Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
16497
Views
15
Helpful
12
Replies

WCS/WLC read-only access

mhellman
Level 7
Level 7

‎03-16-2009 06:48 AM - edited ‎07-03-2021 05:19 PM

We use WCS and AAA in our wireless environment. Reading through the WCS user guide (http://www.cisco.com/en/US/docs/wireless/wcs/5.2/configuration/guide/5_2manag.html#wp1089936) , authorization seems awfully course grained. Is there a way to provide a security group with login and read-only rights to all aspects of all wireless components (or at least to WCS and all WLC)? Ideally, the security group would be able to login to any WLC at any time and verify settings, etc.

Labels:
0 Helpful
12 Replies 12

Leo Laohoo
Hall of Fame
Hall of Fame

‎03-16-2009 06:21 PM

Sure you can.

On the WLC, go to Management -> Local Management User -> New -> under User Access Mode, choose ReadOnly.

Does this help?

mhellman
Level 7
Level 7
In response to Leo Laohoo

‎03-17-2009 05:48 AM

No, not really. We're using WCS to manage the infrastructure and we're using AAA authentication. Manually adding local users on a bunch of WLC's isn't really enterprise management.

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame
In response to mhellman

‎03-17-2009 02:29 PM

So you want a script that will add Guest users, perhaps?

0 Helpful

mhellman
Level 7
Level 7
In response to Leo Laohoo

‎03-18-2009 10:29 AM

no, we use a NAC guest server for that. This is about "management" access to the infrastructure. One group needs full read only access. I'll have to ask our local engineers.

0 Helpful

Daniel Laden
Level 4
Level 4

‎04-02-2009 05:11 PM

You may have already solved this but there is the information I use. I have only setup the WCS and WLC to use TACACS but you should be able to use Radius as well.

Cisco Unified Wireless Network TACACS+ Configuration

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

RADIUS Server Authentication of Management Users on the Controller Configuration Example

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml

Understanding RADIUS and TACACS+ Authentication on WCS

http://www.cisco.com/en/US/products/ps6305/products_tech_note09186a00809038e6.shtml

-Dan Laden

0 Helpful

mhellman
Level 7
Level 7
In response to Daniel Laden

‎04-03-2009 06:16 AM

here's where I'm struggling. In that doc it says:

-----------

In the text box below Custom attributes, enter this text if the user created needs access only to WLAN, SECURITY and CONTROLLER: role1=WLAN role2=SECURITY role3=CONTROLLER.

If the user needs access only to the SECURITY tab, enter this text: role1=SECURITY.

The role corresponds to the seven menu bar items in the controller web GUI. The menu bar items are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT and COMMAND.

-----------

This seems to imply that I can't grant READ-ONLY access to the MANAGEMENT tab...that it's an all or nothing thing. That's not enterprise thinking.

0 Helpful

serotonin888
Level 1
Level 1
In response to mhellman

‎01-20-2010 08:19 AM

Hi Jamal,

Did you ever find a solution?

I am in the same situation. I need to set up tacacs accounts that have read only access to WLC's.

Thanks


Sero

0 Helpful

Lucien Avramov
Level 10
Level 10

‎01-23-2010 12:28 PM

You can achieve this with Radius with WCS. WCS uses the HTTP protocol with ACS remember. From the config guide check out : Figure 18-11     Export Task List Window:

http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0admin.html#wpmkr1064294

Jatin Katyal
Cisco Employee
Cisco Employee
In response to Lucien Avramov

‎01-24-2010 08:10 AM

Hi,


We need to follow following document to ensure that user with which we are logging in has the appropriate attributes assigned,


http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml

What different roles means, please go through following document,


http://www.cisco.com/en/US/docs/wireless/controller/4.1/configuration/guide/c41sol.html#wp1208657


HTH


Regards,

JK


Plz rate helpful posts-

~Jatin
0 Helpful

rtanner
Level 1
Level 1

‎01-28-2010 02:56 PM

For WLCs, by using ROLE1=MONITOR in ACS, you effectively give the user Read Only access to the system. All menu items and settings can be seen, but cannot be changed. They look like they can be changed, but a message "Authorization Failed. Insufficient Privileges" message is returned. Your security group could audit the WLC without being able to change anything.

RYBayramov
Level 1
Level 1
In response to rtanner

‎10-27-2014 01:13 AM

rtanner

Thanks a lot, it is working for me.

 

Regards,

Rizvan

0 Helpful

divanko
Level 1
Level 1

‎03-15-2024 05:34 AM

Here is a document for the 9800 series controllers using TACACS / ISE:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card