Solved: limit admin access to specific AP group

phuoc.nt · ‎01-24-2021

Dear everyone,

My system has WLC, ISE, PI. My operator IT want to manage themselves all the APs that are installed inside their building.

On the WLC, we have AP group based on location but I don't know how to limit admin access to a specific AP group.

Could you please share your experience on this issue?

Thank you so much!

phuoc.nt · ‎01-26-2021

Thank you everyone for the clear explanation.

View solution in original post

Mohammed al Baqari · ‎01-24-2021

Hi,

The list of roles in WLC doesn't allow to limit access to single group of
APs. You cannot create custom roles like in other products such as CUCM for
example.

**** please remember to rate useful posts

Panos Bouras · ‎01-25-2021

HI @phuoc.nt

As @Mohammed al Baqari mentioned ISE controls access to WLC in the form of the vertical menus at WLC, so there's no way to limit access to specific AP group or any other sub-menu.

Check this guide also (Device Administration of Cisco WLC using TACACS+)

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-24/215125-device-administration-of-cisco-wlc-using.html

Thank you,Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

thomas · ‎01-25-2021

I assume you are talking about Device Administration with TACACS and not RADIUS for network access.

See https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine-24/215125-device-administration-of-cisco-wlc-using.html where it shows you can only control access to the individual tabs in the WLC. The WLC does not have options for finer control than the tabs in the web GUI.

phuoc.nt · ‎01-26-2021

Thank you everyone for the clear explanation.