Showing results for 
Search instead for 
Did you mean: 
Vinay Sharma
Rising star
Rising star




    In the document Cisco HTTS Wireless engineer "Victor Vasantha Kumar" has explained issue about "Lobby administrator account, also known as a lobby ambassador account user is Unable to authenticate".




    We are having 5508 Wireless LAN controller and also using lobby login which is not working and we are getting the below mentioned error.

    Product details

    WLC CT-5508-K9



    Problem Description

    Lobby Admin user is not getting authenticated.


    AAA server ( ACS ) is rejecting the auth request.
    *tplusTransportThread: Oct XX 14:57:12.XXX: 00000000: XX 01 XX XX 09 XX XX XX 00 00 00 06 XX XX 58 XX ..............X.
    *tplusTransportThread: Oct XX 14:57:12.XXX: 00000010: XX 5X XX
    *tplusTransportThread: Oct XX 14:57:12.XXX: tplus auth response: type=1 seq_no=4 session_id=09dcadb8 length=6 encrypted=0
    *tplusTransportThread: Oct XX 14:57:12.XXX: 00:00:00:XX:00:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:00:00:XX:00:00
    *tplusTransportThread: Oct XX 14:57:12.XXX: AuthorizationResponse: 0x450e29c4
    *tplusTransportThread: Oct XX 14:57:12.XXX: structureSize................................32
    *tplusTransportThread: Oct XX 14:57:12.XXX: resultCode...................................-4
    *tplusTransportThread: Oct XX 14:57:12.XXX: protocolUsed.................................0xffffffff
    *tplusTransportThread: Oct XX 14:57:12.XXX: proxyState...................................00:00:00:YY:00:00-00:00
    *tplusTransportThread: Oct XX 14:57:12.XXX: Packet contains 0 AVPs:
    *emWeb: Oct XX 14:57:12.XXX: Authentication failed for lobbyadmin


    If LOCAL is selected as second priority than user will be authenticated against LOCAL only if first priority is unreachable. In configuration, LOCAL was selected as second priority.

    So the authentication for the “lobby-admin” user was hitting only TACACS+ and was not approaching LOCAL Database. After changing LOCAL to first priority, it started to work.

    More Information

    The controller can provide guest user access on WLANs. The first step in creating guest user accounts is to create a lobby administrator account, also known as a lobby ambassador account. Once this account has been created, a lobby ambassador can create and manage guest user accounts on the controller. The lobby ambassador has limited configuration privileges and access only to the web pages used to manage the guest accounts.

    The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.

    The Local user database is limited to a maximum of 2048 entries, which is also the default value (on the Security > AAA > General page). This database is shared by local management users (including lobby ambassadors), local network users (including guest users), MAC filter entries, exclusion list entries, and access point authorization list entries. Together they cannot exceed the configured maximum value.

    Creating a Lobby Ambassador Account

    You can create a lobby ambassador account on the controller through either the GUI or the CLI.

    Related Information


    What is AAA authentication failure?
    Event 113005 is generated when the AAA authentication on a connection fails. The username is hidden when invalid or unknown, but appears when valid, or the 'no logging hide username' command has been configured




    Getting Started

    Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: