I was looking for a way to avoid creating numerous Lobby Ambassador users on a WCS, but use an existing Active Directory group instead.
The WCS configuration guide is very general on RADIUS servers other than TACACS, so I worked out the IAS related solution described below, which works with WCS 220.127.116.11 against IAS on Windows Server2003 SP1.
Of course you can authenticate every other role on the WCS, for this example I used the Admin role.
It is assumed that the WCS is correctly configured for your RADIUS servers, and has been created and configured as a RADIUS client on the IAS. The policy condition is correctly configured, so that access requests from the WCS are being successfully processed and accepted by IAS, but WCS still brings up a Login failed message.
The interesting section is in the Advanced Tab, within the policy form, where we will have to add the vendor specific attribute (VSA), and only the VSA, no other attributes are required. Once we add the VSA we create attribute values, one for the role, and additional ones for every task the user is allowed on the WCS. The attribute values are of the vendor code 9 (or select Cisco from list), and have to be entered in Hex format as "non RFC conforming" attributes. So for the Admin role, (Wireless-WCS:role0=Admin) the Hex string could have been 0x576972656c6573732d5743533a726f6c65303d41646d696e
But unfortunately it's not as simple as that.
Now we need to prefix this string with 0x01 (this stands for Cisco AV pair) and the length of the complete string (26 bytes in this case, which is 0x1a). So the final string that is to be entered is 0x011a576972656c6573732d5743533a726f6c65303d41646d696e
The next value would be Wireless-WCS:task0=Users and Groups, in Hex format (again including the prefix 0x1a and a length byte of 0x25): 0x0125576972656c6573732d5743533a7461736b303d557365727320616e642047726f757073
And so on.
In fact, you will have to calculate the Hex string and the length for every line of the task list. These lists can be found on the WCS in Administration / AAA / Groups / Export task list.
It would be wise to automate this process, I used Excel for that. For translating ASCII to HEX, there are lots of tools, like xxd (linux) or http://www.centricle.com/tools/ascii-hex/
For testing, you can start with a role with just one task.
If things dont work out, an incorrect length might be the reason. Using a sniffer is definitely helpful then.
There is a new document out, that gives more information about how the packets are assembled, http://www.cisco.com/en/US/products/ps6305/products_tech_note09186a00809038e6.shtml
Hope this helps someone. I couldnt find this information anywhere on the web.