79 73  ss-WCS:task8=Sys
01d0 74 65 6d 20 53 65 74 74 69 6e 67 73 1a 31 00 00  tem Settings.1..
01e0 00 09 01 2b 57 69 72 65 6c 65 73 73 2d 57 43 53  ...+Wireless-WCS
01f0 3a 74 61 73 6b 39 3d 44 69 61 67 6e 6f 73 74 69  :task9=Diagnosti
0200 63 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 1a 32 00  c Information.2.
0210 00 00 09 01 2c 57 69 72 65 6c 65 73 73 2d 57 43  ....,Wireless-WC
0220 53 3a 74 61 73 6b 31 30 3d 56 69 65 77 20 41 6c  S:task10=View Al
0230 65 72 74 73 20 61 6e 64 20 45 76 65 6e 74 73 1a  erts and Events.
0240 2e 00 00 00 09 01 28 57 69 72 65 6c 65 73 73 2d  ......(Wireless-
0250 57 43 53 3a 74 61 73 6b 31 31 3d 45 6d 61 69 6c  WCS:task11=Email
0260 20 4e 6f 74 69 66 69 63 61 74 69 6f 6e 1a 33 00   Notification.3.
0270 00 00 09 01 2d 57 69 72 65 6c 65 73 73 2d 57 43  ....-Wireless-WC
0280 53 3a 74 61 73 6b 31 32 3d 44 65 6c 65 74 65 20  S:task12=Delete 
0290 61 6e 64 20 43 6c 65 61 72 20 41 6c 65 72 74 73  and Clear Alerts
02a0 1a 32 00 00 00 09 01 2c 57 69 72 65 6c 65 73 73  .2.....,Wireless
02b0 2d 57 43 53 3a 74 61 73 6b 31 33 3d 50 69 63 6b  -WCS:task13=Pick
02c0 20 61 6e 64 20 55 6e 70 69 63 6b 20 41 6c 65 72   and Unpick Aler
02d0 74 73 1a 32 00 00 00 09 01 2c 57 69 72 65 6c 65  ts.2.....,Wirele
02e0 73 73 2d 57 43 53 3a 74 61 73 6b 31 34 3d 53 65  ss-WCS:task14=Se
02f0 76 65 72 69 74 79 20 43 6f 6e 66 69 67 75 72 61  verity Configura
0300 74 69 6f 6e 1a 31 00 00 00 09 01 2b 57 69 72 65  tion.1.....+Wire
0310 6c 65 73 73 2d 57 43 53 3a 74 61 73 6b 31 35 3d  less-WCS:task15=
0320 43 6f 6e 66 69 67 75 72 65 20 43 6f 6e 74 72 6f  Configure Contro
0330 6c 6c 65 72 73 1a 2f 00 00 00 09 01 29 57 69 72  llers./.....)Wir
0340 65 6c 65 73 73 2d 57 43 53 3a 74 61 73 6b 31 36  eless-WCS:task16
0350 3d 43 6f 6e 66 69 67 75 72 65 20 54 65 6d 70 6c  =Configure Templ
0360 61 74 65 73 1a 33 00 00 00 09 01 2d 57 69 72 65  ates.3.....-Wire
0370 6c 65 73 73 2d 57 43 53 3a 74 61 73 6b 31 37 3d  less-WCS:task17=
0380 43 6f 6e 66 69 67 75 72 65 20 43 6f 6e 66 69 67  Configure Config
0390 20 47 72 6f 75 70 73 1a 33 00 00 00 09 01 2d 57   Groups.3.....-W
03a0 69 72 65 6c 65 73 73 2d 57 43 53 3a 74 61 73 6b  ireless-WCS:task
03b0 31 38 3d 43 6f 6e 66 69 67 75 72 65 20 41 63 63  18=Configure Acc
03c0 65 73 73 20 50 6f 69 6e 74 73 1a 3c 00 00 00 09  ess Points.<....
03d0 01 36 57 69 72 65 6c 65 73 73 2d 57 43 53 3a 74  .6Wireless-WCS:t
03e0 61 73 6b 31 39 3d 43 6f 6e 66 69 67 75 72 65 20  ask19=Configure 
03f0 41 63 63 65 73 73 20 50 6f 69 6e 74 20 54 65 6d  Access Point Tem
0400 70 6c 61 74 65 73 1a 32 00 00 00 09 01 2c 57 69  plates.2.....,Wi
0410 72 65 6c 65 73 73 2d 57 43 53 3a 74 61 73 6b 32  reless-WCS:task2
0420 30 3d 43 6f 6e 66 69 67 75 72 65 20 43 68 6f 6b  0=Configure Chok
0430 65 20 50 6f 69 6e 74 73 1a 2f 00 00 00 09 01 29  e Points./.....)
0440 57 69 72 65 6c 65 73 73 2d 57 43 53 3a 74 61 73  Wireless-WCS:tas
0450 6b 32 31 3d 4d 6f 6e 69 74 6f 72 20 43 6f 6e 74  k21=Monitor Cont
0460 72 6f 6c 6c 65 72 73 1a 31 00 00 00 09 01 2b 57  rollers.1.....+W
0470 69 72 65 6c 65 73 73 2d 57 43 53 3a 74 61 73 6b  ireless-WCS:task
0480 32 32 3d 4d 6f 6e 69 74 6f 72 20 41 63 63 65 73  22=Monitor Acces
0490 73 20 50 6f 69 6e 74 73 1a 2b 00 00 00 09 01 25  s Points.+.....%
04a0 57 69 72 65 6c 65 73 73 2d 57 43 53 3a 74 61 73  Wireless-WCS:tas
04b0 6b 32 33 3d 4d 6f 6e 69 74 6f 72 20 43 6c 69 65  k23=Monitor Clie
04c0 6e 74 73 1a 28 00 00 00 09 01 22 57 69 72 65 6c  nts.(....."Wirel
04d0 65 73 73 2d 57 43 53 3a 74 61 73 6b 32 34 3d 4d  ess-WCS:task24=M
04e0 6f 6e 69 74 6f 72 20 54 61 67 73 1a 2c 00 00 00  onitor Tags.,...
04f0 09 01 26 57 69 72 65 6c 65 73 73 2d 57 43 53 3a  ..&Wireless-WCS:
0500 74 61 73 6b 32 35 3d 4d 6f 6e 69 74 6f 72 20 53  task25=Monitor S
0510 65 63 75 72 69 74 79 1a 2f 00 00 00 09 01 29 57  ecurity./.....)W
0520 69 72 65 6c 65 73 73 2d 57 43 53 3a 74 61 73 6b  ireless-WCS:task
0530 32 36 3d 4d 6f 6e 69 74 6f 72 20 43 68 6f 6b 65  26=Monitor Choke
0540 70 6f 69 6e 74 73 1a 30 00 00 00 09 01 2a 57 69  points.0.....*Wi
0550 72 65 6c 65 73 73 2d 57 43 53 3a 74 61 73 6b 32  reless-WCS:task2
0560 37 3d 41 63 63 65 73 73 20 50 6f 69 6e 74 20 52  7=Access Point R
0570 65 70 6f 72 74 73 1a 28 00 00 00 09 01 22 57 69  eports.(....."Wi
0580 72 65 6c 65 73 73 2d 57 43 53 3a 74 61 73 6b 32  reless-WCS:task2
0590 38 3d 4d 65 73 68 20 52 65 70 6f 72 74 73 1a 2a  8=Mesh Reports.*
05a0 00 00 00 09 01 24 57 69 72 65 6c 65 73 73 2d 57  .....$Wireless-W
05b0 43 53 3a 74 61 73 6b 32 39 3d 43 6c 69 65 6e 74  CS:task29=Client
05c0 20 52 65 70 6f 72 74 73 1a 2d 00 00 00 09 01 27   Reports.-.....'
05d0 57 69 72 65 6c 65 73 73 2d 57 43 53 3a 74 61 73  Wireless-WCS:tas
05e0 6b 33 30 3d 49 6e 76 65 6e 74                    k30=Invent
This continues with the second packet (fragment).
0000 00 30 48 42 c3 48 00 14 2a 0a eb b6 08 00 45 00  .0HB.H..*.....E.
0010 01 89 0e 44 00 b9 80 11 14 19 0a 04 01 14 0a 04  ...D............
0020 01 33 6f 72 79 20 52 65 70 6f 72 74 73 1a 2f 00  .3ory Reports./.
0030 00 00 09 01 29 57 69 72 65 6c 65 73 73 2d 57 43  ....)Wireless-WC
0040 53 3a 74 61 73 6b 33 31 3d 50 65 72 66 6f 72 6d  S:task31=Perform
0050 61 6e 63 65 20 52 65 70 6f 72 74 73 1a 2c 00 00  ance Reports.,..
0060 00 09 01 26 57 69 72 65 6c 65 73 73 2d 57 43 53  ...&Wireless-WCS
0070 3a 74 61 73 6b 33 32 3d 53 65 63 75 72 69 74 79  :task32=Security
0080 20 52 65 70 6f 72 74 73 1a 2a 00 00 00 09 01 24   Reports.*.....$
0090 57 69 72 65 6c 65 73 73 2d 57 43 53 3a 74 61 73  Wireless-WCS:tas
00a0 6b 33 33 3d 4d 61 70 73 20 52 65 61 64 20 4f 6e  k33=Maps Read On
00b0 6c 79 1a 2b 00 00 00 09 01 25 57 69 72 65 6c 65  ly.+.....%Wirele
00c0 73 73 2d 57 43 53 3a 74 61 73 6b 33 34 3d 4d 61  ss-WCS:task34=Ma
00d0 70 73 20 52 65 61 64 20 57 72 69 74 65 1a 2b 00  ps Read Write.+.
00e0 00 00 09 01 25 57 69 72 65 6c 65 73 73 2d 57 43  ....%Wireless-WC
00f0 53 3a 74 61 73 6b 33 35 3d 43 6c 69 65 6e 74 20  S:task35=Client 
0100 4c 6f 63 61 74 69 6f 6e 1a 2a 00 00 00 09 01 24  Location.*.....$
0110 57 69 72 65 6c 65 73 73 2d 57 43 53 3a 74 61 73  Wireless-WCS:tas
0120 6b 33 36 3d 52 6f 67 75 65 20 4c 6f 63 61 74 69  k36=Rogue Locati
0130 6f 6e 1a 29 00 00 00 09 01 23 57 69 72 65 6c 65  on.).....#Wirele
0140 73 73 2d 57 43 53 3a 74 61 73 6b 33 37 3d 50 6c  ss-WCS:task37=Pl
0150 61 6e 6e 69 6e 67 20 4d 6f 64 65 08 06 ff ff ff  anning Mode.....
0160 ff 19 24 43 49 53 43 4f 41 43 53 3a 30 30 30 34  ..$CISCOACS:0004
0170 34 30 34 33 2f 30 61 30 34 30 31 33 33 2f 66 65  4043/0a040133/fe
0180 66 65 6c 69 78 50 12 f4 44 a6 57 fb d7 2f 22 eb  felixP..D.W../".
0190 80 ba 80 2d c1 36 9d                             ...-.6.
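Reading a fragmented access-accept out of a sniffer trace means stitching the IP fragments back together before the RADIUS Length field can be compared with anything. The following Python is an added example, not Cisco's code: it builds a two-fragment frame pair laid out like the appendix capture (same Ethernet addresses, IP identifier 0x0e44, TTL 0x80, 10.4.1.20 to 10.4.1.51, UDP ports 1645 and 3673; the IP checksum is left zero and the RADIUS payload is a constructed sample padded with Class attributes so it exceeds one MTU), renders and re-parses a hexdump in the style shown above, reassembles the UDP payload from the fragment offsets, and flags a trace that is missing a fragment.

```python
import struct

# Header values from the capture on this page; the checksum is not computed (constructed frames).
ETH_HDR = bytes.fromhex("003048 42c348 00142a 0aebb6 0800")   # dst MAC, src MAC, IPv4
ETH_LEN = 14
FRAG_PAYLOAD = 1480   # IP payload bytes per fragment on a 1500-byte MTU


def make_frames(radius, frag_payload=FRAG_PAYLOAD):
    """Wrap a RADIUS payload in UDP/IPv4/Ethernet, splitting the IP payload into fragments
    the same way the two appendix packets are split (MF flag set on all but the last)."""
    udp = struct.pack("!HHHH", 1645, 3673, 8 + len(radius), 0) + radius
    frames = []
    for off in range(0, len(udp), frag_payload):
        chunk = udp[off:off + frag_payload]
        more = off + len(chunk) < len(udp)
        flags_frag = (0x2000 if more else 0) | (off // 8)   # MF flag | offset in 8-byte units
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), 0x0e44, flags_frag,
                         0x80, 17, 0, bytes([10, 4, 1, 20]), bytes([10, 4, 1, 51]))
        frames.append(ETH_HDR + ip + chunk)
    return frames


def hexdump(data):
    """Render bytes in the sniffer style used on this page: offset, 16 hex columns, ASCII."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexcol = " ".join(f"{b:02x}" for b in chunk).ljust(47)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexcol}  {asc}")
    return "\n".join(lines)


def parse_hexdump(text):
    """Inverse of hexdump(): reads the fixed columns (offset at 0-3, hex at 6-52) so the
    ASCII column can never be mistaken for data, and insists the offsets are contiguous."""
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        if int(line[:4], 16) != len(out):
            raise ValueError(f"non-contiguous offset {line[:4]}")
        out.extend(bytes.fromhex(line[6:53]))
    return bytes(out)


def ip_fragments(frames):
    """Yield (fragment offset in bytes, more-fragments flag, IP payload) for each frame."""
    for frame in frames:
        ip = frame[ETH_LEN:]
        ihl = (ip[0] & 0x0f) * 4
        total_len, = struct.unpack("!H", ip[2:4])
        flags_frag, = struct.unpack("!H", ip[6:8])
        yield (flags_frag & 0x1fff) * 8, bool(flags_frag & 0x2000), ip[ihl:total_len]


def reassemble_udp_payload(frames):
    """Reassemble the IP fragments in offset order, check completeness, strip the UDP header."""
    buf, last_more = bytearray(), True
    for off, more, payload in sorted(ip_fragments(frames)):
        if off != len(buf):
            raise ValueError(f"missing fragment before offset {off}")
        buf += payload
        last_more = more
    if last_more:
        raise ValueError("last fragment still has More Fragments set; capture is incomplete")
    udp_len, = struct.unpack("!H", buf[4:6])
    if udp_len != len(buf):
        raise ValueError(f"UDP length {udp_len} != {len(buf)} reassembled bytes")
    return bytes(buf[8:udp_len])


def radius_length_ok(payload):
    """The RADIUS Length field (bytes 2-3) must equal the size of the reassembled payload."""
    return len(payload) >= 20 and struct.unpack("!H", payload[2:4])[0] == len(payload)


def fragment_check(frames):
    """Troubleshooting entry point: 'ok' or a description of what is wrong with the trace."""
    try:
        payload = reassemble_udp_payload(frames)
    except ValueError as exc:
        return f"incomplete: {exc}"
    return "ok" if radius_length_ok(payload) else "RADIUS Length field does not match payload"


# Constructed sample: Access-Accept (code 2, id 0x47, zero authenticator) carrying the page's
# first AV pair, then eight 202-byte Class attributes as filler to force two IP fragments.
AVPAIR = b"\x1a\x20\x00\x00\x00\x09\x01\x1aWireless-WCS:role0=Admin"
FILLER = b"".join(bytes([25, 202]) + b"A" * 200 for _ in range(8))
SAMPLE_RADIUS = struct.pack("!BBH", 2, 0x47, 20 + len(AVPAIR) + len(FILLER)) + bytes(16) + AVPAIR + FILLER

if __name__ == "__main__":
    frames = make_frames(SAMPLE_RADIUS)
    for i, frame in enumerate(frames, 1):
        print(f"fragment {i}: {len(frame)} bytes\n" + hexdump(frame)[:180] + "\n...")
    print(fragment_check(frames), "|", fragment_check(frames[:1]))
```

With these header sizes the RADIUS code lands at frame offset 0x2a and the first attribute at 0x3e, the same offsets the appendix text points at, and the second fragment carries offset field 0x00b9 (185 x 8 = 1480 bytes), as in the second packet above. A trace in which only the first fragment was captured shows the More Fragments bit still set and can never satisfy the Length check, which is worth ruling out before suspecting the ACS configuration.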