In this document, Cisco HTTS Wireless engineer "Victor Vasantha Kumar" explains the issue "Lobby administrator account, also known as a lobby ambassador account, user is unable to authenticate".
We have a 5508 Wireless LAN Controller and are also using lobby login, which is not working, and we are getting the error shown below.
Lobby Admin user is not getting authenticated.
AAA server (ACS) is rejecting the auth request.
*tplusTransportThread: Oct XX 14:57:12.XXX: 00000000: XX 01 XX XX 09 XX XX XX 00 00 00 06 XX XX 58 XX ..............X.
*tplusTransportThread: Oct XX 14:57:12.XXX: 00000010: XX 5X XX
*tplusTransportThread: Oct XX 14:57:12.XXX: tplus auth response: type=1 seq_no=4 session_id=09dcadb8 length=6 encrypted=0
*tplusTransportThread: Oct XX 14:57:12.XXX: 00:00:00:XX:00:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:00:00:XX:00:00
*tplusTransportThread: Oct XX 14:57:12.XXX: AuthorizationResponse: 0x450e29c4
*tplusTransportThread: Oct XX 14:57:12.XXX: structureSize................................32
*tplusTransportThread: Oct XX 14:57:12.XXX: resultCode...................................-4
*tplusTransportThread: Oct XX 14:57:12.XXX: protocolUsed.................................0xffffffff
*tplusTransportThread: Oct XX 14:57:12.XXX: proxyState...................................00:00:00:YY:00:00-00:00
*tplusTransportThread: Oct XX 14:57:12.XXX: Packet contains 0 AVPs:
*emWeb: Oct XX 14:57:12.XXX: Authentication failed for lobbyadmin
If LOCAL is selected as the second priority, the user is authenticated against LOCAL only if the first priority is unreachable. In this configuration, LOCAL was selected as the second priority.
So authentication for the “lobby-admin” user was going only to TACACS+ and never reached the LOCAL database. After LOCAL was changed to first priority, it started to work.
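The diagnosis above can be checked mechanically from the debug output. The following is an added example, not part of the original document or Cisco's tooling: it parses the debug lines shown on this page and applies the priority rule as stated here. The function names and the order labels "tacacs" and "local" are hypothetical, and only a two-entry priority order is modelled.

```python
import re

# Debug lines copied from the output on this page (redactions as in the original).
SAMPLE_DEBUG = """\
*tplusTransportThread: Oct XX 14:57:12.XXX: tplus auth response: type=1 seq_no=4 session_id=09dcadb8 length=6 encrypted=0
*tplusTransportThread: Oct XX 14:57:12.XXX: 00:00:00:XX:00:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:00:00:XX:00:00
*tplusTransportThread: Oct XX 14:57:12.XXX: resultCode...................................-4
*emWeb: Oct XX 14:57:12.XXX: Authentication failed for lobbyadmin
"""

RESPONSE = re.compile(r"\*tplusTransportThread: .*tplus auth response:")
AAA_ERROR = re.compile(r"\*tplusTransportThread: .*Returning AAA Error '([^']+)' \((-?\d+)\)")
WEB_FAIL = re.compile(r"\*emWeb: .*Authentication failed for (\S+)")


def parse_failure(debug_text):
    """Extract who failed, the AAA error, and whether TACACS+ actually replied."""
    result = {"tacacs_answered": False, "aaa_error": None, "user": None}
    for line in debug_text.splitlines():
        if RESPONSE.match(line):
            # A response was received, so the server was reachable.
            result["tacacs_answered"] = True
        elif (m := AAA_ERROR.match(line)):
            result["aaa_error"] = (m.group(1), int(m.group(2)))
        elif (m := WEB_FAIL.match(line)):
            result["user"] = m.group(1)
    return result


def local_db_consulted(priority_order, tacacs_answered):
    """Rule as stated on this page: the second entry is tried only when
    the first is unreachable. A reject from a reachable server is final."""
    if "local" not in priority_order:
        return False
    return priority_order[0] == "local" or not tacacs_answered


if __name__ == "__main__":
    facts = parse_failure(SAMPLE_DEBUG)
    print(facts)
    for order in (["tacacs", "local"], ["local", "tacacs"]):
        consulted = local_db_consulted(order, facts["tacacs_answered"])
        print(order, "-> LOCAL consulted:", consulted)
```

A "tplus auth response" line followed by result code -4 means the server was reachable and rejected the user, which is why a lobby account that exists only in the LOCAL database fails while LOCAL is second.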
The controller can provide guest user access on WLANs. The first step in creating guest user accounts is to create a lobby administrator account, also known as a lobby ambassador account. Once this account has been created, a lobby ambassador can create and manage guest user accounts on the controller. The lobby ambassador has limited configuration privileges and access only to the web pages used to manage the guest accounts.
The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.
The Local user database is limited to a maximum of 2048 entries, which is also the default value (on the Security > AAA > General page). This database is shared by local management users (including lobby ambassadors), local network users (including guest users), MAC filter entries, exclusion list entries, and access point authorization list entries. Together they cannot exceed the configured maximum value.
Creating a Lobby Ambassador Account
You can create a lobby ambassador account on the controller through either the GUI or the CLI.