Configuring the radius authentication with Cisco Wireless Control System

When I tried to make a radius based authentication system with our Cisco Wireless Control System (WCS) I was hit by the lack of documentation of this feature. The only valid links I have found is this one:

It is pretty old (Dec 12, 2007) & it did not fitted entirely with my new WCS installation. And as a result I made this one so anybody else could cover the holes.

The inside of the process:

WCS is contacting the radius server to verify the credentials. If the radius server accepts the credentials it will need to send back also the group task list, so WCS will see what role the authenticated user needs to take.

The phases:

We will start by creating a new Radius client in the MS IAS, set the shared secret to whatever password you want and the Client Vendor to Cisco:

Then we create a new Access Policy and set the conditions to:

–    Client friendly name – WCS server name (or whatever is your standard)

–    Authentication type – PAP:

–    Windows groups – select the active directory user group that will access the WCS:

–    Give them the GRANT permission, to allow them to access the WCS:

–    Finally, edit the profile and under advanced delete all attributes and add

the cisco-av-pair attribute:

Populate this with all the attributes found under the WCS -> Administration -> AAA ->

-> All Groups -> Export Task List page for the group you want to give access to the WCS station.

Here is an example:

– Adding the values under IAS:

– Getting the values from the WCS:

Click ok -> ok -> and be sure that there is no policy before this one that has the same conditions or your clients won’t be able to connect to your server via radius.

Also be sure that you have added your radius server under Administration -> AAA -> RADIUS with Pap authentication and the correct radius port configured on your radius server.

This tutorial might not work with newer versions of WCS. Mine was

That’s all!

Mihai out!

Copyright (c) 2010 Mihai Radoveanu. All Rights Reserved.Note: Copying this article to your website is strictly NOT allowed.

One thought on “Configuring the radius authentication with Cisco Wireless Control System

  1. Thomas

    Thanks for this tutorial. By the way, the same procedure works with Prime Infrastructure 1.2 and Win 2008’s NPS.


Leave a Reply