How to Configure Cisco WLC 8.5 to use TACACS+ with Cisco ISE 2.4

How to Configure Cisco WLC to use TACACS+ with Cisco ISE 2.4

If you’ve followed along with my other Cisco ISE (Identity Services Engine) 2.4 and TACACS+ tutorials then you should be pretty familiar with how much more convenient and secure using TACACS+ on your equipment is versus relying only on local credentials.

If you’re also wanting to use TACACS+ on your Wireless Lan Controllers then you’re in luck. It is just as easy to configure as anything else if you know the proper steps, which I’m going to share with you!

For this step-by-step tutorial I’m going to be working with a Cisco 5520 WLC on version 8.5 and Cisco ISE 2.4 with Device Administration already configured (per my tutorial linked below).

Related: Configure New Cisco ISE 2.4 Install for Use as TACACS+ Server

Adding Wireless Lan Controller to Cisco ISE 2.4

The first thing we need to do is add the wireless lan controller to ISE as a network resource, just as you would any other network device.

  1. Navigate to Work Center -> Device Administration -> Network Resources -> Network Devices and click the +Add button.
  2. Enter your controller’s name and IP address. Leave the Device Profile as Cisco (unless you have good reason to change it). Optionally configure a Location and Device Type and set those. I created a Wireless Lan Controllers Device Type.
  3. Check the box in front of TACACS Authentication Settings and fill in your Shared Secret and click Submit.

Configuring Cisco ISE 2.4 TACACS Profile for WLC

The next thing we need to do is help Cisco ISE understand the language of the Wireless Lan Controller for controlling access and authorization.

The WLC uses TACACS+ custom attributes defined as role1, role2, etc… with a value that corresponds to the access level you wish to grant within that profile. The available roles are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, COMMAND, ALL, and LOBBY.

The first seven listed roles control access to the respectively named menus in the WLC web user interface. ALL grants read-write to everything, LOBBY grants access to the Lobby feature, which I won’t be covering here.

When configuring a TACACS Profile you can configure multiple roles as multiple custom attributes to allow read-write access to multiple menus and read-only to the rest. For example, if you wanted someone to have access to WLAN and WIRELESS you could create a TACACS Profile with two roles (Role1 and Role2) with values WLAN and WIRELESS respectively like so:

Role1 = WLAN

For this walk-through I’m just going to create one profile with one role with a value of ALL which I will use to allow members of the Infrastructure Team to have full access to the wireless controller through TACACS+ auth.

  1. Log into ISE and navigate to Work Centers -> Device Administration -> Policy Elements -> Results -> TACACS Profiles and click Add.
  2. Give your TACACS Profile a Name, I’m using “WLC Admin Shell Profile”
  3. Scroll down to Custom Attributes, click Add, select Mandatory in the first dropdown, enter role1 for the Name, enter ALL for the Value, and click the check mark at the end to save the attribute.
  4. Click Submit to create the TACACS Shell Profile.

Configure Cisco ISE 2.4 Policy Set for WLC

Now that we have our TACACS shell profile created we need to tell ISE how to handle that information. To do that we’ll create a new Policy Set (optional) and edit our Authorization Policy to grant ALL to members of our desired AD group when authenticating.

I say creating a new Policy Set is optional because you can just as easily stuff your Authorization Policy rules into your default policy and it will work. However, I advise creating new Policy Sets for different types of equipment. It keeps things organized. So that’s the steps we’ll take here.

  1. Navigate to Work Centers -> Device Administration -> Device Admin Policy Sets and click the Plus icon.
  2. Give your Policy Set a Name, set the Conditions to Device Type equals Wireless Lan Controller (the optional device type I created earlier when adding the WLC as a new network device under network resources), set the Allowed Protocols to Default Device Admin, and click Save.
  3. Click the right arrow (or carrot) under View to open the Policy Set.
  4. Expand Authentication Policy and choose your desired identity store. I’m using the AD_Internal store I created in my TACACS+ tutorial to allow using AD groups for auth control.
  5. Expand Authorization Policy and click the Plus Icon.
  6. Enter a Rule Name, Condition, choose Permit All from the Command Set, and select the TACACS Shell Profile we created earlier. In my case I’m choosing to use AD Group Equals Infrastructure Team and the command set I named WLC Admin Shell Profile.
  7. Click Save.

Since the Authorization Policy Rules and work in a top down precedence we don’t need to remove the default rule of DenyAllCommands and Deny All Shell Profile. Much like a firewall, this is kind of a catchall rule and will only be hit if nothing matches the rules above it.

Configure Cisco Wireless Lan Controller to Use TACACS+

Now that we have all our profiles, policy sets, and rules are in place, we just need to tell the wireless controller to use TACACS+ for auth.

  1. Log into your WLC web gui and navigate to Advanced -> Security -> AAA -> TACACS+ -> Authentication and click on New… in the upper right corner.
  2. Enter the IP of your Cisco ISE server as well as your Shared Secret and click Apply.
  3. Optionally repeat step 2 for the Accounting screen.
  4. Expand Priority Order and move TACACS+ to the top of the Order Used for Authentication and click Apply.

At this point we should be able to log into the WLC as our AD account through TACACS. I opened a new browser and logged in with my user successfully. I was even able to verify the type of access I had by navigating to Advanced -> Monitor -> Summary and looking under the Most Recent Traps to see the following message:

This is exactly what I was expecting. Hopefully you achieved similar results. Be sure to check out my other Cisco ISE 2.4 and TACACS+ articles!

Related: Configure Cisco Prime TACACS+ Authentication w/ ISE 2.4

Recommended for You: Solarwinds Network Performance Monitor (NPM)

Do you know the health of your networking equipment? Know when something goes down before a user reports problems? Know where your bandwidth is going or where you’re losing your packets?

Automate data collection and alerting of your networking infrastructure with Solarwinds NPM so you know exactly what is going on in your network and can sleep easy.

Unlike other tools, NPM is ready to out of the box with most common makes and models of networking equipment. No messing around with custom templates, xml files, or code to extract important information.

Chase Smith, CCNP

Chase Smith, CCNP is a Network Engineer III who has spent the last decade elbow deep in enterprise system administration and networking. He can usually be found trying to warm up behind the storage in the datacenter.

Leave a Reply

Your email address will not be published. Required fields are marked *