Lobby Ambassador- Guest User Creation

Similar Messages

• WCS 4.1.91 Guest User creation error

  When I try to add a guest user using my LobbyAmbassador operator account, I consistently get an error stating "End date can not be older than start date".
  The user is a limited life time, and we are trying to set end time using calendar, setting life to 48 hours basically. Just this week I upgraded to WCS4.1.91 and WLC4400's wo 4.1.185.0.
  Thanks in advance for your help.

  Hi Darcy,
  It looks like you are hitting this bug;
  CSCsi79726 Bug
  Creating scheduled user - message confusing -end date
  Symptom:Cannot create scheduled guest users with the lobby ambassador because of error "the end date cannot be older than the start date"
  Conditions:version 4.1.83.0
  Workaround:Upgrade to version 4.1.91.0
  Further Problem Description:The creation is failing because
  of the difference between the server and the client times. Initially user UI's
  are populated by considering server times and user selections are evaluated
  against client timings. The lifetime calculated is invalid because of
  difference between client and the server timings.
  It looks like WCS 4.1.91 was supposed to fix this issue, so if it is still happening you should really open a TAC case :(
  Hope this helps!
  Rob

• WCS - Guest User Creation

  Hello. I have a question related to the Lobby Ambassador login in WCS and creating user accounts in an environment using a guest Anchor controller. Specifically, if a 'lobby ambassador' is logged into WCS from 2 timezones away (anchor is in same location as WCS) creating a user, they will see the local time of the WCS (for start/stop times), correct? Is there a way to make it present the local time to the lobby ambassador so they don't have to figure out the correct start/stop times for their location?
  Hopefully this question makes sense.
  Thank you for your time and assistance,
  Jeff

  Lobby admins created guest users are always in the WCS timezone. If controllers are in another timezone, the lobby admin needs to adjust the time accordingly while creating guest users.

• Disabling the unlimited Lifetime option in Cisco WCS Guest User Creation

  Is there  a way to disable the unlimited Lifetime option in Cisco WCS Guest User Add/Schedule tab.If i make those fields uneditable, it just takes out the option to schedule any meetings in future.Using Cisco WCS version 7.0.220.0.

  i'm also searching for an solution to disable the unlimited lifetime button for the Lobby Ambassador.
  could it that Cisco introduces this maybe a future release?
  couldn't be that there are only few people who are disappointed with this solution.
  My Customer is thinking now that cisco isn't the right solution for him.

• Lobby ambassador guest acounts

  When creating a guest user account using lobby ambassador on wcs 4.2 the guest account defaults to 8 hours. I would like to change the default time to 1 day. Does anyone know how i can do this?
  Thanks!

  Great. Also, I noticed that when using ACS to authenticate the user that creates guest accounts the lobby ambassador default settings don't apply to this user. Any ideas on how to correct this? Any estimated date when 5.1 will be released?
  Thanks!

• Guest user creation via API

  I think I read somewhere there is an API for creating guest users on a WCS/WLC.
  I am looking for a way to intergrating the creation into a intranet page.
  Can somebody confirm such API and maybe point to a place to find it?

  That is great news.
  I ende up sniffing the traffic from the WCS to the WLC with wireshark and saw the reuqiered SNMP OID's for making a guest user.
  So I have made a little (ugly) perl script that make a guest user on the WLC, send a email to a sponsor and send a SMS via kannel.
  Ugly, but its cover our need for now.
  But a API will make life (and the perl script) alot nicer.
  Thanks for the info.

• WLC SNMP Guest User Creation

  I have a system that I'm trying to tie into WLC (4.1 / 4.2) for wireless guest access. I would like to make it so that when someone creates an account in a registration system I can do a snmpset command to create the person an account on the WLC for wireless access. I have found the OID (.1.3.6.1.4.1.14179.2.5.10.1.1) but am unsure as to how to actually create an entry. Does anyone happen to have an example they can send my way as to how to create a guest user using snmp?
  Thanks!

