I'm glad you've posted this question. I have exactly the same scenario. Without a response yet from this forum, my only thought for a workaround is to use one of my four WLCs as dedicated for our Helpdesk to create Guest accounts on.
Check out page 7-2 of the WCS Config Guide for version 4.1. Here's the snippet that is causing our problem: "This section describes how to configure a WCS user. The accounting portion of the AAA framework is not implemented at this time."
We have it set up so that our HelpDesk folks authenticate into WCS via TACACS, and TACACS (via Authorization) drops them in as LobbyAmbassadors. Since WCS doesn't log (no accounting), we can't audit what guest accounts were created by whom.
I do not have any idea as to why only AA of AAA would be implemented.
IRT your question about Admins - we have not put anyone in that Group yet. The network team is configured in the SuperUsers group.
So our question remains unanswered. How can we audit folks that we've empowered to create Guest accounts? We'd want to know the person who created the account and when.
We may have found a workaround that gets us what we need. Again, the issue I'm most interested in addressing is the lack of AAA (last A) between WCS and ACS when using TACACS as the method to authenticate the folks that I want to be Lobby Ambassadors. I must be able to audit who has created Guest accounts and when the account was created.
If you create an account in WCS using the same username as their (by 'their' I mean the non-IT type personnel that we've empowered to be Lobby Ambassadors) username in ACS, then you can see the Audit Trail. The information was there all along, it's just that 1) WCS doesn't let you see the log locally if there is no account to match it and 2) WCS doesn't forward the information to ACS.
So I went in and added all of our admins as local accounts and set them up as Lobby Ambassadors: Administration > AAA > Users > Add User. I just made up a password for them. The cool part is that the password I made for their local account in WCS doesn't come into play. They are still authenticated against ACS.