In this post we will see how to control access to the WLC for different types of users using TACACS (ACS 5.2).

I will create 3 different user types (Admin, User, Guest). The “Admin” user has full access to the WLC (modify, add, delete, etc.). The “User” can modify the “WLAN” & “WIRELESS” sections of the WLC; all other areas are read-only. Guest users only have access to the “Monitor” section of the WLC.

First make sure your WLC is configured with ACS for AAA (Authentication/Accounting/Authorization). Here is the screenshot of the WLC configured with ACS for Authentication. You have to do this for Accounting & Authorization as well.


Then change the priority order for management users (in Security -> Priority Order -> Management User section). Ensure that TACACS+ is checked first & then local.


In ACS, first you have to add your WLC in the Network Resources -> Network Devices & AAA Clients section, as shown below. You can create a Location group & a Device Type group if you require more granular conditions later on. I have created an “HQ” location group & a “WLC” device type group for this. I used the same shared secret key that was used on the WLC.


Then we will create Identity Groups for those 3 different types of users.


Then create 3 different users, one in each of the 3 separate groups created.


Then go to Policy Elements to define 3 different policies for this. Here is how you create them (Policy Elements -> Authorization & Permissions -> Device Administration -> Shell Profile). Once you give a Name & Description under the General tab, you have to go to Custom Attributes to specify the roles.

For the Admin user, “role1” should be “ALL” (unfortunately these are case sensitive, so ensure there are no spaces, etc.). I tried with Role1 & it did not work. Therefore ALL, WLAN, MONITOR, SECURITY should be entered exactly as written.


Remember to click the Add button before you hit the Submit button.


Here is the setting for the Non-Admin User (access to the WLAN & WIRELESS sections of the WLC).


Here is the Guest user policy, which only permits the “MONITOR” section of the WLC.
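
A pre-check for the custom attributes of the three shell profiles above, as an added example that is not part of the original post or of ACS itself: it flags the case and whitespace mistakes described earlier before the values are typed into a shell profile. The role list holds only the values named in this post, and the function name and the broken sample profile are constructed for illustration.

```python
import re

# Role values named in this post (assumption: extend with any others your WLC documents).
KNOWN_ROLES = {"ALL", "WLAN", "WIRELESS", "MONITOR", "SECURITY"}
ATTR_NAME = re.compile(r"role[1-9][0-9]*")  # lowercase "role" followed by an index


def lint_shell_profile(attrs):
    """Return a list of problems found in {attribute: value} custom attributes."""
    problems = []
    seen = set()
    for name, value in attrs.items():
        if not ATTR_NAME.fullmatch(name):
            problems.append(f"{name!r}: attribute name must be lowercase roleN")
        if any(ch.isspace() for ch in value):
            problems.append(f"{name!r}: value {value!r} contains whitespace")
        elif value not in KNOWN_ROLES:
            hint = " (wrong case)" if value.upper() in KNOWN_ROLES else ""
            problems.append(f"{name!r}: value {value!r} is not a known role{hint}")
        elif value in seen:
            problems.append(f"{name!r}: role {value!r} is listed twice")
        seen.add(value)
    return problems


# The three profiles as described in the post, plus one constructed broken profile.
PROFILES = {
    "WLCAdmin": {"role1": "ALL"},
    "WLCUser": {"role1": "WLAN", "role2": "WIRELESS"},
    "WLCGuest": {"role1": "MONITOR"},
    "Broken (constructed)": {"Role1": "ALL", "role2": "Wireless", "role3": "WLAN "},
}


def lint_all(profiles):
    """Map each profile name to its list of problems (empty list means clean)."""
    return {name: lint_shell_profile(attrs) for name, attrs in profiles.items()}


if __name__ == "__main__":
    for profile, problems in lint_all(PROFILES).items():
        print(profile, "OK" if not problems else "")
        for p in problems:
            print("   ", p)
```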


In the same section (Device Administration -> Command Set) you have to create a command set. Here we allow all TACACS commands, since the shell profiles we created already limit the user scope.


Now you can define a rule set for each type of user request. For the WLCAdmin rule, you can match TACACS requests coming from the “WLC” device group where the user belongs to “Admin-Group”. Once this condition matches, it will select the “WLCAdmin” shell profile you created in the earlier step.


Here are the rules for WLCUser.


Here is the rule created for WLCGuest.


Once you do this, your rule set should appear like this. You can change the order by hitting the Up or Down arrow button as shown (to ensure more specific rules are first).


Now it is time to test. First, log in as the WLCGuest user called “mrnguest”. If you try to modify any setting & apply it, you will get an error message like this.


If you log in as the WLCUser called “mrnuser”, you can modify any settings under the WLAN & WIRELESS tabs of the WLC. But if you try to modify any setting other than these two, you will get a similar error message.


For the WLCAdmin user called “mrnadmin”, you will see that he can do anything, with no error messages.

If you go to ACS you can verify successful login of these 3 different users.
