topic Re: WCS/WLC read-only access in Wireless

WCS/WLC read-only access

mhellman — Sun, 04 Jul 2021 00:19:31 GMT

We use WCS and AAA in our wireless environment. Reading through the WCS user guide (http://www.cisco.com/en/US/docs/wireless/wcs/5.2/configuration/guide/5_2manag.html#wp1089936) , authorization seems awfully course grained. Is there a way to provide a security group with login and read-only rights to all aspects of all wireless components (or at least to WCS and all WLC)? Ideally, the security group would be able to login to any WLC at any time and verify settings, etc.

Re: WCS/WLC read-only access

Leo Laohoo — Tue, 17 Mar 2009 01:21:08 GMT

Sure you can.

On the WLC, go to Management -> Local Management User -> New -> under User Access Mode, choose ReadOnly.

Does this help?

Re: WCS/WLC read-only access

mhellman — Tue, 17 Mar 2009 12:48:50 GMT

No, not really. We're using WCS to manage the infrastructure and we're using AAA authentication. Manually adding local users on a bunch of WLC's isn't really enterprise management.

Re: WCS/WLC read-only access

Leo Laohoo — Tue, 17 Mar 2009 21:29:13 GMT

So you want a script that will add Guest users, perhaps?

Re: WCS/WLC read-only access

mhellman — Wed, 18 Mar 2009 17:29:35 GMT

no, we use a NAC guest server for that. This is about "management" access to the infrastructure. One group needs full read only access. I'll have to ask our local engineers.

Re: WCS/WLC read-only access

Daniel Laden — Fri, 03 Apr 2009 00:11:09 GMT

You may have already solved this but there is the information I use. I have only setup the WCS and WLC to use TACACS but you should be able to use Radius as well.

Cisco Unified Wireless Network TACACS+ Configuration

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

RADIUS Server Authentication of Management Users on the Controller Configuration Example

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml

Understanding RADIUS and TACACS+ Authentication on WCS

http://www.cisco.com/en/US/products/ps6305/products_tech_note09186a00809038e6.shtml

-Dan Laden

Re: WCS/WLC read-only access

mhellman — Fri, 03 Apr 2009 13:16:54 GMT

here's where I'm struggling. In that doc it says:

-----------

In the text box below Custom attributes, enter this text if the user created needs access only to WLAN, SECURITY and CONTROLLER: role1=WLAN role2=SECURITY role3=CONTROLLER.

If the user needs access only to the SECURITY tab, enter this text: role1=SECURITY.

The role corresponds to the seven menu bar items in the controller web GUI. The menu bar items are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT and COMMAND.

-----------

This seems to imply that I can't grant READ-ONLY access to the MANAGEMENT tab...that it's an all or nothing thing. That's not enterprise thinking.

Re: WCS/WLC read-only access

serotonin888 — Wed, 20 Jan 2010 16:19:56 GMT

Hi Jamal,

Did you ever find a solution?

I am in the same situation. I need to set up tacacs accounts that have read only access to WLC's.

Thanks

Sero

Re: WCS/WLC read-only access

Lucien Avramov — Sat, 23 Jan 2010 20:28:58 GMT

You can achieve this with Radius with WCS. WCS uses the HTTP protocol with ACS remember. From the config guide check out : Figure 18-11 Export Task List Window:

http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0admin.html#wpmkr1064294

Re: WCS/WLC read-only access

Jatin Katyal — Sun, 24 Jan 2010 16:10:27 GMT

Hi,

We need to follow following document to ensure that user with which we are logging in has the appropriate attributes assigned,

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

What different roles means, please go through following document,

http://www.cisco.com/en/US/docs/wireless/controller/4.1/configuration/guide/c41sol.html#wp1208657

HTH

Regards,

Plz rate helpful posts-

Re: WCS/WLC read-only access

rtanner — Thu, 28 Jan 2010 22:56:13 GMT

For WLCs, by using ROLE1=MONITOR in ACS, you effectively give the user Read Only access to the system. All menu items and settings can be seen, but cannot be changed. They look like they can be changed, but a message "Authorization Failed. Insufficient Privileges" message is returned. Your security group could audit the WLC without being able to change anything.

rtannerThanks a lot, it is

RYBayramov — Mon, 27 Oct 2014 08:13:00 GMT

rtanner

Thanks a lot, it is working for me.

Regards,

Rizvan

Re: WCS/WLC read-only access

divanko — Fri, 15 Mar 2024 12:34:26 GMT

Here is a document for the 9800 series controllers using TACACS / ISE:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html