I have set up RADIUS authentication for Management AND network users on my NM-WLC (running 5.2) against ACS 5.1.
My question is:
For Admin users to login, I need to return "Service-Type=Administrative-User" in order for it to work.
Since the ACS sees all requests coming in from the same device (WLC) for Admin as well as Network users,
the way I am currently handling this is by creating a filter based on user-name.
So, users that contain "admin" in their user-id use one set of
Network Access Authorization Policy rules, which has an associated Authorization Profile with RADIUS attributes.
Normal users have a different "Network Access Authorization Policy Rule", with another Profile.
While this DOES WORK fine, I am still left wondering if there is a better way to do this, rather than creating a rule
based on user-name.
I could use TACACS+ for Management, but I don't think ACS allows the same AAA client (WLC) to use both protocols.
I think this is a very common way for things to be done.
You may notice that, out of the box, ACS 5 comes preinstalled with a service selection policy that differentiates requests based on the protocol and directs them either to a "Default Network Access" or a "Default Device Admin" service.
If you only want to do RADIUS, you can either disable or delete the rule for TACACS+ requests, or not select TACACS+ in the device definitions.
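The two posts above describe a policy flow in two stages: a service selection step keyed on the protocol (RADIUS to "Default Network Access", TACACS+ to "Default Device Admin"), and then per-service authorization rules that, in the asker's setup, match on whether the user-name contains "admin" and return Service-Type=Administrative-User. The following is an added toy model of that flow, written for this page; it is not ACS 5 code and does not reproduce the ACS rule engine. The only values taken from a standard are the RFC 2865 Service-Type numbers (Login-User = 1, Administrative-User = 6). The rule names, the user names, the NAS address and the "adm-" naming convention used for the tighter alternative are all constructed for the example. It is here mainly to show the check a practitioner would run against a "contains admin" filter: a substring match is case-sensitive unless you say otherwise, and it also grants the administrative profile to any user whose name merely contains the substring.

```python
"""Toy model of protocol-based service selection followed by user-name-based
authorization, added as an illustration for this thread.  Not ACS 5 code; all
rules, users and addresses below are constructed for the example."""
import re
from dataclasses import dataclass, field

# RFC 2865 Service-Type values (these two numbers are the real ones).
SERVICE_TYPE_LOGIN_USER = 1
SERVICE_TYPE_ADMINISTRATIVE_USER = 6


@dataclass
class Request:
    protocol: str   # "RADIUS" or "TACACS+"
    username: str
    nas_ip: str     # the AAA client, e.g. the WLC (constructed value in the demo)


@dataclass
class Rule:
    name: str
    username_pattern: re.Pattern   # evaluated with .search(), i.e. a "contains" style test
    attributes: dict = field(default_factory=dict)


def select_service(req: Request) -> str:
    """Stage 1: pick the service by protocol, like the default ACS 5 selection policy."""
    if req.protocol == "RADIUS":
        return "Default Network Access"
    if req.protocol == "TACACS+":
        return "Default Device Admin"
    raise ValueError(f"unknown protocol {req.protocol!r}")


def authorize(req: Request, rules: list) -> dict:
    """Stage 2: first-match authorization; returns the RADIUS attributes to send back."""
    for rule in rules:
        if rule.username_pattern.search(req.username):
            return dict(rule.attributes)
    return {}   # no rule matched: no extra attributes (device will treat as a normal login)


# The asker's approach: user-id contains "admin" -> administrative profile, else normal.
CONTAINS_ADMIN_RULES = [
    Rule("admin users", re.compile("admin"),
         {"Service-Type": SERVICE_TYPE_ADMINISTRATIVE_USER}),
    Rule("network users", re.compile(".*"),
         {"Service-Type": SERVICE_TYPE_LOGIN_USER}),
]

# Tighter alternative (assumed naming convention, not from the thread): a
# case-insensitive, anchored prefix so only "adm-<name>" accounts qualify.
PREFIX_ADMIN_RULES = [
    Rule("admin users", re.compile(r"^adm-[a-z0-9]+$", re.IGNORECASE),
         {"Service-Type": SERVICE_TYPE_ADMINISTRATIVE_USER}),
    Rule("network users", re.compile(".*"),
         {"Service-Type": SERVICE_TYPE_LOGIN_USER}),
]


def evaluate(req: Request, rules: list) -> tuple:
    """Run both stages and return (service name, returned attributes)."""
    return select_service(req), authorize(req, rules)


def demo() -> dict:
    """Evaluate a few constructed user names under both rule sets."""
    wlc = "192.0.2.10"   # constructed WLC address (TEST-NET-1)
    names = ["admin", "Admin", "padmin", "adm-bob", "alice"]
    return {
        n: {
            "contains": evaluate(Request("RADIUS", n, wlc), CONTAINS_ADMIN_RULES)[1],
            "prefix": evaluate(Request("RADIUS", n, wlc), PREFIX_ADMIN_RULES)[1],
        }
        for n in names
    }


if __name__ == "__main__":
    for user, result in demo().items():
        print(f"{user:10} contains-filter -> {result['contains']}  prefix-filter -> {result['prefix']}")
```

Running it shows the two weaknesses of the substring filter in one table: "Admin" falls through to the normal-user profile because the match is case-sensitive, while "padmin" (a perfectly ordinary user whose name happens to contain the substring) is handed Service-Type=6. The anchored, case-insensitive prefix rule fixes both, but the better answer in an identity-store-backed deployment is to key the rule on group membership rather than on the user-name string at all; that is outside what this offline model can show.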