I'm using the AD internal store I created in my TACACS tutorial to allow AD groups to be used for authorization control. If you also want to use TACACS on your Wireless LAN Controllers, you're in luck: it is just as easy to configure as anything else once you know the proper steps, which I'm going to share with you.

For this step-by-step tutorial I'm going to be working with a Cisco 5520 WLC on version 8.5 and Cisco ISE 2.4 with Device Administration already configured (per my tutorial linked below).

Related: Configure New Cisco ISE 2.4 Install for Use as TACACS Server

Adding Wireless LAN Controller to Cisco ISE 2.4

The first thing we need to do is add the wireless LAN controller to ISE as a network resource, just as you would any other network device. Navigate to Work Centers - Device Administration - Network Resources - Network Devices and click the Add button. Leave the Device Profile as Cisco (unless you have good reason to change it). Check the box in front of TACACS Authentication Settings, fill in your Shared Secret, and click Submit.

Configuring Cisco ISE 2.4 TACACS Profile for WLC

The next thing we need to do is help Cisco ISE understand the language the Wireless LAN Controller uses for access and authorization. The WLC uses TACACS custom attributes named role1, role2, etc., each with a value that corresponds to the access level you wish to grant within that profile. The available roles are MONITOR, WLAN, CONTROLLER, WIRELESS, SECURITY, MANAGEMENT, COMMAND, ALL, and LOBBY. The first seven roles control access to the respectively named menus in the WLC web user interface. ALL grants read-write access to everything; LOBBY grants access to the Lobby feature, which I won't be covering here. When configuring a TACACS Profile you can configure multiple roles as multiple custom attributes to allow read-write access to several menus and read-only access to the rest. For example, if you wanted someone to have access to WLAN and WIRELESS, you could create a TACACS Profile with two roles (role1 and role2) with the values WLAN and WIRELESS respectively, like so:

role1 WLAN
role2 WIRELESS

For this walk-through I'm just going to create one profile with one role with a value of ALL, which I will use to give members of the Infrastructure Team full access to the wireless controller through TACACS auth. Log into ISE and navigate to Work Centers - Device Administration - Policy Elements - Results - TACACS Profiles and click Add. Give your TACACS Profile a Name; I'm using WLC Admin Shell Profile. Scroll down to Custom Attributes, click Add, select Mandatory in the first dropdown, enter role1 for the Name, enter ALL for the Value, and click the check mark at the end to save the attribute.

Configure Cisco ISE 2.4 Policy Set for WLC

Now that we have our TACACS shell profile created, we need to tell ISE how to handle that information. To do that we'll create a new Policy Set (optional) and edit our Authorization Policy to grant ALL to members of our desired AD group when they authenticate. Creating a separate Policy Set is optional; however, I advise creating new Policy Sets for different types of equipment. Navigate to Work Centers - Device Administration - Device Admin Policy Sets and click the Plus icon. Give your Policy Set a Name, set the Conditions to Device Type equals Wireless LAN Controller (the optional device type I created earlier when adding the WLC as a new network device under Network Resources), set the Allowed Protocols to Default Device Admin, and click Save. Click the right arrow (or caret) under View to open the Policy Set. Expand Authentication Policy and choose your desired identity store.
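As an added example (not part of the original post, and not Cisco's or ISE's own code), the following Python models how the WLC interprets the role1, role2, ... custom attributes described above, so a profile can be reviewed for the access it actually grants before it is pushed to ISE. The read-write/read-only behaviour per menu and the meaning of ALL and LOBBY are as the post describes; the function names, the duplicate-attribute check and the sample profiles are my own assumptions.

```python
import re
from typing import Dict, Iterable, Tuple

# WLC web UI menus, each controlled by the role value of the same name.
MENUS = ("MONITOR", "WLAN", "CONTROLLER", "WIRELESS", "SECURITY", "MANAGEMENT", "COMMAND")
VALID_ROLES = MENUS + ("ALL", "LOBBY")
ROLE_NAME = re.compile(r"^role\d+$", re.IGNORECASE)

def wlc_effective_access(attrs: Iterable[Tuple[str, str]]) -> Tuple[Dict[str, str], bool]:
    """Translate roleN custom attributes (as entered in the ISE TACACS Profile,
    e.g. [("role1", "WLAN"), ("role2", "WIRELESS")]) into ({menu: "rw"|"ro"}, lobby).
    Raises ValueError on a name or value the WLC does not define, so a typo is
    caught while reviewing the profile rather than at login."""
    access = {menu: "ro" for menu in MENUS}  # menus not named stay read-only
    lobby = False
    seen = set()
    for name, value in attrs:
        key = name.strip().lower()
        if not ROLE_NAME.match(key):
            raise ValueError(f"not a WLC role attribute: {name!r}")
        if key in seen:  # hypothetical check: two role1 entries is a profile mistake
            raise ValueError(f"duplicate attribute: {name!r}")
        seen.add(key)
        role = value.strip().upper()
        if role not in VALID_ROLES:
            raise ValueError(f"unknown WLC role value: {value!r}")
        if role == "ALL":
            access = {menu: "rw" for menu in MENUS}  # read-write everywhere
        elif role == "LOBBY":
            lobby = True  # Lobby ambassador feature, no menu access implied
        else:
            access[role] = "rw"
    return access, lobby

def profile_is_valid(attrs: Iterable[Tuple[str, str]]) -> bool:
    """True when every attribute in the profile would be understood by the WLC."""
    try:
        wlc_effective_access(attrs)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # The two profiles from the walk-through: full access, and WLAN + WIRELESS only.
    for profile in ([("role1", "ALL")], [("role1", "WLAN"), ("role2", "WIRELESS")]):
        access, lobby = wlc_effective_access(profile)
        rw = [menu for menu, level in access.items() if level == "rw"]
        print(profile, "-> read-write:", rw, "| lobby:", lobby)
```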