Cisco Wireless Control System Configuration Guide, Release 4.1
Managing WCS User Accounts
Downloads: This chapterpdf (PDF - 569.0KB) The complete bookPDF (PDF - 10.26MB) | Feedback

Managing WCS User Accounts

Table Of Contents

Managing WCS User Accounts

Adding WCS User Accounts

Changing Passwords

Monitoring Active Sessions

Viewing or Editing User Information

Viewing or Editing Group Information

Viewing the Audit Trail

Deleting WCS User Accounts

Creating Guest User Accounts

Creating a Lobby Ambassador Account

Logging in to the WCS User Interface

Managing WCS Guest User Accounts

Adding Guest User Accounts

Viewing and Editing Guest Users

Deleting Guest User Templates

Scheduling WCS Guest User Accounts

Print or Email WCS Guest User Details

Logging the Lobby Ambassador Activities


Managing WCS User Accounts


This chapter describes how to configure global email parameters and manage WCS user accounts. It contains these sections:

Adding WCS User Accounts

Viewing or Editing User Information

Viewing or Editing Group Information

Creating Guest User Accounts


Adding WCS User Accounts

This section describes how to configure a WCS user. The accounting portion of the AAA framework is not implemented at this time. Besides complete access, you can give administrative access with differentiated privileges to certain user groups. WCS supports external user authentication using these access restrictions and authenticates the users against the TACACS+ and RADIUS servers.

The username and password supplied by you at install time are always authenticated, but the steps you take here create additional superusers. If the password is lost or forgotten, the user must run a utility to reset the password to another user-defined password.

Follow these steps to add a new user account to WCS.


Step 1 Start WCS by following the instructions in the "Starting WCS" section on page 2-10.

Step 2 Log into the WCS user interface as Super1.


Note Cisco recommends that you create a new superuser assigned to the SuperUsers group and delete Super1 to prevent unauthorized access to the system.


Step 3 Click Administration > AAA and the Change Password window appears (see Figure 7-1).

Figure 7-1 Change Password Window

Step 4 From the Select a Command drop-down menu, choose Add User and click GO to display the User administration page.

Step 5 In the Old Password field, enter the current password that you want to change.

Step 6 Enter the username and password for the new WCS user account. You must enter the password twice.


Note These entries are case sensitive.


Step 7 Under Groups Assigned to this User, check the appropriate check box to assign the new user account to one of the user groups supported by WCS:


Note Some usergroups cannot be combined with other usergroups. For instance, you cannot choose both lobby ambassador and monitor lite.


System Monitoring—Allows users to monitor WCS operations.

ConfigManagers—Allows users to monitor and configure WCS operations.

Admin—Allows users to monitor and configure WCS operations and perform all system administration tasks except administering WCS user accounts and passwords.


Note If you choose admin account and log in as such on the controller, you can also see the guest users under Local Net Admin.


SuperUsers—Allows users to monitor and configure WCS operations and perform all system administration tasks including administering WCS user accounts and passwords. Superusers tasks can be changed.

North bound API—A user group used only with WCS Navigator.

Users Assistant—Allows only local net user administration.

Lobby Ambassador—Allows guest access for only configuration and managing of user accounts.

Monitor lite—Allows monitoring of assets location.

Root—Allows users to monitor and configure WCS operations and perform all system administration tasks including changing any passwords. Only one user can be assigned to this group and is determined upon installation. It cannot be removed from the system, and no task changes can be made for this user.

Step 8 Click Submit. The name of the new user account appears on the All Users page and can be used immediately.

Step 9 In the sidebar, click Groups to display the All Groups page (see Figure 7-2).

Figure 7-2 All Groups Window

Step 10 Click the name of the user group to which you assigned the new user account. The Group > User Group page shows a list of this group's permitted operations.

Step 11 Make any desired changes by checking or unchecking the appropriate check boxes.


Note Any changes you make will affect all members of this user group.


Step 12 Click Submit to save your changes or Cancel to leave the settings unchanged.


Changing Passwords

Follow these steps to change the password for a WCS user account.


Step 1 Start WCS by following the instructions in the "Starting WCS" section on page 2-10.

