There are various options and possibilities when WCS users authenticate with ACS, not all combinations are explained in this document. However by reading one example, you should understand all the mechanisms to modify the example yourself to the precise configuration you want to achieve.
Example A:- Authenticating Lobby Ambassadors with TACACS+
Step1:- Adding the WCS in ACS AAA clients
On ACS, go to “Network Resources” => “Network devices and AAA clients”.
Create a new entry. Enter any name, the WCS ip address and enable TACACS with the shared secret you like (here we chose “Cisco”, which obviously is to be avoided for security reasons).
Step2:- Adding the ACS as tacacs server in WCS
Login to WCS. Go to Administration-> AAA.
There go to “TACACS+”. You can add a new server.
Enter the ACS ip address, the same shared secret as above and leave the rest as default.
On the left menu, click now on “AAA mode”.
Set it to TACACS+.
For safety reasons, it’s best to select “enable fallback to local on authentication failure or server no response”. This way we won't be locked out incase of problem. Once all is working you can always change this option later.
Step3:- Configuring the right shell profile on ACS
We now need ACS to return the right attributes to determine the user privileges on WCS.
WCS will actually tell you which attributes to configure.
Go to “Groups” (still under Administration->AAA).
You will see the list of user types. Since we are looking to authenticate Lobby Ambassadors, check the line of the “LobbyAmbassador” group. On the right you will see a link called “task list”. Click on it”.
It should give you this screen:-
Basically, you will have to return the user role (here Lobby ambassador) and a list of task they can do (it relates to menus they can access).
If you are return a recent release of WCS, you will also have to tell in which Virtual Domain the user will be.
Go to “Administration”->Virtual domains.
Click “Export. You will get a similar screen giving you the attributes to enter for each virtual domain:-
Let’s go and configure those attributes in ACS.
Go to “Policy Elements” -> “Authorization and Permissions” -> “Device Administration” -> Shell Profiles.
Create a new one. Give it a meaningful name (like “WCS” for example). And go to the “custom attributes” tab.
Configure the attributes like they were shown on WCS. IT should give something like this :
The way to enter the attributes is usually a source of confusion. As an example, to enter those attributes, we had to:-
type “role0” in the “Attribute” field
type “LobbyAmbassador” in the Value field
click the “add” button.
Etc… for the other attributes.
In ACS 4, it was possible to copy/paste the list of attributes from the WCS GUI to the ACS 4 GUI. They have to be entered one by one on ACS 5 and this can take some time. The future releases of ACS 5 will try to tackle this problem.
Step4: Configuring ACS to return the attributes
Having just a shell profile configured will not do the trick. We need more steps:-
Configure a user. We configure Lobbyad as a user on ACS and for ease of configuration we put him in the group “WCS-users” (but this is not required).
2. In “Access policies”, under Default Device Admin->Authorization, we configured a rule to match WCS authentication :
If the username belongs to WCS-users group, then we will return the “wcs” shell profile (which contains all the attributes we configured).
3. In case you want to configure other types of users like administrators, you will need another shell profile returning different attributes. From there on, you need to group administrators in a different group in order to differentiate and know what shell profile to return.
I would like to get some clarification regarding the user idle timeout WLAN configuration checkbox. I read on here that if you don't configure a idle time-out value within the WLAN the global system parameter will be used instead (which is 300 ...
Hi team,I pulled report from NCS for AP utilization, it gives multiple instance for same AP in AP Client statistics summary. ANy specific reason why its giving multiple instance. We are fine if its give two, becaus eof readio but single AP gives for insta...
Hello for everybody. There is a network of 5 remote sites and a central data center. We plan to implement the following wifi scheme - there are two wlc 3504 (high availability - one active and one standby ) in the central dc, to which all ap 2800 ser...
Hi Friends I have more Cisco Ap(Air-Cap-2702 E-E-K9 int my company everthing is ok but i have 2 problem1) When some user connect to specialy one AP these users after 2-3 minute disconnect from wifi what is reason? 2.4Ghz and 5GHZ is active . i ...
When connecting to the wireless network I have noticed that the clients will often skip an AP 10 feet away and connect to one two floors up and 100+ feet away. That doesn't sound very efficient and data rates are pretty poor.Can this be fixed?My test clie...