A Cisco WCS virtual domain consists of a set of devices and maps and restricts a user's view to information relevant to these devices and maps.
Through a virtual domain, an administrator can ensure that users are only able to view the devices and maps for which they are responsible. In addition, because of the virtual domain's filters, users are able to configure, view alarms, and generate reports for only their assigned part of the network.
The administrator specifies for each user a set of allowed virtual domains. Only one of these can be active for that user at login. The user can change the current virtual domain by selecting a different allowed virtual domain from the Virtual Domain drop-down list at the top of the screen. All reports, alarms, and other functionality are now filtered by that virtual domain.
Note The following cannot be partitioned in a virtual domain (and are only available from the root partition: Google Earth Maps, Auto Provisioning, Mobility Service Engines).
If there is only one virtual domain defined ("root") in the system AND the user does not have any virtual domains in the custom attributes fields in the TACACS+/RADIUS server, the user is assigned the "root" virtual domain by default.
If there is more than one virtual domain, and the user does not have any specified attributes, then the user is blocked from logging in.
The following tasks are associated with Virtual Domains:
•Creating a Virtual Domain
•Understanding Virtual Domain Hierarchy
•Modifying a Virtual Domain
•Understanding Virtual Domains as a User
Creating a Virtual Domain
Use the Administration > Virtual Domains page to create, edit, or delete virtual domains. Each virtual domain may contain a subset of the elements included with its parent virtual domain. You can assign additional maps, controllers, and access points to the new virtual domain. See "Modifying a Virtual Domain" for more information on managing virtual domains.
Note The maximum number of virtual domains that can be defined in WCS is 124.
•New—Click to create a new virtual domain. See "Creating a New Virtual Domain" for more information.
•Delete—Click to delete the selected virtual domain from the hierarchy.
•Export—Click to configure custom attributes for the selected virtual domain. See "Virtual Domain RADIUS and TACACS+ Attributes" for more information.
Creating a New Virtual Domain
Note See "Modifying a Virtual Domain" for more information.
Follow these steps to create a new virtual domain:
Step 1 Choose Administration > Virtual Domains.
Step 2 From the left Virtual Domain Hierarchy sidebar menu, select to highlight the virtual domain to which you want to add a sub (child) virtual domain.
Note The selected virtual domain becomes the parent virtual domain of the newly-created sub-virtual domain.
Step 3 Click New (see Figure 20-1).
Figure 20-1 Virtual Domains
Step 4 Enter the virtual domain name in the text box.
Step 5 Click Submit to create the virtual domain or Cancel to close the page with no changes.
Note Each virtual domain may contain a subset of the elements included with its parent virtual domain. When a user is assigned a virtual domain, that user may view the same maps, controllers, and access points that are assigned to its parent virtual domain.
Understanding Virtual Domain Hierarchy
Virtual domains are organized hierarchically. Sub-sets of an existing virtual domain contain the network elements that are contained in the parent virtual domain.
Note The default or "root" domain includes all virtual domains.
Because network elements are managed hierarchically some features and components such as report generation, searches, templates, config groups, and alarms are affected.
Note For instance, if you create a virtual domain with only access points and no controllers assigned, you lose some ability to choose controller-based features. For example, some options require you to navigate from the controller to the access point. Because controllers are not in the virtual domain, you are not able to generate the associated report.
Likewise, if you create a partition with only a few controllers and then go to Configure > Access Points and click an individual link in the AP Name column, the complete list of WCS-assigned controllers is displayed for Primary, Secondary, and Tertiary Controllers, rather than the limited number specified in the partition.
Note If a controller's configuration is modified by multiple Virtual Domains, complications may arise. To avoid this, manage each controller from only one Virtual Domain at a time.
See the following sections to better understand the effects of partitioning:
Reports only include components assigned to the current virtual domain. For example, if you create a virtual domain with only access points and no controllers assigned, you lose some ability to choose controller-based features. For example, some report options require you to navigate from controller to access point. If you did not assign controllers when you created the virtual domain, you are not able to generate these kinds of reports.
