Tacacs Authorization on a WLC using ACS


First we create the TACACS+ authorization server on the WLC and make sure that TACACS+ is actually used for management authorization; an authorization server must be defined for that.
We do this by reordering the Priority Order for Management Users so that TACACS+ is at the top.

Once we save the configuration and try to log in, the login fails: the WLC can reach the ACS server, but no user is configured on it yet, so ACS rejects the login instead of letting the WLC fall back to the local database.
Only if the ACS server is NOT reachable can we log in with our local credentials.

On the ACS server we configure an AAA Client with the IP address of the WLC and select TACACS+ (Cisco IOS).

In the Interface Configuration of the ACS we enable the TACACS+ services.

We configure the service ciscowlc with protocol common.

Now we create a user, scroll down to the bottom and fill in the ciscowlc common attributes.

The role attribute can be one of:
ALL
LOBBY
MONITOR

If you enabled the Passed Authentications report, you can see in the logging that everything is successful.
It is also wise to create the admin account that you use locally on the WLC on the ACS as well; that way you can always use that account name, with or without the ACS.
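The two behaviours described above (a reject from a reachable ACS is final, while an unreachable ACS falls back to local users, and the ALL/LOBBY/MONITOR role returned by the ciscowlc service decides what the user may do) can be modelled in a few lines. The following Python is an added example, not code from the post or from Cisco; FakeAcs, Wlc, the operation sets per role and the assumption that local management users get full rights are all illustrative choices made here.

```python
# Added example (not from the post): a small model of a WLC management-user
# method list with TACACS+ first and LOCAL second, plus the ciscowlc "common"
# role attribute.  FakeAcs, Wlc and the operation sets are assumptions made
# for illustration, not WLC or ACS APIs.
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Roles from the post.  The operations each role may perform are assumed
# here to make the authorization check concrete.
ROLE_PERMISSIONS: Dict[str, set] = {
    "ALL": {"show", "config", "lobby"},
    "MONITOR": {"show"},
    "LOBBY": {"lobby"},
}


class TacacsUnreachable(Exception):
    """No reply from the TACACS+ server (timeout, wrong key, network down)."""


@dataclass
class FakeAcs:
    """Stand-in for the ACS AAA server. users maps name -> (password, role1)."""
    users: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> Optional[str]:
        if not self.reachable:
            raise TacacsUnreachable("no reply from ACS")
        entry = self.users.get(user)
        if entry is None or entry[0] != password:
            return None          # explicit REJECT: the WLC does not fall through
        return entry[1]          # role1=<ROLE> returned by the ciscowlc service


@dataclass
class Wlc:
    """Management-user login following the Priority Order (TACACS, then LOCAL)."""
    acs: FakeAcs
    local_users: Dict[str, str]                       # name -> password
    priority: Tuple[str, ...] = ("TACACS", "LOCAL")

    def login(self, user: str, password: str) -> Tuple[str, Optional[str]]:
        """Return (method that answered, role); role is None when denied."""
        for method in self.priority:
            if method == "TACACS":
                try:
                    return ("TACACS", self.acs.authenticate(user, password))
                except TacacsUnreachable:
                    continue     # only an unreachable server moves on to LOCAL
            if method == "LOCAL":
                if self.local_users.get(user) == password:
                    return ("LOCAL", "ALL")  # assumption: local admins get full rights
                return ("LOCAL", None)
        return ("NONE", None)


def permitted(role: Optional[str], operation: str) -> bool:
    """Authorization check against the role the AAA server returned."""
    return role is not None and operation in ROLE_PERMISSIONS.get(role, set())


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Walk through the situations described in the post; returns each outcome."""
    # Constructed sample accounts for the example.
    acs = FakeAcs(users={"admin": ("Adm1nPw", "ALL"), "noc": ("NocPw", "MONITOR")})
    wlc = Wlc(acs=acs, local_users={"admin": "Adm1nPw", "localonly": "LocalPw"})
    results = {}
    # ACS reachable: ACS answers, and a user unknown to ACS is rejected even
    # though it exists locally (the failed login right after saving).
    results["noc_via_acs"] = wlc.login("noc", "NocPw")
    results["localonly_acs_up"] = wlc.login("localonly", "LocalPw")
    # ACS unreachable: the WLC falls back to its local database.
    acs.reachable = False
    results["localonly_acs_down"] = wlc.login("localonly", "LocalPw")
    results["admin_acs_down"] = wlc.login("admin", "Adm1nPw")
    # admin exists in both places, so it works with or without ACS.
    acs.reachable = True
    results["admin_acs_up"] = wlc.login("admin", "Adm1nPw")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} -> {outcome}")
    print("MONITOR may config?", permitted("MONITOR", "config"))
```

The important detail the model makes visible is that "TACACS then LOCAL" is a fallback on transport failure, not on a failed password: a wrong or unknown account that ACS rejects is denied outright, which is exactly why a locally-defined admin stops working the moment the ACS is reachable but still empty.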

About Joost van der Made
