Encryption options on a Lobby Ambassador implementation
Hi all,
I'm in the middle of configuring a guest wireless network using the lobby ambassador feature. I have things up and running using Open Encryption at L2 and WebAuth at L3 - The Controller doesn't like any L2 security that I try to add and I'm uneasy at just using WebAuth, has anyone implemented something similar? Were you able to add any kind of encryption?
Thanks,
Denis
By its very nature, the WebAuth feature will not allow any encryption. This is a feature very much like a hot-spot that you'd see in a coffee shop. In order to allow any user to access the authentication splash page, the WLAN has to be completely open.
If security is required, then it really has to come from higher layers of the stack (i.e., IPSEC, HTTPS, SSH, etc.).
So to answer your question, yes I have implemented a number of Web Auth WLANs, and no, it is absolutely not possible to implement any kind of encryption on the WLAN.
Hope this helps!
Richard.
Similar Messages
-
WCS Lobby Ambassador audit report for a specific period of time
Hi all,
I know there is an WCS audit report for each lobby ambassador activities. But the problem is that I see only activities from Nov 9 to the present. I don't know what the reason is, whether somebody erased that information before Nov 9 or something else happened.
Is there any option to manually configure a specific period of time, for example obtain all activities for last 3 months?
Thanks for any hint.
Jozef
Hi Koti,
What error did you meet when you used audit report from Oct 16 to Oct 31?
Please check the log file to find more information about this issue. The path of the log file is: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\LOGS. You can check the log file whose modified date is from Oct 16 to Oct 31.
In addition, please deactivate and reactivate Reporting feature at site collection level.
A similar post for your reference:
http://sharepointknowledgebase.blogspot.com/2012/07/unexpected-error-when-trying-to-view.html#.VG2cFouUeog
About audit log report, please take a look at:
https://support.office.com/en-us/article/Configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2?ui=en-US&rs=en-US&ad=US
Best Regards,
Wendy
Wendy Li
TechNet Community Support -
WCS Lobby Ambassador with AAA Authentication
We are using WCS 7.0.164.0. I configured a user as local lobby ambassador with special defaults and also with a special guest login logo. If I use this user to create guest accounts everything is alright. Now I want to change the authentication to radius, so I export the cisco lobby ambassador attributes to the radius server and extend these network policies. Now I can login as user, authenticated from the radius server and I create guest accounts in the same way as before with local login, BUT !!! Our special guest login logo isn't shown and there is no way to upload or configure this special logo. Is there a way to configure these options for users authenticated with AAA?
Thanks for any help,
Bernhard
Hi Bernhard,
I used following doc-link: http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml
The trick I used is to configure same username on tacacs+ and local, but different passwords.
local-user: configure your special attributes like logo
tacacs+: configure the authentication and group
local-user password is not the same as the tacacs+ password.
I configured Authentication in WCS section: Administration > AAA > AAA Mode Settings
Enable fallback to local == on auth failure or no server response
Maybe if you deselect Enable fallback to local you can only authenticate to tacacs+. But now I can authenticate with local user/password and tacacs+ user/password.
Attributes for tacacs+ or radius server can be exported in WCS section: Administration > AAA > All Groups; Export Task List
Attributes for tacacs+ server:
virtual-domain0=root
role0=LobbyAmbassador
task0=Configure Guest Users
task1=Lobby Ambassador User Preferences
Attributes for Radius (I never tried radius):
Wireless-WCS:role0=LobbyAmbassador
Wireless-WCS:task0=Configure Guest Users
Wireless-WCS:task1=Lobby Ambassador User Preferences
==> I think also virtual-domain can be set. -
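A least-privilege check for the attribute lists quoted in the post above, as an added example that is not part of the original thread or any Cisco tooling. It assumes the exported attributes are reviewed as plain `name=value` lines and that the baseline is exactly the role and tasks the post lists; the names `audit_profile`, `ExampleAdminRole` and `Example Admin Task` are hypothetical.

```python
import re

# Matches the attribute lines quoted in the post; "Wireless-WCS:" is the RADIUS form.
ATTR_RE = re.compile(r"^(?:Wireless-WCS:)?(virtual-domain|role|task)\d+=(.+)$")

# Assumed baseline: exactly the role and tasks the post lists for a lobby ambassador.
ALLOWED = {
    "role": {"LobbyAmbassador"},
    "task": {"Configure Guest Users", "Lobby Ambassador User Preferences"},
}

def parse_attributes(text):
    """Return ({kind: set(values)}, [lines that are not recognised attributes])."""
    parsed = {"virtual-domain": set(), "role": set(), "task": set()}
    unparsed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ATTR_RE.match(line)
        if match:
            parsed[match.group(1)].add(match.group(2).strip())
        else:
            unparsed.append(line)
    return parsed, unparsed

def audit_profile(text):
    """List findings for a profile that grants more than the lobby ambassador baseline."""
    parsed, unparsed = parse_attributes(text)
    findings = [f"unrecognised line: {line}" for line in unparsed]
    for kind in ("role", "task"):
        for value in sorted(parsed[kind] - ALLOWED[kind]):
            findings.append(f"extra {kind}: {value}")
    if "LobbyAmbassador" not in parsed["role"]:
        findings.append("LobbyAmbassador role missing")
    return findings

# Attribute lists as quoted in the post above.
TACACS_PROFILE = """virtual-domain0=root
role0=LobbyAmbassador
task0=Configure Guest Users
task1=Lobby Ambassador User Preferences"""
RADIUS_PROFILE = """Wireless-WCS:role0=LobbyAmbassador
Wireless-WCS:task0=Configure Guest Users
Wireless-WCS:task1=Lobby Ambassador User Preferences"""
# Constructed sample: role1 and task1 are hypothetical names, not real WCS values.
OVERBROAD_PROFILE = """role0=LobbyAmbassador
role1=ExampleAdminRole
task0=Configure Guest Users
task1=Example Admin Task"""

if __name__ == "__main__":
    for name, profile in [("tacacs", TACACS_PROFILE), ("radius", RADIUS_PROFILE),
                          ("overbroad", OVERBROAD_PROFILE)]:
        print(name, audit_profile(profile) or "ok")
```

Running the check against the profile actually configured on the AAA server shows whether a lobby ambassador account has picked up roles or tasks beyond guest-user management.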
Lobby Ambassador- Guest User Creation
Hi all,
I am currently implementing the use of the lobby ambassador for guest account creation, however I am looking to see if some features exist. I would like to be able to tie into AD to create lobby ambassadors to have further control of who can and cannot create guest accounts. I am also looking if there is a way to put restrictions on the time frame a guest account can remain active for when created by the lobby ambassador. An example of what I am trying to do is to not have a guest account created by an ambassador to go over a day for its time frame.
Thanks in advance,
Chris
Yes and yes. From WCS you can pull the role for lobby admin and use that to create the group with the proper attributes.
Then on the WCS you build the template you want them to use. There you can create the restrictions of how long.
Steve
Sent from Cisco Technical Support iPhone App -
Hello all,
In WCS by default the lobby ambassador has option to generate manual or auto (random) password for guest user account.
Is there any way that we can restrict lobby ambassador to generate manual password for guest user ?
Regards,
Anis
No, not exactly,
We don't want lobby admins to create manual passwords for their guests. Lobby admin should have the option to generate random passwords only.
Regards,
Anis -
Can't setup a Lobby Ambassador account??
I've just installed a new WLC4402 (50AP) and am trying to set up guest WLAN access.
So far I have a separate VLAN and WLAN configured and have secured the VLAN to allow only access to the internet after web-auth.
I go to the 'Management> Local Management Users> New Page'
But the only types of account available are 'Read/Write' and 'Read Only', Should the 'lobby Ambassador' be listed here, or am I missing something?
All the best to all the Forum users for the season.
Dan
Hi Dan,
It should be there if you are running 4.0+ software. If you are running 4.0+ then you could try adding the user via CLI to see if it's an option:
config mgmtuser lobby-admin
If you are running 3.2 or earlier, then that's the problem.
-Ben -
WCS Lobby Ambassador and Monitor User
I'm running our WCS authentication through ACS with TACACS and it's working fine. However, I currently have my Help Desk setup with a monitor user so they can login and view WCS, but this does not give them the Lobby Ambassador of course. How can I get a user to have both WCS and Lobby access with having to login with separate user identities?
It's either admin either lobby account, you can not have both, the http pages are completely different and don't intermix.
Your solution is to have 2 users on your TACACS where one is the admin and one the lobby.
Here are the step by step config lines:
http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0admin.html#wpmkr1064288 -
I want to be able to tie the registering users into the visitor registration section of a segregated guest network. I want to have a link that would appear in the front end after you register a visitor which would direct you to this program which is the lobby ambassador. Any non guest user could be able to register a guest and be provided a temp logon for the guest for a period of time.
Anyone has an idea of how I can achieve this using a Cisco lobby ambassador?
You should be able to expand it to something bigger. On the controller go to Security, AAA, General. Increase this number, it will require a reboot. I'm not sure the maximum you can increase it to (could be controller dependent).
-
Lobby Ambassador can't email guest user accounts via WCS
WCS is configured with SMTP server under Administration-Settings-Mail Server Configuration and test is successful and it sends e-mail alerts out no problem. However, when Lobby Ambassador creates a new guest account and clicks on the e-mail link to email it out, this message pops-up: 'Email Server is not configured.Contact Network Administrator'.
Any ideas?
By poking around I've found an answer. Even though we have a single email server, right after I've added the same server as a secondary email server, notifications started working. Seems to be a WCS bug.
-
WCS - Lobby Ambassador users don't see each other's guest users
Hi, we currently have the problem with WCS 5.2 that a user of the group "Lobby Ambassador" cannot see guest users that have been created by another user of that group. The user can only see his own created guest users. All are in the same virtual domain which is the root-domain.
I believe this behaviour was not this way in previous versions, here all guest users were visible to all Lobby Ambassador users.
I couldn't find any hint in the documentation about this.
Is this simply a change in behaviour (works as designed) or is this maybe a bug?
You will get this error:
Error(s): You must correct the following error(s) before proceeding:
Error:A Guest User account with the name ''lobby user'' has already been created by you or another WCS Lobby Ambassador user. Please choose a different User Name for this Guest account. -
Lobby Ambassador - WCS Logging of Guest Account Creation
Hello all,
If I am user "admin-ken" and I setup an guest user account "guestuser1" via the WCS controller templates > Guest User (which takes me into lobby ambassador), is there a log file that indicates that "admin-ken" had setup "guestuser1" guest account?
Many thx indeed,
Kind regards,
Ken
Hi Ken,
Hope all is well :)
Maybe this is what you are looking for;
Logging the Lobby Ambassador Activities
The following activities are logged for each lobby ambassador account:
• Lobby ambassador login: WCS logs the authentication operation results for all users.
• Guest user creation: When a lobby ambassador creates a guest user account, WCS logs the guest user name.
• Guest user deletion: When a lobby ambassador deletes the guest user account, WCS logs the deleted guest user name.
• Account updates: WCS logs the details of any updates made to the guest user account. For example, increasing the life time.
Follow these steps to view the lobby ambassador activities.
Note You must have superuser status to open this window.
Step 1 Log into the Navigator or WCS user interface as an administrator.
Step 2 Click Administration > AAA, then click Groups in the left sidebar menu to display the All Groups window.
Step 3 On the All Groups windows, click the Audit Trail icon for the lobby ambassador account you want to view. The Audit Trail window for the lobby ambassador displays.
This window enables you to view a list of lobby ambassador activities over time.
• User: User login name
• Operation: Type of operation audited
• Time: Time operation was audited
• Status: Success or failure
Step 4 To clear the audit trail, choose Clear Audit Trail from the Select a command drop-down menu and click GO.
http://www.cisco.com/en/US/docs/wireless/wcs/4.2/configuration/guide/wcsmanag.html#wp1076868
http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html#wp1001609
Hope this helps!
Rob -
Logging the Lobby Ambassador Activities on WLC
Dear all,
we are interested in "Logging the Lobby Ambassador Activities on WLC",
we found resources that explain how to do this using WCS, but we want to know if it's
possible without WCS.
More in general, we give the possibility to our employees to create guest accounts, using
the Radius to authenticate as Lobby Admin.
We are interested to identify who creates the particular guest account, in case of
incident investigation.
Thanks, for any suggestion on regard.
bye
This is not possible with just the WLC. You would want to look at ISE or NAC Guest Server.
-
Prime Lobby Ambassador defaults
I can't figure out if it's possible to standardize the configuration for Guest User creation for users who are authenticated using RADIUS and assigned to the Lobby Ambassador group.
Any help?
Thanks!
I went through this nightmare before as well if memory serves. Unfortunately, it doesn't appear it's possible.
If I'm incorrect, someone please pipe up as I don't believe I was ever able to find a way either. -
Prime Lobby Ambassador defaults scheduling guest users
Hi.
I'm actually testing Prime Infrastructure and one important thing there for me is the Lobby Ambassador feature.
I want to give our colleagues from other sites the possibility to create guest accounts on their own, but with some defaults already set. They should only be able to create accounts with a lifetime of 14 days ( not editable ), but with the possibility to schedule the accounts.
If I now set the defaults of the Lobby Ambassador to 14 days lifetime and make them not editable, the Lobby Ambassador can’t schedule the guest user. If they choose “Schedule Guest User” from dropdown, they get the message “The creation will be scheduled 5 minutes after the current server time.”
Is there a way to get that working?
Best would be to have the defaults partially not editable, so that you can make some things default ( e.g. lifetime, generate password, controller config group ) and some things editable ( e.g. description, disclaimer, scheduling ).
Regards,
Sven Lindeke
I went through this nightmare before as well if memory serves. Unfortunately, it doesn't appear it's possible.
If I'm incorrect, someone please pipe up as I don't believe I was ever able to find a way either. -
WCS setup RADIUS users Lobby Ambassador Defaults
Hi
I'm using RADIUS so my users can use their active directory credentials to login WCS and generate guest users accounts...
But I would like to setup some Lobby Ambassador Defaults, I can easily do this for local users on the WCS system, but how to setup defaults for RADIUS users?
Best Regards,
Steffen.
Hi Scott
Thanks for your reply.
I've already read the article, but I can't see that it says anything about setting up Defaults for the users, only which tasks they should be able to do...
I would like to setup defaults for the radius users, so when they are authenticated as lobby ambassadors they do not need to select which SSID they are generating a guest user account for and so on...
This is possible for local WCS users, but I need to setup these defaults for my RADIUS authenticated users.
Best Regards
Steffen
And btw.. this discussion was started by me.. https://supportforums.cisco.com/thread/2115616