
ACS 5.2 and WLC "Allow AAA Override" question

Level 7


Using ACS 5.2 to authenticate wireless users (wireless setup is Cisco LWAPP APs and WLC). An ACS Service Policy authenticates/authorizes wireless users and sends the following RADIUS-IETF attributes back to the WLC:

Tunnel-Type: VLAN

Tunnel-Medium-Type: 802

Tunnel-Private-Group-ID: VLAN_NAME

The WLC SSID has "Allow AAA Override" enabled and places authenticated users into the VLAN specified by the ACS attributes - this works ok.

If I have a WLC SSID with "Allow AAA Override" disabled (i.e. I want the WLC to set the VLAN), I configure the ACS Service Policy authorization profile to simply "Permit Access". The user is authenticated OK but isn't placed in the VLAN specified by the WCS. If I configure the authorization policy to send the 3 "Tunnel" attributes shown above, the WLC 'ignores' these attributes and successfully places users into the correct VLAN.

Question is: if I have an SSID with "Allow AAA Override" disabled, should I still configure the ACS to return the 3 "Tunnel" attributes even though the WLC will ignore them?
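As an added illustration (not code from the original thread or from Cisco), the Python below encodes the three RFC 2868 tunnel attributes the post lists, parses them back out of an Access-Accept attribute list with length checks, and models the controller decision the thread is about: the returned VLAN is used only when Allow AAA Override is enabled and the triplet is consistent. The attribute numbers and enum values are the standard RADIUS ones; `assign_vlan` is a deliberate simplification of WLC behaviour, not its actual code.

```python
import struct

# RFC 2868 attribute types and the enum values used for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type: VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type: 802

def encode_vlan_avps(vlan_name: str, tag: int = 1) -> bytes:
    """Build the three AVPs an AAA server returns for a VLAN (tagged form)."""
    def avp(attr_type, payload):
        return struct.pack("!BB", attr_type, len(payload) + 2) + payload
    # Integer tunnel attributes: 1 tag octet + 3 value octets. Group-ID: tag + string.
    return (avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan_name.encode()))

def parse_avps(data: bytes) -> dict:
    """Walk a RADIUS AVP list and return {type: value bytes}; reject malformed lengths."""
    avps, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad AVP length")
        avps[attr_type] = data[i + 2:i + length]
        i += length
    return avps

def vlan_from_avps(avps: dict):
    """Return the VLAN name only if all three attributes form a consistent 802/VLAN triplet."""
    if not all(t in avps for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    tunnel_type = int.from_bytes(avps[TUNNEL_TYPE][1:], "big")      # skip tag octet
    medium = int.from_bytes(avps[TUNNEL_MEDIUM_TYPE][1:], "big")    # skip tag octet
    gid = avps[TUNNEL_PRIVATE_GROUP_ID]
    # For the string attribute a first octet > 0x1F is data, not a tag (RFC 2868 s.3.6)
    name = gid[1:] if gid and gid[0] <= 0x1F else gid
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802:
        return None
    return name.decode(errors="replace") or None

def assign_vlan(ssid_vlan: str, avps: dict, allow_aaa_override: bool) -> str:
    """Simplified WLC decision: override only when enabled AND a valid triplet came back."""
    returned = vlan_from_avps(avps)
    return returned if allow_aaa_override and returned else ssid_vlan
```

Feeding the same Access-Accept into `assign_vlan` with the flag on and off reproduces the two behaviours described in the question: the ACS VLAN wins only when the override is allowed.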



2 Replies

Jatin Katyal
Cisco Employee

Allow AAA Override gives the AAA Override precedence over the parameters set in the controller; if there are no AAA Overrides available for a given parameter, the operating system uses the parameters already in the controller. This AAA (RADIUS or other) Override can be used as a finer version of AAA Override, but only takes precedence over parameters when Allow AAA Override is enabled. When it's disabled, it should always use the parameters defined on the controller itself.



Do rate helpful posts~


Hello Jatin,

Thanks for the reply. Yes, that was my understanding of how AAA override worked. The problem I was having was due to the SSID; I ended up deleting and recreating it (Cisco WLC4404 running ver after that, the AAA override worked perfectly.