


Issue with TACACS+ on 9800 WLC


We are trying to correctly configure TACACS+ on our 9800 WLCs, so that we can manage CLI and GUI rights.

Device details :

  • AAA Server : Cisco ISE
  • WLC for testing : 9800-L 16.12.4a


Here's the story :

  • When we use a Policy Set like one we use for Switches, it works well for CLI, no problem. But for GUI, there's absolutely no access control. An account that has read-only access through CLI will have Full read and write access through GUI.
  • Then we try to see on ISE why and I saw something very strange : with a read and write account, I can see on ISE logs what is configured on 9800 through CLI, but through GUI, I can only see the "show" commands generated by GUI browsing, but absolutely no configuring commands are logged. It just hit our Shell Profile Priv 15, but absolutely no TACACS Command Set, which is nonsense because we have a shell profile AND a TACACS command set attached to every Authorization Rule on ISE.


My questions :

  • Do we have to create another custom Policy Set, Auth Profiles, Command Sets... that are not mentioned by Cisco ? If yes, what should be their content (like some Custom attributes) and how can we differentiate CLI traffic from GUI traffic on ISE ?
  • Am I missing a part or should we reconsider our Policy/Auth Rules designs (I can tell you the details) so that we can make it work ?
  • Is there an ongoing bug (didn't find any) for our versions ?


To anticipate one of your questions : I understand that these 9800 are working like switches (from TACACS point of view) because they are running IOS XE. So no problem we do not use again the same Policy Sets, Auth profiles, etc. as we use for AireOS WLC.

Every time we try to reach Cisco TAC, they directly close the case and share with us the official guide for configuring TACACS and RADIUS on 9800 :

Of course we followed this guide many times and it just doesn't work as expected.

Thank you for your help !



I never had a chance to play with the 9800 series, but under the read-only shell profile, can you add this to your existing attributes and test?




Thank you for your help.

Already tested (because we have this attribute for AireOS WLC) and it just doesn't work, we still have full read and write access through GUI.


Are you using the shell priv for level 15? Did you try level 7?

Greg Gibbs
Cisco Employee

If you're looking for full read-only access to the WLC 9800 GUI, this does not currently exist.

See this enhancement bug for info -

