WCS Lobby Ambassador with AAA Authentication

We are using WCS 7.0.164.0. I configured a user as a local lobby ambassador with special defaults and also with a special guest login logo. If I use this user to create guest accounts, everything is all right.

Now I want to change the authentication to RADIUS, so I export the Cisco lobby ambassador attributes to the RADIUS server and extend these network policies. Now I can log in as the user, authenticated by the RADIUS server, and I create guest accounts in the same way as before with local login, BUT!!! Our special guest login logo isn't shown and there is no way to upload or configure this special logo.

Is there a way to configure these options for users authenticated with AAA?

Thanks for any help,
Bernhard

Hi Bernhard,
I used the following doc link: http://www.cisco.com/en/US/customer/tech/tk722/tk809/technologies_tech_note09186a0080851f7c.shtml
The trick I used is to configure the same username on tacacs+ and local, but with different passwords.
local-user: configure your special attributes like logo
tacacs+: configure the authentication and group
The local-user password is not the same as the tacacs+ password.
I configured Authentication in WCS section: Administration > AAA > AAA Mode Settings
Enable fallback to local == on auth failure or no server response
Maybe if you deselect Enable fallback to local you can only authenticate to tacacs+. But now I can authenticate with local user/password and tacacs+ user/password.
Attributes for tacacs+ or radius server can be exported in WCS section: Administration > AAA > All Groups; Export Task List
Attributes for tacacs+ server:
virtual-domain0=root
role0=LobbyAmbassador
task0=Configure Guest Users
task1=Lobby Ambassador User Preferences
Attributes for Radius (I never tried radius):
Wireless-WCS:role0=LobbyAmbassador
Wireless-WCS:task0=Configure Guest Users
Wireless-WCS:task1=Lobby Ambassador User Preferences
==> I think also virtual-domain can be set.

Similar Messages

  • WCS - Lobby Ambassador users don't see each other's guest users

    Hi, we currently have the problem with WCS 5.2 that a user of the group "Lobby Ambassador" cannot see guest users that have been created by another user of that group. The user can only see his own created guest users. All are in the same virtual domain which is the root-domain.
    I believe this behaviour was not this way in previous versions, here all guest users were visible to all Lobby Ambassador users.
    I couldn't find any hint in the documentation about this.
    Is this simply a change in behaviour (works as designed) or is this maybe a bug?

    You will get this error:
    Error(s): You must correct the following error(s) before proceeding:
    Error:A Guest User account with the name ''lobby user'' has already been created by you or another WCS Lobby Ambassador user. Please choose a different User Name for this Guest account.

  • WCS Lobby Ambassador Accounts

    Unable to manage Guest accounts created by different WCS Lobby Ambassador user Accounts.
    I have set up three Lobby Ambassador accounts in WCS. Three staff members have been given separate usernames and passwords to WCS with Lobby Ambassador profiles to allow them to create and manage the Guest Wireless Accounts.
    It was expected that they would be able to view and manage all Guest accounts, but they can only manage accounts they created. If I log in as WCS admin I can then see all accounts created by each user.
    We require that all three can view and manage each other's accounts using their own WCS login. Is this possible, as the docs do not mention it??

    Hi Stuart,
    Just to add a note to the great tips from Leo;
    CSCsw42942 Bug Details
    SuperUser cannot see guest users created by admin users
    Symptom: If a WCS admin user creates a guest user through controller template, a Superuser will not be able to see the guest user created.
    Conditions: wcs 5.2.110
    Workaround: the root user can see everything
    Further Problem Description:
    Status: Fixed
    Severity: 3 - moderate
    Last Modified: In Last 3 Days
    Product: Cisco Wireless Control System
    Technology:
    1st Found-In: 5.2(110.0)
    Fixed-In: 5.2(122.0), 6.0(23.0)
    Have a look at this good recent thread;
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc2cc01
    And this good thread;
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&topicID=.ee6e8c0&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc3077f
    Hope this helps!
    Rob

  • WCS Lobby Ambassador and Monitor User

    I'm running our WCS authentication through ACS with TACACS and it's working fine.  However, I currently have my Help Desk set up with a monitor user so they can log in and view WCS, but this does not give them the Lobby Ambassador of course.  How can I get a user to have both WCS and Lobby access with having to log in with separate user identities?

    It's either an admin or a lobby account, you cannot have both; the http pages are completely different and don't intermix.
    Your solution is to have 2 users on your TACACS where one is the admin and one the lobby.
    Here are the step by step config lines:
    http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0admin.html#wpmkr1064288

  • WCS Lobby Ambassador audit report for a specific period of time

    Hi all,
    I know there is an WCS audit report for each lobby ambassador activities. But the problem is that I see only activities from Nov 9 to the present. I don't know what the reason is, whether somebody erased that information before Nov 9 or something else happened.
    Is there any option to manually configure a specific period of time, for example obtain all activities for last 3 months?
    Thanks for any hint.
    Jozef

    Hi Koti,
    What error did you meet when you used audit report from Oct 16 to Oct 31?
    Please check the log file to find more information about this issue. The path of the log file is: C:\Program Files\Common Files\microsoft shared\Web Server Extensions\15\LOGS. You can check the log file whose modified date is from Oct 16 to Oct 31.
    In addition, please deactivate and reactivate Reporting feature at site collection level.
    A similar post for your reference:
    http://sharepointknowledgebase.blogspot.com/2012/07/unexpected-error-when-trying-to-view.html#.VG2cFouUeog
    About audit log report, please take a look at:
    https://support.office.com/en-us/article/Configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2?ui=en-US&rs=en-US&ad=US
    Best Regards,
    Wendy
    Wendy Li
    TechNet Community Support

  • WCS Lobby Ambassador

    Hello all,
    In WCS by default the lobby ambassador has option to generate manual or auto (random) password for guest user account.
    Is there any way that we can restrict lobby ambassador to generate manual password for guest user ?
    Regards,
    Anis

    No, not exactly,
    We don't want lobby admins to create manual passwords for their guests. Lobby admins should have the option to generate random passwords only.
    Regards,
    Anis

  • Lobby Ambassador - Automatic deletion from WCS after Expiry or Account

    Hi Guys,
    When I create a guest account and the account time expires, the account still remains on the WCS (but not on the controller).
    Is this a feature of the WCS or a bug?
    If so, can I ask the WCS to automatically remove all guest users accounts from the WCS lobby ambassador either directly after expiry, or say at 00:00 hours every day?
    Many thx
    Ken

    Hi there,
    Many thx.
    The way I understand it, is that yes the user expires, but you still have to clear down the username off the WCS periodically.
    Just thought the WCS may be able to do this as the timer expires but had a chat with a few guys at Cisco and is not possible currently.
    Cheers
    Ken

  • Customize Lobby Ambassador View

    Hi all,
    I have a problem with the following situation:
    - Cisco Prime Infrastructure 2.0 (2.0.0.0.294)
    - Cisco ACS 5.4 (5.4.0.46.0a)
    - 2x Cisco WLAN Controller 5508 in SSO mode
    - x APs 2600 Series
    All devices are configured properly, I can see the WLC on Prime, etc.
    Prime and WLC are added to ACS for TACACS+ Authentication.
    Admin users are able to login to Prime with full feature set (root permission).
    Lobby Ambassadors can also login to Prime for Guest User creation.
    Therefore I have created two Shell Profiles on ACS.
    Now I want to create WLAN Guest User with Lobby Ambassador Account (TACACS-authenticated!).
    I want to customize the Default Guest User Creation page with a company logo and some default settings (WLAN Profile, Apply to Controller List, set "generate password" to fixed, etc.) to fixed values.
    Only thing what Lobby Ambassador can change should be setting the password period (with hours or using calender), guest user name and description.
    If I configure a local user on Prime, I can customize the page.
    However if I use TACACS user, I am not able to use the customized page.
    Can anybody help me with this issue?
    THANKS a lot!!!!
    edit: problem solved by workaround...
    https://supportforums.cisco.com/thread/2201703
    BR, Stefan

    You will not be able to unless you build a back-end that does it and sends the commands to the WLC. Other than that, you can't customize the lobby ambassador page.

  • Cisco Nexus AAA authentication and console access

    We have a Nexus 7k with AAA authentication working. Now I have an issue: I can't log in using the console port because my logins are rejected. Is there any way we can log in to the console with local login details, or do we have to use ACS server (AAA) logins when connected to the console (while the ACS server is still reachable)?
    My main question is: I want to log in using the console port while the ACS server is still reachable. Is it possible?

    Perhaps I am not understanding some parts of the original post and if so I would appreciate clarification of what I missed. But it seems to me that the main question in the original post is whether the original poster would be able to login on the console. And it seems to me that the high level answer is that yes login to the console should be possible. The details of how that would work are dependent on details of how the N7K is configured. If the original poster would provide some details of the configuration (especially all of the aaa authentication commands and the configuration of line con 0) we would be in a much better position to provide helpful answers.
    HTH
    Rick

  • Wireless Lobby Ambassador account errantly displays NCS home page

    Hi all,
    I'm running a supported NCS 1.0 virtual appliance installation which functions fine for most folks, but Lobby Ambassadors with Windows 7 and IE8 or IE9 end up seeing an odd version of the NCS home page with all the graphs, etc, rather than the normal very restrictive list of guest users.  Viewed with the same credentials with XP and IE7 or IE8, it's fine!  Does not matter whether or not Chrome Frame gets installed.  It's not as though the credentials are truly elevated, since the entire command bar is devoid of commands....it just doesn't show the list of guest users.
    Anyone else?
    Gary

    Noticed there was a patch released for 1.1.1 on the 14th of June, but haven't been able to find any release notes for the patch.
    Tried to install it myself; it fails every time with "% Manifest file not found in the bundle"
    Getting the same error no matter if I use the main command /patch install or /application update
    application update ncs1_1_update_file.ubf FTPRepository
    patch install ncs1_1_update_file.ubf FTPRepository
    * Edit: the patch in question is only for the WAN release, which doesn't include wireless management, so I guess we are waiting for a separate patch for the general package

  • Aaa authentication enable console issue

    I have an ASA5505 running 8.2(5). It is configured with
    aaa authentication telnet console xxxxxx LOCAL
    and I am able to use my username and password to telnet in, but I then have to use the local enable password to get to privilege exec mode.
    I tried configuring aaa authentication enable console xxxxxx LOCAL so that when I try to access privilege exec mode,I would be prompted for my password instead of the enable password, but it doesn't work.
    I also tried removing the aaa authentication telnet console xxxxxx LOCAL and telenetted in with the local passwd.
    I was prompted for a username and password when trying to get to priv exec mode, but again, the credentials did not work.
    Could there be something that needs to be changed on the ACS server to make this work?
    Thanks.

    Using TACACS+
    No command authorization rules are being used
    When I add the aaa authentication enable console xxxxxxxx LOCAL command,
    and use login instead of enable, I get Login failed if I try to use my credentials.
    However, if I use login with the locally configured username and password, it lets me in.
    Here is the config (without the aaa authentication enable console command):
    User Access Verification
    Username: xxx/xxxxxxxxxx
    Password: ************
    Type help or '?' for a list of available commands.
    FW> en
    Password: ********
    FW# sh ru
    : Saved
    ASA Version 8.2(5)
    terminal width 511
    hostname xxxxxxxx
    enable password *********** encrypted
    passwd *********** encrypted
    names
    interface Ethernet0/0
    switchport access vlan xxx
    interface Ethernet0/1
    switchport access vlan xxx
    shutdown
    interface Ethernet0/2
    switchport access vlan xxx
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlanxxx
    nameif inside
    security-level 100
    ip address x.x.x.x x.x.x.x
    interface Vlanxxx
    nameif OUtside
    security-level 0
    ip address x.x.x.x x.x.x.x
    ftp mode passive
    same-security-traffic permit intra-interface
    object-group protocol TCPUDP
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_1
    protocol-object udp
    protocol-object tcp
    group-object TCPUDP
    object-group protocol DM_INLINE_PROTOCOL_2
    protocol-object udp
    protocol-object tcp
    group-object TCPUDP
    object-group protocol DM_INLINE_PROTOCOL_3
    protocol-object ip
    protocol-object udp
    protocol-object tcp
    object-group protocol DM_INLINE_PROTOCOL_4
    protocol-object ip
    protocol-object udp
    protocol-object tcp
    access-list Outside_access_in extended permit ip any any
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
    access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
    access-list OUtside_access_in extended permit icmp any any
    access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
    pager lines 24
    logging enable
    logging asdm informational
    logging host inside x.x.x.x
    mtu inside 1500
    mtu OUtside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group inside_access_in in interface inside
    access-group OUtside_access_in in interface OUtside
    route inside 0.0.0.0 0.0.0.0 x.x.x.x 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa-server xxxxxxxxx protocol tacacs+
    aaa-server xxxxxxxxx (inside) host x.x.x.x
    key *****
    aaa-server xxxxxxxxx (inside) host x.x.x.x
    key *****
    aaa-server xxxxxxxxx (inside) host x.x.x.x
    key *****
    aaa authentication http console ******* LOCAL
    aaa authentication ssh console ******* LOCAL
    aaa authentication telnet console ******* LOCAL
    aaa local authentication attempts max-fail 5
    http server enable
    http x.x.x.x x.x.x.x inside
    http x.x.x.x x.x.x.x inside
    snmp-server host inside x.x.x.x community ***** version 2c
    snmp-server host OUtside x.x.x.x community ***** version 2c
    snmp-server host inside x.x.x.x community ***** version 2c
    no snmp-server location
    no snmp-server contact
    snmp-server community *****
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet x.x.x.x x.x.x.x inside
    telnet x.x.x.x x.x.x.x inside
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd auto_config OUtside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    username ******* password ************** encrypted privilege 15
    username ******* password ************** encrypted privilege 15
    username ******* password ************** encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:
    : end
    FW#
    Thanks.
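
An added example, not part of the original posts: a small audit that reads an ASA configuration and reports, for each login method, whether an `aaa authentication <method> console` line exists and whether it falls back to LOCAL. The sample config is constructed from the AAA lines shown above; the server group name `TACACS_GRP`, the host address and the function names are assumptions.

```python
import re

# Constructed sample modelled on the AAA lines of the posted config.
# TACACS_GRP is a placeholder: the post masks the real server group name.
SAMPLE_CONFIG = """\
enable password PLACEHOLDER encrypted
aaa-server TACACS_GRP protocol tacacs+
aaa-server TACACS_GRP (inside) host 192.0.2.10
aaa authentication http console TACACS_GRP LOCAL
aaa authentication ssh console TACACS_GRP LOCAL
aaa authentication telnet console TACACS_GRP LOCAL
aaa local authentication attempts max-fail 5
username admin password PLACEHOLDER encrypted privilege 15
"""

# Login methods that take an "aaa authentication <method> console" line.
METHODS = ("serial", "telnet", "ssh", "http", "enable")
AAA_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?$")
GROUP_RE = re.compile(r"^aaa-server (\S+) protocol \S+$")


def audit_aaa(config_text):
    """Return {method: {"source", "local_fallback", "note"}} per login method."""
    # Collapse runs of whitespace so indented or padded lines still match.
    lines = [" ".join(raw.split()) for raw in config_text.splitlines()]
    groups = {m.group(1) for m in map(GROUP_RE.match, lines) if m}
    result = {
        m: {"source": None, "local_fallback": False, "note": ""} for m in METHODS
    }
    for line in lines:
        m = AAA_RE.match(line)
        if not m or m.group(1) not in result:
            continue
        method, source, fallback = m.groups()
        entry = result[method]
        entry["source"] = source
        entry["local_fallback"] = fallback is not None
        if source != "LOCAL" and source not in groups:
            entry["note"] = "server group is not defined by an aaa-server line"
    for method, entry in result.items():
        if entry["source"] is None:
            entry["note"] = (
                "privileged EXEC is protected only by the shared enable password"
                if method == "enable"
                else "no per-user AAA authentication configured"
            )
    return result


def unconfigured(config_text):
    """List the login methods that have no aaa authentication line at all."""
    return [m for m, e in audit_aaa(config_text).items() if e["source"] is None]


if __name__ == "__main__":
    for method, entry in audit_aaa(SAMPLE_CONFIG).items():
        source = entry["source"] or "(none)"
        fallback = " + LOCAL fallback" if entry["local_fallback"] else ""
        note = f"  <- {entry['note']}" if entry["note"] else ""
        print(f"{method:7} {source}{fallback}{note}")
```

Run against the sample, the report shows telnet, ssh and http authenticating against the server group with LOCAL fallback, while enable and serial have no AAA line, which matches the behaviour described in the first post of this thread.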

  • ACE 4700 and Cisco ACS aaa authentication

    ACE version Software
    loader: Version 0.95
    system: Version A1(7b) [build 3.0(0)A1(7b)
    Cisco ACS version 4.0.1
    I am trying to authenticate admin users with AAA authentication for ACE management.
    This is what I've done:
    ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
    warning: numeric key will not be encrypted
    ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
    ACE-lab/Admin(config-tacacs+)# server ?
    <A.B.C.D> TACACS+ server name
    ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
    can not find the TACACS+ server
    specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
    ACE-lab/Admin(config-tacacs+)#
    Why am I getting this error? I have full
    connectivity between the ACE and the ACS
    server. Furthermore, the ACS server
    works fine with other Cisco IOS devices.
    Please help. Thanks.

    Thanks. Now I have another problem. I CAN
    log into the ACE via tacacs+ account(s).
    However, I get error when I try going into
    configuration mode:
    ACE-lab login: ngx1
    Password:
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    ACE-lab/Admin# conf t
    ^
    % invalid command detected at '^' marker.
    ACE-lab/Admin#
    The ngx1 account can access other Cisco
    routers/switches just fine and can go into
    enable mode just fine. Only issue on the ACE.
    Any ideas? Thanks.

  • Lobby Ambassador - WCS Logging of Guest Account Creation

    Hello all,
    If I am user "admin-ken" and I setup an guest user account "guestuser1" via the WCS controller templates > Guest User (which takes me into lobby ambassador), is there a log file that indicates that "admin-ken" had setup "guestuser1" guest account?
    Many thx indeed,
    Kind regards,
    Ken

    Hi Ken,
    Hope all is well :)
    Maybe this is what you are looking for;
    Logging the Lobby Ambassador Activities
    The following activities are logged for each lobby ambassador account:
    •Lobby ambassador login: WCS logs the authentication operation results for all users.
    •Guest user creation: When a lobby ambassador creates a guest user account, WCS logs the guest user name.
    •Guest user deletion: When a lobby ambassador deletes the guest user account, WCS logs the deleted guest user name.
    •Account updates: WCS logs the details of any updates made to the guest user account. For example, increasing the life time.
    Follow these steps to view the lobby ambassador activities.
    Note You must have superuser status to open this window.
    Step 1 Log into the Navigator or WCS user interface as an administrator.
    Step 2 Click Administration > AAA, then click Groups in the left sidebar menu to display the All Groups window.
    Step 3 On the All Groups windows, click the Audit Trail icon for the lobby ambassador account you want to view. The Audit Trail window for the lobby ambassador displays.
    This window enables you to view a list of lobby ambassador activities over time.
    •User: User login name
    •Operation: Type of operation audited
    •Time: Time operation was audited
    •Status: Success or failure
    Step 4 To clear the audit trail, choose Clear Audit Trail from the Select a command drop-down menu and click GO.
    http://www.cisco.com/en/US/docs/wireless/wcs/4.2/configuration/guide/wcsmanag.html#wp1076868
    http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html#wp1001609
    Hope this helps!
    Rob

  • Lobby Ambassador can't email guest user accounts via WCS

    WCS is configured with SMTP server under Administration-Settings-Mail Server Configuration and test is successful and it sends e-mail alerts out no problem. However, when Lobby Ambassador creates a new guest account and clicks on the e-mail link to email it out, this message pops-up: 'Email Server is not configured.Contact Network Administrator'.
    Any ideas?

    by poking around I've found an answer. Even though we have a single email server, right after I've added the same server as a secondary email server, notifications started working. Seems to be a WCS bug.

  • WCS setup RADIUS users Lobby Ambassador Defaults

    Hi
    I'm using RADIUS so my users can use their active directory credentials to login WCS and generate guest users accounts...
    But I would like to set up some Lobby Ambassador Defaults. I can easily do this for local users on the WCS system, but how do I set up defaults for RADIUS users?
    Best Regards,
    Steffen.

    Hi Scott
    Thanks for your reply.
    I've already read the article, but I can't see that it says anything about setting up defaults for the users, only which tasks they should be able to do...
    I would like to set up defaults for the RADIUS users, so when they are authenticated as lobby ambassadors they do not need to select which SSID they are generating a guest user account for and so on...
    This is possible for local WCS users, but I need to set up these defaults for my RADIUS-authenticated users.
    Best Regards
    Steffen
    And btw.. this discussion was started by me.. https://supportforums.cisco.com/thread/2115616
