Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ACS 5 Express and WLC 4400 device login

I am trying to get a WLC4404-100 to use a ACS Express 5.0 for authentication to the WLC for administration. I have the device in the ACs but it does not authenticate any users. If i switch to RADIUS on the WLC with Local as secondary in the priority list i can login with ACS local users database but then i get not privilege level of 15 on the WLC.

Does any one know how to setup a ACS Express 5.0 to authenticate users to manage a WLC4404 running 6.x code and be able to have full admin rights on the WLC?

4 REPLIES

Re: ACS 5 Express and WLC 4400 device login

New Member

Re: ACS 5 Express and WLC 4400 device login

thank you, i had already reviewed those docs prior to posting my message. I have the RADIUS piece working to let me authenticate but it does not send back to the WLC the privilege level for administering the WLC at level 15 or all level access. There is no doc i can find on customizing the RADIUS responses back to the WLC to tell it to give what privilege levels. And with TACACS as the priority the WLC login doe snot get authenticated at all even with a valid config on the ACS Express 5.0 appliance.

Is there anything else i can refer to to customize a RADIUS response back to the WLC. I know in ACS 4.x there is a way to add custom attributes on a device but i do not see how to set that up on the ACS Express 5.0 as it requires. Type Attribute etc to send as a response back and there is no table i can find. So either the WLC does not like TACACS over Radius / not supported or there has to ba a way to do this with RADIUS. Any thoughts?

New Member

Re: ACS 5 Express and WLC 4400 device login

I'm having similar challenges on my side.  I can see that ACS is authenticating me but the controller is looking for a certain service type.  If I come across a solution, I'll post it since the solution seems rather tough to come across (at least in terms of "google-ing it".)

New Member

Re: ACS 5 Express and WLC 4400 device login

Bob, I was able to figure it out.  I created a new Authorization Policy with my conditions, and then in the results I created a new shell profile (named WLC_Access).  In this profile, only go into the Custom Attributes and add a custom attribute named "role1" (no quotes) and the value is "ALL" (again, no quotes), this should give you access to the WLC.  I was hung up on setting the default Privilege Level to 15 which was causing grief.

Hope this helps, if you need a better explanation or screenshots let me know.

459
Views
0
Helpful
4
Replies