
Wireless 5508

CiscoDOJones
Level 1

Hello,

 

I'm pretty sure this is not possible, but would love to be proved wrong, or for an alternative solution to be available.

 

We have a Cisco 5508 WLC with nearly 500 APs. We are about to provide a managed WiFi service at a remote site and will use the FlexConnect feature on the APs for local switching. The site IT guys would like access to the controller to add new SSIDs, do password resets and make other low-level changes.

Is there a way to allow this access to only their APs at the site? We are running version 8.0.121.0.

User Access Modes are read/write, read and Lobby. I do not believe there are any other modes or granular access available.

 

I've had a read on ISE, which I do not think will work, and Cisco DNA Center, although good, will not provide this solution.

 

Thanks, everyone.

 

 

1 Accepted Solution


If you have Cisco Prime you can create "scripts" that automate those changes.

 

For example, you create a script that only has permissions over the PSK SSID at site X. You would then create a virtual domain in Prime and then assign the site IT to that domain.

 

They could log into Prime and see the script you made and change the PSK from there. I have a similar scenario set up for a customer; it is not exactly as you describe, but I am pretty sure I could get it 99% of the way to what you want.

 

Cisco Prime is the crux of it though. 


4 Replies

patoberli
VIP Alumni
No that's not possible with just the WLC.
There is also the product Prime Infrastructure, which allows more fine-grained control, but I don't know if your exact scenario is covered.

Regarding password resets, do you work with local WLC users? If not, then those password resets have to be done on the RADIUS/AD servers anyway and not on the WLC.

The only solution I'd see, depending on the amount of APs, would be to provide them with their own WLC, maybe a 3504, but I don't recommend that, as you want to provide a "managed WiFi service".

Hi Mikey Boy,

 

We do have Prime, but did not think that would be a viable option. Thanks for the pointer on using the virtual domain. I will look into this further.

 

Their current WLCs are end of life, and I think they do not want to lose the control of local admin at their multi-floor, multi-tenant building. They are hiding behind there being an extra step in the chain to slow things down, making them less reactive to customer requests and needs. Once done, after the initial "buzz", I'll check the logs; I bet they never log in!!!  :)

 

Cheers again

Hi, no problem. I generally find that Prime can be a bit of a pain to get working how you want so a lot of customers don't get as much from it as they should do.

 

If you look under Features and Technologies -> CLI scripts, I would be looking to make scripts under here that perform main tasks on the WLC. The IT staff do not necessarily need access to the whole WLC config, so this sounds like a good route.

 

For example, the script below would present the user with a text box asking for a PSK.

 

config wlan disable 15
config wlan security wpa akm psk set-key ascii $charKey 15
config wlan enable 15

 

If they enter the PSK and deploy it, it will update WLAN ID 15 with the new PSK on the WLC that they are granted permission over.

 

The field the user would see of the above script would be:

 

field.PNG

 

Regards
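
An added example, not part of the thread and not Cisco or Prime code: a pre-check one could apply to a delegated PSK change before the value is substituted into the three CLI lines quoted above, so a site user can only re-key the WLAN IDs assigned to them and the key stays a single token on one line. The `SITE_WLANS` mapping, the site name and the function names are assumptions made for illustration.

```python
import re

# Hypothetical delegation map (assumption): WLAN IDs each site's IT staff may re-key.
SITE_WLANS = {"site-x": {15}}

# WPA/WPA2 ASCII passphrases are 8 to 63 characters. This example also refuses
# spaces and control characters so the value stays one CLI token on one line.
PSK_RE = re.compile(r"[\x21-\x7e]{8,63}")


class RejectedChange(ValueError):
    """Raised when a requested PSK change falls outside the delegation."""


def render_psk_change(site: str, wlan_id: int, psk: str) -> list[str]:
    """Return the three CLI lines from the post, or raise RejectedChange."""
    allowed = SITE_WLANS.get(site, set())
    if wlan_id not in allowed:
        raise RejectedChange(f"{site!r} may not modify WLAN {wlan_id}")
    # fullmatch (not match) so a trailing newline cannot slip past the pattern.
    if not PSK_RE.fullmatch(psk):
        raise RejectedChange("PSK must be 8-63 printable ASCII characters, no spaces")
    return [
        f"config wlan disable {wlan_id}",
        f"config wlan security wpa akm psk set-key ascii {psk} {wlan_id}",
        f"config wlan enable {wlan_id}",
    ]


def try_change(site: str, wlan_id: int, psk: str) -> str:
    """Demo helper: 'ok' or the rejection reason."""
    try:
        render_psk_change(site, wlan_id, psk)
        return "ok"
    except RejectedChange as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample requests: valid, wrong WLAN, too short, multi-line value.
    samples = [
        ("site-x", 15, "Correct-Horse-42"),
        ("site-x", 3, "Correct-Horse-42"),
        ("site-x", 15, "short"),
        ("site-x", 15, "good-key-123\nconfig wlan enable 3"),
    ]
    for site, wlan_id, psk in samples:
        print(site, wlan_id, "->", try_change(site, wlan_id, psk))
```
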
