4 Implement Secure Access To The WLCs and Access Points
An enterprise network can span multiple geographies across different sites and locations. Your IT organization can have
different groups that work together, and you may have to work with other organizations in your company, such as support,
operations, or front desk (lobby) ambassadors, to help them perform their tasks successfully. Administrator users can be
spread across different locations. These personnel may need different levels of access privilege to the same or different
sets of devices, depending on their role. Managing this can quickly become complicated.
If you are using an external authentication server or some form of strong authentication, you also must know the
security needs of your company for authenticating users. You must also be aware of the audit and compliance
https://learningspace.cisco.com/dkitserver/content/show?x=N8zM9vryvDCthzTy&isLatest=false 1/13
9/22/21, 12:33 PM Implementing Cisco Enterprise Wireless Networks - Student Learning Guide
Configure the Cisco WLC and Access Points for Secure Management
Both Cisco Wireless LAN Controllers (Cisco WLCs) and APs have methods to provide management access. You
can manage the Cisco WLCs via the Cisco WLC GUI by using Simple Network Management Protocol (SNMP), via
the CLI by using the command port, or remotely by using Telnet or Secure Shell (SSH). Access points have a
console port and can be configured to be accessed via Telnet or SSH as well. In addition, you can manage the
WLCs via SNMP from Cisco Prime Infrastructure.
You can secure management access to the Cisco WLC with a local username and password held in the Cisco WLC
database, or you can use RADIUS or TACACS+ to have the Cisco WLC check these credentials against an
authentication, authorization, and accounting (AAA) server. You will learn about the use of TACACS+ with Cisco ISE as
the AAA server.
One local administrative account is created when you install the system. It is best practice to keep this account
secure to use for access in case the AAA servers become unreachable.
Access to the access point management interface is controlled from Cisco WLC and will be distributed to the
access points as they join Cisco WLC.
You must enforce a strong password. The password policies allow enforcement of strong password checks on
newly created passwords for additional management users of the controller and access points. The following
requirements are enforced on the new password:
When you upgrade the controller from an old version, all the old passwords are maintained, even though the
passwords are weak. After the system upgrade, if the strong password checks are enabled, strong passwords
are enforced from that time forward. However, the strength of the previously added passwords will not be
checked or altered.
Depending on the settings that you enter in the Password Policy page, the local management and access point
user configuration is affected.
Be aware that this password policy setting could impact network devices that authenticate against the local database.
They may be sharing the same username and password, such as wireless phones that use the same user profile for
their wireless connection.
Users must enter a valid username and password in order for the controller to authenticate users to the TACACS+
server. The authentication and authorization services are tied to one another. For example, if authentication is
performed using the local or RADIUS database, then authorization would use the permissions that are associated
with the user in the local or RADIUS database (which are read-only, read/write, and lobby-admin) and not use
TACACS+. Similarly, when authentication is performed with TACACS+, authorization is tied to TACACS+.
For TACACS+, authorization is based on privilege (or role) rather than specific actions. The available roles
correspond to the seven menu options on the controller GUI: MONITOR, WLAN, CONTROLLER, WIRELESS,
SECURITY, MANAGEMENT, and COMMANDS. An extra role, LOBBY, is available for users who require only lobby
ambassador privileges. You configure the roles to which users are assigned on the TACACS+ server. You can
authorize users for one or more roles.
Both MANAGEMENT and SECURITY roles are necessary for creating local management user and IP Security
(IPsec) profiles. The minimum authorization is MONITOR only, and the maximum is ALL, which authorizes the user
to execute the functionality that is associated with all seven menu options. For example, a user who is assigned the
role of SECURITY can make changes to any items that appear on the Security menu (or are designated as security
commands in the case of the CLI). If users are not authorized for a particular role (such as WLAN), they can still
access that menu option in read-only mode (or the associated CLI show commands). If the TACACS+ authorization
server becomes unreachable or unable to authorize, users are unable to log in to the controller.
It is a best practice to increase the retransmit timeout value for TACACS+ authentication, authorization, and
accounting servers if you experience repeated reauthentication attempts or if the controller falls back to the backup
server when the primary server is active and reachable. This scenario is especially true when you are implementing
One-Time Password (OTP).
In the Order Used for Authentication text box, specify which servers have priority when the controller attempts to
authenticate management users.
Use the > and < buttons to move servers between the Not Used and Order Used for Authentication text boxes.
After the desired servers appear in the Order Used for Authentication text box, use the Up and Down buttons to
move the priority server to the top of the list. By default, the local database is always queried first. If the username
is not found, the controller switches to the RADIUS server if you configured it for RADIUS or to the TACACS+
server if you configured it for TACACS+. The default setting is LOCAL and then RADIUS.
It is recommended that you have a local authentication method just in case Cisco WLC cannot reach Cisco ISE.
Your administrator should still be able to access Cisco WLC with local authentication as the fallback method.
In the Cisco IOS XE wireless GUI, configure AAA authentication by following these steps:
1. Choose Configuration > Security > AAA.
2. In the Authentication section, click Add.
3. In the Quick Setup: AAA Authentication window that displays, enter a name for your method list.
4. From the Type drop-down list, choose the type of authentication to perform before access to the network is allowed.
5. From the Group Type drop-down list, choose whether a group of servers acts as your access server or whether a
local server authenticates access.
You can configure the AAA authentication from the CLI by completing these steps:
1. To enable AAA access control, use the aaa new-model command. For example:
2. To define the list of authentication methods at login, use the aaa authentication login command:
In this command, named_authentication_list is any name of at most 31 characters, and AAA_group_name is the name of
the server group. The server group (and the server_name it contains) must already be defined before the method list
references it. For example:
3. To create an authorization method list for web-based authorization, use the aaa authorization network
command.
For example:
For example:
5. To configure the IP address for the TACACS server, use the address {ipv4 | ipv6} command.
For example:
For example:
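The CLI steps above, assembled into one working Cisco IOS XE configuration. This is an added example, not configuration from the original guide: the server name ISE-1, the group name ISE-TACACS, the method-list names MGMT-LOGIN and MGMT-EXEC, the address 192.0.2.10, the local username and the shared-secret placeholders are all assumed values. It covers step 1 (aaa new-model), step 2 (the login method list with the server group defined first), step 5 (the TACACS+ server address) and the application of the list to the VTY lines; the step-3 "aaa authorization network" list is left out because it governs client web authentication rather than administrator login.

```ios
! Added example (not from the original guide). Names, the address and the
! secrets are assumed placeholders; replace them for your deployment.
!
! Step 1: enable the AAA access-control model.
aaa new-model
!
! Step 5: define the TACACS+ server (Cisco ISE) by IPv4 address and shared secret.
! This is the server_name that the server group references, so it comes first.
tacacs server ISE-1
 address ipv4 192.0.2.10
 key REPLACE_WITH_SHARED_SECRET
!
! Server group referenced by the method lists (AAA_group_name in the text).
aaa group server tacacs+ ISE-TACACS
 server name ISE-1
!
! Local fallback account so an administrator can still log in if Cisco ISE
! is unreachable (the guide's recommended fallback method).
username admin privilege 15 secret REPLACE_WITH_LOCAL_PASSWORD
!
! Step 2: login method list (name of at most 31 characters). The TACACS+
! group is tried first; the local database is consulted only if the group
! does not respond.
aaa authentication login MGMT-LOGIN group ISE-TACACS local
aaa authorization exec MGMT-EXEC group ISE-TACACS local
!
! Apply the method lists to the remote-access lines and allow SSH only,
! so Telnet cannot be used for management.
line vty 0 15
 login authentication MGMT-LOGIN
 authorization exec MGMT-EXEC
 transport input ssh
```

Create the local fallback account before entering aaa new-model and keep an existing console or SSH session open while you apply the method lists, so a mistake in the list names cannot lock you out. After committing the configuration, `show aaa servers` reports whether the controller has been able to reach ISE-1, and logging in as a TACACS+ user from a second session confirms the order before you close the first one.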
The following are some guidelines to configure global credentials for access points:
You can set a global username, password, and enable password that all access points inherit, including devices
that are currently joined to the controller and any that join in the future, as they join Cisco WLC. If you desire,
you can override the global credentials and assign a unique username, password, and enable password for a
specific access point.
After an access point joins Cisco WLC, the access point enables console port security, and you are prompted
for your username and password whenever you log in to the access point’s console port. You are in
nonprivileged mode when you log on, and you must enter the enable password to use the privileged mode.
The global credentials that you configure on Cisco WLC are retained across Cisco WLC and access point
reboots. They are overwritten only if the access point joins a new Cisco WLC that is configured with a global
username and password. If the new controller is not configured with global credentials, the access point retains
the global username and password that you configured for the first Cisco WLC.
You must keep track of the credentials that the access points use. Otherwise, you might not be able to log on to
the console port of the access point. If you must return the access points to the default Cisco-Cisco username
and password, you must clear the controller’s configuration and the access point’s configuration to return them
to factory-default settings.
To clear the controller’s configuration, choose Commands > Reset to Factory Default > Reset on the
controller GUI or use the clear config command on the Cisco WLC CLI.
To clear the access point’s configuration, choose Wireless > Access Points > All APs, click the access point’s
name, and click Clear All Config on the controller GUI. Or, you can use the clear ap config command.
Once you complete the Cisco WLC configuration for device administration, you must validate the configuration.
Log in to Cisco WLC as various users who belong to the different groups and access different devices.
When you log in, verify that the user has access to the right tabs. Some features require certain permissions for
their usage. If a feature is unavailable, or the user is not allowed to perform a specific task, you may need to adjust
their permissions. Regardless of the level of access, any administrator account can modify or delete objects for
which it has permission, on any page that it can access.
For a user who is a helpdesk user, navigate to the different tabs and try to add, modify, or delete objects. For
example, go to WLANs and try to delete one of the WLANs. As this user has only MONITOR access, the operation
should be denied with the following error “Authorization Failed. No Sufficient privileges.”
RBAC restricts system access to authorized users by using roles that then associate with administrative groups. An
RBAC policy defines permissions that allow each administrative group to perform certain tasks. Policies restrict or
allow a person the permission to perform tasks that are based on the administrative group (or groups) to which that
person is assigned. You can be assigned to multiple roles that provide you with the privileges for each role to which
you are assigned.
A specialized administrator role has the ability to customize permissions and administrative groups and to create
custom policies. The default Cisco ISE RBAC policies cannot be modified.
Some features in the user interface require certain permissions for their usage. If a feature is unavailable or you are
not allowed to perform a specific task, your administrative group may not have the necessary permissions to
perform the task that utilizes the feature.
All these steps are optional, because one administrator account has been configured with the setup utility during
system installation.
The authorization is performed based on the Active Directory or LDAP group membership. In the external groups,
the administrators authenticate against the credentials that are contained in the external identity store that you
specify in the attribute selector. After choosing the external type, you must specify the identity store from which
Cisco ISE should import the external group information.
In the Admin User configuration page, you can enter the administrator attributes of status, email, external attribute,
password, user information, account options, and the admin group. If you check the External check box, the
password and re-enter password fields will not be used.
The users of type “external” are created internally for authorization of administrators that have been defined on an
external RSA SecurID server. The username of such an external administrator must be defined locally on Cisco
ISE as an external user type. Users of type external do not have a password that is configured on Cisco ISE.
Two views are available in the TACACS Profiles page (Work Centers > Device Administration > Policy
Elements > Results > TACACS Profiles)—Task Attribute View and Raw View. You can enter common tasks
with the Task Attribute View and create custom attributes in the Task Attribute View and the Raw View.
Before configuring TACACS profiles, make sure that you add Cisco WLC as a network device (AAA client) and
associate network device group based on device type, location, and other attributes.
Access privileges in Cisco WLC are based on the administrator roles. Cisco WLC uses attributes that you must
define in TACACS profiles. The available roles in Cisco WLC are MONITOR, WLAN, CONTROLLER, WIRELESS,
SECURITY, MANAGEMENT, COMMANDS, ALL, and LOBBY. The first seven correspond to the menu options on the
Cisco WLC admin web user interface. You may enter one or more roles to allow read and write access to the
corresponding features, with read-only access to the rest. The Cisco ISE user interface has templates for TACACS
profiles with a very similar structure to simplify configuration.
In the example that you see here, the definition for the three TACACS profiles is based on the access privileges
that are required by the administrator.
WLC_Monitor_Only: For helpdesk with access to the Monitor tab.
WLC_Security_Access: For security operators with access to the Security and Commands tabs.
WLC_Admin: For administrators with full access.
To grant read and write access to WLAN, SECURITY, and CONTROLLER, you need the following attributes and
values to be sent.
In the Cisco ISE GUI, choose Work Centers > Device Administration > Policy Results > TACACS Profiles. Add
a new TACACS profile called WLC_Monitor_Only. Scroll down to the Custom Attributes section to define access
only to Monitor. You can check the Raw View for the exact attribute and associated value. Click the Submit button
to save the profile.
Add another profile called WLC_Security_Access. Choose Selected to provide access to the SECURITY and
COMMANDS. Click Submit to save the profile.
Add a third profile called WLC_Admin. Choose All from the selection. This choice provides access to all the tabs
with an attribute and value of role1=ALL.
The number at the bottom of the menu changes from 0x0 for MONITOR to 0xfffffff8 for ALL. Cisco WLC writes this
debug value to its logs for each role, which helps you troubleshoot access issues to Cisco WLC.
To add a new policy set, choose Work Centers > Device Administration > Device Admin Policy Sets. Name the
policy set WirelessLanControllers with the condition.
Create the authentication policy. For authentication, it is best to use Active Directory (demoAD) as the ID store.
Next, you define the authorization policy with the user's group in Active Directory and the location of the user. For
example, the users in the Active Directory group in each location can access only the devices that are located in
that region, whereas other administrator users cannot.
Which three of the following should you add to configure TACACS+ in the Cisco WLC controller? (Choose three.)
© 2021 Cisco and/or its affiliates. All rights reserved.