In this document, Cisco HTTS Wireless engineer "Victor Vasantha Kumar" explains the issue "Lobby administrator account, also known as a lobby ambassador account, user is unable to authenticate".
We have a 5508 Wireless LAN Controller and also use lobby login, which is not working, and we are getting the error shown below.
The Lobby Admin user is not getting authenticated.
AAA server (ACS) is rejecting the auth request.
*tplusTransportThread: Oct XX 14:57:12.XXX: 00000000: XX 01 XX XX 09 XX XX XX 00 00 00 06 XX XX 58 XX ..............X.
*tplusTransportThread: Oct XX 14:57:12.XXX: 00000010: XX 5X XX
*tplusTransportThread: Oct XX 14:57:12.XXX: tplus auth response: type=1 seq_no=4 session_id=09dcadb8 length=6 encrypted=0
*tplusTransportThread: Oct XX 14:57:12.XXX: 00:00:00:XX:00:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:00:00:XX:00:00
*tplusTransportThread: Oct XX 14:57:12.XXX: AuthorizationResponse: 0x450e29c4
*tplusTransportThread: Oct XX 14:57:12.XXX: structureSize................................32
*tplusTransportThread: Oct XX 14:57:12.XXX: resultCode...................................-4
*tplusTransportThread: Oct XX 14:57:12.XXX: protocolUsed.................................0xffffffff
*tplusTransportThread: Oct XX 14:57:12.XXX: proxyState...................................00:00:00:YY:00:00-00:00
*tplusTransportThread: Oct XX 14:57:12.XXX: Packet contains 0 AVPs:
*emWeb: Oct XX 14:57:12.XXX: Authentication failed for lobbyadmin
If LOCAL is selected as second priority, then the user is authenticated against LOCAL only if the first priority is unreachable. In this configuration, LOCAL was selected as second priority.
So authentication for the “lobby-admin” user was going only to TACACS+ and never reached the LOCAL database. After LOCAL was changed to first priority, it started to work.
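The check described above, as an added example that is not part of the original document or any Cisco tooling: this Python script reads debug lines like those in the capture and reports whether the TACACS+ server replied with a rejection, which is the case where a second-priority LOCAL database is not consulted. The function name `triage` and the verdict strings are assumptions made for illustration.

```python
import re

# Debug lines copied from the capture above (redactions kept as on the page).
SAMPLE = """\
*tplusTransportThread: Oct XX 14:57:12.XXX: tplus auth response: type=1 seq_no=4 session_id=09dcadb8 length=6 encrypted=0
*tplusTransportThread: Oct XX 14:57:12.XXX: 00:00:00:XX:00:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:00:00:XX:00:00
*tplusTransportThread: Oct XX 14:57:12.XXX: resultCode...................................-4
*emWeb: Oct XX 14:57:12.XXX: Authentication failed for lobbyadmin
"""

RESPONSE = re.compile(r"tplus auth response: (?P<kv>(?:\w+=\w+\s*)+)")
AAA_ERR = re.compile(r"Returning AAA Error '(?P<text>[^']+)' \((?P<code>-?\d+)\)")
WEB_FAIL = re.compile(r"\*emWeb: .*Authentication failed for (?P<user>\S+)")


def triage(log: str) -> dict:
    """Summarise a management-login failure from WLC TACACS+ debug output."""
    result = {"server_replied": False, "session_id": None,
              "aaa_error": None, "user": None, "verdict": "inconclusive"}
    for line in log.splitlines():
        if m := RESPONSE.search(line):
            # A response line proves the TACACS+ server was reachable.
            fields = dict(pair.split("=", 1) for pair in m["kv"].split())
            result["server_replied"] = True
            result["session_id"] = fields.get("session_id")
        elif m := AAA_ERR.search(line):
            result["aaa_error"] = (m["text"], int(m["code"]))
        elif m := WEB_FAIL.search(line):
            result["user"] = m["user"]
    if result["user"] and result["server_replied"] and result["aaa_error"]:
        # Server answered and said no, so with LOCAL as second priority
        # the local database is never tried for this login.
        result["verdict"] = "rejected by TACACS+; LOCAL fallback not attempted"
    elif result["user"] and not result["server_replied"]:
        result["verdict"] = "no TACACS+ reply seen; check reachability"
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```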
The controller can provide guest user access on WLANs. The first step in creating guest user accounts is to create a lobby administrator account, also known as a lobby ambassador account. Once this account has been created, a lobby ambassador can create and manage guest user accounts on the controller. The lobby ambassador has limited configuration privileges and access only to the web pages used to manage the guest accounts.
The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.
The Local user database is limited to a maximum of 2048 entries, which is also the default value (on the Security > AAA > General page). This database is shared by local management users (including lobby ambassadors), local network users (including guest users), MAC filter entries, exclusion list entries, and access point authorization list entries. Together they cannot exceed the configured maximum value.
Creating a Lobby Ambassador Account
You can create a lobby ambassador account on the controller through either the GUI or the CLI.