  Okay so i honesty I got a lot of help from Brad Hanson on this, but to summarise....
  -In Local Users are stored in the WLC.
  -Once created the timer starts to tick, regards if the user is logged on or not.
  -The Local Users can be listed by polling the OID positions:
  .1.3.6.1.4.1.14179.2.5.10.1.1 (username)
  .1.3.6.1.4.1.14179.2.5.10.1.2 (WLAN)
  .1.3.6.1.4.1.14179.2.5.10.1.3 (password)
  .1.3.6.1.4.1.14179.2.5.10.1.4 (description)
  .1.3.6.1.4.1.14179.2.5.10.1.5 (time left)  (100's of seconds)
  Example command: snmpwalk -c READSTRING -C c IPADDRESS  1.3.6.1.4.1.14179.2.5.10.1
  -The OID positions are unique by extending the OID using the ASCII value of the username specified and the number of characters in that user name
  Example User 'Test' is 4 characters long and made up of ASCII 84 = T, 101 = e, 115 = s, 116 = t.
  Therefore 'time left' for Test would be OID + ID = .1.3.6.1.4.1.14179.2.5.10.1.5.4.84.101.115.116
  -When making a new account remotely user must construct the users name out of ASCII, count the number of characters and in a single SNMP commands set the first five parameters of the new account.
  Example. Makes an account called 'z'.
  snmpset -c WRITESTRING IPADDRESS .1.3.6.1.4.1.14179.2.5.10.1.24.1.122 i 4  .1.3.6.1.4.1.14179.2.5.10.1.1.1.122  s "z"  .1.3.6.1.4.1.14179.2.5.10.1.2.1.122 i 5 .1.3.6.1.4.1.14179.2.5.10.1.3.1.122 s "z"  .1.3.6.1.4.1.14179.2.5.10.1.4.1.122 s "maybe" .1.3.6.1.4.1.14179.2.5.10.1.4.1.122 s  "z1" .1.3.6.1.4.1.14179.2.5.10.1.5.1.122 i 86400
  Spot the '.24' OID is always set to integer 4… this asks the WLC to create a new account and the rest of the parameters are to follow.
  -Once the new account is created the you must force it to a Guest Account by setting guest option to integer 1.
  Example for user 'z'  snmpset -c WRITESTRING IPADDRESS .1.3.6.1.4.1.9.9.515.2.3.1.1.2.1.122 i 1
  -NB. Minimum time allowed to be set is 6000 = 60 seconds.
  -To delete account OID '.24' to integer 6
  Example for user 'z' snmpset -c WRITESTRING IPADDRESS  .1.3.6.1.4.1.14179.2.5.10.1.24.1.122 i 6

• Lobby Ambassador Managment of Users that have expired.

  Hi there all :)
  When you set users up on LA and you set a user to a "controller list", the entry on the listing always shows the account as active from the front menu even if the time has expired.
  You then go into the account and you can see the date has expired, and if you test the account, yes, you cant login.
  Is this a bug?
  I am running WCS version 4.2.62.11.
  Also, I would like a function on LA to allow me to delete all expired users in one go. Is this possible?
  As the above indicates that the users is not expired but active, at the moment, you have to go into every account, check the expiry date and then delete the account one by one.
  Painful?
  Many thx indeed,
  Ken

  Hey Ken,
  Is it time for a beer yet??
  In answer to your first question, I think you are seeing this bug;
  CSCsk17497 Bug Details
  D3WCS:lobby ambassador-guest user account expiry not shown clearly
  Symptom:
  After successful scheduling the Guest account, the detail page for the created account doesn't show the expiry time details.
  Conditions:
  This condition arrives only when the browsed account is the scheduled account.
  Workaround:
  The detail page has the 'start' and 'end' time selection, which can be used for the expiry detail.
  Further Problem Description:
  Status
  Fixed
  Severity
  3 - moderate
  Last Modified
  Any Time
  Product
  Cisco Wireless Control System
  Technology
  1st Found-In
  4.2(47.0)
  Fixed-In
  5.0(28.0)
  Hope this helps bud!
  Rob

• Lobby Ambassador - WCS Logging of Guest Account Creation

  Hello all,
  If I am user "admin-ken" and I setup an guest user account "guestuser1" via the WCS controller templates > Guest User (which takes me into lobby ambassador), is there a log file that indicates that "admin-ken" had setup "guestuser1" guest account?
  Many thx indeed,
  Kind regards,
  Ken

