ACS 5 Express and WLC 4400 device login

Unanswered Question
Jul 13th, 2009

I am trying to get a WLC4404-100 to use an ACS Express 5.0 for authentication to the WLC for administration. I have the device in the ACS but it does not authenticate any users. If I switch to RADIUS on the WLC with Local as secondary in the priority list, I can log in with the ACS local users database, but then I do not get a privilege level of 15 on the WLC.


Does anyone know how to set up an ACS Express 5.0 to authenticate users to manage a WLC4404 running 6.x code and be able to have full admin rights on the WLC?

bobschumacher Tue, 07/14/2009 - 08:45

Thank you, I had already reviewed those docs prior to posting my message. I have the RADIUS piece working to let me authenticate, but it does not send back to the WLC the privilege level for administering the WLC at level 15 or all-level access. There is no doc I can find on customizing the RADIUS responses back to the WLC to tell it what privilege levels to give. And with TACACS as the priority, the WLC login does not get authenticated at all, even with a valid config on the ACS Express 5.0 appliance.


Is there anything else I can refer to in order to customize a RADIUS response back to the WLC? I know in ACS 4.x there is a way to add custom attributes on a device, but I do not see how to set that up on the ACS Express 5.0, as it requires Type, Attribute, etc. to send as a response back and there is no table I can find. So either the WLC does not like TACACS over RADIUS / not supported, or there has to be a way to do this with RADIUS. Any thoughts?

Ryan Curry Tue, 07/06/2010 - 12:18

I'm having similar challenges on my side.  I can see that ACS is authenticating me but the controller is looking for a certain service type.  If I come across a solution, I'll post it since the solution seems rather tough to come across (at least in terms of "google-ing it".)

Ryan Curry Tue, 07/06/2010 - 14:46

Bob, I was able to figure it out. I created a new Authorization Policy with my conditions, and then in the results I created a new shell profile (named WLC_Access). In this profile, only go into the Custom Attributes and add a custom attribute named "role1" (no quotes) with the value "ALL" (again, no quotes); this should give you access to the WLC. I was hung up on setting the default Privilege Level to 15, which was causing grief.


Hope this helps. If you need a better explanation or screenshots, let me know.
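
To check what a shell profile like the one described in the post above actually sends to the controller, the attribute-value pairs in the TACACS+ authorization reply can be decoded. This is an added example, not part of the thread and not Cisco code; it assumes an already-decrypted authorization REPLY body in the RFC 8907 layout, and the sample bodies are constructed with the hypothetical helper `build_reply`.

```python
import struct

# TACACS+ authorization REPLY status codes (RFC 8907, section 6.2)
STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
          0x11: "ERROR", 0x21: "FOLLOW"}


def build_reply(status, args, server_msg=b"", data=b""):
    """Build a constructed (sample) authorization REPLY body for the demo."""
    encoded = [a.encode("ascii") for a in args]
    head = struct.pack("!BBHH", status, len(encoded), len(server_msg), len(data))
    return head + bytes(len(a) for a in encoded) + server_msg + data + b"".join(encoded)


def parse_reply(body):
    """Decode a decrypted authorization REPLY body into status and AV pairs."""
    if len(body) < 6:
        raise ValueError("body shorter than fixed header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lengths = body[6:6 + arg_cnt]
    offset = 6 + arg_cnt + msg_len + data_len
    if len(lengths) != arg_cnt or offset + sum(lengths) != len(body):
        raise ValueError("length fields do not match body size")
    pairs = []
    for n in lengths:
        arg = body[offset:offset + n].decode("ascii")
        offset += n
        # '=' marks a mandatory attribute, '*' an optional one; the first separator wins
        idx = min((i for i in (arg.find("="), arg.find("*")) if i >= 0), default=-1)
        if idx < 1:
            raise ValueError(f"malformed argument: {arg!r}")
        pairs.append((arg[:idx], arg[idx + 1:], arg[idx] == "="))
    return STATUS.get(status, hex(status)), pairs


def wlc_roles(pairs):
    """Return the values of roleN attributes, the kind the post adds to the profile."""
    return [v for k, v, _ in pairs if k.startswith("role") and k[4:].isdigit()]


if __name__ == "__main__":
    # Constructed samples: a profile returning only priv-lvl, and the profile from the post
    for args in (["priv-lvl=15"], ["role1=ALL"]):
        status, pairs = parse_reply(build_reply(0x01, args))
        roles = wlc_roles(pairs)
        print(status, pairs, "roles:", roles or "none returned",
              "(full access per the post)" if "ALL" in roles else "")
```

Because `role1=ALL` grants full management access, a profile that returns it is best bound to an authorization rule that matches only the administrators who need it.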
