Creating a Lobby Ambassador Account

Lobby ambassador account

A lobby ambassador account is a user account that

  • allows designated personnel (lobby ambassadors) to create and delete guest users on the network

  • allows lobby ambassadors to assign guest user parameters such as password, life span, and role profile, and

  • restricts lobby ambassadors from creating WLAN or web authentication policies.

Feature history

This table provides release and related information about the feature explained in this section.

This feature is also available in all releases subsequent to the one in which it is introduced, unless noted otherwise.

Table 1. Feature history for lobby ambassador account

| Feature Name | Release Information | Feature Description |
|---|---|---|
| Lobby ambassador account | Cisco IOS XE Dublin 17.2.x | From Cisco IOS XE Cupertino 17.2.x onwards, lobby administrators can add or delete a client from the allowed list to manage the association with a WLAN or SSID. |

As a global administrator, you create a lobby ambassador user to manage guest accounts.

Configure the RADIUS server with the Cisco-AV-pair privilege level set greater than zero to enable lobby ambassador functionality.


Note


An administrator can create lobby ambassador accounts remotely using a RADIUS or TACACS server, or locally.

Only the administrator can create WLAN policies, web authentication policies, and AAA attribute lists. Lobby ambassadors use these attribute lists to map guest users to role profiles, including Quality-of-Service profiles.

After upgrading to Cisco Catalyst 9800 Controller software release 17.2.x, clear the browser cache to correctly view the lobby admin GUI.


Create a lobby ambassador user account

You can configure administrator or lobby ambassador usernames and passwords to prevent unauthorized users from reconfiguring the controller and viewing configuration information.

Create a user account (GUI)

Add a new user account to the system.

Procedure


Step 1

Choose Administration > User Administration.

Step 2

Click Add.

Step 3

In the User Name field, enter a user name for the new account.

Step 4

Select the policy that you want to associate with the user from the Policy drop-down list.

Step 5

Select the privilege level that you want to associate with the user by clicking the user privilege icon from the Privilege drop-down list. The options are:

  • Go to Basic Mode

  • Go to Advanced Mode

Go to Basic Mode: This privilege level defines the commands that users enter using the CLI after they have logged into the device. Privilege one allows access in user EXEC mode and privilege 15 allows access in Privileged EXEC mode.

Go to Advanced Mode:

Admin: Users with Privilege 15 can execute all the show, config, and exec commands on the device. These users will have access to all GUI sections.
Read Only: Users with Privileges one to 14 are considered read-only users. The default privilege is one if a user is created using the GUI. These users have access only to the Dashboard and the Monitoring sections.
No Access: Users with Privilege zero can log in to the device through Telnet or SSH to access the CLI, but cannot access the GUI.
Lobby Admin: Users who can create only guest user accounts. Lobby ambassadors can create and delete guest users and set parameters such as:
  • Password.

  • Lifetime of the guest user.

  • Guest role profiles (Quality-of-Service profiles) that should be applied to a guest using the AAA attribute list.

Step 6

In the Password field, enter a password for the new account.

Step 7

In the Confirm Password field, enter the same password again to confirm it.

Step 8

Click Apply to Device.


Log in using the lobby account

Execute the following commands before logging in using the lobby credentials:

  • aaa new-model

  • aaa authorization exec default local

  • ip http authentication aaa

Log out from the administrator account. Then, log in using the lobby credentials. After logging in, the Guest User page appears.

Create a lobby ambassador account (CLI)

Add a new lobby ambassador (guest network administrator) to the system using CLI commands.

Procedure


Step 1

Enter the global configuration mode.

Example:

Device# configure terminal

Step 2

Create a user account.

Example:

Device(config)# user-name example-user

Step 3

Specify the account type as lobby admin.

Example:

Device(config-user-name)# type lobby-admin

Step 4

Create a password for the lobby administrator account.

Example:

Device(config-user-name)# password 0 example-password

Step 5

Create an attribute list for lobby admin access.

Example:

Device(config-user-name)# aaa attribute list example-user

Step 6

Create an attribute type for lobby admin access.

Example:

Device(config-user-name)# attribute type wlan-profile-name wlan_wl_mab

Step 7

Return to the global configuration mode.

Example:

Device(config-user-name)# exit
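
A reviewer can run a check like the following over saved configuration text to confirm the three login prerequisites listed above and to inspect each lobby-admin account created by the CLI procedure. This is an added example, not Cisco's code; the stanza layout (a user-name line followed by indented sub-commands), the sample configuration, and the names example-list and front-desk are assumptions.

```python
import re

# Commands the page requires before logging in with lobby credentials.
PREREQS = ("aaa new-model", "aaa authorization exec default local",
           "ip http authentication aaa")

# Constructed sample configuration, not taken from a real controller.
SAMPLE = """\
aaa new-model
ip http authentication aaa
user-name example-user
 type lobby-admin
 password 0 example-password
 aaa attribute list example-list
 attribute type wlan-profile-name wlan_wl_mab
user-name front-desk
 type lobby-admin
"""

def parse_users(config_text):
    """Collect 'user-name NAME' stanzas and their indented sub-commands."""
    users, current = [], None
    for line in config_text.splitlines():
        m = re.match(r"user-name (\S+)\s*$", line)
        if m:
            current = {"name": m.group(1), "type": None, "pw_type": None, "attr_list": None}
            users.append(current)
        elif current is not None and line.startswith(" ") and line.strip():
            w = line.split()
            if w[0] == "type" and len(w) == 2:
                current["type"] = w[1]
            elif w[0] == "password" and len(w) >= 3:
                current["pw_type"] = w[1]  # "0" means the password follows unencrypted
            elif w[:3] == ["aaa", "attribute", "list"] and len(w) == 4:
                current["attr_list"] = w[3]
        elif line.strip():
            current = None  # any other top-level command ends the stanza
    return users

def audit(config_text):
    """Return findings on login prerequisites and lobby-admin accounts."""
    present = {line.strip() for line in config_text.splitlines()}
    out = [f"missing prerequisite: {c}" for c in PREREQS if c not in present]
    for u in (u for u in parse_users(config_text) if u["type"] == "lobby-admin"):
        if u["pw_type"] == "0":
            out.append(f"{u['name']}: password entered as type 0 (unencrypted)")
        if u["attr_list"] is None:
            out.append(f"{u['name']}: no AAA attribute list attached")
    return out
```

Calling audit(SAMPLE) reports the missing aaa authorization exec default local command, the type 0 password on example-user, and the absent attribute list on front-desk.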