WCS/WLC read-only access

Unanswered Question
Mar 16th, 2009

We use WCS and AAA in our wireless environment. Reading through the WCS user guide (http://www.cisco.com/en/US/docs/wireless/wcs/5.2/configuration/guide/5_2manag.html#wp1089936) , authorization seems awfully course grained. Is there a way to provide a security group with login and read-only rights to all aspects of all wireless components (or at least to WCS and all WLC)? Ideally, the security group would be able to login to any WLC at any time and verify settings, etc.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Leo Laohoo Mon, 03/16/2009 - 18:21

Sure you can.

On the WLC, go to Management -> Local Management User -> New -> under User Access Mode, choose ReadOnly.

Does this help?

mhellman Tue, 03/17/2009 - 05:48

No, not really. We're using WCS to manage the infrastructure and we're using AAA authentication. Manually adding local users on a bunch of WLC's isn't really enterprise management.

mhellman Wed, 03/18/2009 - 10:29

no, we use a NAC guest server for that. This is about "management" access to the infrastructure. One group needs full read only access. I'll have to ask our local engineers.

Daniel Laden Thu, 04/02/2009 - 17:11

You may have already solved this but there is the information I use. I have only setup the WCS and WLC to use TACACS but you should be able to use Radius as well.

Cisco Unified Wireless Network TACACS+ Configuration


RADIUS Server Authentication of Management Users on the Controller Configuration Example


Understanding RADIUS and TACACS+ Authentication on WCS


-Dan Laden

mhellman Fri, 04/03/2009 - 06:16

here's where I'm struggling. In that doc it says:


In the text box below Custom attributes, enter this text if the user created needs access only to WLAN, SECURITY and CONTROLLER: role1=WLAN role2=SECURITY role3=CONTROLLER.

If the user needs access only to the SECURITY tab, enter this text: role1=SECURITY.

The role corresponds to the seven menu bar items in the controller web GUI. The menu bar items are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT and COMMAND.


This seems to imply that I can't grant READ-ONLY access to the MANAGEMENT tab...that it's an all or nothing thing. That's not enterprise thinking.

serotonin888 Wed, 01/20/2010 - 08:19

Hi Jamal,

Did you ever find a solution?

I am in the same situation. I need to set up tacacs accounts that have read only access to WLC's.



Jatin Katyal Sun, 01/24/2010 - 08:10


We need to follow following document to ensure that user with which we are logging in has the appropriate attributes assigned,


What different roles means, please go through following document,





Plz rate helpful posts-

rtanner Thu, 01/28/2010 - 14:56

For WLCs, by using ROLE1=MONITOR in ACS, you effectively give the user Read Only access to the system. All menu items and settings can be seen, but cannot be changed. They look like they can be changed, but a message "Authorization Failed. Insufficient Privileges" message is returned. Your security group could audit the WLC without being able to change anything.


This Discussion



Trending Topics - Security & Network