Cisco 5508 Configuration Logging

michael.bartlett17 · ‎05-22-2014

I would like to be able to monitor who makes configuration changes to our 5508 WLC. I have setup the 'archive' feature on Cisco switches in the past however, I can't find a way to do this on our WLC.

I've had a look online for how to set this up but so far, I've had no luck.

Could someone please confirm if this is possible and if so, how I go about enabling the setting?

Thanks

Marvin Rhoads · ‎05-22-2014

You might get better responses by moving your question into the Wireless forum. We network management folks here will advise you to use a tool like Cisco Prime Infrastructure (or SolarWinds NCM) to archive the configurations off-box.

If your authentication is via Cisco ACS, you can also generate reports of who authenticated to the controller.

I'm not strong on the controller itself but don't think it can save prior configurations on-box.

michael.bartlett17 · ‎05-27-2014

Thanks for your reply Marvin.

I'm not look to archive the configurations, I'm hoping I'd be able to setup some logging that tells me who made configuration changes to the controller and what changes they made.

Hopefully someone will be able to advise if this is possible on the 5508.

Thanks

Saurav Lodh · ‎06-10-2014

Configuring RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides centralized security for users attempting to gain management access to a network. It serves as a backend database similar to local and TACACS+ and provides authentication and accounting services:

•Authentication—The process of verifying users when they attempt to log into the controller.

Users must enter a valid username and password in order for the controller to authenticate users to the RADIUS server.

Note When multiple databases are configured, you can use the controller GUI or CLI to specify the sequence in which the backend databases should be tried.

•Accounting—The process of recording user actions and changes.

Whenever a user successfully executes an action, the RADIUS accounting server logs the changed attributes, the user ID of the person who made the change, the remote host where the user is logged in, the date and time when the command was executed, the authorization level of the user, and a description of the action performed and the values provided. If the RADIUS accounting server becomes unreachable, users are able to continue their sessions uninterrupted.

RADIUS uses User Datagram Protocol (UDP) for its transport. It maintains a database and listens on UDP port 1812 for incoming authentication requests and UDP port 1813 for incoming accounting requests. The controller, which requires access control, acts as the client and requests AAA services from the server. The traffic between the controller and the server is encrypted by an algorithm defined in the protocol and a shared secret key configured on both devices.

You can configure up to 17 RADIUS authentication and accounting servers each. For example, you may want to have one central RADIUS authentication server but several RADIUS accounting servers in different regions. If you configure multiple servers of the same type and the first one fails or becomes unreachable, the controller automatically tries the second one, then the third one if necessary, and so on.