We don’t have the same TACACS config and results with 9800 as we do with AireOS, with 9800, there is difference between the CLI and GUI, the monitor in GUI give you read only access (no difference between privileges 1 to 14) while the CLI can be different for privileges (2 to 14) as any Cisco Switch by customization considering the default privilege access levels (0 “cli exec mode only without read access and no access to gui” , 1 “Read Only in both cli and gui” , 15 “Admin in both cli and gui”)
You can also have Lobby admin with GUI (There is no lobby-admin concept in CLI) and the Lobby admin can be local to the 9800 or remote thru AAA
Lobby admin local configs example below: (will not be able to access the CLI)
user-name lobby_admin_local
type lobby-admin
password 0 password
Lobby admin remote aaa example below: (Will be able to access the CLI so it’s better to give it priv 0), GUI will only show (Guest User) and (Allowed Users) tabs and the lobby admin can add/delete guests and can’t do anything from cli.
(( add Cisco-av-pair on radius or tacacs user-type=lobby-admin and shell:priv-lvl=0 ))
aaa authentication login <method-list> group radius/tacacs
aaa remote username <remote-lobby-admin>
Note: Check this enhancement "CSCvu29748 - External lobby admin enhancement request to avoid using aaa remote command” https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvu29748 this is included in 17.3.3 and 17.5.1. So, there is no need to configure “aaa remote username <remote-lobby-admin>” in config and WLC can apply lobby-admin attribute from AAA (Radius/Tacacs). If you configure “aaa remote username <remote-lobby-admin>” with lobby-admin attribute from AAA then you will not be able to login using that user from GUI or CLI.
