Configuring AAA on Cisco WLC
AAA Configuration for WLC
In this section, first make sure that the WLC's Network Device object in ISE is configured correctly and is assigned to the appropriate Network Device Groups (NDGs). Once that is done, the next steps are to create the authorization results (TACACS+ profiles) and configure the WLC device administration policy set.
Prepare Network Device
In order to configure the Network Device object, go to Work Centers | Device Administration | Network Resources | Network Device Groups.
The figure below shows the NDG hierarchy.
Now, in order to configure the WLC as a network device object in ISE, use the following steps:
Work Centers | Device Administration | Network Resources | Network Devices | Click the WLC, or click Add to create a new object.
Ensure that the NDGs are assigned properly and that the TACACS+ shared secret is configured correctly (it must match the secret later entered on the WLC).
Configure Policy Results
- Here we will configure policy results for two TACACS+ profiles, Dclessons_WLC_NetAdmin and dclessons_WLC_Employee.
- Go to Work Centers | Device Administration | Policy Elements | Results | TACACS Profiles and note the default profile that is already created.
Create Dclessons_WLC_NetAdmin Profile
Click Add | Name the profile Dclessons_WLC_NetAdmin | From the Common Task Type drop-down list, choose WLC | Select the All role | Click Submit.
Create Employee Profile
From the TACACS Profiles screen | Click Add | Name the profile dclessons_WLC_Employee | From the Common Task Type drop-down list, choose WLC | Select the Lobby role | Click Submit.
Configure Policy Set
Here we will build the WLC device administration policy set.
Configure the authorization rule for Network Admins.
- Work Centers | Device Administration | Device Admin Policy Sets | Click the previously created Wireless Controllers policy set.
- Insert a new authorization rule above the Tacacs_Default rule | Name the rule.
- Set the condition to be an external group from AD | There are no command sets for the WLC, so you can ignore that option.
- For the shell profile, select Dclessons_WLC_NetAdmin | Click Done | Click Save.
Configure the authorization rule for the rest of the employees.
- Insert a rule above the Tacacs_Default rule | Name the rule.
- Set the condition to be an external group from AD | For the shell profile, select dclessons_WLC_Employee | Click Done | Click Save.
Adding ISE to WLC TACACS+ Servers
Here we will configure the WLC to authenticate and authorize management users against ISE. ISE needs to be added to the WLC as a TACACS+ server for authentication, authorization and accounting.
- Go to Security | AAA | TACACS+ | Authentication | Click New.
- Complete the Server IP Address and Shared Secret/Confirm Shared Secret text boxes | Click Apply.
Use the same method for Authorization and Accounting.
Now we will configure the WLC to use TACACS+ for administrative access.
- Security | Priority Order | Management User.
- Ensure that TACACS+ is at the top of the Order Used for Authentication list | Click Apply.
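The same WLC-side steps expressed as AireOS CLI commands, as an added example that is not part of the original page. The server address 10.1.1.5, the index 1 and the secret are placeholders to replace with your ISE node and the shared secret configured on the Network Device object; lines beginning with # are annotations, not commands.

```text
# Add ISE as TACACS+ authentication, authorization (athr) and accounting server.
# The ascii secret must match the TACACS+ shared secret on the ISE Network Device object.
config tacacs auth add 1 10.1.1.5 49 ascii REPLACE_WITH_SHARED_SECRET
config tacacs athr add 1 10.1.1.5 49 ascii REPLACE_WITH_SHARED_SECRET
config tacacs acct add 1 10.1.1.5 49 ascii REPLACE_WITH_SHARED_SECRET

# Management-user priority order: TACACS+ first, local accounts as the fallback.
# Keeping local last means a lost TACACS+ server does not lock administrators out.
config aaa auth mgmt tacacs local

# Verify the server entries and the management authentication order before saving.
show tacacs summary
show aaa auth

save config
```

After saving, log in with an account in the AD network-admin group and one in the employee group and confirm that the first receives the full (All) menu and the second only the Lobby Ambassador view; the TACACS+ accounting log on ISE should show both sessions.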