Note Reports are only visible in the current virtual domain. The parent virtual domain cannot view the reports from its sub-virtual domain.
Client reports such as Client Count only include clients that belong to the current virtual domain.
Note If new clients are assigned to this partition by the administrator, the previous reports do not reflect these additions. Only new reports will reflect the new clients.
Search results only include components that are assigned to the virtual domain in which the search is performed. Search results do not display floor areas when the campus is not assigned to the virtual domain.
Note The saved searches are only visible in the current virtual domain. The parent virtual domain cannot view these search results.
Note WCS does not partition network lists. If you search a controller by network list, all controllers will be returned.
When a component is added to a virtual domain, no previous alarms for that component are visible to that virtual domain. Only newly-generated alarms are visible. For example, when a new controller is added to a virtual domain, any alarms generated for that controller prior to its addition do not appear in the current virtual domain.
Alarms are not deleted from a virtual domain when the associated controllers or access points are deleted from the same virtual domain.
Note In the Alarm Email Notifications parameter, only the root virtual domain can enable Location Notifications, Location Servers, and WCS email notifications.
When you create or discover a template in a virtual domain, it is only available in that virtual domain unless it is applied to a controller. If it is applied to a controller and that controller is assigned to a sub-virtual domain, the template stays with the controller in the new virtual domain.
Note If you create a sub virtual domain and then apply a template to both network elements in the virtual domain, WCS may incorrectly reflect the number of partitions to which the template was applied.
Config groups in a virtual domain can also be viewed by the parent virtual domain. A parent virtual domain can modify config groups for a sub (child) virtual domain. For example, the parent virtual domain can add or delete controllers from a sub virtual domain.
You can only view the maps that your administrator assigned to your current virtual domain.
•When a campus is assigned to a virtual domain, all buildings in that campus are automatically assigned to the same virtual domain.
•When a building is assigned to a virtual domain, it automatically includes all of the floors associated with that building.
•When a floor is assigned, it automatically includes all of the access points associated with that floor.
Note If only floors are assigned to a virtual domain, you lose some ability to choose map-based features. For example, some reports and searches require you to drill down from campus to building to floor. Since campus and buildings are not in the virtual domain, you are not able to generate these kinds of reports or searches.
Note Coverage areas shown in WCS are only applied to campus and buildings. In a floor-only virtual domain, WCS does not display coverage areas.
Note If a floor is directly assigned to a virtual domain, it cannot be deleted from the virtual domain which has the building to which the floor belongs.
Note Search results do not display floor areas when the campus is not assigned to the virtual domain.
When a controller or map is assigned to a virtual domain, the access points associated with the controller or map are automatically assigned as well. Access points or controllers can also be assigned manually (separate from the controller or map) to a virtual domain.
Note If the controller is removed from the virtual domain, all of its associated access points are also removed. If an access point is manually assigned, it remains assigned even if its associated controller is removed from the current virtual domain.
Note If a manually-added access point is removed from a virtual domain but is still associated with a controller or map that is assigned to the same virtual domain, the access point remains visible in the virtual domain. Any alarms associated with this access point are not deleted with the deletion of the access point.
Note When maps are removed from a virtual domain, the access points on the maps can be removed from the virtual domain.
Note If you later move an access point to another partition, some events (such as generated alarms) may reside in the original partition location.
Because network elements are managed hierarchically, controllers may be affected by partitioning. For instance, if you create a partition with only access points and no controllers assigned, all access points in the partition are not shown when you generate an access point report. Likewise, if you create a partition with only a few controllers and then go to Configure > Access Points and click an individual link in the AP Name column, the complete list of WCS-assigned controllers is displayed for Primary, Secondary, and Tertiary Controllers, rather than the limited number specified in the partition.
Email notification can be configured per virtual domain. An email is sent only when alarms occur in that virtual domain.
Modifying a Virtual Domain
Choose a Virtual Domain from the Virtual Domain Hierarchy on the left side to view or edit its assigned maps, controllers, and access points. The Summary page displays with links to view the current logged in virtual domain's available maps, controllers, and access points.
