Cisco Wireless Control System

Wireless Control System and Network Control System Administration with ACS 5.x Configuration Example

Document ID: 116004

Updated: Apr 02, 2013

Contributed by Nicholas Darchis, Cisco TAC Engineer.



This document describes how to use Cisco Secure Access Control Server (ACS) 5.x in order to configure Cisco Wireless Control System (WCS) and Cisco Prime Network Control System (NCS) administration.



Cisco recommends that you have knowledge of these topics:

  • Cisco Wireless Control System

  • Cisco Prime Network Control System

  • Cisco Secure Access Control Server

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco Wireless Control System

  • Cisco Secure ACS 5.x

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


Refer to the Cisco Technical Tips Conventions for more information on document conventions.


This sample configuration describes how to authenticate a user with TACACS+.

Note: Although various options and possibilities exist when you authenticate WCS/NCS users with Cisco Secure ACS 5.x, not all combinations are described in this document. However, this example provides you with the information necessary to understand how to modify the example to the precise configuration you want to achieve.

Step 1. Add the WCS to the ACS AAA clients.

  1. On the Cisco Secure ACS, choose Network Resources > Network Devices and AAA Clients.


  2. Enter a name in the Name field.

  3. Enter the WCS IP address in the IP address field.

  4. Under the Authentication Options area, click the TACACS+ check box in order to enable TACACS+, and then enter a term to be used as a shared secret.

    Note: This example uses cisco as the shared secret; however, for security reasons, you should use a less obvious term.

Step 2. Add the Cisco Secure ACS as a TACACS+ server in WCS.

  1. Log in to WCS, and choose Administration > AAA.

  2. Click TACACS+.


  3. Enter your shared secret term in the Shared Secret and Confirm Shared Secret fields.

  4. Choose the Cisco ACS IP address from the Local Interface IP field.

  5. On the left navigation area, click AAA Mode.


  6. Click the TACACS+ radio button.

    Note: For safety reasons, Cisco recommends that you choose on auth failure or no server response from the Enable fallback to local drop-down list. Choosing this option prevents you from being locked out in case of issues. You can change the option once everything works correctly.

Step 3. Configure the correct shell profile on ACS.

This step describes how to configure Cisco Secure ACS to return the correct attributes in order to determine the user privileges on WCS.

  1. In the left navigation area, click Groups.

    A list of user types appears. This example authenticates a user from the Lobby Ambassador user type.

  2. Click the Task List link next to the LobbyAmbassador group.


    Note: You must configure the user role (Lobby Ambassador for this example) and a list of tasks they can perform and menu items they can access. If you use a recent release of WCS, you must also configure the virtual domain that the user will belong to.

  3. Choose Administration > Virtual domains.

  4. Click Export.


  5. Choose Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles in order to create a new shell profile.

  6. Enter a meaningful name (such as WCS), and then click the Custom Attributes tab.

  7. Configure the attributes as they exist on WCS.


    Note: In versions of ACS earlier than version 5.2 patch 7, you might face issues when you enter a task that contains the word "alert". This is fixed in later ACS versions. The same problem exists in Identity Services Engine (ISE) versions earlier than 1.2.

    Here is an example of how to manually enter the attributes:

    -type “role0” in the “Attribute” field
    -type “LobbyAmbassador” in the Value field
    -click the “add” button.
    Etc… for the other attributes.

    Note: In ACS 4, it was possible to copy/paste the list of attributes from the WCS GUI to the ACS 4 GUI. In ACS 5, they must be entered one by one.

    In NCS and Prime Infrastructure, the attribute must be entered in a very specific order. The order is virtual domain, role, and the list of tasks. If entered in the wrong order, NCS/Prime refuses the authentication.

    NCS:role0=Super Users
    NCS:task0=View Alerts and Events

Step 4. Configure Cisco Secure ACS to return the attributes.

  1. Configure a user (this example uses Lobbyad) as a user on ACS.


    Note: For ease of configuration, this example adds the Lobbyad user to the WCS-users group. (This step is optional.)

  2. In Access policies, under Default Device Admin > Authorization, configure a rule to match WCS authentication.


  3. If the user name belongs to WCS-users group, return the wcs shell profile (which contains the group attributes).

  4. If you want to configure other types of users (such as administrators), you must configure another shell profile to return different attributes. From then on, you must group administrators in a different group in order to differentiate and know what shell profile to return.


There is currently no verification procedure available for this configuration.


There is currently no specific troubleshooting information available for this configuration.

Related Information

Updated: Apr 02, 2013
Document ID: 116004