Document ID: 113214
Introduction
This document describes how to use Cisco Secure Access Control Server (ACS) 5.x in order to configure Cisco Wireless Control System (WCS) and Cisco Prime Network Control System (NCS) administration.
Note: Although various options and possibilities exist when authenticating WCS/NCS users with Cisco Secure ACS 5.x, not all combinations are described in this document. However, this example provides you with the information necessary to understand how to modify the example to the precise configuration you want to achieve.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Cisco Wireless Control System
- Cisco Prime Network Control System
- Cisco Secure Access Control Server
Components Used
The information in this document is based on these software and hardware versions:
- Cisco Wireless Control System 7.0.172.0
- Cisco Secure ACS 5.x
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for information on document conventions.
Configuration
This sample configuration describes how to authenticate a user with TACACS+.
Step 1. Add the WCS to the ACS AAA clients.
- On the Cisco Secure ACS, choose Network Resources > Network Devices and AAA Clients.
- Enter a name in the Name field.
- Enter the WCS IP address in the IP address field.
- Under the Authentication Options area, click the TACACS+ check box in order to enable TACACS+, and then enter a term to be used as a shared secret.
Note: This example uses cisco as the shared secret; however, for security reasons, you should use a less obvious term.
Step 2. Add the Cisco Secure ACS as a TACACS+ server in WCS.
- Log in to WCS, and choose Administration > AAA.
- Click TACACS+.
- Enter your shared secret term in the Shared Secret and Confirm Shared Secret fields.
- Choose the Cisco ACS IP address from the Local Interface IP field.
- On the left navigation area, click AAA Mode.
- Click the TACACS+ radio button.
Note: For safety reasons, Cisco recommends that you choose on auth failure or no server response from the Enable fallback to local drop-down list. Choosing this option prevents you from being locked out in case of issues. You can change the option once everything works correctly.
Step 3. Configure the correct shell profile on ACS.
This step describes how to configure Cisco Secure ACS to return the correct attributes in order to determine the user privileges on WCS.
- In the left navigation area, click Groups. A list of user types appears. This example authenticates a user from the Lobby Ambassador user type.
- Click the Task List link next to the LobbyAmbassador group.
Note: You must configure the user role (Lobby Ambassador for this example) and a list of tasks they can perform and menu items they can access. If you use a recent release of WCS, you must also configure the virtual domain that the user will belong to.
- Choose Administration > Virtual domains.
- Click Export.
- Choose Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles in order to create a new shell profile.
- Enter a meaningful name (such as WCS), and then click the Custom Attributes tab.
- Configure the attributes as they exist on WCS.

Here is an example of how to manually enter the attributes:
- Type “role0” in the Attribute field.
- Type “LobbyAmbassador” in the Value field.
- Click the Add button.

Repeat these steps for the other attributes.
Note: In ACS 4, it was possible to copy/paste the list of attributes from the WCS GUI to the ACS 4 GUI. In ACS 5, they must be entered one by one.
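Because ACS 5 requires the attributes to be typed one by one, a short script can turn the text copied from the WCS task list and virtual domain export into an ordered attribute/value checklist and flag likely transcription errors. This is an added example, not Cisco code: the `name<index>=value` line format, every attribute name other than role0, and the sample values are assumptions constructed for illustration.

```python
import re

# Constructed sample of text copied from WCS; names other than role0 and
# LobbyAmbassador are assumptions, not values taken from this document.
SAMPLE_EXPORT = """\
role0=LobbyAmbassador
task0=Example Task A
task1=Example Task B
task3=Example Task C
virtual-domain0=root
"""

# Assumed line format: <name><index>=<value>, e.g. role0=LobbyAmbassador
LINE_RE = re.compile(r"^([A-Za-z-]+)(\d+)=(.+)$")

def parse_export(text):
    """Return ordered (attribute, value) rows ready to type into ACS."""
    rows = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: not in name<index>=value form: {line!r}")
        rows.append((m.group(1) + m.group(2), m.group(3).strip()))
    return rows

def check_rows(rows, required=("role", "virtual-domain")):
    """List likely copy errors: duplicates, index gaps, missing families."""
    problems, seen, indexes = [], set(), {}
    for attr, _ in rows:
        if attr in seen:
            problems.append(f"duplicate attribute {attr}")
        seen.add(attr)
        family, idx = LINE_RE.match(attr + "=x").group(1, 2)
        indexes.setdefault(family, set()).add(int(idx))
    for family, idx in indexes.items():
        missing = sorted(set(range(max(idx) + 1)) - idx)
        if missing:
            problems.append(f"{family}: missing index {missing}")
    for family in required:
        if family not in indexes:
            problems.append(f"no {family} attribute present")
    return problems

if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print(*(f"{a} -> {v}" for a, v in rows), *check_rows(rows), sep="\n")
```

The constructed sample deliberately skips task2, so the check reports a gap of the kind a dropped line produces when copying by hand.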
Step 4. Configure Cisco Secure ACS to return the attributes.
- Configure a user (this example uses Lobbyad) as a user on ACS.

Note: For ease of configuration, this example adds the Lobbyad user to the WCS-users group. (This step is optional.)
- In Access policies, under Default Device Admin > Authorization, configure a rule to match WCS authentication.
- If the user name belongs to WCS-users group, return the wcs shell profile (which contains the group attributes).
- If you want to configure other types of users (such as administrators), you must configure another shell profile to return different attributes. From then on, you must group administrators in a different group in order to differentiate and know what shell profile to return.
Related Information
- Cisco Wireless Control System Configuration Guide, Release 7.0.172.0
- User Guide for the Cisco Secure Access Control System 5.2
- Technical Support & Documentation - Cisco Systems
Updated: Aug 25, 2011