When integrating a Cisco Wireless LAN Controller (WLC) with a TACACS+ server for administrative access, specific attribute-value pairs must be configured in the user's shell profile on the server. The WLC maps these attributes to its internal management user roles. For a user requiring read-only permissions, the role attribute must be set to the value MONITOR. This value grants the user the ability to view all configurations, monitor status, and see logs on the WLC, but prohibits them from making any configuration changes, which directly corresponds to read-only access.

A. ADMIN: This value grants full read-write administrative privileges, which is more than the required read-only access.

B. MANAGEMENT: This is not a standard, predefined role value used by the WLC for TACACS+ integration.

D. READ: While descriptive, "READ" is not the specific keyword the WLC expects. The correct value for this access level is MONITOR.

1. Cisco Wireless Controller Configuration Guide

Release 8.5

"Configuring Security Solutions" Chapter

"Information About TACACS+" section: This guide explicitly lists the TACACS+ custom attributes for management user roles. It states

"For Read-Only role

the attribute is role=MONITOR."

Source: Cisco. (2017). Cisco Wireless Controller Configuration Guide

Release 8.5. Retrieved from Cisco.com. Specifically

the table detailing TACACS+ custom attributes for management user roles.

2. Security Configuration Guide

Cisco Wireless Controller

Release 8.10

"Configuring TACACS+" section: This document confirms the required attribute-value pairs for different access levels. It specifies that for a user to have Read-Only access

the TACACS+ server must return the cisco-av-pair shell:role=MONITOR.

Source: Cisco. (2021). Security Configuration Guide

Cisco Wireless Controller

Release 8.10. Retrieved from Cisco.com. The section on "Configuring TACACS+ (GUI)" details the required attributes.