WCS Lobby Ambassador and Monitor User

I'm running our WCS authentication through ACS with TACACS and it's working fine. However, I currently have my Help Desk setup with a monitor user so they can login and view WCS, but this does not give them the Lobby Ambassador of course. How can I get a user to have both WCS and Lobby access with having to login with seperate user identities?

It's either admin either lobby account, you can not have both, the http pages are completly different and dont intermix.
Your solution is to have 2 users on your TACACS where one is the admin and one the lobby.
Here are the step by step config lines:
http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0admin.html#wpmkr1064288

Similar Messages

WCS - Lobby Ambassador users don't see each other's guest users

Hi, we currently have the problem with WCS 5.2 that a user of the group "Lobby Ambassador" cannot see guest users that have been created by another user of that group. The user can only see his own created guest users. All are in the same virtual domain which is the root-domain.
I believe this behaviour was not this way in previous versions, here all guest users were visible to all Lobby Ambassador users.
I couldn't find any hint in the documentation about this.
Is this simply a change in behaviour (works as designed) or is this maybe a bug?

You will get this error:
Error(s): You must correct the following error(s) before proceeding:
Error:A Guest User account with the name ''lobby user'' has already been created by you or another WCS Lobby Ambassador user. Please choose a different User Name for this Guest account.

WCS Lobby Ambassador Accounts

Unable to manage Guest accounts created by different WCS Lobby Ambassador user Accounts.
I have setup three Lobby Ambassador accounts in WCS. Three staff members have been given seperate usernames and passwords to WCS with Lobby Ambassador profiles to allow them to create and manage the Guest Wireless Accounts.
It was expected that they would be able to view and manange all Guest accounts, but they can only manage accounts they created. If I login as WCS admin I can then see all accounts created by each user.
We require that all three can view and manage each others accounts using their own WCS login. Is this possible as docs do not mention??

Hi Stuart,
Just to add a note to the great tips from Leo;
CSCsw42942 Bug Details
SuperUser cannot see guest users created by admin users
Symptom:
If a WCS admin user creates a guest user through controller template, a Superuser will not be able to see the guest user created.
Conditions:
wcs 5.2.110
Workaround:
the root user can see everything
Further Problem Description: Status
Fixed
Severity
3 - moderate
Last Modified
In Last 3 Days
Product
Cisco Wireless Control System
Technology
1st Found-In
5.2(110.0)
Fixed-In
5.2(122.0)
6.0(23.0)
Have a look at this good recent thread;
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2cc01
And this good thread;
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc3077f
Hope this helps!
Rob

WCS Lobby Ambassador with AAA Authentication

We are using WCS 7.0.164.0. I configured a user as local lobby ambassador with special defaults and also with a special guest login logo. If I use this user to create guest accounts everything is alright. Now I want to change the authentication to radius, so I export the cisco lobby ambassador attributes to the radius server and extend these network policies. Now I can login as user, authenticated from the radius server and I create guest accounts in the same way as before with local login, BUT !!! Our special guest login logo isn't shown and there is now way to upload or configure this special logo. Is there a way to configure these options for users authenticated with AAA ? Thanks for any Help Bernhard

Hi Bernhard,
I used following doc-link: http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml
The trick I used is to configure same username on tacacs+ and local, but different passwords.
local-user: configure your special attributes like logo
tacacs+: configure the authentication and group
local-user password is not the same like tacacs+ password.
I configured Authentication in WCS section: Administration > AAA > AAA Mode Settings
Enable fallback to local == on auth failure or no server response
Maybe if you deselect Enable fallback to local you can only authenticate to tacacs+. But now I can authenticate with local user/password and tacacs+ user/password.
Attributes for tacacs+ or radius server can be exported in WCS section: Administration > AAA > All Groups; Export Task List
Attributes for tacacs+ server:
virtual-domain0=root
role0=LobbyAmbassador
task0=Configure Guest Users
task1=Lobby Ambassador User Preferences
Attributes for Radius (I never tried radius):
Wireless-WCS:role0=LobbyAmbassador
Wireless-WCS:task0=Configure Guest Users
Wireless-WCS:task1=Lobby Ambassador User Preferences
==> I think also virtual-domain can be set.

Lobby Ambassador Managment of Users that have expired.

