05-07-2015 08:37 AM - edited 03-10-2019 10:43 PM
We are deploying ACS 5.5 and after some work I have been able to get this to work, but I've got another issue.
Currently ACS uses AD authentication.
Under Access Policies and Service Selection Rules I created a rule for the WLC and moved it towards the top and was able to log in as the management user. However, this allows any user to log in as a management user.
If I move the rule down then I can log in as a read only user as I'm getting the default policy. And other users can also log in as read only users.
Any pointers on how to fix this?
05-07-2015 10:57 AM
Hello Mohammad, can you post a screen shot of your Access Policies.
Thank you for rating helpful posts!
05-07-2015 01:21 PM
05-11-2015 10:59 AM
Sorry for the delayed reply Mohammad, but work has been keeping me busy. Can you also provide a screenshot of the details of your access policy rules? I want to see the actual details.
Thank you for rating helpful posts!
05-27-2015 12:02 PM
05-29-2015 09:34 AM
Hi Muhammad. I think your rule #2 is getting hit before your WLC rule. Both rule-1 and rule-2 are very generic and are only set to match against Radius or Tacacs. As a result, those rules will always be hit first since they are very generic. That is probably why everything works when you put the WLC-Permit rule on the top.
It is recommended that you put your more specific rules towards the top and the less specific rules at the bottom. Hence the reason the default rule is at the bottom (if nothing else matches, then do this).
I hope this helps!
Thank you for rating helpful posts!
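The first-match behaviour described in the reply above, as an added example that is not part of the original thread and is not ACS code: it models an ordered rule list and flags rules that an earlier, more generic rule makes unreachable. The rule names come from the thread; the conditions, the service names, and the assumption that the WLC login arrives over Tacacs are hypothetical.

```python
# Constructed model of an ordered, first-match service selection policy.
# Rule names follow the thread; conditions and service names are assumptions.
RULES = [
    ("rule-1", {"protocol": "Radius"}, "generic-radius-service"),
    ("rule-2", {"protocol": "Tacacs"}, "generic-tacacs-service"),
    ("WLC-Permit", {"protocol": "Tacacs", "device_type": "WLC"}, "wlc-mgmt-service"),
]
DEFAULT_SERVICE = "default-service"

def select_service(rules, request):
    """Return (rule name, service) for the first rule whose conditions all match."""
    for name, cond, service in rules:
        if all(request.get(k) == v for k, v in cond.items()):
            return name, service
    return "Default", DEFAULT_SERVICE

def shadowed_rules(rules):
    """Return (rule, earlier rule) pairs where the later rule can never be hit.

    A rule is shadowed when an earlier rule's conditions are a subset of its
    own: every request that would match it has already matched the earlier one.
    """
    found = []
    for i, (name, cond, _) in enumerate(rules):
        for earlier, earlier_cond, _ in rules[:i]:
            if earlier_cond.items() <= cond.items():
                found.append((name, earlier))
                break
    return found

def specific_first(rules):
    """Stable reorder: rules with more conditions (more specific) go first."""
    return sorted(rules, key=lambda r: -len(r[1]))

if __name__ == "__main__":
    wlc_login = {"protocol": "Tacacs", "device_type": "WLC"}  # constructed request
    print("as configured:", select_service(RULES, wlc_login))
    print("shadowed:", shadowed_rules(RULES))
    fixed = specific_first(RULES)
    print("reordered:", select_service(fixed, wlc_login))
    print("shadowed after reorder:", shadowed_rules(fixed))
```
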