  HiKen,
  Hope all is well :)
  Maybe this is what you are looking for;
  Logging the Lobby Ambassador Activities
  The following activities are logged for each lobby ambassador account:
  •Lobby ambassador login: WCS logs the authentication operation results for all users.
  •Guest user creation: When a lobby ambassador creates a guest user account, WCS logs the guest user name.
  •Guest user deletion: When a lobby ambassador deletes the guest user account, WCS logs the deleted guest user name.
  •Account updates: WCS logs the details of any updates made to the guest user account. For example, increasing the life time.
  Follow these steps to view the lobby ambassador activities.
  Note You must have superuser status to open this window.
  Step 1 Log into the Navigator or WCS user interface as an administrator.
  Step 2 Click Administration > AAA, then click Groups in the left sidebar menu to display the All Groups window.
  Step 3 On the All Groups windows, click the Audit Trail icon for the lobby ambassador account you want to view. The Audit Trail window for the lobby ambassador displays.
  This window enables you to view a list of lobby ambassador activities over time.
  •User: User login name
  •Operation: Type of operation audited
  •Time: Time operation was audited
  •Status: Success or failure
  Step 4 To clear the audit trail, choose Clear Audit Trail from the Select a command drop-down menu and click GO.
  http://www.cisco.com/en/US/docs/wireless/wcs/4.2/configuration/guide/wcsmanag.html#wp1076868
  http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html#wp1001609
  Hope this helps!
  Rob

• Prime Lobby Ambassador defaults

  I can't figure out if it's possible to standardize the configuration for Guest User creation for users who are authenticated using RADIUS and assigned to the Lobby Ambassador group.
  Any help?
  Thanks!

  I went through this nightmare before as well if memory serves.  Unfortunately, it doesn't appear it's possible.  
  If I'm incorrect, someone please pipe up as I don't believe I was ever able to find a way either.

• Lobby Ambassador Profiles in ACS 5.3

  We've set our WCS up to do AAA through our ACS 5.3 which works great. So in order to log into the WCS for Administration or as a Lobby Ambassador (to create guest users etc) the AAA is all done by the ACS, GREAT!
  I have assigned a set of users the Lobby Ambassador role as passed that back through TACACS to the WCS, so those users have their role setup as Lobby Ambassador and are limited from doing anything else, as expected.
  What I want to know is: With normal local AAA on the WCS, when you created a Lobby Ambassador account, you could give the account a set of defaults for any guests accounts created by that Lobby Ambassador account, which was good, so Lobby Ambassadors couldn't set up unlimited time accounts and stuff like that.
  What I want to know now is that since I'm now doing all the AAA on the ACS, is there an attribute I can pass to the WCS in the Shell Profile, along with the roles etc telling the WCS what the guest user creation defaults for the Lobby Ambassador account is, so that we can continue to limit the defaults of any guest account that the Lobby Ambassador accounts create, as it used to be? We'd really like different lobby ambassadors to be able to do different things as well. i.e., Lobby Ambassador X can only create accounts for one region. Lobby Ambassador Y can create Unlimited time accounts where the others can not. We used to do this by assigning different guest user creation defaults to different lobby ambassador accounts on the WCS.
  Help appreciated        

  Hi,
  at the moment the only solution for your requirement is to create local NCS/WCS accounts with exactly the same username as existing in your ACS, no matter what password. Authentication will happen via TACACS+ while the defaults will be taken from the local user account. Please be aware that this mechanism is case sensitive.
  Regards
  Stefan

