WLC Admin Access via TACACS+ Server

In this post we will learn how to provide and control WLC management users' access via a TACACS+ server.

We will create 3 users:

User1: Full Admin rights on WLC – sandeeprw
User2: Read-Only rights on WLC (only one tab, "WLAN", is allowed as admin access) – sandeepro
User3: Lobby user to create Guest Accounts – sandeeplobby

Parameters:

ACS Server: 192.168.205.5
WLC: 192.168.112.10
Shared Secret: Test12345

Read/Write User: sandeeprw, Password: sandeeprw
Read-Only User: sandeepro, Password: sandeepro
Lobby User: sandeeplobby, Password: sandeeplobby

Steps:

  1. Add ACS server to WLC as TACACS+ server
  2. Add WLC as AAA client to ACS
  3. Create Identity Groups
  4. Create Users and assign them to the respective Identity Groups
  5. Assign shell profiles to Users
  6. Configure Access Policies for specific Users
  7. Assign the Priority Order for management access
  8. Verification

So let’s start with configuration:

Add ACS server to WLC as TACACS+ server

Go to the WLC GUI and click Security > AAA > TACACS+ > Authentication. Enter the parameters specific to the server (IP address, port and shared secret). Add the same server under Accounting and Authorization as well.

(Screenshot: TACAS1)

Add WLC as AAA client to ACS

Log in to ACS and go to Network Resources > Network Devices and AAA Clients.

You must select the TACACS+ check box and enter the same shared secret we used when adding the ACS to the WLC.

(Screenshot: WLC-Admin-RAdius2)

Create Identity Groups

Create an Identity Group for each type of user.

These are the Groups:

Admin-Lobby
Admin-RO
Admin-RW

(Screenshot: WLC-Admin-RAdius3)

Create Users and assign them to the respective Identity Groups

(Screenshot: WLC-Admin-RAdius4)

Assign shell profiles to Users

Here we will create a shell profile for each group and assign the custom attribute role1 to it. The WLC reads this attribute from the TACACS+ authorization reply to decide which management access the user gets:

Admin Users: role1 = ALL
Read-Only User: role1 = WLAN
Lobby Users: role1 = MONITOR

(Screenshot: TACAS2)

(Screenshot: TACAS3)

(Screenshot: TACAS4)

Configure Access Policies for specific Users

Create Authorization rules under Default Network Access, one per Identity Group, each mapping the group to its shell profile.

It will look like this:

(Screenshot: TACAS5)

Assign the Priority Order for management access

Set the authentication order for management users on the WLC.

Security > Priority Order > Management User.

(Screenshot: TACAS6)
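The WLC side of steps 1 and 7 can also be done from the controller CLI. This is an added example, not from the original post; it uses the ACS address and shared secret given above, assumes TACACS+ on its default TCP port 49, and assumes the priority order in the screenshot is TACACS+ first with local as fallback.

```text
! Step 1 (CLI equivalent): add the ACS as TACACS+ authentication,
! authorization and accounting server at index 1, TCP port 49
config tacacs auth add 1 192.168.205.5 49 ascii Test12345
config tacacs auth enable 1
config tacacs athr add 1 192.168.205.5 49 ascii Test12345
config tacacs athr enable 1
config tacacs acct add 1 192.168.205.5 49 ascii Test12345
config tacacs acct enable 1

! Step 7 (CLI equivalent): try TACACS+ first, fall back to the local
! user database so the controller stays manageable if the ACS is down
! (assumed order; the screenshot is not reproduced here)
config aaa auth mgmt tacacs local

! Checks: server state and per-server counters for the logins made in step 8
show tacacs summary
show tacacs auth statistics
show tacacs athr statistics
```

Lines beginning with ! are explanatory comments and are not accepted by the WLC CLI. Keep local in the order after tacacs; a typo in the shared secret or an unreachable ACS would otherwise lock you out of the controller.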

Verification

To verify each account, log in to the WLC with each of the three users and check that the access granted matches the role.

Verification logs from ACS for the users' attempts:

(Screenshot: TACAS7)

That’s all 🙂

In the next post we will learn the AAA Override / Dynamic VLAN Assignment feature.
