A client of mine recently requested that device authentication for everything is through RADIUS/AD for auditing purposes. As a result a specific AD group has been set aside for users with Lobby Ambassador permissions and it works great using the task list. The problem we've run into is that now these accounts are able to edit the guest account defaults and create users with no restrictions. Previously the shared Lobby Admin had the "defaults editable" field unchecked. Does anyone know how to duplicate that functionality for RADIUS authenticated users?
The following are the only task permissions returned by RADIUS:
task0=Configure Guest Users
task1=Lobby Ambassador User Preferences
I've tried removing task1 but that is just the display preferences of the page.
Did you find a resolution for this? We're experiencing the same behavior.
Also, it would be nice to define what defaults to be editable to enable lobby admins to schedule guest users in the future.
I know ISE you can set different lobby sponsor privileges depending on AD Group or internal ISE Groups. ISE though will host the splash page and the wlc only redirects to ISE.
Sent from my iPhone