Friday, January 1, 2010


1) tacacs user can be an admin on WLC but the ‘shell profile’ needs to have one attribute: role1=ALL (double check if there is no space!!!!)

Authorization Result 
{Type=Authorization; Author-Reply-Status=PassAdd; AVPair=role1=ALL; } 

2) radius user can be an admin on WLC but the user needs to have following attributes:
IETF Service-Type attributes:

  NAS Prompt for readonly
  Administrative for readwrite
  Callback Administrative for lobbyadmin

3) adding a new admin user on WLC:
config mgmtuser add testuser testpAss1 read-write

4) you can have different rules for malicious and trusted networks:
(Cisco Controller) >show rogue rule summary 

Priority Rule Name               State    Type          Match Hit Count
-------- ----------------------- -------- ------------- ----- ---------
1        KNOWN                   Enabled  Friendly      All   0       
2        UNKNOWN                 Enabled  Malicious     Any   0       

(Cisco Controller) >

5) you can manually add (MAC address) which APs are trusted:
(Cisco Controller) >show auth-list 

Authorize MIC APs against AAA ................... enabled
Authorize LSC APs against Auth-List ............. disabled
APs Allowed to Join
  AP with Manufacturing Installed Certificate.... yes
  AP with Self-Signed Certificate................ no
  AP with Locally Significant Certificate........ no

Mac Addr                  Cert Type    Key Hash
-----------------------   ----------   ------------------------------------------
00:06:f6:16:f0:c5         MIC          

(Cisco Controller) >

6) mac filtering per each WLAN

7) exclusion
  • timeout under WLAN
  • policy under security tab
8) flexconnect
  • under WLAN you enable this feature (Advanced tab)
  • under each AP you need to specify 'AP mode’=flexconnect
  • DHCP enabled on local switch:
SW5#show ip dhcp binding 
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name        0100.06f6.16f0.c5       Mar 02 1993 12:28 AM    Automatic         01fc.7516.88bd.19       Mar 02 1993 12:56 AM    Automatic

9) ACL downloaded from ACS

You need to add one Radius attribute:

No comments:

Post a Comment