Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Gold

WCS/WLC read-only access

We use WCS and AAA in our wireless environment. Reading through the WCS user guide (http://www.cisco.com/en/US/docs/wireless/wcs/5.2/configuration/guide/5_2manag.html#wp1089936) , authorization seems awfully course grained. Is there a way to provide a security group with login and read-only rights to all aspects of all wireless components (or at least to WCS and all WLC)? Ideally, the security group would be able to login to any WLC at any time and verify settings, etc.

11 REPLIES
Hall of Fame Super Gold

Re: WCS/WLC read-only access

Sure you can.

On the WLC, go to Management -> Local Management User -> New -> under User Access Mode, choose ReadOnly.

Does this help?

Gold

Re: WCS/WLC read-only access

No, not really. We're using WCS to manage the infrastructure and we're using AAA authentication. Manually adding local users on a bunch of WLC's isn't really enterprise management.

Hall of Fame Super Gold

Re: WCS/WLC read-only access

So you want a script that will add Guest users, perhaps?

Gold

Re: WCS/WLC read-only access

no, we use a NAC guest server for that. This is about "management" access to the infrastructure. One group needs full read only access. I'll have to ask our local engineers.

Re: WCS/WLC read-only access

You may have already solved this but there is the information I use. I have only setup the WCS and WLC to use TACACS but you should be able to use Radius as well.

Cisco Unified Wireless Network TACACS+ Configuration

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

RADIUS Server Authentication of Management Users on the Controller Configuration Example

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml

Understanding RADIUS and TACACS+ Authentication on WCS

http://www.cisco.com/en/US/products/ps6305/products_tech_note09186a00809038e6.shtml

-Dan Laden

Gold

Re: WCS/WLC read-only access

here's where I'm struggling. In that doc it says:

-----------

In the text box below Custom attributes, enter this text if the user created needs access only to WLAN, SECURITY and CONTROLLER: role1=WLAN role2=SECURITY role3=CONTROLLER.

If the user needs access only to the SECURITY tab, enter this text: role1=SECURITY.

The role corresponds to the seven menu bar items in the controller web GUI. The menu bar items are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT and COMMAND.

-----------

This seems to imply that I can't grant READ-ONLY access to the MANAGEMENT tab...that it's an all or nothing thing. That's not enterprise thinking.

New Member

Re: WCS/WLC read-only access

Hi Jamal,

Did you ever find a solution?

I am in the same situation. I need to set up tacacs accounts that have read only access to WLC's.

Thanks


Sero

Re: WCS/WLC read-only access

You can achieve this with Radius with WCS. WCS uses the HTTP protocol with ACS remember. From the config guide check out : Figure 18-11     Export Task List Window:

http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0admin.html#wpmkr1064294

Cisco Employee

Re: WCS/WLC read-only access

Hi,


We need to follow following document to ensure that user with which we are logging in has the appropriate attributes assigned,


http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

What different roles means, please go through following document,


http://www.cisco.com/en/US/docs/wireless/controller/4.1/configuration/guide/c41sol.html#wp1208657


HTH


Regards,

JK


Plz rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**
New Member

Re: WCS/WLC read-only access

For WLCs, by using ROLE1=MONITOR in ACS, you effectively give the user Read Only access to the system. All menu items and settings can be seen, but cannot be changed. They look like they can be changed, but a message "Authorization Failed. Insufficient Privileges" message is returned. Your security group could audit the WLC without being able to change anything.

New Member

rtannerThanks a lot, it is

rtanner

Thanks a lot, it is working for me.

 

Regards,

Rizvan

10561
Views
15
Helpful
11
Replies