Freeradius + Cisco WLC + Authorisation
mail at moult.com.au
Thu Jan 15 03:30:48 CET 2015
On 14/01/2015 11:37 pm, Sander Eerdekens wrote:
> Hello,
>
>>> What settings do I need to include in /etc/raddb/users to allow the
>>> correct Authorisation level?
>> ...
>>
>> we looked at using RADIUS but found that Cisco still have more bias towards TACACS+
>> so we use that for multi-grained access control to the WCS system (different tasks
>> available for different people on the web interface...not just a 'all admin' switch)
> We actually use radius for this. The Cisco-AVPairs we are using are:
> Cisco-AVPair += "Wireless-WCS:virtual-domain0=root",
> Cisco-AVPair += "Wireless-WCS:role0=Admin",
> Cisco-AVPair += "Wireless-WCS:task0=Users and Groups",
> Cisco-AVPair += "Wireless-WCS:task1=Audit Trails",
> Cisco-AVPair += "Wireless-WCS:task2=TACACS+ Servers",
> Cisco-AVPair += "Wireless-WCS:task3=RADIUS Servers",
> Cisco-AVPair += "Wireless-WCS:task4=Logging",
> Cisco-AVPair += "Wireless-WCS:task5=License Center",
> Cisco-AVPair += "Wireless-WCS:task6=Scheduled Tasks and Data Collection",
> Cisco-AVPair += "Wireless-WCS:task7=User Preferences",
> Cisco-AVPair += "Wireless-WCS:task8=System Settings",
> Cisco-AVPair += "Wireless-WCS:task9=View Alerts and Events",
> Cisco-AVPair += "Wireless-WCS:task10=Email Notification",
> Cisco-AVPair += "Wireless-WCS:task11=Delete and Clear Alerts",
> Cisco-AVPair += "Wireless-WCS:task12=Pick and Unpick Alerts",
> Cisco-AVPair += "Wireless-WCS:task13=Configure Controllers",
> Cisco-AVPair += "Wireless-WCS:task14=Configure Templates",
> Cisco-AVPair += "Wireless-WCS:task15=Configure Config Groups",
> Cisco-AVPair += "Wireless-WCS:task16=Configure Access Points",
> Cisco-AVPair += "Wireless-WCS:task17=Configure Access Point Templates",
> Cisco-AVPair += "Wireless-WCS:task18=Configure Choke Points",
> Cisco-AVPair += "Wireless-WCS:task19=Monitor Controllers",
> Cisco-AVPair += "Wireless-WCS:task20=Monitor Access Points",
> Cisco-AVPair += "Wireless-WCS:task21=Monitor Clients",
> Cisco-AVPair += "Wireless-WCS:task22=Monitor Tags",
> Cisco-AVPair += "Wireless-WCS:task23=Monitor Security",
> Cisco-AVPair += "Wireless-WCS:task24=Monitor Chokepoints",
> Cisco-AVPair += "Wireless-WCS:task25=Mesh Reports",
> Cisco-AVPair += "Wireless-WCS:task26=Client Reports",
> Cisco-AVPair += "Wireless-WCS:task27=Performance Reports",
> Cisco-AVPair += "Wireless-WCS:task28=Security Reports",
> Cisco-AVPair += "Wireless-WCS:task29=Location Server Management",
> Cisco-AVPair += "Wireless-WCS:task30=View Location Notifications",
> Cisco-AVPair += "Wireless-WCS:task31=Maps Read Only",
> Cisco-AVPair += "Wireless-WCS:task32=Maps Read Write",
> Cisco-AVPair += "Wireless-WCS:task33=Client Location",
> Cisco-AVPair += "Wireless-WCS:task34=Rogue Location",
> Cisco-AVPair += "Wireless-WCS:task35=Planning Mode",
> Cisco-AVPair += "Wireless-WCS:task36=Ack and Unack Alerts",
> Cisco-AVPair += "Wireless-WCS:task37=Migration Templates",
> Cisco-AVPair += "Wireless-WCS:task38=Configure Spectrum Experts",
> Cisco-AVPair += "Wireless-WCS:task39=Monitor Spectrum Experts",
> Cisco-AVPair += "Wireless-WCS:task40=Auto Provisioning",
> Cisco-AVPair += "Wireless-WCS:task41=Voice Audit Report",
> Cisco-AVPair += "Wireless-WCS:task42=Virtual Domain Management",
> Cisco-AVPair += "Wireless-WCS:task43=Scheduled Configuration Tasks",
> Cisco-AVPair += "Wireless-WCS:task44=Configure WiFi TDOA Receivers",
> Cisco-AVPair += "Wireless-WCS:task45=Configure ACS View Servers",
> Cisco-AVPair += "Wireless-WCS:task46=Monitor WiFi TDOA Receivers",
> Cisco-AVPair += "Wireless-WCS:task47=RRM Dashboard",
> Cisco-AVPair += "Wireless-WCS:task48=Config Audit Dashboard",
> Cisco-AVPair += "Wireless-WCS:task49=High Availability Configuration",
> Cisco-AVPair += "Wireless-WCS:task50=Health Monitor Details",
> Cisco-AVPair += "Wireless-WCS:task51=Configure WIPS Profiles",
> Cisco-AVPair += "Wireless-WCS:task52=Global SSID Groups",
> Cisco-AVPair += "Wireless-WCS:task53=Configure Lightweight Access Point Templates",
> Cisco-AVPair += "Wireless-WCS:task54=Configure Autonomous Access Point Templates",
> Cisco-AVPair += "Wireless-WCS:task55=Configure Ethernet Switch Ports",
> Cisco-AVPair += "Wireless-WCS:task56=Configure Ethernet Switches",
> Cisco-AVPair += "Wireless-WCS:task57=Device Reports",
> Cisco-AVPair += "Wireless-WCS:task58=Network Summary Reports",
> Cisco-AVPair += "Wireless-WCS:task59=Compliance Reports",
> Cisco-AVPair += "Wireless-WCS:task60=Report Launch Pad",
> Cisco-AVPair += "Wireless-WCS:task61=Run Reports List",
> Cisco-AVPair += "Wireless-WCS:task62=Saved Reports List",
> Cisco-AVPair += "Wireless-WCS:task63=Report Run History",
> Cisco-AVPair += "Wireless-WCS:task64=Ack and Unack Security Index Issues",
> Cisco-AVPair += "Wireless-WCS:task65=View Security Index Issues",
> Cisco-AVPair += "Wireless-WCS:task66=Monitor Media Streams",
> Cisco-AVPair += "Wireless-WCS:task67=Monitor Interferers",
> Cisco-AVPair += "Wireless-WCS:task68=Voice Diagnostics",
> Cisco-AVPair += "Wireless-WCS:task69=CleanAir Reports",
> Cisco-AVPair += "Wireless-WCS:task70=ContextAware Reports",
> Cisco-AVPair += "Wireless-WCS:task71=Automated Feedback",
> Cisco-AVPair += "Wireless-WCS:task72=TAC Case Attachment Tool",
>
> The role can be Admin or System Monitoring.
> Not sure where this came from as a colleague of mine wrote this config.
>
> Kind regards
> Sander Eerdekens
Thanks Sander,
Gave the above a try, but still no luck. I can see the values above
being passed in the Access-Accept packet, but still get the error
"Authorization Failed: No sufficient privileges" when I try and do
something such as save the configuration on the WLC.
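
An added example, not part of the original messages and not FreeRADIUS or Cisco code: a small Python audit for a reply list written in the `Wireless-WCS` AVPair format quoted above, useful for reviewing what a role actually grants before it goes into the users file. The sample list is constructed, and the read-only name prefixes and the expectation of gap-free indices are assumptions.

```python
import re

# Constructed sample reply list in the thread's format (not a real deployment).
SAMPLE = '''
Cisco-AVPair += "Wireless-WCS:virtual-domain0=root",
Cisco-AVPair += "Wireless-WCS:role0=System Monitoring",
Cisco-AVPair += "Wireless-WCS:task0=Monitor Controllers",
Cisco-AVPair += "Wireless-WCS:task1=Monitor Clients",
Cisco-AVPair += "Wireless-WCS:task3=Configure Controllers",
Cisco-AVPair += "Wireless-WCS:task3=Users and Groups",
'''

AVPAIR = re.compile(r'Cisco-AVPair\s*\+?=\s*"Wireless-WCS:([a-z-]+?)(\d+)=([^"]*)"')
KNOWN_ROLES = {"Admin", "System Monitoring"}  # the two roles named in the thread
# Assumption: these name prefixes mark read-only tasks; adjust to local policy.
READ_ONLY_PREFIXES = ("Monitor ", "View ")

def parse(text):
    """Return {kind: [(index, value), ...]} for every Wireless-WCS AVPair."""
    out = {}
    for kind, idx, value in AVPAIR.findall(text):
        out.setdefault(kind, []).append((int(idx), value))
    return out

def audit(text):
    """Return a list of findings for one reply list."""
    pairs, findings = parse(text), []
    for kind, items in pairs.items():
        idxs = [i for i, _ in items]
        for dup in sorted({i for i in idxs if idxs.count(i) > 1}):
            findings.append(f"{kind}{dup}: index used more than once")
        # Assumption: indices are expected to run 0..n-1, as in the thread.
        for gap in sorted(set(range(max(idxs) + 1)) - set(idxs)):
            findings.append(f"{kind}{gap}: index missing")
    roles = [v for _, v in pairs.get("role", [])]
    for r in roles:
        if r not in KNOWN_ROLES:
            findings.append(f"role '{r}' is not one named in the thread")
    if "Admin" not in roles:
        # A non-Admin role carrying write-style tasks is worth a second look.
        for i, t in pairs.get("task", []):
            if not t.startswith(READ_ONLY_PREFIXES):
                findings.append(f"task{i} '{t}' exceeds a monitoring role")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```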