Hello Samir-
For IOS Devices (Routers, switches, etc) you can create a policy that can:
1. Provide the users with a privilege level (1-15)
2. Create a Command Set that allows/denies the users from executing specific commands. This is called command level authorization and you must use TACACS+ as RADIUS is not supported. That way, you can give users privilege-level 15 but only allow them to run show commands.
For your WLC, you will need to create a separate policy that can be TACACS+ or RADIUS. The policy will have to return the following attribute:
role1=MONITOR
I hope this helps!
Thank you for rating helpful posts!