Hi there all :)
When you set users up on LA and you set a user to a "controller list", the entry on the listing always shows the account as active from the front menu even if the time has expired.
You then go into the account and you can see the date has expired, and if you test the account, yes, you cant login.
Is this a bug?
I am running WCS version 4.2.62.11.
Also, I would like a function on LA to allow me to delete all expired users in one go. Is this possible?
As the above indicates that the users is not expired but active, at the moment, you have to go into every account, check the expiry date and then delete the account one by one.
Painful?
Many thx indeed,
Ken

Hey Ken,
Is it time for a beer yet??
In answer to your first question, I think you are seeing this bug;
CSCsk17497 Bug Details
D3WCS:lobby ambassador-guest user account expiry not shown clearly
Symptom:
After successful scheduling the Guest account, the detail page for the created account doesn't show the expiry time details.
Conditions:
This condition arrives only when the browsed account is the scheduled account.
Workaround:
The detail page has the 'start' and 'end' time selection, which can be used for the expiry detail.
Further Problem Description:
Status
Fixed
Severity
3 - moderate
Last Modified
Any Time
Product
Cisco Wireless Control System
Technology
1st Found-In
4.2(47.0)
Fixed-In
5.0(28.0)
Hope this helps bud!
Rob

WCS Lobby Ambassador audit report for a specific period of time

Hi all,
I know there is an WCS audit report for each lobby ambassador activities. But the problem is that I see only activities from Nov 9 to the present. I don't know what the reason is, whether somebody erased that information before Nov 9 or something else happened.
Is there any option to manually configure a specific period of time, for example obtain all activities for last 3 months?
Thanks for any hint.
Jozef

Hi Koti,
What error did you meet when you used audit report from Oct 16 to Oct 31?
Please check the log file to find more information about this issue. The path of the log file is: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\LOGS. You can check the log file whose modified date is from Oct 16 to Oct 31.
In addition, please deactivate and reactivate Reporting feature at site collection level.
A similar post for your reference:
http://sharepointknowledgebase.blogspot.com/2012/07/unexpected-error-when-trying-to-view.html#.VG2cFouUeog
About audit log report, please take a look at:
https://support.office.com/en-us/article/Configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2?ui=en-US&rs=en-US&ad=US
Best Regards,
Wendy
Wendy Li
TechNet Community Support

WCS Lobby Ambassador

Hello all,
In WCS by default the lobby ambassador has option to generate manual or auto (random) password for guest user account.
Is there any way that we can restrict lobby ambassador to generate manual password for guest user ?
Regards,
Anis

No not exactly ,
We dont want lobby admin's to create manuall passwords for there guest. Loby admin should have option to generate the random passwords only.
Regards,
Anis

Lobby Ambassador - Automatic deletion from WCS after Expiry or Account

Hi Guys,
When I create a guest account and the account time expires, the account still remains on the WCS (but not on the controller).
Is this a feature of the WCS or a bug?
If so, can I ask the WCS to automatically remove all guest users accounts from the WCS lobby ambassador either directly after expiry, or say at 00:00 hours every day?
Many thx
Ken

Hi there,
Many thx.
The way I understand it, is that yes the user expires, but you still have to clear down the username off the WCS periodically.
Just thought the WCS may be able to do this as the timer expires but had a chat with a few guys at Cisco and is not possible currently.
Cheers
Ken

Lobby Ambassador Profiles in ACS 5.3

We've set our WCS up to do AAA through our ACS 5.3 which works great. So in order to log into the WCS for Administration or as a Lobby Ambassador (to create guest users etc) the AAA is all done by the ACS, GREAT!
I have assigned a set of users the Lobby Ambassador role as passed that back through TACACS to the WCS, so those users have their role setup as Lobby Ambassador and are limited from doing anything else, as expected.
What I want to know is: With normal local AAA on the WCS, when you created a Lobby Ambassador account, you could give the account a set of defaults for any guests accounts created by that Lobby Ambassador account, which was good, so Lobby Ambassadors couldn't set up unlimited time accounts and stuff like that.
What I want to know now is that since I'm now doing all the AAA on the ACS, is there an attribute I can pass to the WCS in the Shell Profile, along with the roles etc telling the WCS what the guest user creation defaults for the Lobby Ambassador account is, so that we can continue to limit the defaults of any guest account that the Lobby Ambassador accounts create, as it used to be? We'd really like different lobby ambassadors to be able to do different things as well. i.e., Lobby Ambassador X can only create accounts for one region. Lobby Ambassador Y can create Unlimited time accounts where the others can not. We used to do this by assigning different guest user creation defaults to different lobby ambassador accounts on the WCS.
Help appreciated

Hi,
at the moment the only solution for your requirement is to create local NCS/WCS accounts with exactly the same username as existing in your ACS, no matter what password. Authentication will happen via TACACS+ while the defaults will be taken from the local user account. Please be aware that this mechanism is case sensitive.
Regards
Stefan

One Lobby Ambassador on multiple WLCs

Hello,
I have wireless network with 2 WLCs and I configured a guest access WLAN with web autentication.
I would like to use a LOCAL authentications with lobby ambassador for guest users.
Is there a way to create a user only once in one WLC?
At the moment I have to connect to each wlc with lobby ambassador privilege and create the same user/pwd on each.
Thanks
Johnny

Hi Johnny,
I reckon you only have to create the guest user on the Anchor Controller (that's assuming you have your wireless infrastructure configured that way) as that is the WLC that is doing the authentication.
Hope this helps
Scott

WCS setup RADIUS users Lobby Ambassador Defaults

Hi
I'm using RADIUS so my users can use their active directory credentials to login WCS and generate guest users accounts...
But I would like to setup some Lobby Ambassador Defaults, I can easily do ths for local users on the WCS system, but how to setup defaults for RADIUS users?
Best Regards,
Steffen.