Step 2 Log into the WCS user interface as a user assigned to the SuperUsers group.

Step 3 Click Administration > Accounts to display the Change Password page.

Step 4 Click the name of the user account for which you want to change the password. You can change the password here or through the User > Edit window.

Step 5 Enter your old password, unless you are the root user. (A root user can change any password without entering the old password.)

Step 6 On the User > Username page, enter the new password in both the New Password and Confirm New Password fields.

Step 7 Click Submit to save your changes. The password for this user account has been changed and can be used immediately.


Monitoring Active Sessions

Follow the steps below to view a list of active users.


Step 1 Choose Administration > AAA.

Step 2 From the left sidebar menu, choose Active Sessions. The Active Sessions window appears (see Figure 7-3).

Figure 7-3 Active Sessions Window

The user highlighted in red represents your current login. If a column heading is a hyperlink, click the heading to sort the list of active sessions in descending or ascending order along that column. The sort direction is toggled each time the hyperlink is clicked.

The Active sessions window has the following columns:

IP/Host Name: The IP address or the hostname of the machine on which the browser is running. If the hostname of the user machine is not in DNS, the IP address is displayed.

Login Time: The time at which the user logged in to WCS. All times are based on the WCS server machine time.

Last Access Time: The time at which the user's browser accessed WCS. All times are based on the WCS server machine time.


Note The time displayed in this column is usually a few seconds behind the current system time because Last Access Time is updated frequently by the updates to the alarm status panel. However, if a user navigates to a non-WCS Navigator web page in the same browser, the disparity in time will be greater upon returning to WCS Navigator. This disparity results because alarm counts are not updated while the browser is visiting non-WCS Navigator web pages.


Login Method:

Web Service: Internal session needed by Navigator to manage WCS.

Regular: Sessions created for users who log into WCS directly through a browser.

Navigator Redirect: Sessions created for Navigator uses who are redirected to WCS from Navigator.

User Groups: The list of groups the user belongs to. (North bound API is a user group used only with WCS Navigator.)

Audit trail icon: Link to window that displays the audit trail (previous login times) for that user.


Viewing or Editing User Information

Click in the User Name column of the Users window to see the group the user is assigned to or to adjust a password or group assignment. The detailed users window appears (see Figure 7-4).

Figure 7-4 Detailed Users Window

Viewing or Editing Group Information

Click in the Member Of column of the User window to see specific tasks the user is permitted to do within the defined group or to make changes and submit them. The detailed group window displays (see Figure 7-5).

Figure 7-5 Detailed Group Window

Viewing the Audit Trail

Click the Audit Trail icon in the Users window to view a log of authentication attempts. The Audit Trail window appears (see Figure 7-6).

Figure 7-6 Audit Trail

Deleting WCS User Accounts

Follow these steps to delete a WCS user account.


Step 1 Start WCS by following the instructions in the "Starting WCS" section on page 2-10.

Step 2 Log into the WCS user interface as a user assigned to the SuperUsers group.

Step 3 Click Administration > Accounts to display the All Users page.

Step 4 Check the check box to the left of the user account(s) to be deleted.

Step 5 From the Select a Command drop-down menu, choose Delete User(s) and click GO.

Step 6 When prompted, click OK to confirm your decision. The user account is deleted and can no longer be used.


Creating Guest User Accounts

You can use the Cisco Lobby Ambassador feature to create guest user accounts in WCS. A guest network provided by an enterprise allows access to the internet for a guest without compromising the host. The web authentication is provided with or without a supplicant or client, so a guest needs to initiate a VPN tunnel to their desired destinations.

The system administrator must first set up a lobby administrator account. A lobby ambassador account has limited configuration privileges and only allows access to the screens used to configure and manage guest user accounts. The lobby administrator has no access to online help.

This account allows a non-administrator to create and manage guest user accounts on WCS. The purpose of a guest user account is to provide a user account for a limited amount of time. The lobby ambassador is able to configure a specific time frame for the guest user account to be active. After the specified time period, the guest user account automatically expires. This section describes how a lobby ambassador can create and manage guest user accounts on WCS.

