In this  post we will see how to control WLC access via RADIUS, where ACS 5.2 used as the RADIUS server.

First you need to add WLC in to your ACS as an AAA device. Ensure shared secret configured for RADIUS option & if you have created a Device Type group or Location Group select those as well.


I have created two user group in ACS ( Users and Identity Store ->Identity Group section as shown below)WLC-Access-RADIUS-01

Then create the two users and assign them to the groups created above. You can do this via “Users & Identity Stores -> Internal Identity Stores -> User ” section as shown below


Since RADIUS only support Authentication/Accounting you have to use  Network Access Authorization Profiles to do this. (In TACACS you have seperate Device Admin section to control this)

So we will create a policy element called “WLCUser”  in Policy Elements -> Authorization & Permissions -> Network Access -> Authorization Profiles section as shown below. RADIUS attribute needs to select is “Service-Type  or ID=6)


Then attribute value needs to be selected. Since this is Read-Only user attribute value should be NAS Prompt. For full admin user this value should be “Administrative” & Lobby Ambassador it should be “Callback Administrative”


It is important to hit “Add^” button to ensure selected values properly configured. If you hit submit button without this step settings will not saved.


Once you hit the “Add” button then you can click submit button as shown below.


You have to follow the similar steps for WLCAdmin profile created for Admin users. As described earlier attribute value should be “Administrative”. Here is the attribute value setting for WLCAdmin profile.


Then in the Access Policies section you have to create a Rule for Admin users & Non-Admin users as shown below. I have selected device type & Identity Group for the conditions.


You can select the previously defined rule & by clicking “Duplicate” button you can easily recreate a rule & modify it to suit the Non-Admin user.


Once you created the Rules you should have something similar to this.


That’s finish the ACS configuration. You have to add ACS as RADIUS server on your WLC and select the correct priority order for Management User of WLC. Below Screen shows how to do this. You have to go to “Security -> AAA -> RADIUS -> Authentication” section to do this.


You have to select priority order ” Local” & then ” RADIUS” to ensure that you will not be lock yourself out in case of wrong configuration with radius. Unless RADIUS server is unreachable you cannot fall-back to local.


Now you can check the WLC access to those two different user. With a “Non Admin-Group” user you should be able to view any WLC config settings, but should not able to modify any configurations. With a “Admin-Group” user credential you would have full administrative access to the WLC.

Related Posts

1. WLC Access via TACACS
2. WLC Access via RADIUS (ISE1.2)