https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/4105772#M561294 <P>Check if you are running into below issue:</P> <P><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs87163" target="_blank">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs87163</A></P> <P>&nbsp;</P> <P>If the lobby admin user is getting full access?</P> <P>&nbsp;</P> Thu, 18 Jun 2020 16:42:19 GMT poongarg 2020-06-18T16:42:19Z https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/4105578#M561289 <P>Hello,&nbsp; we are currently in the migration phase to a catalyst 9800 wlc. I am currently working on the tacacs configuration and I making no progress with setting up the lobby admins tacacs profile.</P><P>&nbsp;</P><P>With the old airos wlc you could simply select "Lobby Admin" in the tacacs profile, but with the new IOSXE-based&nbsp; wlc the profile don't work.</P><P>&nbsp;</P><P>A profile for admin access is working fine at privilege level 15. Can anyone help me with that?</P><P>&nbsp;</P><P>Best regards Jan</P> Thu, 18 Jun 2020 12:11:22 GMT https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/4105578#M561289 Jan81 2020-06-18T12:11:22Z https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/4105772#M561294 <P>Check if you are running into below issue:</P> <P><A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs87163" target="_blank">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs87163</A></P> <P>&nbsp;</P> <P>If the lobby admin user is getting full access?</P> <P>&nbsp;</P> Thu, 18 Jun 2020 16:42:19 GMT https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/4105772#M561294 poongarg 2020-06-18T16:42:19Z https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/4106129#M561303 <P>Thanks, I have checked the aaa config and reconfigure the&nbsp;<SPAN>authorization and authentication settings.</SPAN></P><P>&nbsp;</P><P><SPAN>But my problem is to configure the tacacs profile and command sets. For admin access it works fine with priv level 15. But for lobby admin access I don´t know what I must configure. For the old airos wlc it was easy to choose the right value, but his won´t work for catalyst 9800 wlc.</SPAN></P><P>&nbsp;</P><P><SPAN>If I add a local lobby admin account on the wlc, I see that the user has the following settings.</SPAN></P><P>&nbsp;</P><PRE>user-name lobby view LobbyAdminView type lobby-admin</PRE><P><SPAN>But when I configure this as custom attributes in the tacacs profiles it won´t work.</SPAN></P> Fri, 19 Jun 2020 05:44:10 GMT https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/4106129#M561303 Jan81 2020-06-19T05:44:10Z https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/4106143#M561304 <P>Set the TACACS to return the following:</P> <P>Default Privilege: priv-lvl=15</P> <P>Custom attributes: Type= <STRONG>Mandatory</STRONG>, Name=<STRONG>user-type</STRONG>, Value= <STRONG>lobby-admin</STRONG></P> <P>&nbsp;</P> <P>On WLC, configure the username:</P> <P>aaa remote username &lt;remote-lobby-admin-username&gt;</P> <P>&nbsp;</P> Fri, 19 Jun 2020 06:15:12 GMT https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/4106143#M561304 poongarg 2020-06-19T06:15:12Z https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/4106183#M561311 <P>Thanks, that works, but I point the authorization policy in the ise config to an active directory group. Must I configure for each user in the group the "aaa remote username"?</P> Fri, 19 Jun 2020 08:09:21 GMT https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/4106183#M561311 Jan81 2020-06-19T08:09:21Z https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/4106196#M561313 The username created on AD or ISE local DB for the Lobby Ambassador has to be defined as a remote username on the WLC. If the remote username is not defined in the WLC, the authentication will go through correctly, however, the user will be granted with full access to the WLC instead of only access to the Lobby Ambassador privileges. Fri, 19 Jun 2020 08:36:16 GMT https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/4106196#M561313 poongarg 2020-06-19T08:36:16Z https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/4106200#M561314 <P>Okay, thanks for your help! Greetings Jan</P> Fri, 19 Jun 2020 08:39:30 GMT https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/4106200#M561314 Jan81 2020-06-19T08:39:30Z https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/5350434#M599107 <P>&nbsp;</P> <P>Hi,</P> <P>This solution works well, thank you.</P> <P>However, I have observed that users are getting full CLI access to the WLC, whereas the GUI access functions as expected. Do you have any suggestions on how to restrict or manage CLI access with LobbyAdmin User?</P> Thu, 27 Nov 2025 11:08:10 GMT https://community.cisco.com/t5/network-access-control/ise-2-6-and-cat9800-tacacs-config-for-lobby-admin/m-p/5350434#M599107 Nieo 2025-11-27T11:08:10Z