ISE 2.6 and Cat9800 tacacs+ config for Lobby Admin

Jan81
Level 1

Hello, we are currently in the migration phase to a Catalyst 9800 WLC. I am currently working on the TACACS+ configuration and I am making no progress with setting up the lobby admin TACACS+ profile.

 

With the old AireOS WLC you could simply select "Lobby Admin" in the TACACS+ profile, but with the new IOS-XE-based WLC the profile doesn't work.

 

A profile for admin access is working fine at privilege level 15. Can anyone help me with that?

 

Best regards, Jan


6 Replies

poongarg
Cisco Employee

Check if you are running into the issue below:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvs87163

 

Is the lobby admin user getting full access?

 

Thanks, I have checked the AAA config and reconfigured the authorization and authentication settings.

 

But my problem is configuring the TACACS+ profile and command sets. For admin access it works fine with privilege level 15. But for lobby admin access I don't know what I must configure. For the old AireOS WLC it was easy to choose the right value, but this won't work for the Catalyst 9800 WLC.

 

If I add a local lobby admin account on the wlc, I see that the user has the following settings.

 

user-name lobby
 view LobbyAdminView
 type lobby-admin

But when I configure this as custom attributes in the TACACS+ profile it won't work.

Set the TACACS to return the following:

Default Privilege: priv-lvl=15

Custom attributes: Type=Mandatory, Name=user-type, Value=lobby-admin

 

On WLC, configure the username:

aaa remote username <remote-lobby-admin-username>

 

Thanks, that works, but I point the authorization policy in the ISE config to an Active Directory group. Must I configure the "aaa remote username" for each user in the group?

The username created in AD or in the ISE local DB for the Lobby Ambassador has to be defined as a remote username on the WLC. If the remote username is not defined on the WLC, the authentication will go through correctly; however, the user will be granted full access to the WLC instead of only the Lobby Ambassador privileges.
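As an added check that is not part of the thread: the script below audits a 9800 running-config against the members of the AD lobby-admin group and lists every member that has no matching "aaa remote username" line, since the answer above explains that such a user still authenticates but is granted full access. The config excerpt, the group list and all usernames are constructed, and it assumes the WLC receives the bare sAMAccountName (no domain prefix) as the TACACS+ username.

```python
import re

# Constructed AD group membership (sAMAccountNames, as the WLC receives them).
AD_LOBBY_ADMINS = ["lobby.alice", "lobby.bob", "lobby.carol"]

# Constructed excerpt of a 9800 running-config; 'lobby.carol' is deliberately
# missing so the audit has something to report.
RUNNING_CONFIG = """\
aaa new-model
aaa authentication login TAC-LOGIN group ISE-TACACS local
aaa authorization exec TAC-EXEC group ISE-TACACS local
aaa remote username lobby.alice
aaa remote username lobby.bob
user-name lobby
 view LobbyAdminView
 type lobby-admin
"""

REMOTE_USER_RE = re.compile(r"^aaa remote username (\S+)\s*$", re.MULTILINE)


def remote_usernames(config: str) -> set[str]:
    """Return every name declared with 'aaa remote username'."""
    return set(REMOTE_USER_RE.findall(config))


def audit_lobby_admins(config: str, group_members: list[str]) -> dict:
    """Compare AD lobby-admin group members with the WLC's remote usernames.

    full_access_risk: members with no matching remote username; they pass
    authentication but are granted full access instead of the lobby role.
    stale: remote usernames that are no longer in the group.
    fix_commands: the 'aaa remote username' lines that close the gap.
    """
    declared = remote_usernames(config)
    members = set(group_members)
    missing = sorted(members - declared)
    return {
        "full_access_risk": missing,
        "stale": sorted(declared - members),
        "fix_commands": [f"aaa remote username {u}" for u in missing],
    }


if __name__ == "__main__":
    report = audit_lobby_admins(RUNNING_CONFIG, AD_LOBBY_ADMINS)
    for name in report["full_access_risk"]:
        print(f"WARNING: {name} has no remote username -> full access")
    print("\n".join(report["fix_commands"]))
```

Feed it the real `show running-config | include aaa remote username` output and the current group export, and the `fix_commands` list is exactly what still has to be added on the WLC.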

Okay, thanks for your help! Greetings Jan