Hi Scott
Tanks for your reply.
I've allready read the article, but I can't see that it says anything about setting up Defaults for the users, only which task the should be able to do...
I would like to setup defaults for the radius users, so when they are authenticated as lobby abassadors the do not need to select which SSID the a generating a guest user account for and so on...
This is possible for local WCS users, but i need to setup these defaults for my RADIUS authenticated users.
Best Reards
Steffen
And btw.. this dicussion was started by me.. https://supportforums.cisco.com/thread/2115616

Lobby Ambassador can't email guest user accounts via WCS

WCS is configured with SMTP server under Administration-Settings-Mail Server Configuration and test is successful and it sends e-mail alerts out no problem. However, when Lobby Ambassador creates a new guest account and clicks on the e-mail link to email it out, this message pops-up: 'Email Server is not configured.Contact Network Administrator'.
Any ideas?

by poking around I've found an answer. Even though we have a single email server, right after I've added the same server as a secondary email server, notifications started working. Seems to be a WCS bug.

Lobby Ambassador - WCS Logging of Guest Account Creation

Hello all,
If I am user "admin-ken" and I setup an guest user account "guestuser1" via the WCS controller templates > Guest User (which takes me into lobby ambassador), is there a log file that indicates that "admin-ken" had setup "guestuser1" guest account?
Many thx indeed,
Kind regards,
Ken

HiKen,
Hope all is well :)
Maybe this is what you are looking for;
Logging the Lobby Ambassador Activities
The following activities are logged for each lobby ambassador account:
â¢Lobby ambassador login: WCS logs the authentication operation results for all users.
â¢Guest user creation: When a lobby ambassador creates a guest user account, WCS logs the guest user name.
â¢Guest user deletion: When a lobby ambassador deletes the guest user account, WCS logs the deleted guest user name.
â¢Account updates: WCS logs the details of any updates made to the guest user account. For example, increasing the life time.
Follow these steps to view the lobby ambassador activities.
Note You must have superuser status to open this window.
Step 1 Log into the Navigator or WCS user interface as an administrator.
Step 2 Click Administration > AAA, then click Groups in the left sidebar menu to display the All Groups window.
Step 3 On the All Groups windows, click the Audit Trail icon for the lobby ambassador account you want to view. The Audit Trail window for the lobby ambassador displays.
This window enables you to view a list of lobby ambassador activities over time.
â¢User: User login name
â¢Operation: Type of operation audited
â¢Time: Time operation was audited
â¢Status: Success or failure
Step 4 To clear the audit trail, choose Clear Audit Trail from the Select a command drop-down menu and click GO.
http://www.cisco.com/en/US/docs/wireless/wcs/4.2/configuration/guide/wcsmanag.html#wp1076868
http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html#wp1001609
Hope this helps!
Rob

Lobby Ambassador- Guest User Creation

Hi all,
I am currently implementing the use of the lobby ambassador for guest account creation, however I am looking to see if some features exist. I would like to be able to tie into AD to create lobby ambassador's to have further control of who can and cannot create guest accounts. I am also looking if there is a way to put restrictions on the time frame a guest account can remain active for when created by the lobby ambassador. An example of what I am trying to do is to not have a guest account created by an ambassador to go over a day for it's time frame.
Thanks in advance,
Chris

Yes and yes. From WCS you can pull the role for lobby admin and use that to create the group with the proper attributes.
Then on the WCS you build the template you want them to use. There you can create the restrictions of how long.
Steve
Sent from Cisco Technical Support iPhone App

Prime Lobby Ambassador defaults scheduling guest users

Hi.
I'm actually testing Prime Infrastructure and one important thing there for me is the Lobby Ambassador feature.
I want to give our colleagues from other sites the possibility to create guest accounts on their own, but with some defaults already set. They should only be able to create accounts with a lifetime of 14 days ( not editable ), but with the possibility to schedule the accounts.
If I now set the defaults of the Lobby Ambassador to 14 days lifetime and make them not editable, the Lobby Ambassador can’t schedule the guest user. If they choose “Schedule Guest User” from dropdown, they get the message “The creation will be scheduled 5 minutes after the current server time.”
Is there a way to get that working?
Best would be to have the defaults partially not editable, so that you can make some things default ( e.g. lifetime, generate password, controller config group ) and some things editable ( e.g. description, disclaimer, scheduling ).
Regards,
Sven Lindeke

I went through this nightmare before as well if memory serves. Unfortunately, it doesn't appear it's possible.
If I'm incorrect, someone please pipe up as I don't believe I was ever able to find a way either.

WCS Lobby Ambassador and Monitor User

Similar Messages

Maybe you are looking for