TACACS+ on Cisco WLCs

In this third post in the TACACS+ series, I’ll cover using TACACS+ for administering a Cisco WLC device.

Cisco WLC

Server Config

			
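# Full administrative access to the WLC
group = wlc {
  service = ciscowlc {
    role1 = ALL
  }
}

# Read-only access
group = wlc-read-only {
  cmd = show {
    permit .*
  }
  cmd = ping {
    permit .*
  }
  cmd = traceroute {
    permit .*
  }
  service = exec {
    priv-lvl = 15
  }
  service = ciscowlc {
    # MONITOR is the WLC's read-only role; role1 = ALL here would grant full read/write access
    role1 = MONITOR
  }
}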
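
An added example, not from the original post: a small Python check that reads a tac_plus configuration, collects the roleN values each group sets under service = ciscowlc, and reports groups whose name says read-only but whose role still permits configuration changes. The role names MONITOR and LOBBY are taken from Cisco's WLC role list rather than from this page, and the sample config and the group name noc-read-only are constructed.

```python
import re

# Assumption: role names come from Cisco's WLC role list, not from this page.
NON_WRITE_ROLES = {"MONITOR", "LOBBY"}
GROUP_RE = re.compile(r"^\s*group\s*=\s*(\S+)\s*\{")
SERVICE_RE = re.compile(r"^\s*service\s*=\s*(\S+)\s*\{")
ROLE_RE = re.compile(r"^\s*role\d+\s*=\s*(\S+)")

def wlc_roles(conf_text):
    """Return {group: [roles]} for every ciscowlc service block in a group."""
    roles, group, service, depth = {}, None, None, 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0]  # drop comments
        if depth == 0 and (m := GROUP_RE.match(line)):
            group = m.group(1)
        elif depth == 1 and (m := SERVICE_RE.match(line)):
            service = m.group(1)
        elif depth == 2 and group and service == "ciscowlc" and (m := ROLE_RE.match(line)):
            roles.setdefault(group, []).append(m.group(1).upper())
        depth += line.count("{") - line.count("}")
        service = service if depth >= 2 else None  # left the service block
        group = group if depth >= 1 else None      # left the group block
    return roles

def misgranted(conf_text, marker="read-only"):
    """Groups named as read-only that still hold a configuring WLC role."""
    return {g: r for g, r in wlc_roles(conf_text).items()
            if marker in g and set(r) - NON_WRITE_ROLES}

# Constructed sample config (hypothetical group names).
SAMPLE = """\
group = wlc-read-only {
  cmd = show {
    permit .*
  }
  service = ciscowlc {
    role1 = ALL
  }
}
group = noc-read-only {
  service = ciscowlc {
    role1 = MONITOR
  }
}
"""

if __name__ == "__main__":
    for name, found in misgranted(SAMPLE).items():
        print(f"{name}: roles {found} allow configuration changes")
```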

Client Config

This is fairly trivial and best done through the GUI. Just go to security->tacacs+ and add the servers and keys for Authentication and Authorization. I didn’t find the Accounting data very useful so left that off. To work out the server settings I ran the daemon in debugging mode and looked at what the WCS was sending. Something like:

# tac_plus -C /path/to/tac_plus.conf -g -d <level>

One thought on “TACACS+ on Cisco WLCs”

  1. Patrick

    Wow!! What a nice document.
    This fixed my issue… been searching for the last 4 hours to make it work and your solution works like a charm
