Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

RBAC (Roles Based Access Control) "Broken" in WCS

In my opinion, RBAC in WCS is broken. They have taken a good concept and implemented it wrong. The way it is currently working is as follows. Roles are defined in WCS. In ACS (or whatever Radius server you want to use), you have to first set up a new "Service" in the TACACS "Interface" configuration called "Wireless-WCS". All this is good. In WCS you then have to go to the "role" or Group that you want, click on task list and it will give you both a TACACs and Radius output that you have to take and then paste into the "Wireless-WCS" custom attribute box in ACS. An example for "SuperUser" role would be a list like below, note the real list is 48 different "tasks", I shortened it here.


task0=Users and Groups



task46=Auto Provisioning

task47=Voice Audit Report

Here is the problem. Why, if you have the role defined in WCS, do you have to repeat its definition in ACS? Why can't you simply pass the first line ("role0=SuperUsers") and have it use the defined role in WCS? This just seems silly. They changed the role of the "SuperUser" in the new 5.0 code too, which means if you assigned these at the user level, you would have to potentially go update a ton of User accounts in ACS so people would have access to their appropriate roles.

The last time I complained I was told that the reason for it was "The reason it had to be done that way is b/c WCS is not IOS based and the code dictates that it must be done that way.". Seems like a silly reason for not doing things in a good way...

Just letting everyone know so they can complain when they come across it. Maybe with enough complaints they'll fix it.. 8-)

CreatePlease to create content