This section describes how to perform the following procedures:

Creating a Lobby Ambassador Account

Logging in to the WCS User Interface

Managing WCS Guest User Accounts

Logging the Lobby Ambassador Activities

Creating a Lobby Ambassador Account

The lobby ambassador is able to create the following types of guest user accounts:

A guest user account with a limited lifetime. The lobby ambassador is able to configure a specific end time for the guests user account to be active. After the specified time period, the guest user account automatically expires.

A guest user account with an unlimited lifetime. This account never expires.

A guest user account that is activated at a predefined time in the future. The lobby ambassador defines the start and end time of the valid time period.

Follow these steps to create a lobby ambassador account in WCS.


Note User should have SuperUser privilege (by default) to create a lobby ambassador account and not administration privileges.



Note A root group, which is created during installation, has only one assigned user, and no additional users can be assigned after installation. This root user cannot be changed. Also, unlike a super user, no task changes are allowed.



Step 1 Log into the WCS user interface as an administrator.

Step 2 Click Administration > AAA, then choose Users in the left sidebar menu.

Step 3 From the Select a Command drop-down menu, choose Add User and click GO. The Users window appears.

Step 4 On the Users window, follow these steps to add a new Lobby Ambassador account.

a. Enter the username.

b. Enter the password. The minimum is 6 characters. Reenter and confirm the password.

c. In the section Groups Assigned to this User, check the LobbyAmbassador check box.

d. Click Submit. When the lobby ambassador is added, it is part of the lobby ambassador group. The name of the new lobby ambassador account is listed and can be used immediately.


Logging in to the WCS User Interface

When you log in as a lobby ambassador, you have access to the guest user template page in the WCS. You can then configure guest user accounts (through templates).

Follow these steps to log into the WCS user interface through a web browser.


Step 1 Launch Internet Explorer 6.0 or later on your computer.


Note Some WCS features may not function properly if you use a web browser other than Internet Explorer 6.0 on a Windows workstation.


Step 2 In the browser's address line, enter https://wcs-ip-address (such as https://1.1.1.1/login.html), where wcs-ip-address is the IP address of the computer on which WCS is installed. Your administrator can provide this IP address.

Step 3 When the WCS user interface displays the Login window, enter your username and password.


Note All entries are case sensitive.



Note The lobby administrator can only define guest users templates.


Step 4 Click Submit to log into WCS. The WCS user interface is now active and available for use. The Guest Users window is displayed. This window provides a summary of all created Guest User.


Note To exit the WCS user interface, close the browser window or click Logout in the upper right corner of the window. Exiting a WCS user interface session does not shut down WCS on the server.



Note When a system administrator stops the WCS server during your WCS session, your session ends, and the web browser displays this message: "The page cannot be displayed." Your session does not reassociate to WCS when the server restarts. You must restart the WCS session.



Managing WCS Guest User Accounts

WCS guest user accounts are managed with the use of templates. This section describes how to manage WCS user accounts. It includes the following:

Adding Guest User Accounts

Viewing and Editing Guest Users

Deleting Guest User Templates

Scheduling WCS Guest User Accounts

Print or Email WCS Guest User Details

Adding Guest User Accounts

Templates are used to create guest user accounts in WCS. After the template is created, it is applied to all controllers that the guest users are allowed access. Follow these steps to add a new guest user account to WCS.


Step 1 Log into the WCS user interface as lobby ambassador.

Step 2 On the Guest User page, choose Add Template from the elect a Command drop-down menu and click GO.

Step 3 On the Guest User > New User window, enter the guest user name. The maximum is 24 characters.

Step 4 The lobby ambassador can either manually enter the username/password or will have an option to auto generate a password. If you choose to auto generate, the password field will get populated. If you enter a password, enter it twice to confirm.


Note Passwords are case sensitive.



Note The lobby administrator can only define guest user templates.


Step 5 Select a Profile ID from the drop-down menu. This is the SSID to which this guest user applies and must be a WLAN that has Layer 3 web authentication policy configured. Your administrator can advise which Profile ID to use.

Step 6 Enter a description of the guest user account.

