Lobby Ambassador TACACS denied to create Guest Users

Hi,
I read some threads but I found no answer.
I use WCS 7.0.172.0 and ACS 5.2.
I configured in ACS a Shell Profile for Lobby Ambassador accounts like I did for Admins.
If I log in as such a lobby ambassador, I see just what I have to see. But if I'm going to create a guest user I got the message:
Permission Denied
You do not have privileges for the requested  operation.
After reading the forum I created a local user with exactly the same name, different pw, with no success.
The shell profile:
role0 | mandatory | LobbyAmbassador
task0 | mandatory | Configure Guest Users
task1 | mandatory | Lobby Ambassador User Preferences
Thx 4 reading!
btw: I can only authenticate with TACACS+/PAP; if I configure CHAP I get a failure. CHAP is allowed in ACS...

OK I fixed it.
I had to add:
virtual-domain0 | mandatory | root
to the top of the shell profile, like described in:
http://www.cisco.com/en/US/docs/wireless/wcs/7.0/configuration/guide/7_0admin.html
now it works...
The WCS "Task List" output of the group didn't list it...
But the CHAP problem still wasn't fixed. Anyone who uses TACACS/CHAP auth?
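
The fix above, as an added example that is not part of the original thread: a small Python lint over a shell profile listing in the post's `name | requirement | value` layout, flagging a profile that passes roles and tasks but no `virtual-domain0`. The function name, the sample listings and the check that indexes run from 0 without gaps are assumptions of this example, not WCS or ACS behaviour documented on this page.

```python
import re

# Constructed samples in the "name | requirement | value" layout used in the post.
BEFORE = """\
role0 | mandatory | LobbyAmbassador
task0 | mandatory | Configure Guest Users
task1 | mandatory | Lobby Ambassador User Preferences
"""
AFTER = "virtual-domain0 | mandatory | root\n" + BEFORE

ATTR = re.compile(r"^(role|task|virtual-domain)(\d+)$")

def lint_shell_profile(text):
    """Return a list of findings for a WCS TACACS+ shell profile listing."""
    findings, seen = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            findings.append(f"line {lineno}: expected 3 fields, got {len(parts)}")
            continue
        name, requirement, value = parts
        m = ATTR.match(name)
        if not m:
            findings.append(f"line {lineno}: unexpected attribute name {name!r}")
            continue
        if requirement.lower() not in ("mandatory", "optional"):
            findings.append(f"line {lineno}: unknown requirement {requirement!r}")
        if not value:
            findings.append(f"line {lineno}: {name} has an empty value")
        seen.setdefault(m.group(1), []).append(int(m.group(2)))
    # The thread's fix: a role without a virtual domain logs in but cannot act.
    for family in ("role", "virtual-domain"):
        if family not in seen:
            findings.append(f"missing {family}0: profile carries no {family} attribute")
    # Assumption of this example: indexes in each family run 0..n-1 without gaps.
    for family, idx in seen.items():
        if sorted(idx) != list(range(len(idx))):
            findings.append(f"{family} indexes are not contiguous from 0: {sorted(idx)}")
    return findings

if __name__ == "__main__":
    for label, profile in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_shell_profile(profile) or "ok")
```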

Similar Messages

  • Create guest user accounts

    Hi,
    I'm looking for a solution (WLC 4400) which enables employees to browse to a custom-made webpage, where they can create an account for company visitors to access the internet. It's important for the employees not to use any login credentials; they arrive on a webpage where they specify the login & password which the visitor will enter to browse the internet. Is there any good link to documentation about this topic? Any feedback is welcome.

    Hi Tim,
    Here are few links that may help you -
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml#c1
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
    Docs are a bit old but helpful. Please let us know if you have any doubt.
    Thanks

  • Prime Lobby Ambassador defaults scheduling guest users

    Hi.
    I'm actually testing Prime Infrastructure and one important thing there for me is the Lobby Ambassador feature.
    I want to give our colleagues from other sites the possibility to create guest accounts on their own, but with some defaults already set. They should only be able to create accounts with a lifetime of 14 days ( not editable ), but with the possibility to schedule the accounts.
    If I now set the defaults of the Lobby Ambassador to 14 days lifetime and make them not editable, the Lobby Ambassador can’t schedule the guest user. If they choose “Schedule Guest User” from dropdown, they get the message “The creation will be scheduled 5 minutes after the current server time.”
    Is there a way to get that working?
    Best would be to have the defaults partially not editable, so that you can make some things default ( e.g. lifetime, generate password, controller config group ) and some things editable ( e.g. description, disclaimer, scheduling ).
    Regards,
    Sven Lindeke

    I went through this nightmare before as well if memory serves.  Unfortunately, it doesn't appear it's possible.  
    If I'm incorrect, someone please pipe up as I don't believe I was ever able to find a way either.

  • Lobby ambassador can't see controller

    I have added a new WLC to the WCS which has the same setup as the others.
    But when the lobby ambassador wants to add a guest user, he can't find this controller in the choice box.
    What is missing?

    Please check if that WLC has the GUEST WLAN configured? If not, it will not come, is what I believe. On top of that:
    http://www.cisco.com/en/US/partner/docs/wireless/wcs/release/notes/WCS_RN7_0_220.html#wp68364
    7.0.172 WCS does not support 7.0.220 WLC.
    Regards
    Surendra

  • WCS - Lobby Ambassador users don't see each other's guest users

    Hi, we currently have the problem with WCS 5.2 that a user of the group "Lobby Ambassador" cannot see guest users that have been created by another user of that group. The user can only see his own created guest users. All are in the same virtual domain which is the root-domain.
    I believe this behaviour was not this way in previous versions, here all guest users were visible to all Lobby Ambassador users.
    I couldn't find any hint in the documentation about this.
    Is this simply a change in behaviour (works as designed) or is this maybe a bug?

    You will get this error:
    Error(s): You must correct the following error(s) before proceeding:
    Error:A Guest User account with the name ''lobby user'' has already been created by you or another WCS Lobby Ambassador user. Please choose a different User Name for this Guest account.

  • Lobby Ambassador Profiles in ACS 5.3

    We've set our WCS up to do AAA through our ACS 5.3 which works great. So in order to log into the WCS for Administration or as a Lobby Ambassador (to create guest users etc) the AAA is all done by the ACS, GREAT!
    I have assigned a set of users the Lobby Ambassador role and passed that back through TACACS to the WCS, so those users have their role set up as Lobby Ambassador and are limited from doing anything else, as expected.
    What I want to know is: With normal local AAA on the WCS, when you created a Lobby Ambassador account, you could give the account a set of defaults for any guests accounts created by that Lobby Ambassador account, which was good, so Lobby Ambassadors couldn't set up unlimited time accounts and stuff like that.
    What I want to know now is that since I'm now doing all the AAA on the ACS, is there an attribute I can pass to the WCS in the Shell Profile, along with the roles etc telling the WCS what the guest user creation defaults for the Lobby Ambassador account is, so that we can continue to limit the defaults of any guest account that the Lobby Ambassador accounts create, as it used to be? We'd really like different lobby ambassadors to be able to do different things as well. i.e., Lobby Ambassador X can only create accounts for one region. Lobby Ambassador Y can create Unlimited time accounts where the others can not. We used to do this by assigning different guest user creation defaults to different lobby ambassador accounts on the WCS.
    Help appreciated        

    Hi,
    at the moment the only solution for your requirement is to create local NCS/WCS accounts with exactly the same username as existing in your ACS, no matter what password. Authentication will happen via TACACS+ while the defaults will be taken from the local user account. Please be aware that this mechanism is case sensitive.
    Regards
    Stefan

  • WCS - Guest User Creation

    Hello. I have a question related to the Lobby Ambassador login in WCS and creating user accounts in an environment using a guest Anchor controller. Specifically, if a 'lobby ambassador' is logged into WCS from 2 timezones away (anchor is in same location as WCS) creating a user, they will see the local time of the WCS (for start/stop times), correct? Is there a way to make it present the local time to the lobby ambassador so they don't have to figure out the correct start/stop times for their location?
    Hopefully this question makes sense.
    Thank you for your time and assistance,
    Jeff

    Lobby admins created guest users are always in the WCS timezone. If controllers are in another timezone, the lobby admin needs to adjust the time accordingly while creating guest users.

  • Cisco WCS guest user expires after few days

    1) Hardware we are using:
    WCS version 6.0.196.
    WLC version 6.0
    2) Configuration steps we carried out:
    We created a guest user using the Lobby admin account for accessing the WLC which we have in the network. It works fine for some days, but after that we observed the particular guest user account status showing expired on WCS. I want to mention that we used the Unlimited tab for lifetime while creating the guest user account. The account lifetime for the guest user at the point of configuration was showing (Status -- Active, Account Lifetime -- Never Expire).
    The document we followed.
    http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0manag.html#wp1086189
    3) Problem we are facing.
    After some days(we are not sure about how many days) the guest users account shows "Expired"
    4) Requirement.
    Configuration of a particular user with account lifetime as never expire.
    Regards,
    Pramod.

    During the point of problem from WCS logs I observed the "Guestuser Service" is giving problem, below is the error. The detailed log is attached herewith.
    14:11:39.488 ERROR[general] [24] [GuestUserService] User does not belong to group 'Lobby Ambassador' or defaults are not set COMMON-11,LobbyAmbDefaults
    The issue is associated with mentioned bug
    CSCti79856
    Symptom:
    WCS deletes the Guest User Template when trying to de-provision it from a controller. Instead of deleting the guest user from the selected controllers, the user is removed from all controllers and the template deleted from WCS.
    Conditions:
    Using the delete functionality on the Guest User Template Page
    After upgrading WCS version from 6.0.196.0 to 7.0.172.0 issue was resolved. Thanks..

  • Lobby Ambassador - Selecting Profile

    We have a WCS version 5.2.130 and WLC version 4.2.130.0
    Not very familiar with it. The issue here is although the WLC is reachable from WCS, I can't seems to select a profile when we want to create guest users from lobby ambassador. The WLC has been configured with 2 wlans - wlanguest and wlan01 but I can't select this profile to assign the user to.
    Hope someone can shed some light.

    For guest users and lobby admins, the WLAN profiles that can be selected from the WLC are only those that are using WEB-AUTH as security policy.
    Make sure the WLAN profile for guest user is using web-auth on your WLC, that will address your issue.

  • Scheduling WCS Guest User Accounts

    Hi all,
    I have a question concerning scheduling WCS guest user accounts. I would appreciate having the opportunity to schedule a WCS guest account as a lobby ambassador. I know it is possible to do that, but only if you (as administrator) allow the user "lobby ambassador" to set "lifetime" to unlimited. If you set a limited lifetime in "Defaults for creating Guest User accounts", the lobby ambassador is not able to schedule a WCS guest account because this option is missing.
    Is it possible to do that without this restriction?
    The second issue is the email which consists of the guest user account credentials. Each time the scheduled time comes up, the guest user account credentials are emailed to the specified email address.
    Is it possible to send the credentials right after creating the guest user account and not when the scheduled time comes up which can be a week later?
    Jozef

    No, this should not be done, because the credentials are pushed by WCS to the controller only when the time comes.
    Once the WLC confirms the user is created, WCS goes ahead and sends you the credentials.
    Technically this could be added to WCS; it would be a PER (Personal Enhancement Request) to be filed by your System Engineer or Account / Sales team.

  • Cisco Prime UTC/GMT Lobby Ambassador Issue

    After creating guest user credentials via Cisco Prime Lobby Ambassador, you receive a summary page (attached) that lists the start time and end time. The issue is that the times show up in UTC instead of GMT. Does anyone know how to change this? Thanks.

    I am not sure if this bug is applicable to PI 2.1 or not, hopefully not, but you can contact TAC to confirm the behavior.
    If anyone has a different view, kindly share it with us.
    Thanks-
    Afroz

  • Cisco Prime UTC/GMT Lobby Ambassador

    After creating guest user credentials via Cisco Prime Lobby Ambassador, you receive a summary page (attached) that lists the start time and end time. The issue is that the times show up in UTC instead of GMT. Does anyone know how to change this? PI v 2.1. Thanks.

    Please refer: https://supportforums.cisco.com/discussion/11821441/cisco-prime-infra-13-how-change-time-zone
    Hope that helps.

  • Guest User SNMP Traps

    Hi all,
    I ran into a confusing behavior. When I use the Lobby Ambassador to add/delete a Guest User with limited lifetime I get an SNMP trap (that's what I want), but when I add a Guest User with unlimited lifetime I never get an SNMP trap, whether the user is added or deleted by the Lobby Ambassador.
    I double-checked that, with and without Lobby Ambassador Defaults, but I found no reason for that behavior.
    Do you have any ideas? Maybe run into the same problem?
    Thanks
    Best regards
    Peter

    Hi Peter,
    Please flag this as resolved if it answered your question. Future readers of this forum will then be able to benefit from our collective intelligence. Thanks.
    Best,
    Paul

  • Question about ISE guest user account self registration

    Dear Sir,
    We are planning a guest solution for our wireless network (we have WLC5508 and 1142 access points). Our requirements are:
    1. The guest user connects to a wireless guest SSID and opens a browser, which redirects to a web-auth page.
    2. The web-auth page has a URL; if the user clicks the URL, the guest user is taken to another web page where they can input some information (for example: username, email, cell phone) to create a guest user account themselves. The expiration of the user account is fixed to one day.
    3. The username and random password created for the guest user are then sent by SMS or email to the guest user.
    4. The guest user can use the username and password received to log in on the web-auth page and use the guest wireless network.
    5. User activity information (user create, login/logout, expire time, user IP address ...) should be logged.
    Please help to verify the ISE with base license can meet our requirement. ( especially item 2 & 3 )
    Best Regards,

    Hi,
    Guest registration is covered with base licenses.
    Here is some material that will bring you up to speed:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
    Base:
    Capabilities: Basic network access and guest access
    Network deployment support: Wired, wireless, and VPN
    License prerequisite: None
    Perpetual license
    Licenses are available for 100, 250, 500, 1000, 1500, 2500, 3500, 5000, 10,000, 25,000, 50,000, and 100,000 endpoints
    Tarik Admani

  • Guest user creation via API

    I think I read somewhere there is an API for creating guest users on a WCS/WLC.
    I am looking for a way of integrating the creation into an intranet page.
    Can somebody confirm such an API and maybe point to a place to find it?

    That is great news.
    I ended up sniffing the traffic from the WCS to the WLC with Wireshark and saw the required SNMP OIDs for making a guest user.
    So I have made a little (ugly) Perl script that makes a guest user on the WLC, sends an email to a sponsor and sends an SMS via kannel.
    Ugly, but it covers our need for now.
    But an API will make life (and the Perl script) a lot nicer.
    Thanks for the info.
