Introduction
In the document Cisco HTTS Wireless engineer "Victor Vasantha Kumar" has explained issue about "Lobby administrator account, also known as a lobby ambassador account user is Unable to authenticate".
Symptoms
We are having 5508 Wireless LAN controller and also using lobby login which is not working and we are getting the below mentioned error.
Product details
WLC CT-5508-K9
Problem Description
Lobby Admin user is not getting authenticated.
Logs
AAA server ( ACS ) is rejecting the auth request.
*tplusTransportThread: Oct XX 14:57:12.XXX: 00000000: XX 01 XX XX 09 XX XX XX 00 00 00 06 XX XX 58 XX ..............X.
*tplusTransportThread: Oct XX 14:57:12.XXX: 00000010: XX 5X XX
*tplusTransportThread: Oct XX 14:57:12.XXX: tplus auth response: type=1 seq_no=4 session_id=09dcadb8 length=6 encrypted=0
*tplusTransportThread: Oct XX 14:57:12.XXX: 00:00:00:XX:00:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:00:00:XX:00:00
*tplusTransportThread: Oct XX 14:57:12.XXX: AuthorizationResponse: 0x450e29c4
*tplusTransportThread: Oct XX 14:57:12.XXX: structureSize................................32
*tplusTransportThread: Oct XX 14:57:12.XXX: resultCode...................................-4
*tplusTransportThread: Oct XX 14:57:12.XXX: protocolUsed.................................0xffffffff
*tplusTransportThread: Oct XX 14:57:12.XXX: proxyState...................................00:00:00:YY:00:00-00:00
*tplusTransportThread: Oct XX 14:57:12.XXX: Packet contains 0 AVPs:
*emWeb: Oct XX 14:57:12.XXX: Authentication failed for lobbyadminResolution
If LOCAL is selected as second priority than user will be authenticated against LOCAL only if first priority is unreachable. In configuration, LOCAL was selected as second priority.
So the authentication for the “lobby-admin” user was hitting only TACACS+ and was not approaching LOCAL Database. After changing LOCAL to first priority, it started to work.
More Information
The controller can provide guest user access on WLANs. The first step in creating guest user accounts is to create a lobby administrator account, also known as a lobby ambassador account. Once this account has been created, a lobby ambassador can create and manage guest user accounts on the controller. The lobby ambassador has limited configuration privileges and access only to the web pages used to manage the guest accounts.
The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.
The Local user database is limited to a maximum of 2048 entries, which is also the default value (on the Security > AAA > General page). This database is shared by local management users (including lobby ambassadors), local network users (including guest users), MAC filter entries, exclusion list entries, and access point authorization list entries. Together they cannot exceed the configured maximum value.
Creating a Lobby Ambassador Account
You can create a lobby ambassador account on the controller through either the GUI or the CLI.