Step 7 Choose limited or unlimited.

Limited —From the drop-down menus, choose days, hours, or minutes for the lifetime of this guest user account. The maximum is 35 weeks.

Unlimited —This user account never expires.

Step 8 Click Apply To to restrict a guest user to a confined area by selecting a campus, building, or floor so that when applied, only those controllers and associated access points are available. You can also restrict the guest user to a specific listed controller or a configuration group, which is a group of controllers that has been preconfigured by the administrator.

From the drop-down menus, choose one of the following:

Controller List: Check the check box for the controller(s) that the guest user account applies to

Indoor Area: Choose the applicable campus, building, and floor

Outdoor Area: Choose the applicable campus and outdoor area

Config Group: Choose the config group that the guest user account applies to

Step 9 Review the disclaimer information. Use the scroll bar to move up and down.


Note The Account Expiry displays the controller(s) to which the guest user account was applied to and the seconds remaining before the guest user account expires. If you need to update the lifetime parameter for this account, see the "Viewing and Editing Guest Users" section.


Step 10 Click the check box if you want to set new default disclaimer text for all future guest user accounts.

Step 11 Click Save to save your changes or Cancel to leave the settings unchanged. The Guest User Credentials window appears.


Viewing and Editing Guest Users

Follow these steps to view the current WCS guest users.


Step 1 Log into the WCS user interface as described in the "Logging into the WCS User Interface" section on page 2-11.

Step 2 On the Guest User window, click an item number under the User Name column that you would like to view or edit.

Step 3 On the Guest Users > Users window, you can edit the following items:

Profile ID: Select an Profile ID from the drop-down menu. This is the SSID to which this guest user applies and must be a WLAN that has Layer 3 web authentication policy configured. Your administrator can advise which Profile ID to use.

Description: Enter a description of the guest user account.

Limited or Unlimited:

Limited: From the drop-down menus, choose days, hours, or minutes for the lifetime of this guest user account. The maximum is 30 days.

Unlimited: This user account never expires.

Choose Apply To to restrict a guest user to a confined area by selecting a campus, building, or floor so that when applied, only those controllers and associated access points are available. You can also restrict the guest user to specific listed controllers or a config group, which is a group of controllers that has been preconfigured by the administrator. From the drop-down menus, choose one of the following:

Controller List: Check the check box for the controller(s) that the guest user account applies to.

Indoor Area: Choose the applicable campus, building, and floor.

Outdoor Area: Choose the applicable campus and outdoor area.

Config Group: Choose the Config Group that the guest user account applies to.

Step 4 Click Save to save your changes or Cancel to leave the settings unchanged. When you click Save, the screen refreshes.


Note The account expiry displays the controller(s) to which the guest user account was applied to and the seconds remaining before the guest user account expires.



Deleting Guest User Templates

During deletion of the guest account, all client stations logged in and using the guest WLAN username will be deleted. Follow these steps to delete a WCS guest user template.


Step 1 Log into the WCS user interface as described in the "Logging into the WCS User Interface" section on page 2-11.

Step 2 On the Guest Users window, check the check box to the left of the guest user account(s) to be deleted.

Step 3 From the Select a Command drop-down menu, choose Delete Guest User and click GO.

Step 4 When prompted, click OK to confirm your decision.


Note The IP address and controller name to which the guest user account was applied to displays, and you are prompted to confirm the removal of the template from the controller.


The controller sends a notification of a guest account expiry and deletion by invoking a trap. WCS processes the trap and deletes the user account expired from the configuration of that controller. If that guest account is not applied to other controllers, it can be deleted from the templates as well. A notice appears in the event logs also.

Step 5 Click OK to delete the guest user template from the controller or Cancel to leave the settings unchanged. When you delete the guest user template from the controller, you delete the specified guest user account.


Scheduling WCS Guest User Accounts

A lobby ambassador is able to schedule automatic creation of a guest user account. The validity and recurrence of the account can be defined. The generation of a new username on every schedule is optional and is enabled using a check box. For scheduled users, the password is automatically generated and is automatically sent by email to the host of the guest. The email address for the host is configured on the New User window. After clicking Save, the Guest User Details window displays the password. From this window, you can email or printer the account credentials.

