WLC management authentication based on RADIUS

This post is a quick reference for configuring management authentication with RADIUS for AirOS and IOS-XE based WLCs.

RADIUS server configuration by platform

Platform: AirOS
  Protocol: PAP_ASCII
  Match on: RADIUS Service-Type equals “Nas Prompt”
  Return back: RADIUS Service-Type = Administrative (full access)
  Return back: RADIUS Service-Type = Nas Prompt (read-only access)
  Return back: RADIUS Service-Type = Call-Back Administrative (lobby admin)

Platform: IOS & IOS-XE
  Protocol: PAP_ASCII
  Match on: RADIUS NAS Port id contains “tty” (for CLI)
  Match on: RADIUS NAS Port Type “Virtual” (for GUI)
  Return back: Cisco cisco-av-pair = shell:priv-lvl=15
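
The rules above expressed as a FreeRADIUS "users" file, as an added example that is not part of the original post. It assumes FreeRADIUS as the RADIUS server, password verification (PAP) handled by another module, and three constructed LDAP group names (wlc-admins, wlc-readonly, wlc-lobby) resolved through the LDAP module.

```conf
# Added example, not from the original post.
# Assumptions: FreeRADIUS "users" file (files module); PAP password checking is
# done elsewhere; the LDAP group names below are constructed placeholders.
# The first matching entry wins (no Fall-Through), so the order goes from most
# to least privileged and the reject entries come last.

# --- AirOS: request carries Service-Type = NAS-Prompt-User ---
DEFAULT Service-Type == NAS-Prompt-User, LDAP-Group == "wlc-admins"
        Service-Type = Administrative-User        # full access

DEFAULT Service-Type == NAS-Prompt-User, LDAP-Group == "wlc-readonly"
        Service-Type = NAS-Prompt-User            # read-only access

DEFAULT Service-Type == NAS-Prompt-User, LDAP-Group == "wlc-lobby"
        Service-Type = Callback-Administrative    # lobby admin

# --- IOS / IOS-XE CLI: NAS-Port-Id contains "tty" ---
DEFAULT NAS-Port-Id =~ "tty", LDAP-Group == "wlc-admins"
        Cisco-AVPair = "shell:priv-lvl=15"

# --- IOS / IOS-XE GUI: NAS-Port-Type = Virtual ---
DEFAULT NAS-Port-Type == Virtual, LDAP-Group == "wlc-admins"
        Cisco-AVPair = "shell:priv-lvl=15"

# --- Fail closed: management logins from users in none of the groups ---
DEFAULT Service-Type == NAS-Prompt-User, Auth-Type := Reject
DEFAULT NAS-Port-Id =~ "tty", Auth-Type := Reject
DEFAULT NAS-Port-Type == Virtual, Auth-Type := Reject
```

On a server that also answers for other services, scope the reject entries to the WLCs (for example by NAS-IP-Address) so they do not catch unrelated requests.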