Cisco Support Community

Error: AAA Authentication Failure for UserName:lobbyadmin User Type: WLAN USER

     

     

    Introduction

    In this document, Cisco HTTS Wireless engineer "Victor Vasantha Kumar" explains an issue in which a lobby administrator account user, also known as a lobby ambassador account user, is unable to authenticate.

     


    Symptoms

    We have a 5508 Wireless LAN Controller and are also using lobby login, which is not working, and we are getting the error mentioned below.

    Product details

    WLC CT-5508-K9

     


    Problem Description

    Lobby Admin user is not getting authenticated.

    Logs

    The AAA server (ACS) is rejecting the authentication request.
    
    *tplusTransportThread: Oct XX 14:57:12.XXX: 00000000: XX 01 XX XX 09 XX XX XX 00 00 00 06 XX XX 58 XX ..............X.
    
    *tplusTransportThread: Oct XX 14:57:12.XXX: 00000010: XX 5X XX
    
    *tplusTransportThread: Oct XX 14:57:12.XXX: tplus auth response: type=1 seq_no=4 session_id=09dcadb8 length=6 encrypted=0
    
    *tplusTransportThread: Oct XX 14:57:12.XXX: 00:00:00:XX:00:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:00:00:XX:00:00
    
    *tplusTransportThread: Oct XX 14:57:12.XXX: AuthorizationResponse: 0x450e29c4
    
    *tplusTransportThread: Oct XX 14:57:12.XXX: structureSize................................32
    
    *tplusTransportThread: Oct XX 14:57:12.XXX: resultCode...................................-4
    
    *tplusTransportThread: Oct XX 14:57:12.XXX: protocolUsed.................................0xffffffff
    
    *tplusTransportThread: Oct XX 14:57:12.XXX: proxyState...................................00:00:00:YY:00:00-00:00
    
    *tplusTransportThread: Oct XX 14:57:12.XXX: Packet contains 0 AVPs:
    
    *emWeb: Oct XX 14:57:12.XXX: Authentication failed for lobbyadmin

    Resolution

    If LOCAL is selected as the second priority, then the user is authenticated against LOCAL only if the first priority is unreachable. In this configuration, LOCAL was selected as the second priority.

    Because the TACACS+ server was reachable and rejected the request, authentication for the “lobby-admin” user was attempted only against TACACS+ and never reached the LOCAL database. After LOCAL was changed to first priority, authentication started to work.
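To tell a TACACS+ reject apart from a missing TACACS+ reply when reading debug output like the Logs section above, the following added example (not part of the original document or Cisco tooling) scans the lines for a failed management login. The sample lines are constructed from the format shown on this page, and the function and field names are hypothetical.

```python
import re

# Constructed sample, modeled on the debug lines in the Logs section above.
SAMPLE = """\
*tplusTransportThread: Oct 01 14:57:12.101: tplus auth response: type=1 seq_no=4 session_id=09dcadb8 length=6 encrypted=0
*tplusTransportThread: Oct 01 14:57:12.102: 00:00:00:aa:00:00 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:00:00:aa:00:00
*tplusTransportThread: Oct 01 14:57:12.103: resultCode...................................-4
*emWeb: Oct 01 14:57:12.104: Authentication failed for lobbyadmin
"""

RESPONSE = re.compile(r"tplus auth response: .*session_id=([0-9a-f]+)")
AAA_ERROR = re.compile(r"Returning AAA Error '([^']+)' \((-?\d+)\)")
WEB_FAIL = re.compile(r"\*emWeb: .*Authentication failed for (\S+)")


def triage(log_text):
    """Return one finding per failed web login, noting whether TACACS+ replied."""
    findings = []
    session, error = None, None
    for line in log_text.splitlines():
        m = RESPONSE.search(line)
        if m:
            session = m.group(1)          # the server answered this session
        m = AAA_ERROR.search(line)
        if m:
            error = (m.group(1), int(m.group(2)))
        m = WEB_FAIL.search(line)
        if m:
            answered = session is not None
            findings.append({
                "user": m.group(1),
                "tacacs_answered": answered,
                "session_id": session,
                "aaa_error": error,
                # A reply means the first priority was reachable, so LOCAL
                # as second priority is never consulted for this login.
                "diagnosis": "rejected_by_tacacs" if answered
                             else "no_tacacs_response",
            })
            session, error = None, None   # reset for the next login attempt
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A `rejected_by_tacacs` finding for a locally defined account such as the lobby admin matches the situation resolved above by the priority order change.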

    More Information

    The controller can provide guest user access on WLANs. The first step in creating guest user accounts is to create a lobby administrator account, also known as a lobby ambassador account. Once this account has been created, a lobby ambassador can create and manage guest user accounts on the controller. The lobby ambassador has limited configuration privileges and access only to the web pages used to manage the guest accounts.

    The lobby ambassador can specify the amount of time that the guest user accounts remain active. After the specified time elapses, the guest user accounts expire automatically.

    The Local user database is limited to a maximum of 2048 entries, which is also the default value (on the Security > AAA > General page). This database is shared by local management users (including lobby ambassadors), local network users (including guest users), MAC filter entries, exclusion list entries, and access point authorization list entries. Together they cannot exceed the configured maximum value.

    Creating a Lobby Ambassador Account

    You can create a lobby ambassador account on the controller through either the GUI or the CLI.
