In this post we will learn how to control WLC management user access through an external RADIUS server.
We will create 3 users:
User1: Full admin rights on the WLC – sandeeprw
User2: Read-only rights on the WLC – sandeepro
User3: Lobby user who can create guest accounts – sandeeplobby
ACS Server: 192.168.205.5
Shared Secret: Test12345
Read/Write User: sandeeprw, Password: sandeeprw
Read-Only User: sandeepro, Password: sandeepro
Lobby User: sandeeplobby, Password: sandeeplobby
- Add the ACS server to the WLC as a RADIUS server (see the post: Configure RADIUS server on WLC).
- Add the WLC as an AAA client to ACS.
- Create Identity Groups.
- Create users and assign them to their respective Identity Groups.
- Assign roles (Authorization Profiles) to the users.
- Configure Access Policies for the specific users.
- Set the priority order for management access.
So let’s start with the configuration:
Add ACS server to WLC as Radius server
Go to the WLC GUI and click Security > AAA > RADIUS > Authentication. Enter the parameters specific to the RADIUS server. If accounting server information is also needed, enter it as well.
*** Don’t forget to check the Management box.
Add WLC as AAA client to ACS
Log in to ACS and go to Network Resources > Network Devices and AAA Clients.
Select the RADIUS check box and enter the same shared secret we used when adding ACS to the WLC.
Create Identity Groups
Create Identity Groups for the different users.
These are the Groups:
Create Users and assign to respective Identity Groups
Assign roles or Authorization profiles to Users
Here we create an Authorization Profile and assign the Service-Type attribute to each user; the value returned decides the level of access the WLC grants:
Admin Users: Administrative
Read-Only User: NAS Prompt
Lobby Users: Callback Administrative
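As an added example (not part of the original post), a small Python decoder for the Service-Type attribute that the RADIUS server returns in its Access-Accept, mapped to the three WLC roles listed above. The attribute number and values come from RFC 2865; the byte strings are constructed; treating an absent or unmapped Service-Type as "none" is this example's fail-closed choice, not a statement of how the WLC itself behaves.

```python
"""Map the Service-Type a RADIUS server returns in Access-Accept to a WLC role."""
import struct
SERVICE_TYPE = 6            # RFC 2865 attribute type for Service-Type
ROLE_BY_SERVICE_TYPE = {    # the values this post assigns per user group
    6: "read-write",        # Administrative
    7: "read-only",         # NAS Prompt
    11: "lobby-admin",      # Callback Administrative
}

def parse_attributes(payload: bytes) -> dict:
    """Split a RADIUS attribute section into {type: [values]}; each attribute is
    type (1 byte), length (1 byte, includes the header), value (length - 2)."""
    attrs, pos = {}, 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.setdefault(atype, []).append(payload[pos + 2:pos + alen])
        pos += alen
    return attrs

def wlc_role(accept_attrs: bytes) -> str:
    """Return the WLC role for the Service-Type in an Access-Accept. An absent,
    duplicated, malformed or unmapped Service-Type yields "none" (this example's
    fail-closed choice, not a statement of how the WLC itself behaves)."""
    try:
        values = parse_attributes(accept_attrs).get(SERVICE_TYPE, [])
    except ValueError:
        return "none"
    if len(values) != 1 or len(values[0]) != 4:
        return "none"
    return ROLE_BY_SERVICE_TYPE.get(struct.unpack("!I", values[0])[0], "none")

def service_type_attr(value: int) -> bytes:
    """Encode a Service-Type TLV as a RADIUS server would (total length 6)."""
    return struct.pack("!BBI", SERVICE_TYPE, 6, value)

# Constructed sample Access-Accept attribute sections for the post's three users;
# sandeepro's also carries a Reply-Message (type 18) to show other attributes pass.
SAMPLE_ACCEPTS = {
    "sandeeprw": service_type_attr(6),
    "sandeepro": struct.pack("!BB", 18, 7) + b"hello" + service_type_attr(7),
    "sandeeplobby": service_type_attr(11),
}

if __name__ == "__main__":
    for user, attrs in SAMPLE_ACCEPTS.items():
        print(user, "->", wlc_role(attrs))
```

Feed it the attribute section of a captured Access-Accept to confirm the ACS authorization profile returns the Service-Type you expect for each user.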
Configure Access Policies for specific Users
Create the Authorization rules under Default Network Access:
It will look like this:
Assign the Priority order for management access
If the WLC is configured with management users both locally and on the RADIUS server, with the Management check box enabled, then by default, when a user tries to log in to the WLC, the WLC behaves in this manner:
It first looks at the local management users. If the user exists in its local list, it authenticates this user locally. If the user does not appear locally, it then looks to the RADIUS server.
This means the WLC’s local user database always takes precedence over the RADIUS server.
Authentication order for management users on the WLC:
Security > Priority Order > Management User.
*** If LOCAL is selected as the second priority, the user is authenticated using this method only if the method defined as the first priority (RADIUS) is unreachable.
To verify each account, we log in with the different users and check the access each one gets.
If we log in as user sandeeprw, we have full administrative access to the WLC.
Example: If we log in as the read-only user (sandeepro) and try to modify something on the WLC, this message appears:
Verification logs from ACS about the user attempts:
That’s all 🙂