Follow these steps to schedule a recurring guest user account in WCS.


Step 1 Log in to the WCS user interface as lobby ambassador.

Step 2 On the Guest User window, choose Schedule Guest User and click GO from the Select a command drop-down menu.

Step 3 On the Guest Users > Scheduling window, enter the guest user name. The maximum is 24 characters.

Step 4 Check the check box to generate a username and password on every schedule. The generation of a new username and password on every schedule is optional.

Step 5 Select a Profile ID from the drop-down menu. This is the SSID to which this guest user applies and must be a WLAN that has Layer 3 authentication policy configured. Your administrator can advise which Profile ID to use.

Step 6 Enter a description of the guest user account.

Step 7 Choose limited or unlimited.

Limited: From the drop-down menu, choose days, hours, or minutes for the lifetime of this guest user account. The maximum is 30 days.

Start time: Date and time when the guest user account begins.

End time: Date and time when the guest user account expires.

Unlimited: This user account never expires.

Days of the week: Check the check box for the days of the week that apply to this guest user account.

Step 8 Choose Apply To to restrict a guest user to a confined area by selecting a campus, building, or floor so that when applied, only those controllers and associated access points are available. You can also restrict the guest user to specific listed controllers or a configuration group, which is a group of controllers that has been preconfigured by the administrator.

From the drop-down menus, choose one of the following:

Controller List: check the check box for the controller(s) that the guest user account applies to

Indoor Area: choose the applicable campus, building, and floor

Outdoor Area: choose the applicable campus and outdoor area

Config group: choose the configuration group that the guest user account applies to

Step 9 Enter the email address to send the guest user account credentials. Each time the scheduled time comes up, the guest user account credentials are emailed to the specified email address.

Step 10 Review the disclaimer information. Use the scroll bar to move up and down.

Step 11 Click Save to save your changes or Cancel to leave the settings unchanged.


Print or Email WCS Guest User Details

The lobby ambassador can print or email the guest user account details to the host or person who will be welcoming the guest.

The email and print copy shows the following details:

Username: Guest user account name.

Password: Password for the guest user account.

Start time: Data and time when the guest user account begins.

End time: Date and time when the guest user account expires.

Profile ID: Profile ID to which this guest user applies. Your administrator can advise which Profile ID to use.

Disclaimer: Disclaimer information for the guest user.

When creating the guest user account and applying the account to a list of controllers, area, or configuration group, a link is provided to email or print the guest user account details. You can also print guest user account details from the Guest Users List window.

Follow these steps to print guest user details from the Guest Users List window.


Step 1 Log into the WCS user interface as lobby ambassador.

Step 2 On the Guest User window, check the check box next to User Name and choose Print/Email User Details from the Select a command drop-down menu and click GO.

If printing, click Print button and from the print window, select a printer and click Print or Cancel.

If emailing, click Email button and from the email window, enter the subject text and the recipient's email address. Click Send or Cancel.


Logging the Lobby Ambassador Activities

The following activities will be logged for each lobby ambassador account:

Lobby ambassador login: WCS logs the authentication operation results for all users.

Guest user creation: When a lobby ambassador creates a guest user account, WCS logs the guest user name.

Guest user deletion: When a lobby ambassador deletes the guest user account, WCS logs the deleted guest user name.

Account updates: WCS logs the details of any updates made to the guest user account. For example, increasing the life time.

Follow these steps to view the lobby ambassador activities.


Note You must have superuser status to open this window.



Step 1 Log into the Navigator or WCS user interface as an administrator.

Step 2 Click Administration > AAA, then click Groups in the left sidebar menu to display the All Groups window.

Step 3 On the All Groups windows, click the Audit Trail icon for the lobby ambassador account you want to view. The Audit Trail window for the lobby ambassador displays.

This window enables you to view a list of lobby ambassador activities over time.

User: User login name

Operation: Type of operation audited

Time: Time operation was audited

Status: Success or failure

Step 4 To clear the audit trail, choose Clear Audit Trail from the Select a command drop-down menu and click GO.