Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
540
Views
0
Helpful
1
Replies

Wireless role back access control

remysyaku
Beginner
Beginner

‎08-14-2012 06:33 PM - edited ‎07-03-2021 10:32 PM

Hi,

We need to create one user for wireless management which only can do specific command on wireless controller. What we can find out is only join the controller to ACS(TACACS+) which only can perform below:

The available roles are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, COMMANDS, ALL, and LOBBY.

Is there any other way to drill down on specifi command? Example we need the local admin ONLY to configure mac filtering

Labels:
0 Helpful
1 Reply 1

Amjad Abdullah
Engager
Engager

‎08-15-2012 02:46 AM

Unfortunately, per command authorization is not available with WLC. You can authorize only based on the roles.

Authorization—The process of determining the actions that users are allowed to take on the controller based on their level of access.


For TACACS+, authorization is based on privilege (or role) rather than specific actions. The available roles correspond to the seven menu options on the controller GUI: MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, and COMMANDS. An additional role, LOBBY, is available for users who require only lobby ambassador privileges. The roles to which users are assigned are configured on the TACACS+ server. Users can be authorized for one or more roles. The minimum authorization is MONITOR only, and the maximum is ALL, which authorizes the user to execute the functionality associated with all seven menu options. For example, a user who is assigned the role of SECURITY can make changes to any items appearing on the Security menu (or designated as security commands in the case of the CLI). If users are not authorized for a particular role (such as WLAN), they can still access that menu option in read-only mode (or the associated CLI show commands). If the TACACS+ authorization server becomes unreachable or unable to authorize, users are unable to log into the controller.







Note If users attempt to make changes on a controller GUI page that are not permitted for their assigned role, a message appears indicating that they do not have sufficient privilege. If users enter a controller CLI command that is not permitted for their assigned role, a message may appear indicating that the command was successfully executed although it was not. In this case, the following additional message appears to inform users that they lack sufficient privileges to successfully execute the command: "Insufficient Privilege! Cannot execute command!"

reference: http://tiny.cc/3ct2iw

You may assign a user security privilege and that will give him privilege for mac filter addition.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents