
9/22/21, 12:33 PM Implementing Cisco Enterprise Wireless Networks - Student Learning Guide

Implement Secure Access to the WLCs and Access Points


This topic explores the relevant security issues, architectural approaches, and processes to secure access to the
Cisco WLC and AP management interfaces.

An enterprise network can span multiple geographies, sites, and locations. Your IT organization can have
different groups that work together, and you may have to work with other organizations such as support,
operations, or front desk (lobby) ambassadors in your company to help them perform their tasks. Administrative
users can be spread across locations, and each may need a different level of access privilege to the same or
different sets of devices, depending on their role. This quickly becomes complicated to manage.

What Is Device Administration?


Network and security administrators typically own the task of administering and monitoring the network and
security devices in an enterprise. If you manage only a handful of devices, tracking the admin users, their
privileges, and changes to the configuration is not difficult. As the network grows, it becomes so, and you can
use Cisco Identity Services Engine (Cisco ISE) to automate device administration tasks with clean workflows and
monitoring capabilities within a controlled space in the user interface.

What Are the Key Elements of Device Administration?


As a network administrator or analyst, the first step is to decide how you want to manage your network. From a
device administration standpoint, your network comprises three basic elements (assets):
1. The organization, across single or multiple locations
2. Access levels, which include admin, helpdesk users, lobby ambassadors, and others
3. Network and security devices

If you are using an external authentication server or some form of strong authentication, you also must know the
security needs of your company for authenticating users. You must also be aware of the audit and compliance
needs for logging and monitoring changes in the network.

Source: https://learningspace.cisco.com/dkitserver/content/show?x=N8zM9vryvDCthzTy&isLatest=false

Configure the Cisco WLC and Access Points for Secure Management
Both Cisco Wireless LAN Controllers (Cisco WLCs) and APs provide several management access methods. You
can manage a Cisco WLC through its web GUI over HTTP or HTTPS, through the CLI on the console port, or
remotely over Telnet or Secure Shell (SSH). Access points have a console port and can be configured for Telnet
or SSH access as well. In addition, Cisco Prime Infrastructure manages the WLCs over Simple Network
Management Protocol (SNMP).

You can secure management access to the Cisco WLC with local usernames and passwords stored in the
controller's own database, or you can keep these credentials on an external authentication, authorization, and
accounting (AAA) server and have the controller query it over RADIUS or TACACS+. You will learn about the use
of TACACS+ with Cisco ISE as the AAA server.

One local administrative account is created when you install the system. It is best practice to keep this account
as a protected break-glass account, with a strong password, for access in case the AAA servers become
unreachable.

Access to the access point management interface is controlled from Cisco WLC and will be distributed to the
access points as they join Cisco WLC.

General Security Best Practices for Administrative Access to Cisco WLC


The following password and user login policies are recommended.

Local Management Password Policies

You must enforce strong passwords. The password policies apply strong-password checks to newly created
passwords for additional management users of the controller and for access point users. Note how the checks
are applied:
When you upgrade the controller from an old version, all existing passwords are kept, even if they are weak.
After the upgrade, if the strong password checks are enabled, they are enforced on passwords set from that
time forward; the strength of previously added passwords is not checked or altered.
The settings that you enter in the Password Policy page affect both the local management user and the access
point user configuration.

User Login Policies


The user login policies are provided to limit the number of concurrent logins of the local net users of the controller.
You can limit the number of concurrent logins, and it is best to configure a value greater than the default of 0
(unlimited login). For administrative purposes, this value prevents unlimited access to Cisco WLC with one set of
credentials when it authenticates against the local database.

Be aware that this value could impact network devices that authenticate against the local database. They may be
sharing the same username and password, such as wireless phones with the same user profile for their wireless
connection.

General Security Measures

The following general security measures are recommended:


Disable management over wireless: The Cisco WLC Management over Wireless feature allows operators to
monitor and configure local Cisco WLCs using wireless clients that connect to the controller. It is advisable to
disable the Management over Wireless feature for security reasons.
Enable NTP: Network Time Protocol (NTP) is very important for several features. It is mandatory to use NTP
synchronization on controllers, if you use any of these features: location, SNMPv3, access point authentication,
or Management Frame Protection (MFP). Cisco WLC supports synchronization with NTP with authentication.
Enable secure web access: For increased security, confirm that HTTPS is enabled and HTTP is disabled for
management access (default settings).
SSH/Telnet: Similar to secure web access, confirm that SSH is enabled and Telnet is disabled to the controller
for better security.

Information About TACACS+


TACACS+ is a client/server protocol that provides centralized security for users who attempt to gain management
access to a controller. It serves as a back-end database similar to local and RADIUS. However, local and RADIUS
provide only authentication support and limited authorization support, while TACACS+ provides three services:
Authentication: The process of verifying users when they attempt to log in to the controller.
Authorization: The process of determining the actions that users are allowed to take on the controller based on
their level of access.
Accounting: To keep track of all the changes the user makes.

Users must enter a valid username and password in order for the controller to authenticate users to the TACACS+
server. The authentication and authorization services are tied to one another. For example, if authentication is
performed using the local or RADIUS database, then authorization would use the permissions that are associated
with the user in the local or RADIUS database (which are read-only, read/write, and lobby-admin) and not use
TACACS+. Similarly, when authentication is performed with TACACS+, authorization is tied to TACACS+.

For TACACS+, authorization is based on privilege (or role) rather than specific actions. The available roles
correspond to the seven menu options on the controller GUI: MONITOR, WLAN, CONTROLLER, WIRELESS,
SECURITY, MANAGEMENT, and COMMANDS. An extra role, LOBBY, is available for users who require only lobby
ambassador privileges. You configure the roles to which users are assigned on the TACACS+ server. You can
authorize users for one or more roles.

Both MANAGEMENT and SECURITY roles are necessary for creating local management user and IP Security
(IPsec) profiles. The minimum authorization is MONITOR only, and the maximum is ALL, which authorizes the user
to execute the functionality that is associated with all seven menu options. For example, a user who is assigned the
role of SECURITY can make changes to any items that appear on the Security menu (or are designated as security
commands in the case of the CLI). If users are not authorized for a particular role (such as WLAN), they can still
access that menu option in read-only mode (or the associated CLI show commands). If the TACACS+ authorization
server becomes unreachable or unable to authorize, users are unable to log in to the controller.

TACACS+ Management Timeout



It is a best practice to increase the retransmit timeout for the TACACS+ authentication, authorization, and
accounting servers if you see repeated reauthentication attempts, or if the controller falls back to the backup
server while the primary server is active and reachable. This is especially true with One-Time Password (OTP)
logins, where the server cannot answer until the user has typed the token, so a short timeout causes spurious
failovers.

TACACS+ Flow with AAA


The TACACS+ flow shows three distinct phases: authentication, authorization, and accounting. In TACACS+
these phases are independent: each is a separate transaction, and TACACS+ (a TCP protocol on port 49) opens a
TCP session for every transaction. RADIUS differs: authorization is returned in the same exchange as each
successful authentication, so the two are tied together. When you scale the service to thousands of network
devices, these separate transactions play a key role in performance, so you must know which options you turn
on in the network devices increase the number of transactions per second (TPS) across many devices. This
awareness matters most with command authorization, where every command is authorized and accounted. Note
that TACACS+ command authorization works on Cisco IOS XE WLCs only; it is not supported on Cisco AireOS
WLCs.
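The transaction model above is easier to reason about on the wire. The following Python is an added example, not
code from the guide or from Cisco: it builds a TACACS+ (RFC 8907) packet header and an ASCII authentication
START body, applies the protocol's shared-secret body obfuscation, and parses the packet back. The shared secret,
session ID, username and port are constructed sample values.

```python
"""TACACS+ (RFC 8907) header and body obfuscation, as carried on TCP port 49."""
import hashlib
import struct

TAC_PLUS_PORT = 49
VERSION = 0xC0  # major version 0xc, minor version 0 (one byte in the header)

# Packet types: one per AAA service. Each service is its own exchange on the wire.
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_ACCT = 0x03

TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # body in the clear; must never be seen in production
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04  # client asks to reuse one TCP session for many transactions

# version, type, seq_no, flags, session_id, body length
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad. Applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str = "tty0", rem_addr: str = "", priv_lvl: int = 1) -> bytes:
    """Authentication START body for an ASCII login (RFC 8907 section 5.1)."""
    action_login, type_ascii, svc_login = 0x01, 0x01, 0x01
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    fixed = struct.pack("!BBBBBBBB", action_login, priv_lvl, type_ascii, svc_login,
                        len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes,
                 key: bytes, flags: int = 0) -> bytes:
    """Header plus (normally obfuscated) body, ready to send on TCP/49."""
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        wire_body = body
    else:
        wire_body = obfuscate(body, session_id, key, VERSION, seq_no)
    return HEADER.pack(VERSION, ptype, seq_no, flags, session_id, len(body)) + wire_body


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Split header and body; de-obfuscate with the key unless the clear-text flag is set."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    wire_body = packet[HEADER.size:HEADER.size + length]
    if len(wire_body) != length:
        raise ValueError("truncated TACACS+ body")
    body = wire_body if flags & TAC_PLUS_UNENCRYPTED_FLAG else \
        obfuscate(wire_body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def demo() -> dict:
    """Round-trip one authentication START with the right key and with a wrong key."""
    key = b"S3cr3t-Sh4red"          # constructed sample shared secret
    session_id = 0x1A2B3C4D         # constructed sample session id
    body = authen_start_body("netadmin")
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, key)
    good = parse_packet(pkt, key)
    wrong = parse_packet(pkt, b"wrong-key")
    return {
        "packet_len": len(pkt),                       # 12-byte header + 20-byte body
        "body_roundtrip": good["body"] == body,
        "wrong_key_garbles": wrong["body"] != body,   # wrong secret: body is unreadable
        "user_in_clear_on_wire": b"netadmin" in pkt,  # username must not be visible
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points follow from the code. The body protection is an MD5 keystream derived from the shared secret, not
authenticated encryption, so the secret you enter on the WLC and in Cisco ISE is the only thing standing between a
network observer and the administrator's credentials; choose it accordingly and never accept the unencrypted
flag. The session ID and sequence number are per transaction, which is why each authentication, authorization and
accounting step is its own exchange unless both sides agree on single-connect mode.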

Cisco WLC Configuration for TACACS+ (Cisco AireOS)


To configure TACACS+ in the Cisco WLC controller, you must complete the following:
Add a TACACS+ Authentication server
Add a TACACS+ Authorization server
Add a TACACS+ Accounting server
Configure the priority order of management user authentication


Add a TACACS+ Authentication Server

Complete these steps to add a TACACS+ Authentication server.


1. From the Cisco WLC GUI, choose Security > AAA > TACACS+ > Authentication and click New.
2. Enter the IP address of the Cisco ISE server as the TACACS+ server and the shared secret key. Make sure that
Server Status is Enabled. You can leave the remaining fields at the default values.
3. Click Apply.

Add a TACACS+ Authorization Server

Complete these steps to add a TACACS+ Authorization server.


1. From the Cisco WLC GUI, choose Security > AAA > TACACS+ > Authorization and click New.
2. Add the IP address of the Cisco ISE server as the server IP address and the shared secret key.
3. Click Apply.

Add a TACACS+ Accounting Server

Complete these steps to add a TACACS+ Accounting server.


1. From the Cisco WLC GUI, choose Security > AAA > TACACS+ > Accounting and click New.
2. Enter the IP address of the Cisco ISE server as the server IP address and the shared secret key.
3. Click Apply.

Configure the Priority Order of Management User Authentication


Specify the order of authentication when you configure multiple databases from the Cisco WLC GUI by choosing
Security > Priority Order > Management User. The Priority Order > Management User page appears.

In the Order Used for Authentication text box, specify which servers have priority when the controller attempts to
authenticate management users.

Use the > and < buttons to move servers between the Not Used and Order Used for Authentication text boxes.
After the desired servers appear in the Order Used for Authentication text box, use the Up and Down buttons to
move the priority server to the top of the list. By default, the local database is always queried first. If the username
is not found, the controller switches to the RADIUS server if you configured it for RADIUS or to the TACACS+
server if you configured it for TACACS+. The default setting is LOCAL and then RADIUS.

It is recommended that you keep a local authentication method in case the Cisco WLC cannot reach Cisco ISE, so
that an administrator can still log in to the Cisco WLC with local credentials as the fallback. Note that with
TACACS+ ordered before LOCAL, the controller consults the local database only when the TACACS+ server is
unreachable, not when the server rejects the credentials.
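The procedure above, together with the items from General Security Best Practices for Administrative Access to
Cisco WLC, expressed as the equivalent Cisco AireOS CLI. This is an added example, not part of the original guide:
the Cisco ISE address 10.0.1.12, the NTP server 10.0.1.5, the shared secret and the account names are placeholders,
and the lines starting with ! are annotations for the reader (the AireOS CLI does not accept comment lines).

```text
! General security measures: no management over wireless, no Telnet, no plain HTTP
config network mgmt-via-wireless disable
config network telnet disable
config network ssh enable
config network webmode disable
config network secureweb enable
! Time source required for SNMPv3, AP authentication, MFP and usable logs
config time ntp server 1 10.0.1.5
! Strong password checks for newly created local management and AP users
config switchconfig strong-pwd all-checks enable
! TACACS+ authentication, authorization and accounting servers (Cisco ISE)
config tacacs auth add 1 10.0.1.12 49 ascii S3cr3t-Sh4red
config tacacs athr add 1 10.0.1.12 49 ascii S3cr3t-Sh4red
config tacacs acct add 1 10.0.1.12 49 ascii S3cr3t-Sh4red
! Longer per-server timeout, as recommended when OTP is in use
config tacacs auth mgmt-server-timeout 1 15
config tacacs athr mgmt-server-timeout 1 15
config tacacs acct mgmt-server-timeout 1 15
! Priority order: TACACS+ first, local database only when Cisco ISE is unreachable
config aaa auth mgmt tacacs local
! Break-glass local account for that fallback
config mgmtuser add breakglass <strong-password> read-write
! Global AP console credentials, pushed to every AP that joins this controller
config ap mgmtuser add username apadmin password <strong-password> enablesecret <strong-enable> all
save config
! Verification
show aaa auth
show tacacs summary
show network summary
```

Check show aaa auth after the change: it lists the management authentication order, and "tacacs local" there
is what makes the break-glass account reachable when ISE is down. Test the fallback deliberately (block TCP/49 to
the ISE node in a maintenance window) before relying on it, and record the break-glass password somewhere
that does not itself depend on ISE.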


Cisco WLC Configuration for TACACS+ (Cisco IOS XE)


The figure shows the Configuration tool of the Cisco IOS XE wireless GUI, where the following AAA settings are made.

Configure AAA Authentication (GUI)

In the Cisco IOS XE wireless GUI, configure AAA authentication by following these steps:
1. Choose Configuration > Security > AAA.
2. In the Authentication section, click Add.
3. In the Quick Setup: AAA Authentication window that appears, enter a name for your method list.
4. From the Type drop-down list, choose the type of authentication to perform before access is allowed.
5. From the Group Type drop-down list, choose whether a group of servers or the local database authenticates the
access.

Configuring AAA Authentication (CLI)

You can configure the AAA authentication from the CLI by completing these steps:
1. To enable AAA access control, use the aaa new-model command. For example:

Device(config)# aaa new-model

2. To define the list of authentication methods at login, use the aaa authentication login command:

aaa authentication login {default | named_authentication_list} group AAA_group_name

In this command, named_authentication_list is any name of at most 31 characters, and AAA_group_name is the
name of a server group that you must have defined (with aaa group server tacacs+) before this command
references it. For example:

Device(config)# aaa authentication login default group group1

3. To create an authorization method list for network services such as web-based authorization, use the aaa
authorization network command. Note that this list does not govern administrative (exec) access:

aaa authorization network {default | named} group AAA_group_name

For example:

Device(config)# aaa authorization network default group group1

4. To define a TACACS+ server, use the tacacs server command, which enters server configuration mode:

tacacs server server-name

For example:

Device(config)# tacacs server yourserver

5. In server configuration mode, set the IP address of the TACACS+ server with the address {ipv4 | ipv6}
command (the shared secret is set in the same mode with the key command):

address {ipv4 | ipv6} ip_address

For example:

Device(config-server-tacacs)# address ipv4 10.0.1.12

6. The older tacacs-server host command also defines a TACACS+ server, but it is the legacy syntax; on current
Cisco IOS XE releases prefer the tacacs server form from step 4:

tacacs-server host {hostname | ip_address}

For example:

Device(config)# tacacs-server host 10.1.1.1
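Steps 1 to 6 joined into one working Cisco IOS XE configuration that also applies the secure-management measures
from earlier in this topic. This is an added example, not from the guide or from Cisco: the server name ISE-PSN1,
the group name ISE-TACACS, the addresses 10.0.1.12 and 10.0.1.5, the shared secret and the break-glass account
are placeholders.

```text
aaa new-model
!
tacacs server ISE-PSN1
 address ipv4 10.0.1.12
 key S3cr3t-Sh4red
 timeout 10
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN1
!
! Management login and exec authorization go to Cisco ISE; the local database is used
! only when the group is unreachable, not when ISE rejects the user
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
aaa authorization network default group ISE-TACACS
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! Break-glass local account for the fallback
username breakglass privilege 15 secret <strong-password>
!
! Secure management paths only: SSHv2 and HTTPS, both authenticated through AAA
ip ssh version 2
no ip http server
ip http secure-server
ip http authentication aaa login-authentication default
ip http authentication aaa exec-authorization default
line vty 0 4
 transport input ssh
!
ntp server 10.0.1.5
```

On Cisco IOS XE the TACACS+ shell profile returned by Cisco ISE should carry a privilege level (15 for full
administration), because IOS devices authorize by privilege level and command set rather than by the roleN
attributes used for Cisco AireOS. Verify with show tacacs and with a test login over SSH before closing the
Telnet path.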

Configure Console Access to the Access Point (Cisco AireOS)


Cisco IOS access points ship from the factory with Cisco as the default username, password, and enable
password. Because these well-known defaults allow anyone with console access to log on, enter show and debug
commands in nonprivileged mode, and enter privileged mode, they pose a security threat. You must change the
default credentials to prevent unauthorized users from accessing the access point's console port and entering
configuration commands.


The following are some guidelines to configure global credentials for access points:
You can set a global username, password, and enable password that all access points inherit, including devices
that are currently joined to the controller and any that join in the future, as they join Cisco WLC. If you desire,
you can override the global credentials and assign a unique username, password, and enable password for a
specific access point.
After an access point joins Cisco WLC, the access point enables console port security, and you are prompted
for your username and password whenever you log in to the access point’s console port. You are in
nonprivileged mode when you log on, and you must enter the enable password to use the privileged mode.
The global credentials that you configure on Cisco WLC are retained across Cisco WLC and access point
reboots. They are overwritten only if the access point joins a new Cisco WLC that is configured with a global
username and password. If the new controller is not configured with global credentials, the access point retains
the global username and password that you configured for the first Cisco WLC.
You must keep track of the credentials that the access points use. Otherwise, you might not be able to log on to
the console port of the access point. If you must return the access points to the default Cisco-Cisco username
and password, you must clear the controller’s configuration and the access point’s configuration to return them
to factory-default settings.
To clear the controller’s configuration, choose Commands > Reset to Factory Default > Reset on the
controller GUI or use the clear config command on the Cisco WLC CLI.
To clear the access point’s configuration, choose Wireless > Access Points > All APs, click the access point’s
name, and click Clear All Config on the controller GUI. Or, you can use the clear ap config command.

Test TACACS+ User Access


Once you complete the Cisco WLC configuration for device administration, you must validate the configuration.


Log in to Cisco WLC as various users who belong to the different groups and access different devices.

When you log in, verify that the user has access to the right tabs. Some features require certain permissions for
their usage. If a feature is unavailable, or the user is not allowed to perform a specific task, you may need to adjust
their permissions. Regardless of the level of access, any administrator account can modify or delete objects for
which it has permission, on any page that it can access.

For a user who is a helpdesk user, navigate to the different tabs and try to add, modify, or delete objects. For
example, go to WLANs and try to delete one of the WLANs. As this user has only MONITOR access, the operation
should be denied with the following error “Authorization Failed. No Sufficient privileges.”

Enable Secure Access for Cisco Prime Infrastructure


This figure illustrates the Admin Access page where you perform the administrative user configuration procedure.

Implement Role-Based Access Control in Cisco ISE


Cisco ISE provides role-based access control (RBAC) policies that ensure security by restricting administrative
privileges. RBAC policies associate with default administrative groups to define roles and permissions. A standard
set of permissions (for menu and data access) pairs with each of the predefined admin groups and aligns with the
associated role and job function.

RBAC restricts system access to authorized users by using roles that then associate with administrative groups. An
RBAC policy defines permissions that allow each administrative group to perform certain tasks. Policies restrict or
allow a person the permission to perform tasks that are based on the administrative group (or groups) to which that
person is assigned. You can be assigned to multiple roles that provide you with the privileges for each role to which
you are assigned.

A specialized administrator role has the ability to customize permissions and administrative groups and to create
custom policies. The default Cisco ISE RBAC policies cannot be modified.

Some features in the user interface require certain permissions for their usage. If a feature is unavailable or you are
not allowed to perform a specific task, your administrative group may not have the necessary permissions to
perform the task that utilizes the feature.

Follow this procedure to implement RBAC in Cisco ISE:


1. Examine the built-in admin groups. View the built-in groups by choosing Administration > System > Admin
Access > Administrators > Admin Groups, as shown in the figure. Click the Edit button to examine their
attributes.
2. Edit an admin group.

3. Create an admin group.


4. Configure an administrator user.
5. Edit an administrator account.
6. Delete an administrator account.

All these steps are optional, because one administrator account has been configured with the setup utility during
system installation.

Examine a Built-In, Edit or Create an Admin Group


The administrator group can be internal or external. In an internal group, the administrators authenticate against
the credentials that are specified in the Cisco ISE internal database. The external groups are used for authorizing
users in external identity databases: Active Directory and Lightweight Directory Access Protocol (LDAP) servers.

The authorization is performed based on the Active Directory or LDAP group membership. In the external groups,
the administrators authenticate against the credentials that are contained in the external identity store that you
specify in the attribute selector. After choosing the external type, you must specify the identity store from which
Cisco ISE should import the external group information.

Configure Administrator User


You can add an administrator user by navigating to the Administration > System > Admin Access >
Administrators menu and clicking the Add button. The administrator accounts have a host of attributes, such as
the status, type, password, user information, description, and the admin group.


In the Admin User configuration page, you can enter the administrator attributes of status, email, external attribute,
password, user information, account options, and the admin group. If you check the External check box, the
password and re-enter password fields will not be used.

The users of type “external” are created internally for authorization of administrators that have been defined on an
external RSA SecurID server. The username of such an external administrator must be defined locally on Cisco
ISE as an external user type. Users of type external do not have a password that is configured on Cisco ISE.

Configure TACACS+ Profiles


TACACS profiles control the initial login session of the device administrator. A session refers to each individual
authentication, authorization, or accounting request. A session authorization request to a network device elicits a
Cisco ISE response. The response includes a token that is interpreted by the network device, which limits the
commands that you may execute during a session. The authorization policy for a device administration access
service can contain a single shell profile and multiple command sets.

The TACACS+ profile definitions are split into two components:


Common tasks
Custom attributes

Two views are available in the TACACS Profiles page (Work Centers > Device Administration > Policy
Elements > Results > TACACS Profiles)—Task Attribute View and Raw View. You can enter common tasks
with the Task Attribute View and create custom attributes in the Task Attribute View and the Raw View.

Before configuring TACACS profiles, make sure that you add Cisco WLC as a network device (AAA client) and
associate network device group based on device type, location, and other attributes.

Access privileges in the Cisco WLC are based on administrator roles, which the WLC reads from attributes that you
define in TACACS profiles. The available roles are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY,
MANAGEMENT, COMMANDS, ALL, and LOBBY. The first seven correspond to the menu options on the Cisco WLC
admin web user interface. You may enter one or more roles to allow read and write access to those features and
read-only access to the rest. The Cisco ISE user interface has templates for TACACS profiles with a very similar
structure to simplify configuration.


In the example that you see here, the definition for the three TACACS profiles is based on the access privileges
that are required by the administrator.
WLC_Monitor_Only: For helpdesk with access to the Monitor tab.
WLC_Security_Access: For security operators with access to the Security and Commands tabs.
WLC_Admin: For administrators with full access.

To grant read and write access to WLAN, SECURITY, and CONTROLLER, the profile must send one role attribute per
role, for example role1=WLAN, role2=SECURITY, and role3=CONTROLLER.

In the Cisco ISE GUI, choose Work Centers > Device Administration > Policy Results > TACACS Profiles. Add
a new TACACS profile called WLC_Monitor_Only. Scroll down to the Custom Attributes section to define access
only to Monitor. You can check the Raw View for the exact attribute and associated value. Click the Submit button
to save the profile.

Add another profile called WLC_Security_Access. Choose Selected to provide access to the SECURITY and
COMMANDS. Click Submit to save the profile.

Add a third profile called WLC_Admin. Choose All from the selection. This choice provides access to all the tabs
with an attribute and value of role1=ALL.

The number in the bottom of the menu changes from 0x0 for MONITOR to 0xfffffff8 for ALL. This debug value is
used by Cisco WLC in the logs for each role. This value helps you to troubleshoot access issues to Cisco WLC.
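The three profiles above, the role semantics from Information About TACACS+, and the checks from Test TACACS+
User Access fit together as one small authorization model. The following Python is an added example, not code from
the guide or from Cisco: it parses the roleN attributes an ISE profile sends, expands ALL, and decides each action
the way the page describes (a role grants write on its own menu, other menus stay read-only, MANAGEMENT and
SECURITY are both needed for local management users and IPsec profiles, and no reachable authorizer means no
login). The profile contents and the task names are constructed for the example.

```python
"""Cisco AireOS WLC role-based authorization driven by TACACS+ role attributes."""

MENU_ROLES = ("MONITOR", "WLAN", "CONTROLLER", "WIRELESS",
              "SECURITY", "MANAGEMENT", "COMMANDS")
ALL_MENUS = frozenset(MENU_ROLES)
VALID_ROLES = ALL_MENUS | {"ALL", "LOBBY"}

# Error text the WLC GUI returns when a write is attempted without the role.
AUTHZ_FAILED = "Authorization Failed. No Sufficient privileges."

# Tasks that require two roles at once (local management users, IPsec profiles).
DUAL_ROLE_TASKS = {
    "create-mgmt-user": frozenset({"MANAGEMENT", "SECURITY"}),
    "create-ipsec-profile": frozenset({"MANAGEMENT", "SECURITY"}),
}


def roles_from_av_pairs(av_pairs):
    """Turn role1=..., role2=... attributes from a TACACS+ profile into a role set.

    Attributes that are not roleN are ignored (the WLC only consumes those). An
    unknown role value raises, because a typo in the profile would otherwise
    silently grant nothing. ALL expands to the seven menu roles.
    """
    roles = set()
    for pair in av_pairs:
        name, sep, value = pair.partition("=")
        if not sep or not name.strip().lower().startswith("role"):
            continue
        value = value.strip().upper()
        if value not in VALID_ROLES:
            raise ValueError(f"unknown WLC role {value!r} in attribute {pair!r}")
        roles.add(value)
    if "ALL" in roles:
        roles = (roles - {"ALL"}) | ALL_MENUS
    return frozenset(roles)


def login_allowed(server_reachable, roles):
    """Authentication and authorization are tied: an unreachable TACACS+ server,
    or a reply without any role, means the controller refuses the login."""
    return bool(server_reachable and roles)


def authorize(roles, menu, write):
    """Decide one GUI/CLI action. Returns (allowed, error_message_or_None).

    A role grants read/write on its own menu; menus the user is not authorized
    for stay visible read-only; a LOBBY-only user sees just the lobby page.
    """
    if roles == frozenset({"LOBBY"}):
        ok = menu == "LOBBY"
        return ok, (None if ok else AUTHZ_FAILED)
    if menu not in ALL_MENUS:
        return False, AUTHZ_FAILED
    if not write or menu in roles:
        return True, None
    return False, AUTHZ_FAILED


def authorize_task(roles, task):
    """Tasks that need MANAGEMENT and SECURITY together."""
    return DUAL_ROLE_TASKS[task] <= roles


def demo():
    """Run the page's three profiles through the checks from the test section."""
    profiles = {
        "WLC_Monitor_Only": ["role1=MONITOR"],
        "WLC_Security_Access": ["role1=SECURITY", "role2=COMMANDS"],
        "WLC_Admin": ["role1=ALL"],
    }
    r = {name: roles_from_av_pairs(pairs) for name, pairs in profiles.items()}
    return {
        "helpdesk_delete_wlan": authorize(r["WLC_Monitor_Only"], "WLAN", write=True),
        "helpdesk_view_wlan": authorize(r["WLC_Monitor_Only"], "WLAN", write=False),
        "secops_edit_security": authorize(r["WLC_Security_Access"], "SECURITY", write=True),
        "secops_edit_wlan": authorize(r["WLC_Security_Access"], "WLAN", write=True),
        "secops_create_mgmt_user": authorize_task(r["WLC_Security_Access"], "create-mgmt-user"),
        "admin_role_count": len(r["WLC_Admin"]),
        "admin_create_mgmt_user": authorize_task(r["WLC_Admin"], "create-mgmt-user"),
        "login_when_ise_down": login_allowed(False, r["WLC_Admin"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The value of writing the rules down this way is the two failure modes it makes explicit: a misspelled role in an
ISE profile is rejected rather than quietly producing a read-only administrator, and a helpdesk user's delete on
the WLANs page fails with the exact message the test section expects while the page itself remains readable.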

Device Admin Policy Sets


Policy sets are enabled by default for device administration. Policy sets can divide policies based on the device
types to ease application of TACACS profiles. For example, Cisco IOS devices use privilege levels or command
sets (or both), whereas Cisco WLC devices use custom attributes.


To add a new policy set, choose Work Centers > Device Administration > Device Admin Policy Sets. Name the
policy set WirelessLanControllers and give it a condition that matches the wireless controllers (for example, the
network device type you assigned when you added the Cisco WLC as a network device).

Create the authentication policy. For authentication, it is best to use Active Directory (demoAD) as the ID store.

Next, you define the authorization policy with the user's group in Active Directory and the location of the user. For
example, the users in the Active Directory group in each location can access only the devices that are located in
that region, whereas other administrator users cannot.

Which three of the following should you add to configure TACACS+ in the Cisco WLC controller? (Choose
three.)

TACACS+ Authentication server

TACACS+ Authorization server

TACACS+ Access server

TACACS+ Accounting server

© 2021 Cisco and/or its affiliates. All rights reserved.
