Solved: WLC Lobby Admin with ACS 5.1

jmarshman · ‎01-24-2012

Hello,

Just wondering if someone knew how to configure a LobbyAdmin account for WLC 7.0 on a 5.1 ACS? I'm very new to ACS 5.1 and need to advise as to how to configure it.

I've got the ACS policy working that allows me to login to the WLC using a user account with full rights but the Lobby admin account can login with full rights as well. I've tried setting the custome attributes in the shell profiles with role0-mandatory-LobbyAmbassador, task0-Mandatory-Configure Guest User and task1-Mandatory-Lobby Ambassador User Preferences but it still doesn't work.

Scott Fella · ‎01-24-2012

Double check you shell profile... might want to delete it and recreate it, if you are sure it is hitting that policy.

-Scott
*** Please rate helpful posts ***

View solution in original post

Stephen Rodriguez · ‎01-24-2012

can you rebuild the attribute, or try to put the cursor in front of LOBBY and backspace?

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

View solution in original post

Scott Fella · ‎01-24-2012

If you have the WLC there already for management, the role for lobby is role1=LOBBY. Of course you will have two separate policies in ACS, one for your management and one for lobby.

-Scott
*** Please rate helpful posts ***

jmarshman · ‎01-24-2012

I made the changes and added the rule and now I can't login to the WLC with any account. My hit count goes up but I can't login.

Scott Fella · ‎01-24-2012

You not defineing a group or AD1. So your policy is very generic... If you look at mine, I define what group the user is in first then it looks for the others.

-Scott
*** Please rate helpful posts ***

jmarshman · ‎01-24-2012

I've created the group and added the lobby admin user to that group. I added the group to the rule and I get a hit count on the role but I still can't login.

Scott Fella · ‎01-24-2012

You need to define two different shell profiles, don't combine the two together. For the wlc it is role1=ALL and for lobby its role1=LOBBY.

-Scott
*** Please rate helpful posts ***

jmarshman · ‎01-24-2012

I have two shell profiles configured,

Scott Fella · ‎01-24-2012

On your policy, it shows only WLC-Lobby as your shell profile. One policy should have WLC-Admin and the other WLC-Lobby.

-Scott
*** Please rate helpful posts ***

jmarshman · ‎01-24-2012

I noticed that and corrected it, now I can login with full admin but not with Lobby admin. I'm checking the debug logs now.

Scott Fella · ‎01-24-2012

Double check you shell profile... might want to delete it and recreate it, if you are sure it is hitting that policy.

-Scott
*** Please rate helpful posts ***

Scott Fella · ‎01-24-2012

Can you screen shot your command sets?

-Scott
*** Please rate helpful posts ***

jmarshman · ‎01-24-2012

Screen shot of command set,

Scott Fella · ‎01-24-2012

Okay... I though you had something there that also might be causing an issue.

-Scott
*** Please rate helpful posts ***

jmarshman · ‎01-24-2012

I see in your configuration that you don't have the command set field, is that becuase you are using AD as the source for your users?

Scott Fella · ‎01-24-2012

Correct... I can use internal user groups if I wanted to, but I'm just testing AD for now.

-Scott
*** Please rate helpful posts ***