Regarding the WLC using RADIUS for admin or lobby ambassador login, you only need the Service Type RADIUS attribute, so if you have a RADIUS server that can send this RADIUS attribute on the RADIUS Access-Accept, it is transparent for the WLC.
For lobby-admin -> IETF RADIUS Service-Type attribute set to Callback Administrative.
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
My problem: I have a local management user profile defined on my WLC and it works fine when the Priority Order is set to LOCAL. When I change the Priority Order to make RADIUS first and LOCAL second, I can't get logged into the WLC using CLI, GUI, or the console. The last time this happened I had to reset the WLC and start over. I don't want to do that again, so I need some way to get into the WLC.
Once I can get back into the WLC, I would prefer using Active Directory to authenticate the management user, but that doesn't seem to work. My RADIUS acts as a front end for the Active Directory database and works well for many of our Cisco LAN switches and routers. Now I'm trying to set up the WLC to authenticate the management user with RADIUS. I have set the RADIUS (MS IAS) to return two attributes;
When I try to login using my AD account, the RADIUS server log shows an Access Request record, then an Access-Accept record that makes it appear RADIUS has successfully authenticated the user. But the login prompt for the GUI comes back as if it has failed. Same with the CLI login. Now I can't get logged into the WLC. How can I get into the box to manage it again?
In order to authenticate a user via a RADIUS server, for controller login and management, you must add the user to the RADIUS database with the IETF RADIUS attributes Service-Type attribute set to the appropriate value according to the user's privileges.
In order to set read-write privileges for the user, set the Service-Type Attribute to Administrative.
In order to set read-only privileges for the user, set the Service-Type Attribute to NAS-Prompt.
For Lobby Ambassador you have to return IETF RADIUS Service-Type attribute set to Callback Administrative.
That solved my problem. I have a RADIUS (MS IAS) defined, but the RADIUS is using LDAP as the database for authentication. We manage the users by Windows Groups, and in the RADIUS policy conditions check for a certain Windows group in the user profile. If it passes, they can login. If it fails they can't unless they use the administrator profile.
How did you end up fixing it? I am having the same issue. I am using Windows 2008 server. I have tried to set the RADIUS Attribute Service Type as Administrative as well as Login, but it didn't work. Also, what goes under Vendor Specific?
Note: I am trying to use this just so I can log into the WLC.