WLC Admin Access by Radius Server

In this post we will learn how to provide and control WLC management user access via an external RADIUS server.

We will create 3 users:

User1: Full admin rights on the WLC – sandeeprw
User2: Read-only rights on the WLC – sandeepro
User3: Lobby user who can create guest accounts – sandeeplobby

Parameters:

ACS Server: 192.168.205.5
WLC: 192.168.112.10
Shared Secret: Test12345

Read/Write User: sandeeprw, Password: sandeeprw
Read-Only User: sandeepro, Password: sandeepro
Lobby User: sandeeplobby, Password: sandeeplobby

Steps:

  1. Add the ACS server to the WLC as a RADIUS server (check this post: Configure RADIUS server on WLC).
  2. Add the WLC as an AAA client to ACS.
  3. Create Identity Groups.
  4. Create users and assign them to the respective Identity Groups.
  5. Assign roles or Authorization Profiles to the users.
  6. Configure Access Policies for the specific users.
  7. Set the priority order for management access.
  8. Verification.

So let’s start with the configuration:

Add the ACS server to the WLC as a RADIUS server

In the WLC GUI, go to Security > AAA > RADIUS > Authentication and enter the parameters for the RADIUS server. If an accounting server is also needed, enter its details under Accounting as well.

*** Don’t forget to check the Management box; without it the WLC will not send management login requests to this server.

[Screenshot: WLC-Admin-RAdius1]

Add the WLC as an AAA client to ACS

Log in to ACS and go to Network Resources > Network Devices and AAA Clients.

Select the RADIUS check box and enter the same shared secret that we used when adding the ACS server to the WLC. If the secrets differ, the WLC will discard the ACS responses and every management login will fail.

[Screenshot: WLC-Admin-RAdius2]

Create Identity Groups

Create one Identity Group per access level.

These are the Groups:

Admin-Lobby
Admin-RO
Admin-RW

[Screenshot: WLC-Admin-RAdius3]

Create users and assign them to the respective Identity Groups

[Screenshot: WLC-Admin-RAdius4]

Assign roles or Authorization Profiles to the users

Here we create an Authorization Profile for each group and set the RADIUS Service-Type attribute that tells the WLC which level of access the user gets:

Admin Users: Administrative
Read-Only User: NAS Prompt
Lobby Users: Callback Administrative

[Screenshot: WLC-Admin-RAdius5]

[Screenshot: WLC-Admin-RAdius6]

[Screenshot: WLC-Admin-RAdius7]
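The two things the WLC actually checks in the ACS reply are the Response Authenticator (computed over the packet with the shared secret) and the Service-Type attribute. The following is an added example, not code from the original post or from Cisco: it builds the Access-Accept a RADIUS server would return for each of the three users, verifies it with the shared secret Test12345 from the post, and maps the Service-Type value to the WLC role. The numeric Service-Type values are the RFC 2865 ones (Administrative = 6, NAS-Prompt = 7, Callback Administrative = 11); the packet identifier, the Request Authenticator and the policy of granting nothing for a missing or unknown Service-Type are this example's own assumptions.

```python
import hashlib
import hmac
import os
import struct

SHARED_SECRET = b"Test12345"  # shared secret from the post

# RADIUS packet code and attribute types (RFC 2865)
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6

# Service-Type values (RFC 2865) and the WLC management role each one grants,
# matching the mapping used in the post
WLC_ROLE_BY_SERVICE_TYPE = {
    6: "read-write",         # Administrative
    7: "read-only",          # NAS-Prompt
    11: "lobby-ambassador",  # Callback Administrative
}


def encode_attributes(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length, value."""
    out = b""
    for atype, value in attrs:
        out += struct.pack("!BB", atype, 2 + len(value)) + value
    return out


def parse_attributes(body):
    """Decode a RADIUS attribute section into {type: value}; reject bad lengths."""
    attrs, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!BB", body[pos:pos + 2])
        if alen < 2 or pos + alen > len(body):
            raise ValueError("malformed attribute length")
        attrs[atype] = body[pos + 2:pos + alen]
        pos += alen
    return attrs


def build_access_accept(identifier, request_authenticator, secret, attrs):
    """Build the Access-Accept the server returns. The Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), so it only
    verifies on a NAS that is configured with the same shared secret."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_authenticator, secret):
    """Validate the Response Authenticator the way the NAS (here the WLC) does."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def wlc_role_from_response(packet, request_authenticator, secret):
    """Return the management role an Access-Accept grants, or None.
    None covers a failed authenticator check (the response is discarded) and a
    missing or unrecognised Service-Type (this example's assumed policy: grant nothing)."""
    if not verify_response(packet, request_authenticator, secret):
        return None
    attrs = parse_attributes(packet[20:])
    service_type = attrs.get(ATTR_SERVICE_TYPE)
    if service_type is None or len(service_type) != 4:
        return None
    return WLC_ROLE_BY_SERVICE_TYPE.get(struct.unpack("!I", service_type)[0])


def simulate_login(username, service_type, server_secret=SHARED_SECRET,
                   wlc_secret=SHARED_SECRET):
    """Simulate one exchange: the server signs an Access-Accept carrying the
    user's Service-Type with server_secret; the WLC checks it with wlc_secret."""
    request_authenticator = os.urandom(16)  # random per request, as a NAS would choose
    packet = build_access_accept(
        identifier=1,  # constructed value
        request_authenticator=request_authenticator,
        secret=server_secret,
        attrs=[(ATTR_USER_NAME, username.encode()),
               (ATTR_SERVICE_TYPE, struct.pack("!I", service_type))],
    )
    return wlc_role_from_response(packet, request_authenticator, wlc_secret)


if __name__ == "__main__":
    # The three users from the post, plus a shared-secret mismatch
    for user, st in (("sandeeprw", 6), ("sandeepro", 7), ("sandeeplobby", 11)):
        print(f"{user:13s} Service-Type {st:2d} -> {simulate_login(user, st)}")
    print("mismatched secret ->", simulate_login("sandeeprw", 6, wlc_secret=b"wrong"))
```

Running it shows the three roles being granted and, for the mismatched-secret case, no role at all: the authenticator check fails before the attributes are even looked at, which is exactly the failure you see when the shared secret on the WLC and on ACS disagree.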

Configure Access Policies for the specific users

Create Authorization rules under the Default Network Access service, one per Identity Group, each returning the matching Authorization Profile:

It will look like this:

[Screenshot: WLC-Admin-RAdius8]

Set the priority order for management access

If the WLC is configured with management users both locally and on a RADIUS server (with the Management check box enabled), then by default, when a user tries to log in to the WLC, the WLC behaves as follows:

It first looks at the local management users. If the user exists in its local list, the user is authenticated against the local database. Only if the user does not appear locally does the WLC send the request to the RADIUS server.

This means the WLC local database always takes precedence over the RADIUS server.

The authentication order for management users can be changed on the WLC under:

Security > Priority Order > Management User.

[Screenshot: WLC-Admin-RAdius9]

*** If LOCAL is selected as the second priority, a user is authenticated locally only if the method defined as the first priority (RADIUS) is unreachable. A reject from a reachable RADIUS server is final and does not fall back to the local database.
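The difference between "RADIUS unreachable" and "RADIUS rejected" is the point that catches people when they change the priority order. The model below is an added example, not code from the original post: it walks the priority list the way the post describes (LOCAL decides if the user exists locally, otherwise the next method is tried; RADIUS falls through only when unreachable). The user and password values are constructed, and the RADIUS server is stubbed as a function that returns accept, reject or unreachable.

```python
from enum import Enum


class RadiusResult(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    UNREACHABLE = "unreachable"


def authenticate_management_user(username, password, priority, local_users, radius_lookup):
    """Walk the WLC management-auth priority list and return (method, granted).

    LOCAL:  if the user exists in the local database it is decided here
            (granted only on a password match); an unknown user falls through.
    RADIUS: ACCEPT grants, REJECT denies outright, UNREACHABLE falls through.
    """
    for method in priority:
        if method == "LOCAL":
            if username in local_users:
                return ("LOCAL", local_users[username] == password)
        elif method == "RADIUS":
            result = radius_lookup(username, password)
            if result is RadiusResult.ACCEPT:
                return ("RADIUS", True)
            if result is RadiusResult.REJECT:
                return ("RADIUS", False)
            # UNREACHABLE: try the next method in the list
    return (None, False)


# Constructed sample data: one local account plus the RADIUS users from the post
LOCAL_USERS = {"admin": "LocalPass1"}
RADIUS_USERS = {"sandeeprw": "sandeeprw", "sandeepro": "sandeepro", "sandeeplobby": "sandeeplobby"}


def radius_reachable(username, password):
    """Stub for a reachable ACS: accept only known users with the right password."""
    if RADIUS_USERS.get(username) == password:
        return RadiusResult.ACCEPT
    return RadiusResult.REJECT


def radius_down(username, password):
    """Stub for an ACS that does not answer."""
    return RadiusResult.UNREACHABLE


def compare_orders():
    """Return the outcomes for the local 'admin' user under both priority orders."""
    return {
        "default LOCAL,RADIUS": authenticate_management_user(
            "admin", "LocalPass1", ["LOCAL", "RADIUS"], LOCAL_USERS, radius_reachable),
        "RADIUS,LOCAL server up": authenticate_management_user(
            "admin", "LocalPass1", ["RADIUS", "LOCAL"], LOCAL_USERS, radius_reachable),
        "RADIUS,LOCAL server down": authenticate_management_user(
            "admin", "LocalPass1", ["RADIUS", "LOCAL"], LOCAL_USERS, radius_down),
    }


if __name__ == "__main__":
    for case, outcome in compare_orders().items():
        print(f"{case:26s} -> {outcome}")
```

With RADIUS first and ACS reachable, the local admin account is rejected by ACS and never reaches the local database; the same login works only once ACS stops answering. That is why a local fallback account is a safety net for an unreachable server, not a second password store that is consulted on every login.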

Verification

To verify each account, log in with each user in turn and check the access level that is granted.

If we log in as the read/write user (sandeeprw), we get full administrative access to the WLC.

Example: if we log in as the read-only user (sandeepro) and try to modify something on the WLC, this message appears:

[Screenshot: WLC-Admin-RAdius10]

Verification logs from ACS showing the users’ login attempts:

[Screenshot: WLC-Admin-RAdius11]

That’s all 🙂
