Login to WLC Using Https

jmorton1
Level 3

We have already implemented TACACS+ in order to log into the CLI of our WLC using our domain admin creds. We are looking to do the same thing for web ui of the wlc. We already tried going under AAA Advanced and setting authentication and authorization to the same AAA group as SSH, along with creating an authorization policy in ISE that has the WLC ALL TACACS+ Profile. However, the authorization profile is actually blocking authorization for SSH access and when we do log into web ui, it is coming up with read-only access. What do we need to be doing differently?

Accepted Solution

jmorton1
Level 3

I figured it out, and it was due to me failing to read the first few lines of the document concerning read-only access.
The existing SSH Admin Access policy we had in place for the CLI had priv 1 as default and priv 15 as the maximum in order to force us to have to enter an enable password. However, this was causing the web ui to load with priv 1 and not 15. Once I changed the default to privilege level 15 then I was able to log into the web ui with full admin.

Thanks everyone!

8 Replies

Mark Elsen
Hall of Fame

@jmorton1 Have a look at: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html

For troubleshooting: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html#toc-hId--898159109

M.



-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Rainer Maria Rilke (1899)

balaji.bandi
Hall of Fame

What version of WLC IOS XE code, and is this AAA ISE?

Check the guide below and post what errors you are getting on ISE to understand the issue.

https://www.wiresandwi.fi/blog/cisco-wlc-9800-aaa-tacacs-device-administration-configuration-cli

BB


jmorton1
Level 3

There are no errors related to this. The WLC is on IOS XE 26.1.1 and ISE is on 3.5 Patch 3

aleabrahao
Meraki Community All-Star

You just need to configure your device admin authorization policy similar to this.

[Screenshot: aleabrahao_0-1781289506673.png]

Remember to set the tacacs profile with privilege 15.

[Screenshot: aleabrahao_1-1781289651404.png]

After that, you just need to define the auth list in the WLC's HTTPS management configuration.

[Screenshot: aleabrahao_2-1781289763450.png]

Take a look at the documentation:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
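For readers who prefer the CLI over the screenshots, the following is an added example (not from the thread or from Cisco's guide) of the 9800 side of this setup: the same TACACS+ authentication and exec-authorization lists applied to both the vty lines and the HTTPS server. The server name, address, shared secret and list names are placeholders.

```text
! Added example: Catalyst 9800 AAA for SSH and web UI via TACACS+ (ISE).
! ISE-PSN-1, 192.0.2.10, the shared secret and list names are placeholders.
aaa new-model
!
tacacs server ISE-PSN-1
 address ipv4 192.0.2.10
 key <shared-secret>
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN-1
!
! "local" is the fallback method so a TACACS outage does not lock
! administrators out; it requires a local priv-15 user to be defined.
aaa authentication login TAC-LOGIN group ISE-TACACS local
aaa authorization exec TAC-EXEC group ISE-TACACS local
!
! CLI (SSH): login and exec authorization on the vty lines
line vty 0 15
 transport input ssh
 login authentication TAC-LOGIN
 authorization exec TAC-EXEC
!
! Web UI (HTTPS): the same two lists. The exec authorization result
! carries the privilege from the ISE shell profile. The GUI has no
! "enable" prompt, so it runs at the profile's *default* privilege:
! default 1 / max 15 opens the GUI read-only, default 15 opens full admin.
ip http secure-server
ip http authentication aaa login-authentication TAC-LOGIN
ip http authentication aaa exec-authorization TAC-EXEC
```

Verify with `show aaa servers` and `test aaa group ISE-TACACS <user> <password> legacy` before relying on the fallback, and confirm in the ISE TACACS Live Log that the web login matches the intended device-admin policy.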

jmorton1
Level 3

I have been going through this guide and I seem to have things configured the way it suggests, but when I sign into https, it still only gives me WLC Monitor view. For the authorization, it is hitting the Device Admin Policy that allows Privilege 15 for SSH for members of a certain AD group. I tried setting up a separate policy in device admin with a shell profile with WLC ALL, but devices are not hitting that policy when trying to sign in with https. If I move that policy to the top of the list, then it blocks authorization to SSH.

aleabrahao
Meraki Community All-Star

You're probably forgetting something. I suggest you review everything and check the TACACS logs in ISE; you'll usually find the cause of the problem there.

Good luck.


aleabrahao
Meraki Community All-Star

Another detail: on the 9800 you don't need a separate policy for SSH and web access; the same policy serves for both. It's very likely you're encountering a different policy.

If the details of your configuration and logs aren't clear, there's not much to say.

