We use WCS and AAA in our wireless environment. Reading through the WCS user guide (http://www.cisco.com/en/US/docs/wireless/wcs/5.2/configuration/guide/5_2manag.html#wp1089936) , authorization seems awfully course grained. Is there a way to provide a security group with login and read-only rights to all aspects of all wireless components (or at least to WCS and all WLC)? Ideally, the security group would be able to login to any WLC at any time and verify settings, etc.
Sure you can.
On the WLC, go to Management -> Local Management User -> New -> under User Access Mode, choose ReadOnly.
Does this help?
No, not really. We're using WCS to manage the infrastructure and we're using AAA authentication. Manually adding local users on a bunch of WLC's isn't really enterprise management.
no, we use a NAC guest server for that. This is about "management" access to the infrastructure. One group needs full read only access. I'll have to ask our local engineers.
You may have already solved this but there is the information I use. I have only setup the WCS and WLC to use TACACS but you should be able to use Radius as well.
Cisco Unified Wireless Network TACACS+ Configuration
RADIUS Server Authentication of Management Users on the Controller Configuration Example
Understanding RADIUS and TACACS+ Authentication on WCS
here's where I'm struggling. In that doc it says:
In the text box below Custom attributes, enter this text if the user created needs access only to WLAN, SECURITY and CONTROLLER: role1=WLAN role2=SECURITY role3=CONTROLLER.
If the user needs access only to the SECURITY tab, enter this text: role1=SECURITY.
The role corresponds to the seven menu bar items in the controller web GUI. The menu bar items are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT and COMMAND.
This seems to imply that I can't grant READ-ONLY access to the MANAGEMENT tab...that it's an all or nothing thing. That's not enterprise thinking.
Did you ever find a solution?
I am in the same situation. I need to set up tacacs accounts that have read only access to WLC's.
You can achieve this with Radius with WCS. WCS uses the HTTP protocol with ACS remember. From the config guide check out : Figure 18-11 Export Task List Window:
We need to follow following document to ensure that user with which we are logging in has the appropriate attributes assigned,
What different roles means, please go through following document,
Plz rate helpful posts-
For WLCs, by using ROLE1=MONITOR in ACS, you effectively give the user Read Only access to the system. All menu items and settings can be seen, but cannot be changed. They look like they can be changed, but a message "Authorization Failed. Insufficient Privileges" message is returned. Your security group could audit the WLC without being able to change anything.