WCS 6.0 ACS 5.1

Answered Question
Mar 26th, 2010

Has anyone been able to add WCS 6.0 and any WLCs running 6 code to an ACS 5.1 box yet? I cannot find any documents for 5.1 on how to add these.

I have this problem too.
0 votes
Correct Answer by sschmidt about 6 years 7 months ago

I checked with the wireless guys and he said that wlc 6.x should be fine with acs 5.1.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
sschmidt Fri, 03/26/2010 - 08:28

WCS 6.x integrated with ACS 5.x is not currently supported but should be supported in the WCS 7.x release.

nshoe18 Fri, 03/26/2010 - 08:31

What about version 6 of the Controller code and ACS 5.1?

Correct Answer
sschmidt Fri, 03/26/2010 - 08:37

I checked with the wireless guys and he said that wlc 6.x should be fine with acs 5.1.

nshoe18 Fri, 03/26/2010 - 08:41

Where can I get something on how to setup the WLC to talk with ACS 5.1?

sschmidt Fri, 03/26/2010 - 08:48

I checked the config guide for the 6.x WLC code and it still shows the older version of ACS in the guide.  I would assume the 7.x versions will get the new screenshots.  If you can open a ticket the folks in AAA should be able to assist though.  I have not done a 5.1 config or I'd be happy to help.

kmcsweeg Sun, 03/28/2010 - 10:45

I worked with TAC on this yesterday, we were able to get my WLCs working with ACS 5.1 using Radius....NOT Tacacs,

this only remaining issue i have is with WCS, trying to  match the correct Auth policy, if i match to enable priv 15 , all cisco hardware authenicates

fine, but cant auth to my WCS, if i move the WCS policy up with its custom attributes i can get into the WCS, but the cisco hardware fails.

Almost there, any ideas, so far i really like acs 5.1, big improvement from my MCS 7800's running 4.0 acs.

kmcsweeg Sun, 03/28/2010 - 11:41

GOT IT, i added another match condtion (NDG) in the Device Administration Authorization Policy, and then for my rule-1 which enabled Priv 15, i added

not in NDG device type WCS, this way everything matched on it except my WCS server, so it used the custom attibutes i created for it.

volven.didata Tue, 04/06/2010 - 17:58


Please can you elaborate the steps taken to Integrate WCS 6.0 with ACS 5.1?



kmcsweeg Wed, 04/07/2010 - 06:13


          Starting on the WCS server, Administration/TACACS, i added a server,

AAA mode was then set to TACACS.

On my ACS server i added the WCS server under network devices and AAA clients, using the same shared tacacs key.

Next under Policy elements/Authorization and permissions/Device Administration/Shell Profile i created a new shell profile

called WCS Custom, open the custom attributes tab.

the following needs to be added exactly in this order

task0=Users and Groups
task1=Audit Trails
task2=TACACS+ Servers
task3=RADIUS Servers
task5=License Center
task6=Scheduled Tasks and Data Collection
task7=User Preferences
task8=System Settings
task9=View Alerts and Events
task10=Email Notification
task11=Delete and Clear Alerts
task12=Pick and Unpick Alerts
task13=Ack and Unack Alerts
task14=Configure Controllers
task15=Configure Templates
task16=Configure Config Groups
task17=Configure Access Points
task18=Configure Access Point Templates
task19=Migration Templates
task20=Configure Choke Points
task21=Configure Spectrum Experts
task22=Auto Provisioning
task23=Monitor Controllers
task24=Monitor Access Points
task25=Monitor Clients
task26=Monitor Tags
task27=Monitor Security
task28=Monitor Chokepoints
task29=Monitor Spectrum Experts
task30=Interferers Search
task31=Mesh Reports
task32=Client Reports
task33=Performance Reports
task34=Security Reports
task35=Voice Audit Report
task36=Maps Read Only
task37=Maps Read Write
task38=Client Location
task39=Rogue Location
task40=Planning Mode
task41=Virtual Domain Management
task42=High Availability Configuration
task43=Health Monitor Details
task44=Configure WIPS Profiles
task45=Global SSID Groups
task46=WIPS Service
task47=Configure Lightweight Access Point Templates
task48=Configure Autonomous Access Point Templates
task49=Scheduled Configuration Tasks
task50=Configure Location Sensors
task51=Configure ACS View Servers
task52=Monitor Location Sensors
task53=RRM Dashboard
task54=Compliance Assistance Reports
task55=Config Audit Dashboard
task56=Guest Reports
task57=Configure Ethernet Switch Ports
task58=Configure Ethernet Switches
task59=Device Reports
task60=Network Summary Reports
task61=Compliance Reports
task62=Report Launch Pad
task63=Run Reports List
task64=Saved Reports List
task65=Report Run History

Finally under Access policies/Default device admin/authorization i created a new rule called WCS, matching on tacacs as the protocol and under results i called the new WCS Custom profile we created earlier, under command sets i selected Allow ALL.

If you move this rule up it will work, i got around having to move it by excluding WCS as i stating in my earlier post,

I've added some screenshots to support my ramblings

Good Luck

volven.didata Wed, 04/07/2010 - 06:39


Thanks for your response, actually I have done exactly as what you have suggested, the only difference being I have created the Root Group. Every time i try to login an error gets reported regarding Groups not being defined.

I currently have no access to the ACS, however will send more snapshots tomorrow.



volven.didata Wed, 04/07/2010 - 19:12

Attached are my snapshots, I have included the LobbyAmbassador role created in ACS and snapshots of the corresponding configs in the ACS and WCS. Also included is the error message i receive.



volven.didata Fri, 04/09/2010 - 00:55

Got it working..

Seems to be a BUG, had to follow a crazy procedure.

Before adding any attributes i had to add the Virtual Domain attribute even though i have only the root domain and than follow it up with the role and tasks list. Once saved, I had to go back and delete the Virtual Domain attribute and than it works fine. Tested this by creating different roles and it only worked by first creating the virtual domain attribute and than deleting it.

Hope someone else facing a similar issue finds this useful. The versions i am using are..


ACS - 5-1-0-44-2



pvzcisco07 Thu, 04/19/2012 - 21:46

Thx Heaps for your comment. I was fiddling around with the attributes for about 4 hours before I found this post. I followed your tip and it worked perfectly! Now I've got to do the same for the WLCs!

eoinwhite Wed, 06/23/2010 - 07:10

"If you move this rule up it will work, i got around having to move it by  excluding WCS as i stating in my earlier post"

Hey kmcsweeg,

I got TACACS on WLC tpo work but only by moving it up to the top. However when I do this it breaks TACACS for my switches, firewalls e.t.c. Can you elaborate on how you got it to work by "exluding the WCS" ?



Jason Aarons Fri, 07/30/2010 - 17:53

I had this same issue with WCS and ACS, added task41=Virtual Domain Management but

had to leave it there for Lobby access to work.

Is there a Cisco Bug id for this?

Jason Aarons Wed, 03/09/2011 - 14:38

So WCS has been out awhile, have there been any improvements for using WCS 7.x with ACS 5.2 ?  Or do I still need to setup all these taskx= in the ACS server?

Andrius Ajauskas Mon, 12/06/2010 - 02:37


Have we to write task0,,,n  one by one ? it takes quit a lot of time .

or can we just take copy paste ? like in ACS4.X ?


This Discussion



Trending Topics - Security & Network