This document describes how to use Cisco Secure Access Control Server
(ACS) 5.x in order to configure Cisco Wireless Control System (WCS) and Cisco
Prime Network Control System (NCS) administration.
Cisco recommends that you have knowledge of these topics:
Cisco Wireless Control System
Cisco Prime Network Control System
Cisco Secure Access Control Server
The information in this document is based on these software and
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Refer to the Cisco Technical Tips
Conventions for more information on document conventions.
This sample configuration describes how to authenticate a user with
Note: Although various options and possibilities exist when you
authenticate WCS/NCS users with Cisco Secure ACS 5.x, not all combinations are
described in this document. However, this example provides you with the
information necessary to understand how to modify the example to the precise
configuration you want to achieve.
On the Cisco Secure ACS, choose Network Resources >
Network Devices and AAA Clients.
Enter a name in the Name field.
Enter the WCS IP address in the IP address field.
Under the Authentication Options area, click the
TACACS+ check box in order to enable TACACS+, and then enter a
term to be used as a shared secret.
Note: This example uses cisco as the shared secret;
however, for security reasons, you should use a less obvious term.
Log in to WCS, and choose Administration >
Enter your shared secret term in the Shared Secret and Confirm Shared
Choose the Cisco ACS IP address from the Local Interface IP
On the left navigation area, click AAA
Click the TACACS+ radio button.
Note: For safety reasons, Cisco recommends that you choose on
auth failure or no server response from the Enable fallback to local
drop-down list. Choosing this option prevents you from being locked out in case
of issues. You can change the option once everything works correctly.
This step describes how to configure Cisco Secure ACS to return the
correct attributes in order to determine the user privileges on WCS.
In the left navigation area, click Groups.
A list of user types appears. This example authenticates a user from
the Lobby Ambassador user type.
Click the Task List link next to the
Note: You must configure the user role (Lobby Ambassador for this
example) and a list of tasks they can perform and menu items they can access.
If you use a recent release of WCS, you must also configure the virtual domain
that the user will belong to.
Choose Administration > Virtual domains.
Choose Policy Elements > Authorization and Permissions
> Device Administration > Shell Profiles in order to create a
new shell profile.
Enter a meaningful name (such as WCS), and then
click the Custom Attributes tab.
Configure the attributes as they exist on
Note: In versions of ACS earlier than version 5.2 patch 7, you might face
issues when you enter a task that contains the word "alert". This is fixed in
later ACS versions. The same problem exists in Identity Services Engine (ISE)
versions earlier than 1.2.
Here is an example of how to manually enter the attributes:
- Type "role0" in the Attribute field.
- Type "LobbyAmbassador" in the Value field.
- Click the Add button.
Repeat these steps for each of the other attributes.
Note: In ACS 4, it was possible to copy/paste the list of attributes from
the WCS GUI to the ACS 4 GUI. In ACS 5, they must be entered one by one.
In NCS and Prime Infrastructure, the attributes must be entered in a
very specific order: the virtual domain first, then the role, and then the list of tasks.
If they are entered in the wrong order, NCS/Prime rejects the authentication.
NCS:task0=View Alerts and Events
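The following is an added example, not part of the Cisco document, that builds a shell-profile attribute list in the order NCS/Prime expects (virtual domain, role, tasks) and lints an existing list for the ordering and "alert" issues described above. The attribute name "virtual-domain0", the domain value "ROOT-DOMAIN" and the task names are assumptions made for the example; only "role0" and "task0" are taken from the page.

```python
import re

# "role0" and "task0" are the attribute names shown on the page; the
# virtual-domain attribute name "virtual-domain0" is an assumption.
VDOM_PREFIX = "virtual-domain"
ROLE_PREFIX = "role"
TASK_PREFIX = "task"


def build_ncs_attributes(virtual_domain, role, tasks):
    """Return (name, value) pairs in the order NCS/Prime requires:
    virtual domain first, then the role, then task0, task1, ..."""
    attrs = [(f"{VDOM_PREFIX}0", virtual_domain), (f"{ROLE_PREFIX}0", role)]
    attrs += [(f"{TASK_PREFIX}{i}", t) for i, t in enumerate(tasks)]
    return attrs


def _kind(name):
    """Classify an attribute name as vdom/role/task/other."""
    for prefix, kind in ((VDOM_PREFIX, "vdom"), (ROLE_PREFIX, "role"), (TASK_PREFIX, "task")):
        if re.fullmatch(re.escape(prefix) + r"\d+", name):
            return kind
    return "other"


def lint_shell_profile(attrs, acs_alert_bug=False):
    """Check custom attributes (as entered on an ACS shell profile) against the
    ordering NCS/Prime enforces. Returns a list of problems; empty means OK.
    Set acs_alert_bug=True when the ACS/ISE release still mishandles 'alert'."""
    problems = []
    kinds = [_kind(n) for n, _ in attrs]
    rank = {"vdom": 0, "role": 1, "task": 2}
    ranks = [rank.get(k, 3) for k in kinds]
    if ranks != sorted(ranks):
        problems.append("attributes out of order: expected virtual domain, role, then tasks")
    if "vdom" not in kinds:
        problems.append("no virtual domain attribute")
    if kinds.count("role") != 1:
        problems.append("expected exactly one role attribute")
    if "task" not in kinds:
        problems.append("no task attributes")
    # Task numbering must be contiguous, starting at task0.
    task_nums = sorted(int(n[len(TASK_PREFIX):]) for n, _ in attrs if _kind(n) == "task")
    if task_nums != list(range(len(task_nums))):
        problems.append("task attributes are not numbered contiguously from task0")
    if acs_alert_bug:
        for n, v in attrs:
            if _kind(n) == "task" and "alert" in v.lower():
                problems.append(f"{n} contains the word 'alert' (affected ACS/ISE releases)")
    return problems
```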
Configure a user (this example uses Lobbyad) as
a user on ACS.
Note: For ease of configuration, this example adds the Lobbyad user to
the WCS-users group. (This step is optional.)
In Access policies, under Default Device Admin >
Authorization, configure a rule to match WCS
If the user name belongs to WCS-users group,
return the wcs shell profile (which contains the group
If you want to configure other types of users (such as
administrators), you must configure another shell profile to return different
attributes. From then on, you must group administrators in a different group in
order to differentiate and know what shell profile to
There is currently no verification procedure available for this
There is currently no specific troubleshooting information available
for this configuration.