• Customize Lobby Ambassador View

  Hi all,
  I have a problem with the following situation:
  - Cisco Prime Infrastructure 2.0 (2.0.0.0.294)
  - Cisco ACS 5.4 (5.4.0.46.0a)
  - 2x Cisco WLAN Controller 5508 in SSO mode
  - x APs 2600 Series
  All devices are configured properly, I can see the WLC on Prime, etc.
  Prime and WLC are added to ACS for TACACS+ Authentication.
  Admin users are able to login to Prime with full feature set (root permission).
  Lobby Ambassadors can also login to Prime for Guest User creation.
  Therefore I have created two Shell Profiles on ACS.
  Now I want to create WLAN Guest User with Lobby Ambassador Account (TACACS-authenticated!).
  I want to customize the Default Guest User Creation page with a company logo and some default settings (WLAN Profile, Apply to Controller List, set "generate password" to fixed, etc.) to fixed values.
  Only thing what Lobby Ambassador can change should be setting the password period (with hours or using calender), guest user name and description.
  If I configure a local user on Prime, I can customize the page.
  However if I use TACACS user, I am not able to use the customized page.
  Can anybody help me with this issue?
  THANKS a lot!!!!
  edit: problem solved by workaround...
  https://supportforums.cisco.com/thread/2201703
  BR, Stefan

  You will not be able to unless you build a back-end that does it and sends the commands to the WLC. Other than that, you can't customize the lobby ambassador page.
  Sent from Cisco Technical Support iPhone App

• Prime Lobby Ambassador defaults scheduling guest users

  Hi.
  I'm actually testing Prime Infrastructure and one important thing there for me is the Lobby Ambassador feature.
  I want to give our colleagues from other sites the possibility to create guest accounts on their own, but with some defaults already set. They should only be able to create accounts with a lifetime of 14 days ( not editable ), but with the possibility to schedule the accounts.
  If I now set the defaults of the Lobby Ambassador to 14 days lifetime and make them not editable, the Lobby Ambassador can’t schedule the guest user. If they choose “Schedule Guest User” from dropdown, they get the message “The creation will be scheduled 5 minutes after the current server time.”
  Is there a way to get that working?
  Best would be to have the defaults partially not editable, so that you can make some things default ( e.g. lifetime, generate password, controller config group ) and some things editable ( e.g. description, disclaimer, scheduling ).
  Regards,
  Sven Lindeke

  I went through this nightmare before as well if memory serves.  Unfortunately, it doesn't appear it's possible.  
  If I'm incorrect, someone please pipe up as I don't believe I was ever able to find a way either.

• WCS - Lobby Ambassador users don't see each other's guest users

  Hi, we currently have the problem with WCS 5.2 that a user of the group "Lobby Ambassador" cannot see guest users that have been created by another user of that group. The user can only see his own created guest users. All are in the same virtual domain which is the root-domain.
  I believe this behaviour was not this way in previous versions, here all guest users were visible to all Lobby Ambassador users.
  I couldn't find any hint in the documentation about this.
  Is this simply a change in behaviour (works as designed) or is this maybe a bug?

  You will get this error:
  Error(s): You must correct the following error(s) before proceeding:
  Error:A Guest User account with the name ''lobby user'' has already been created by you or another WCS Lobby Ambassador user. Please choose a different User Name for this Guest account.

• Lobby Ambassador TACACS denied to create Guest Users

  Hi,
  I read some threads but I found no answer.
  I use WCS 7.0.172.0 an ACS 5.2
  I configured in ACS a Shell Profile for Lobby Ambassador Accs like I did for Admins.
  If I login as such lobby ambassador, I see just what i have to see. But if i'm going to create a guest user I got the message:
  Permission Denied
  You do not have privileges for the requested  operation.
  After Forum reading I created a local user with exact the same name, differnt pw, with no success.
  The shell profile:
  role0 | mandtory | LobbyAmbassador
  task0 | mandtory | Configure Guest Users
  task1 | mandtory | Lobby Ambassador User Preferences
  Thx 4 reading!
  btw: I just can authenticate with tacas+/pap, if I configure chap I've got a failure. chap is allowed in ACS...

  OK I fixed it.
  I had to add:
  virtual-domain0 | mandatory | root
  to the top of the shell profile, like described in:
  http://www.cisco.com/en/US/docs/wireless/wcs/7.0/configuration/guide/7_0admin.html
  now it works...
  The WCS "Task List" output of the group hasn't list it...
  But the CHAP probleme still wasn't fixed. Anyone who use TACACS/CHAP auth?