EMAIL SUPPORT
dclessons@dclessons.comLOCATION
USConfiguring AAA on Cisco WLC
AAA Configuration for WLC
In this, make sure that Network device object is configured correctly and is assigned to appropriate Network Device Groups. Once it is done, next step would be create authorization results and Configure WLC policy.
Prepare Network Device
In order to configure Network Device object, Go to Work Centers | Device Administration | Network Resources | Network Device Groups.
Below figure correctly describes the NGD Hierarchy.
Now in order to configure WLC as network object in ISE, use below steps:
Work Centers | Device Administration | Network Resources | Network Devices| Click the WLC or click Add to create a new object.
Ensure that the NDGs are assigned properly and the TACACS+ shared secret is configured correctly.
Configure Policy Results
- Here we will configure policy result for two profile, Dclessons_WLC_NetAdmin and dclessons_WLC_Employee.
- Go to Work Centers | Device Administration | Policy Elements | Results | TACACS Profiles and see the default profile created.
Create Dclessons_WLC_NetAdmin Profile
Click Add | Name the profile | From the Common Task Type drop-down list, choose WLC | Click the All | Click Submit.
Create Employee Profile
From the TACACS Profiles screen | Click Add | Name the profile dclessons_WLC_Employee | Click the Lobby | Click Submit.
Configure Policy Set
Now here we will see the WLC device administration policy set.
Configure Authorization rule for Network Admin.
- Work Centers | Device Administration| Device Admin Policy Sets | Click the previously created Wireless Controllerspolicy set.
- Insert a new authorization rule above the Tacacs_Default rule | Name the rule
- Set the condition to be an external group from AD| There are no command sets for the WLC, so you can ignore that option.
- For the shell profile, select Dclessons_WLC_NetAdmin | Click Done | Click Save.
Configure Authorization rule for Rest of Employee
- Insert a rule above the Tacacs_Default rule| Name the rule
- Set the condition to be an external group from AD | for the shell profile, select dclessons_WLC_Employee | Click Done | Click Save.
Adding ISE to WLC TACACS+ Servers
Here we will configure WLC to authenticate and authorize users. Here ISE needs to add to WLC as a TACACS+ servers for authentication, Authorization and Accounting.
- Go to Security | AAA | TACACS+ | Authentication | Click New.
- Complete the Server IP Address and Shared Secret/Confirm Shared Secret text boxes | Click Apply.
Use same method for authorization and accounting.
Now we will configure WLC to use TACACS+ for administrative access.
- Security | Priority Order | Management User.
- Ensure that TACACS+ is at the top of the Order Used for Authentication list | Click Apply
Comment
TABLE OF CONTENTS
- How to Install ISE 2.4 VM
- Initial ISE Setup
- ISE Certificate Installation
- ISE AD Integration
- Configure ISE Policy Set
- Configure Guest Access
- Guest Access With HotSpot Portal
- Guest Self-Registration for Guest Access
- Enable Self Registration with Sponsor Approval
- Configure ISE Profiling
- Customize ISE Profiling Configuration
- Configure BYOD
- Configuring ISE Compliance Services
- Configure Client Provisioning
- Configure Posture Policies
- Test & Monitor Client Based Access
RECENT POSTS
- What is Docker and Why is It Important?
- Learn Python 3.0 Programming for Network Automation
- Cisco ACI Data Centre: A Comprehensive Overview
- How to Prepare for the Microsoft Azure AZ-305 Exam
- AWS Training Certification Course for Solutions Architect
- Cisco SASE Architecture
- SASE vs SD-WAN
- What is SASE
- Accessing Amazon S3 using AWS private Link in Secure hybrid method.
- Cisco Smart Licensing Policy
LEAVE A COMMENT
Please login here to comment.