There are many configuration guides on the Cisco website with details about configuring RADIUS and TACACS+ on a Cisco Firepower Chassis Manager. See this link for the configuration guide for 2.0(1).
In this document, you can read the following:

Remote User Role Policy
Controls what happens when a user attempts to log in and the remote authentication provider does not supply a user role with the authentication information:
- Assign Default Role—The user is allowed to log in with a read-only user role.
- No-Login—The user is not allowed to log in to the system, even if the username and password are correct.
But it is very hard to find which attributes the RADIUS or TACACS+ server must return to assign a user the administrator role.
It took me some time this morning to configure a RADIUS or TACACS+ server for management access to a Cisco WLC, so here is a short how-to:
- Log in to the WLC and click Security – AAA – TACACS+ (or RADIUS) – Authentication.
- Click New and enter:
  - Server IP Address: the IP address of the TACACS+ server
  - Shared Secret: the shared secret configured on the TACACS+ server
- If you are using TACACS+, click Authorization and enter the same Server IP Address and Shared Secret. Configuring Accounting is optional.
- Click Security – Priority Order – Management User and make sure TACACS+ (or RADIUS) is at the top of the list.
This is a Cisco ISE blog post series with some how-tos for configuring an ISE deployment. The series consists of 10 parts.
The blog post agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 7: Configuring wireless network devices
First, add the WLC as a RADIUS client.
Click Administration – Network Resources – Network Devices, then click Add and create a network device object.
Click Select Existing Condition from Library, select Condition, navigate to Compound Condition and select Wireless_802.1X.
Click Select Network Access – Allowed Protocols – Default Network Access. Make sure PEAP is enabled in this allowed-protocols set.
For the authorization profiles, click Policy – Policy Elements – Results.
Make sure you select the correct Airespace ACL name.
Create an authorization policy that assigns the authorization profile. Click Policy – Authorization and insert a new row.
Create a new rule and select the Wireless_802.1X compound condition from the library. To check that the user is also a member of the right domain group, add another attribute: click Select Attribute – <domain> – <usergroup>.
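To make the effect of that authorization rule concrete, here is an added example (not code from the original post or from Cisco ISE) that models how the authorization policy table is evaluated: the built-in Wireless_802.1X compound condition (Service-Type equals Framed and NAS-Port-Type equals Wireless - IEEE 802.11) combined with an external-group check, first-match row evaluation, and the default DenyAccess row that catches every session no rule matches. The domain name EXAMPLE.LOCAL, the group Wireless-Users, the profile name Employee_Wireless and the ACL name EMPLOYEE-ACL are constructed placeholders, as are the three sample sessions.

```python
# Added example: a minimal model of ISE authorization policy evaluation for the
# wireless 802.1X + AD group rule described in the post. Condition names follow
# the ISE built-in compound condition Wireless_802.1X; the domain, group, profile
# and ACL names below are constructed placeholders, not values from the post.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Session = Dict[str, object]          # RADIUS attributes plus identity-store results
Condition = Callable[[Session], bool]


def radius_equals(attr: str, value: str) -> Condition:
    return lambda s: s.get(attr) == value


def all_of(*conds: Condition) -> Condition:
    return lambda s: all(c(s) for c in conds)


def external_group(domain: str, group: str) -> Condition:
    """Mirrors the '<domain>:ExternalGroups EQUALS <group>' attribute check."""
    return lambda s: group in s.get(f"{domain}:ExternalGroups", [])


# Built-in compound condition as defined in ISE.
WIRELESS_8021X = all_of(
    radius_equals("Radius:Service-Type", "Framed"),
    radius_equals("Radius:NAS-Port-Type", "Wireless - IEEE 802.11"),
)


@dataclass
class AuthzProfile:
    name: str
    airespace_acl: Optional[str] = None   # Airespace-ACL-Name VSA applied by the WLC
    access_accept: bool = True


@dataclass
class Rule:
    name: str
    condition: Condition
    profile: AuthzProfile


DENY = AuthzProfile("DenyAccess", access_accept=False)


def evaluate(rules: List[Rule], session: Session) -> AuthzProfile:
    """First-match evaluation, like the ISE authorization policy table; a session
    that matches no row falls through to the default DenyAccess row."""
    for rule in rules:
        if rule.condition(session):
            return rule.profile
    return DENY


# Constructed policy: wireless 802.1X users who are members of the
# EXAMPLE.LOCAL Wireless-Users group get the Employee_Wireless profile.
POLICY = [
    Rule("Wireless employees",
         all_of(WIRELESS_8021X, external_group("EXAMPLE.LOCAL", "Wireless-Users")),
         AuthzProfile("Employee_Wireless", airespace_acl="EMPLOYEE-ACL")),
]


def decide(session: Session) -> Dict[str, object]:
    """Return what ISE would send back to the WLC for this session."""
    p = evaluate(POLICY, session)
    result: Dict[str, object] = {"Access": "Accept" if p.access_accept else "Reject",
                                 "Profile": p.name}
    if p.airespace_acl:
        result["Airespace-ACL-Name"] = p.airespace_acl
    return result


# Constructed sample sessions.
EMPLOYEE: Session = {
    "Radius:Service-Type": "Framed",
    "Radius:NAS-Port-Type": "Wireless - IEEE 802.11",
    "EXAMPLE.LOCAL:ExternalGroups": ["Domain Users", "Wireless-Users"],
}
# Valid AD user outside the group: the password is correct, but no row matches.
CONTRACTOR: Session = {**EMPLOYEE, "EXAMPLE.LOCAL:ExternalGroups": ["Domain Users"]}
# Same group, but on a wired switchport: the Wireless_802.1X compound condition fails.
WIRED: Session = {**EMPLOYEE, "Radius:NAS-Port-Type": "Ethernet"}

if __name__ == "__main__":
    for label, s in [("employee", EMPLOYEE), ("contractor", CONTRACTOR), ("wired", WIRED)]:
        print(label, decide(s))
```

The point the model makes visible is that passing authentication is not enough: the contractor session authenticates against AD just like the employee, but because the authorization policy only has a row for the group, it lands on DenyAccess, and the wired session is kept out of the wireless profile by the compound condition even though the user is in the right group.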
Browse to the WLC web interface.