Note The following elements can be partitioned in a virtual domain: maps, controllers, access points, and templates.
The Maps, Controllers, and Access Points tabs are used to add or remove components assigned to this virtual domain.
To assign a map, controller, or access point to this domain, follow these steps:
Step 1 Choose Administration > Virtual Domains.
Step 2 From the left Virtual Domain Hierarchy sidebar menu, select to highlight the virtual domain that you want to view or edit.
Note Because all maps, controllers, and access points are included in the partition tree, you should expect it to take several minutes to load. This increases if you have a system with a significant number of controllers and access points.
Step 3 Choose the applicable Maps, Controllers, or Access Points tab (see Figure 20-2).
Figure 20-2 Virtual Domains Maps Tab
Step 4 In the Available (Maps, Controllers, or Access Points) column, click to highlight the new component(s) you want to assign to the virtual domain.
Step 5 Click Add > to move the component(s) to the Selected (Maps, Controllers, or Access Points) column.
Note To remove a component from the virtual domain, click to highlight the component in the Selected (Maps, Controllers, or Access Points) column and click < Remove. The component returns to the Available column.
Step 6 Click Submit to confirm the changes.
Virtual Domain RADIUS and TACACS+ Attributes
The Virtual Domain Custom Attributes page allows you to indicate the appropriate protocol-specific data for each virtual domain. The Export button on the Virtual Domain Hierarchy sidebar pre-formats the virtual domain's RADIUS and TACACS+ attributes. You can copy and paste these attributes into the ACS server. This allows you to copy only the applicable virtual domains into the ACS server screen and ensures that the users only have access to these virtual domains.
To apply the pre-formatted RADIUS and TACACS+ attributes to the ACS server, follow these steps:
Step 1 From the left Virtual Domain Hierarchy sidebar menu, select to highlight the virtual domain for which you want to apply the RADIUS and TACACS+ attributes.
Step 2 Click Export.
Step 3 Highlight the text inside of the RADIUS or TACACS+ Custom Attributes (depending on which one you are currently configuring), go to your browser's menu, and choose Edit > Copy.
Step 4 Log in to ACS.
Step 5 Go to User or Group Setup.
Note If you want to specify virtual domains on a per user basis, then you need to make sure you add ALL the custom attributes (for example, tasks, roles, virtual domains) information into the User custom attribute screen.
Step 6 For the applicable user or group, click Edit Settings.
Step 7 Use your browser's Edit > Paste feature to place the RADIUS or TACACS+ custom attributes into the applicable text box.
Step 8 Click the check boxes to enable these attributes.
Step 9 Click Submit + Restart.
Note For more information on adding RADIUS and TACACS+ attributes to the ACS server, see the "Adding WCS UserGroups into ACS for TACACS+" section on page 18-10 or the "Adding WCS UserGroups into ACS for RADIUS" section on page 18-14.
Understanding Virtual Domains as a User
When you log in, you can access any of the virtual domains that the administrator assigned to you.
Only one virtual domain can be active at login. You can change the current virtual domain by using the Virtual Domain drop-down list at the top of the screen. Only virtual domains that have been assigned to you are available in the drop-down list.
When you select a different virtual domain from the drop-down list, all reports, alarms, and other functionality are filtered by the conditions of the new virtual domain.
Viewing Assigned Virtual Domain Components
To view all components (including maps, controllers, and access points) assigned to the current virtual domain, choose Administration > Virtual Domains (see Figure 20-3). Click a link in the Summary tab page to view the assigned components for your virtual domain.
Figure 20-3 Virtual Domains Summary Tab
Limited Menu Access
Non-root virtual domain users do not have access to the following WCS menus:
•Monitor > RRM
•Configure > Controller Auto- Provisioning
•Configure > ACS View Servers
•Services > Mobility Services
•Services > Synchronize Services
•Administration > Background Tasks
•Administration > Settings
•Administration > User Preferences
•Tools > Voice Audit
•Tools > Config Audit