CLI Auvik user for a WLC 9800-L

rtudon

Hi guys! We have recently been implementing Auvik in our environment, and we want to create a user to unblock some features of this Auvik tool.

But since our WLC is configured with ISE, it always attempts to authenticate with it. Should we create this Auvik service user directly in ISE, or how could I make the Auvik user not try to authenticate with ISE?

Thank you guys!

 

Accepted Solutions

@rtudon now I got it.

The best approach here is for you to create a service user in your Active Directory, supposing you are using it integrated with ISE, and then give this user to Auvik to authenticate via ISE when accessing the WLC. This service user's password should not expire like a normal user's. This is the safer way to handle this.

Now, if this is not possible, you can create a local user on the WLC.

username <username> privilege 15 secret <password>

Then you need to create some kind of fallback so that the WLC looks locally first and then goes to ISE if the local user is not found.

aaa authentication login tacacs-authe-method local group TACACS-Group
aaa authorization exec tacacs-autho-method local group TACACS-Group

(Replace TACACS-Group accordingly.)

You can also do the opposite: first the WLC looks at ISE and, if not found, it will look locally.

 

aaa authentication login tacacs-authe-method group TACACS-Group local

 https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html
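
A check you could run against a saved running-config to see which method each vty range tries first, that is, whether a local account such as the Auvik service user would be checked before TACACS. This is an added example, not part of the original reply; the sample config, the `auvik-svc` username and the vty ranges are constructed assumptions.

```python
import re

# Constructed sample running-config (not from the thread). The list and group
# names follow the answer above; "auvik-svc" and the vty ranges are assumptions.
SAMPLE_CONFIG = """\
username auvik-svc privilege 15 secret 9 <hash-placeholder>
aaa authentication login tacacs-authe-method local group TACACS-Group
aaa authentication login default group TACACS-Group local
aaa authorization exec tacacs-autho-method local group TACACS-Group
line vty 0 4
 login authentication tacacs-authe-method
 authorization exec tacacs-autho-method
line vty 5 15
 transport input ssh
"""

LIST_RE = re.compile(r"aaa (authentication login|authorization exec) (\S+) (.+)")
BIND_RE = re.compile(r"(login authentication|authorization exec) (\S+)")

def parse(config):
    """Return (method_lists, vty_bindings) from running-config text."""
    lists, vty, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := LIST_RE.match(line):
            # Keep "group NAME" together as one method token.
            lists[(m[1], m[2])] = re.findall(r"group \S+|\S+", m[3])
            current = None
        elif line.startswith("line vty "):
            current = line[len("line "):]
            # With no explicit binding a line uses the list named "default".
            vty[current] = {"authentication login": "default", "authorization exec": "default"}
        elif current and raw.startswith(" ") and (m := BIND_RE.match(line)):
            kind = "authentication login" if m[1].startswith("login") else "authorization exec"
            vty[current][kind] = m[2]
        elif not raw.startswith(" "):
            current = None
    return lists, vty

def first_methods(config):
    """Map each vty range to the first method of its login and exec lists (None if undefined)."""
    lists, vty = parse(config)
    return {rng: {kind: (lists.get((kind, name)) or [None])[0] for kind, name in bound.items()}
            for rng, bound in vty.items()}

if __name__ == "__main__":
    for rng, firsts in first_methods(SAMPLE_CONFIG).items():
        print(rng, firsts)
```

In the constructed sample, `vty 5 15` has no explicit binding, so it resolves to the `default` login list, where TACACS is tried first; a named method list only affects the lines that reference it.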

 


3 Replies

@rtudon 

A bit unclear. Which kind of user are we talking about? RADIUS? TACACS? Auvik, as far as I could see, is a management tool, correct? What are you trying to manage with that? WLC health? Wireless users?

You can create a local user on the WLC and those users will not use ISE, if we are talking about TACACS here. Or you can create a PSK SSID and those SSIDs will not use ISE, if we are talking about RADIUS here.

I want to apologize, I didn't explain very well: this tool (Auvik) needs CLI access to the WLC; it needs it to see the health of the device and other data. Well, I generated a local user in the WLC to be used by the tool. The problem is that currently the WLC authentication works with TACACS, and this local user that I generated does not authenticate, and I do not know why.
