This document describes how to configure Catalyst 9800 Wireless Controllers for RADIUS and TACACS+ external authentication of Lobby Ambassador users.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
The Lobby Ambassador user is created by the network administrator. A Lobby Ambassador can create guest users (username, password, description and lifetime) and can delete them. The guest user can be created via GUI or CLI.
In this example, Lobby Ambassadors "lobby" and "lobbyTac" are configured. The Lobby Ambassador "lobby" is meant to be authenticated against the RADIUS Server and the Lobby Ambassador "lobbyTac" is authenticated against TACACS+.
The configuration is done first for the RADIUS Lobby Ambassador and then for the TACACS+ Lobby Ambassador. The matching ISE configuration for RADIUS and for TACACS+ is also shown.
Configure RADIUS on Wireless LAN Controller (WLC).
Step 1. Declare the RADIUS server. Create the ISE RADIUS Server on the WLC.
GUI:
Navigate to Configuration > Security > AAA > Servers/Groups > RADIUS > Servers > + Add as shown in the image.
When the configuration window opens, the mandatory configuration parameters are the RADIUS Server name (it does not have to match the ISE/AAA system name), the RADIUS Server IP ADDRESS and the shared secret. Any other parameter can be left default or can be configured as desired.
CLI:
Tim-eWLC1(config)#radius server RadiusLobby
Tim-eWLC1(config-radius-server)#address ipv4 192.168.166.8 auth-port 1812 acct-port 1813
Tim-eWLC1(config-radius-server)#key 0 Cisco1234
Tim-eWLC1(config-radius-server)#end
Step 2. Add the RADIUS server to a Server Group. Define a Server Group and add the RADIUS Server configured. This is the RADIUS Server used for authentication of the Lobby Ambassador user. If multiple RADIUS Servers configured on the WLC can be used for authentication, the recommendation is to add all of them to the same Server Group. The WLC then tries the servers in the group in order and fails over to the next one when a server does not respond.
GUI:
Navigate to Configuration > Security > AAA > Servers / Groups > RADIUS > Server Groups > + Add as shown in the image.
When the configuration window opens in order to give a name to the group, move the configured RADIUS Servers from the Available Servers list to the Assigned Servers list.
CLI:
Tim-eWLC1(config)#aaa group server radius GroupRadLobby
Tim-eWLC1(config-sg-radius)#server name RadiusLobby
Tim-eWLC1(config-sg-radius)#end
Step 3. Create an Authentication Method List. The Authentication Method List defines the type of authentication you need and attaches it to the Server Group that you defined. It also determines whether the authentication is done locally on the WLC or externally against the RADIUS Server, and in which order.
GUI:
Navigate to Configuration > Security > AAA > AAA Method List > Authentication > + Add as shown in the image.
When the configuration window opens, provide a name, select the type option as Login and assign the Server Group created previously.
Group Type as local.
GUI:
If you select Group Type as 'local' the WLC first checks if the user exists in the local database and then falls back to the Server Group only if the Lobby Ambassador user is not found in the local database.
CLI:
Tim-eWLC1(config)#aaa authentication login AuthenLobbyMethod local group GroupRadLobby
Tim-eWLC1(config)#end
Note: Please be aware of bug CSCvs87163 when you use local first. This is fixed in 17.3.
Group Type as group.
GUI:
If you select Group Type as 'group' and no fallback to local option checked, the WLC will just check the user against the Server Group and will not check in its local database.
CLI:
Tim-eWLC1(config)#aaa authentication login AuthenLobbyMethod group GroupRadLobby
Tim-eWLC1(config)#end
Group Type as a group and the fallback to local option is checked.
GUI:
If you select Group Type as 'group' and the fallback to local option is checked, the WLC checks the user against the Server Group and queries the local database only if the RADIUS Server does not respond (times out). If the server responds, the WLC does not trigger a local authentication: a reject from the server is final, even if the same username exists in the local database.
CLI:
Tim-eWLC1(config)#aaa authentication login AuthenLobbyMethod group GroupRadLobby local
Tim-eWLC1(config)#end
Step 4. Create an Authorization Method List. The Authorization Method List defines the authorization type needed for the Lobby Ambassador, which in this case is 'exec'. It is attached to the same Server Group that is defined. It also determines whether the authorization is done locally on the WLC or externally against the RADIUS Server.
GUI:
Navigate to Configuration > Security > AAA > AAA Method List > Authorization > + Add as shown in the image.
When the configuration window opens to provide a name, select the type option as 'exec' and assign the Server Group created previously.
Be aware that the Group Type applies the same way it was explained in the Authentication Method List section.
CLI:
Group Type as local.
Tim-eWLC1(config)#aaa authorization exec AuthozLobbyMethod local group GroupRadLobby
Tim-eWLC1(config)#end
Group Type as group.
Tim-eWLC1(config)#aaa authorization exec AuthozLobbyMethod group GroupRadLobby
Tim-eWLC1(config)#end
Group Type as group and the fallback to local option is checked.
Tim-eWLC1(config)#aaa authorization exec AuthozLobbyMethod group GroupRadLobby local
Tim-eWLC1(config)#end
Step 5. Assign the methods. Once the methods are configured, they have to be assigned to the login paths used to reach the WLC and create the guest user, that is line VTY (SSH/Telnet) and HTTP (GUI).
These steps cannot be done from GUI, hence they need to be done from CLI.
HTTP/GUI authentication:
Tim-eWLC1(config)#ip http authentication aaa login-authentication AuthenLobbyMethod
Tim-eWLC1(config)#ip http authentication aaa exec-authorization AuthozLobbyMethod
Tim-eWLC1(config)#end
When you make changes to the HTTP configuration, it is best to restart the HTTP and HTTPS services. Re-enable only the services that were enabled before: if plain HTTP (ip http server) was disabled, leave it disabled and keep only ip http secure-server.
Tim-eWLC1(config)#no ip http server
Tim-eWLC1(config)#no ip http secure-server
Tim-eWLC1(config)#ip http server
Tim-eWLC1(config)#ip http secure-server
Tim-eWLC1(config)#end
Line VTY.
Tim-eWLC1(config)#line vty 0 15
Tim-eWLC1(config-line)#login authentication AuthenLobbyMethod
Tim-eWLC1(config-line)#authorization exec AuthozLobbyMethod
Tim-eWLC1(config-line)#end
Step 6. This step is only required in software versions before 17.5.1 or 17.3.3; it is not required from the releases where CSCvu29748 was implemented. Define the remote user. The username created on ISE for the Lobby Ambassador has to be defined as a remote username on the WLC. If the remote username is not defined on the WLC, the authentication succeeds, but the user is granted full access to the WLC instead of only the Lobby Ambassador privileges. This configuration can be done only via CLI.
CLI:
Tim-eWLC1(config)#aaa remote username lobby
Step 1. Add the WLC to ISE. Navigate to Administration > Network Resources > Network Devices > Add. The WLC needs to be added to ISE. When you add the WLC to ISE, enable RADIUS Authentication Settings and configure the needed parameters as shown in the image.
When the configuration window opens, provide a name and IP address, enable RADIUS Authentication Settings and, under Protocol Radius, enter the Shared Secret configured on the WLC.
Step 2. Create the Lobby Ambassador user on ISE. Navigate to Administration > Identity Management > Identities > Users > Add.
Add to ISE the username and password assigned to the Lobby Ambassador who creates the guest users. This is the username the Administrator will assign to the Lobby Ambassador.
When the configuration window opens, provide the name and password for the Lobby Ambassador user. Also, ensure that the Status is Enabled.
Step 3. Create a Results Authorization Profile. Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles > Add. Create a result authorization profile in order to return to the WLC an Access-Accept with the needed attributes as shown in the image.
Ensure that the profile is configured to send an Access-Accept as shown in the image.
You need to add the attributes manually under Advanced Attributes Settings. The attributes define the user as a Lobby Ambassador and grant the privilege the Lobby Ambassador needs to make the required changes; they are the two values that appear in the RADIUS debug output later in this document, user-type with value lobby-admin and priv-lvl with value 15.
Step 4. Create a policy in order to process the authentication. Navigate to Policy > Policy Sets > Add. The conditions used in the policy are up to the Administrator. Here, the Network Access-Username condition and the Default Network Access protocol are used.
It is mandatory to ensure under the Authorization Policy the profile configured under the Results Authorization is selected, that way you can return the needed attributes to the WLC as shown in the image.
When the configuration window opens configure the Authorization Policy. The Authentication Policy can be left as default.
Step 1. Declare the TACACS+ server. Create the ISE TACACS Server in the WLC.
GUI:
Navigate to Configuration > Security > AAA > Servers/Groups > TACACS+ > Servers > + Add as shown in the image.
When the configuration window opens, the mandatory configuration parameters are the TACACS+ Server name (it does not have to match the ISE/AAA system name), the TACACS Server IP ADDRESS and the Shared Secret. Any other parameter can be left default or can be configured as needed.
CLI:
Tim-eWLC1(config)#tacacs server TACACSLobby
Tim-eWLC1(config-server-tacacs)#address ipv4 192.168.166.8
Tim-eWLC1(config-server-tacacs)#key 0 Cisco123
Tim-eWLC1(config-server-tacacs)#end
Step 2. Add the TACACS+ server to a Server Group. Define a Server Group and add the TACACS+ Server configured. This is the TACACS+ Server used for authentication.
GUI:
Navigate to Configuration > Security > AAA > Servers / Groups > TACACS > Server Groups > + Add as shown in the image.
When the configuration window opens, give a name to the group and move the desired TACACS+ Servers from the Available Servers list to the Assigned Servers list.
CLI:
Tim-eWLC1(config)#aaa group server tacacs+ GroupTacLobby
Tim-eWLC1(config-sg-tacacs+)#server name TACACSLobby
Tim-eWLC1(config-sg-tacacs+)#end
Step 3. Create an Authentication Method List. The Authentication Method List defines the type of authentication that is needed and attaches it to the Server Group that is configured. It also determines whether the authentication is done locally on the WLC or externally against the TACACS+ Server.
GUI:
Navigate to Configuration > Security > AAA > AAA Method List > Authentication > + Add as shown in the image.
When the configuration window opens, provide a name, select the type option as Login and assign the Server Group created previously.
Group Type as local.
GUI:
If you select Group Type as 'local', the WLC first checks if the user exists in the local database and falls back to the Server Group only if the Lobby Ambassador user is not found in the local database.
Note: Please be aware of bug CSCvs87163, which is fixed in 17.3.
CLI:
Tim-eWLC1(config)#aaa authentication login AutheTacMethod local group GroupTacLobby
Tim-eWLC1(config)#end
Group Type as group.
GUI:
If you select Group Type as group and no fallback to local option checked, the WLC will just check the user against the Server Group and will not check in its local database.
CLI:
Tim-eWLC1(config)#aaa authentication login AutheTacMethod group GroupTacLobby
Tim-eWLC1(config)#end
Group Type as group and the fallback to local option is checked.
GUI:
If you select Group Type as 'group' and the Fallback to local option is checked, the WLC will check the user against the Server Group and will query the local database only if the TACACS Server times out in the response. If the server sends a reject, the user is not authenticated, even if it exists on the local database.
CLI:
Tim-eWLC1(config)#aaa authentication login AutheTacMethod group GroupTacLobby local
Tim-eWLC1(config)#end
Step 4. Create an Authorization Method List.
The Authorization Method List defines the authorization type that is needed for the Lobby Ambassador, which in this case is exec. It is attached to the same Server Group that is configured. It also determines whether the authorization is done locally on the WLC or externally against the TACACS+ Server.
GUI:
Navigate to Configuration > Security > AAA > AAA Method List > Authorization > + Add as shown in the image.
When the configuration window opens, provide a name, select the type option as exec and assign the Server Group created previously.
Be aware that the Group Type applies the same way it is explained in the Authentication Method List part.
CLI:
Group Type as local.
Tim-eWLC1(config)#aaa authorization exec AuthozTacMethod local group GroupTacLobby
Tim-eWLC1(config)#end
Group Type as group.
Tim-eWLC1(config)#aaa authorization exec AuthozTacMethod group GroupTacLobby
Tim-eWLC1(config)#end
Group Type as group and the Fallback to local option is checked.
Tim-eWLC1(config)#aaa authorization exec AuthozTacMethod group GroupTacLobby local
Tim-eWLC1(config)#end
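The Group Type choices above, for both the RADIUS and the TACACS+ Authentication and Authorization Method Lists, all come down to one rule: the WLC walks the method list left to right and moves to the next method only when the current one cannot answer (server group timed out, or user not in the local database); a reject from a server that answered is final. The following Python model is an added example, not Cisco code and not anything the WLC runs; the local user database and the server answers in it are constructed for the example, and the function names are the example's own.

```python
"""Model of how an IOS-XE AAA method list is walked.

Added example, not Cisco code. It encodes the rule stated for the three
Group Type choices in both the RADIUS and the TACACS+ Authentication Method
List steps: methods are tried left to right, and the next one is consulted
only when the current one returns an ERROR (server group timed out, or the
username is absent from the local database). A REJECT from a server that
answered is final, even if the same username exists locally. The local user
database and the server answers below are constructed for the example.
"""
from enum import Enum


class Result(Enum):
    PASS = "PASS"
    FAIL = "FAIL"    # the method answered and said no: stop here
    ERROR = "ERROR"  # the method could not answer: try the next method


# Constructed local database (the WLC's own 'username ...' entries).
LOCAL_USERS = {"admin": "LocalPw1"}


def local_method(user, password):
    if user not in LOCAL_USERS:
        return Result.ERROR                      # unknown locally: fall through
    return Result.PASS if LOCAL_USERS[user] == password else Result.FAIL


def server_group(answers):
    """Build a 'group G' method. answers maps username -> 'accept' | 'reject';
    a username that is not in the dict gets no answer at all (timeout)."""
    def group_method(user, password):
        if user not in answers:
            return Result.ERROR                  # group unreachable / timed out
        return Result.PASS if answers[user] == "accept" else Result.FAIL
    return group_method


def method_list(group_type, fallback_to_local, group_method):
    """Map the GUI options to the CLI method order:
    local -> 'local group G'; group -> 'group G'; group + fallback -> 'group G local'."""
    if group_type == "local":
        return [("local", local_method), ("group", group_method)]
    methods = [("group", group_method)]
    if fallback_to_local:
        methods.append(("local", local_method))
    return methods


def authenticate(methods, user, password):
    """Return (result, name of the method that decided). Only ERROR moves on."""
    for name, method in methods:
        outcome = method(user, password)
        if outcome is not Result.ERROR:
            return outcome, name
    return Result.FAIL, None                     # every method errored: deny


# Constructed ISE behaviour: accepts 'lobby', rejects 'admin', silent for others.
ise_up = server_group({"lobby": "accept", "admin": "reject"})
ise_down = server_group({})                      # every request times out

if __name__ == "__main__":
    cases = [("local group G", method_list("local", False, ise_up)),
             ("group G", method_list("group", False, ise_up)),
             ("group G local", method_list("group", True, ise_up)),
             ("group G local, ISE down", method_list("group", True, ise_down))]
    for label, methods in cases:
        print(f"{label:26} admin -> {authenticate(methods, 'admin', 'LocalPw1')}")
```

The case worth noticing is 'group G local' with ISE reachable: 'admin' exists locally with the right password, yet the ISE reject ends the attempt and the local entry is never consulted. Only when the group times out does the local method get a turn.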
Step 5. Assign the methods. Once the methods are configured, they have to be assigned to the login paths used to reach the WLC and create the guest user, that is line VTY and HTTP (GUI). These steps cannot be done from GUI, hence they need to be done from CLI.
HTTP/GUI authentication:
Tim-eWLC1(config)#ip http authentication aaa login-authentication AutheTacMethod
Tim-eWLC1(config)#ip http authentication aaa exec-authorization AuthozTacMethod
Tim-eWLC1(config)#end
When you make changes to the HTTP configuration, it is best to restart the HTTP and HTTPS services. Re-enable only the services that were enabled before: if plain HTTP (ip http server) was disabled, leave it disabled and keep only ip http secure-server.
Tim-eWLC1(config)#no ip http server
Tim-eWLC1(config)#no ip http secure-server
Tim-eWLC1(config)#ip http server
Tim-eWLC1(config)#ip http secure-server
Tim-eWLC1(config)#end
Line VTY:
Tim-eWLC1(config)#line vty 0 15
Tim-eWLC1(config-line)#login authentication AutheTacMethod
Tim-eWLC1(config-line)#authorization exec AuthozTacMethod
Tim-eWLC1(config-line)#end
Step 6. Define the remote user. The username created on ISE for the Lobby Ambassador has to be defined as a remote username on the WLC. If the remote username is not defined on the WLC, the authentication succeeds, but the user is granted full access to the WLC instead of only the Lobby Ambassador privileges. This configuration can be done only via CLI.
CLI:
Tim-eWLC1(config)#aaa remote username lobbyTac
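The WLC-side procedure, for RADIUS (Steps 1 to 6 above) and for TACACS+ (the same six steps in this section), ends with a handful of lines in the running-config that have to agree with each other. The following Python script is an added example, not Cisco code: it reads 'show run' text and checks the bindings that the verify commands later in this document only let you inspect by eye. SAMPLE_RUN is constructed from the CLI steps in this document (it binds the RADIUS lists to HTTP and VTY and leaves the TACACS+ lists unbound, so that the checks have something to report); the finding texts and function names are the example's own.

```python
"""Audit of a 9800 running-config for the Lobby Ambassador AAA bindings.

Added example, not Cisco code. It checks that the HTTP and VTY login paths
point at login/exec method lists that exist, that every Lobby Ambassador
username defined on ISE is also declared with 'aaa remote username' (Step 6:
without it the ISE user gets full access on releases before CSCvu29748), that
no method list puts 'local' first on a release affected by CSCvs87163, and
that plain HTTP was not left enabled after the service restart.
"""
import re

# Constructed from the CLI steps in this document; not a real device dump.
SAMPLE_RUN = """\
aaa new-model
aaa group server radius GroupRadLobby
 server name RadiusLobby
aaa group server tacacs+ GroupTacLobby
 server name TACACSLobby
aaa authentication login AuthenLobbyMethod group GroupRadLobby local
aaa authentication login AutheTacMethod local group GroupTacLobby
aaa authorization exec AuthozLobbyMethod group GroupRadLobby local
aaa authorization exec AuthozTacMethod group GroupTacLobby
aaa remote username lobby
ip http server
ip http secure-server
ip http authentication aaa login-authentication AuthenLobbyMethod
ip http authentication aaa exec-authorization AuthozLobbyMethod
line vty 0 15
 login authentication AuthenLobbyMethod
 authorization exec AuthozLobbyMethod
 transport input ssh
"""

AUTH_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
AUTHZ_RE = re.compile(r"^aaa authorization exec (\S+) (.+)$")
REMOTE_RE = re.compile(r"^aaa remote username (\S+)$")
HTTP_RE = re.compile(r"^ip http authentication aaa (login-authentication|exec-authorization) (\S+)$")
VTY_LOGIN_RE = re.compile(r"^\s+login authentication (\S+)$")
VTY_EXEC_RE = re.compile(r"^\s+authorization exec (\S+)$")


def parse(run_cfg):
    """Collect method lists, remote usernames and the HTTP/VTY bindings."""
    cfg = {"auth": {}, "authz": {}, "remote": set(), "http": {}, "vty": {}, "http_plain": False}
    in_vty = False
    for line in run_cfg.splitlines():
        if line.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and line.startswith(" "):        # indented lines belong to the vty block
            for regex, key in ((VTY_LOGIN_RE, "login"), (VTY_EXEC_RE, "exec")):
                m = regex.match(line)
                if m:
                    cfg["vty"][key] = m.group(1)
            continue
        in_vty = False
        for regex, table in ((AUTH_RE, cfg["auth"]), (AUTHZ_RE, cfg["authz"])):
            m = regex.match(line)
            if m:
                table[m.group(1)] = m.group(2).split()   # method keywords in order
        m = REMOTE_RE.match(line)
        if m:
            cfg["remote"].add(m.group(1))
        m = HTTP_RE.match(line)
        if m:
            cfg["http"][m.group(1)] = m.group(2)
        if line == "ip http server":               # 'no ip http server' does not match
            cfg["http_plain"] = True
    return cfg


def audit(run_cfg, lobby_users, remote_username_required=True):
    """Return a list of findings; an empty list means the bindings look right."""
    cfg = parse(run_cfg)
    findings = []
    paths = {
        "HTTP": (cfg["http"].get("login-authentication"), cfg["http"].get("exec-authorization")),
        "VTY": (cfg["vty"].get("login"), cfg["vty"].get("exec")),
    }
    for path, (login, exec_) in paths.items():
        if login not in cfg["auth"]:
            findings.append(f"{path}: login authentication list missing or undefined ({login})")
        if exec_ not in cfg["authz"]:
            findings.append(f"{path}: exec authorization list missing or undefined ({exec_})")
    for kind, table in (("login", cfg["auth"]), ("exec", cfg["authz"])):
        for name, methods in table.items():
            if methods[0] == "local":
                findings.append(f"{name} ({kind}): 'local' is first; see CSCvs87163 (fixed in 17.3)")
    if remote_username_required:                    # releases before CSCvu29748
        for user in lobby_users:
            if user not in cfg["remote"]:
                findings.append(f"{user}: no 'aaa remote username' entry; ISE login would get full access")
    if cfg["http_plain"]:
        findings.append("ip http server is enabled; keep only ip http secure-server")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUN, ["lobby", "lobbyTac"]):
        print(finding)
```

Run against a real 'show run' saved to a file, pass the Lobby Ambassador usernames from ISE as lobby_users, and set remote_username_required to False on a release that already contains CSCvu29748.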
Step 1. Enable Device Admin. Navigate to Administration > System > Deployment. Before you proceed any further, select Enable Device Admin Service on the ISE node and ensure that it is enabled as shown in the image.
Step 2. Add the WLC to ISE. Navigate to Administration > Network Resources > Network Devices > Add. The WLC needs to be added to ISE. When you add the WLC to ISE, enable TACACS+ Authentication Settings and configure the needed parameters as shown in the image.
When the configuration window opens, provide a name and IP address, enable TACACS+ Authentication Settings and enter the Shared Secret configured on the WLC.
Step 3. Create the Lobby Ambassador user on ISE. Navigate to Administration > Identity Management > Identities > Users > Add. Add to ISE, the username and password assigned to the Lobby Ambassador who will create the guest users. This is the username the Administrator assigns to the Lobby Ambassador as shown in the image.
When the configuration window opens, provide the name and password for the Lobby Ambassador user. Also, ensure that the Status is Enabled.
Step 4. Create a Results TACACS+ Profile. Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles as shown in the image. This profile returns the needed attributes to the WLC in order to place the user as a Lobby Ambassador.
When the configuration window opens, provide a name for the profile, configure a Default Privilege of 15 and a Custom Attribute of Type Mandatory with name user-type and value lobby-admin. Also, leave the Common Task Type selected as Shell as shown in the image.
Step 5. Create a Policy Set. Navigate to Work Centers > Device Administration > Device Admin Policy Sets as shown in the image. The conditions used in the policy are up to the Administrator. For this document, the Network Access-Username condition and the Default Device Admin protocol are used. It is mandatory to ensure under the Authorization Policy that the TACACS+ Profile configured under Results is selected, so that the needed attributes are returned to the WLC.
When the configuration window opens, configure the Authorization Policy. The Authentication Policy can be left as default as shown in the image.
Use this section to confirm that your configuration works properly.
show run aaa
show run | sec remote
show run | sec http
show aaa method-lists authentication
show aaa method-lists authorization
show aaa servers
show tacacs
This is how the Lobby Ambassador GUI looks after a successful authentication.
This section provides information you can use to troubleshoot your configuration.
For RADIUS authentication, these debugs can be used:
Tim-eWLC1#debug aaa authentication
Tim-eWLC1#debug aaa authorization
Tim-eWLC1#debug aaa attr
Tim-eWLC1#terminal monitor
In the debug, ensure that the right method list is picked and that the ISE Server returns the needed attributes: the username, user-type with value lobby-admin and priv-lvl with value 15.
Feb 5 02:35:27.659: AAA/AUTHEN/LOGIN (00000000): Pick method list 'AuthenLobbyMethod'
Feb 5 02:35:27.681: ADD-DELETE: AAA/ATTR(00000000): add attr: sublist(0x7FBA5500C860) index(0):
7FBA5500C870 0 00000081 username(450) 5 lobby
Feb 5 02:35:27.681: ADD-DELETE: AAA/ATTR(00000000): add attr: sublist(0x7FBA5500C860) index(1):
7FBA5500C8B0 0 00000001 user-type(1187) 4 lobby-admin
Feb 5 02:35:27.681: ADD-DELETE: AAA/ATTR(00000000): add attr: sublist(0x7FBA5500C860) index(2):
7FBA5500C8F0 0 00000001 priv-lvl(335) 4 15(F)
Feb 5 02:35:27.683: %WEBSERVER-5-LOGIN_PASSED: Chassis 1 R0/0: nginx: Login Successful from host 192.168.166.104 by user 'lobby' using crypto cipher 'ECDHE-RSA-AES128-GCM-SHA256'
For TACACS+ authentication, this debug can be used:
Tim-eWLC1#debug tacacs
Tim-eWLC1#terminal monitor
Ensure that the authentication is processed with the right username and ISE IP address, and that the status PASS is seen. In the same debug, right after the authentication phase, the authorization phase follows. In that phase, ensure that the right username and the correct ISE IP address are used again. The attributes configured on ISE that mark the user as a Lobby Ambassador with the right privilege are also visible here.
Authentication phase example:
Feb 5 02:06:48.245: TPLUS: Queuing AAA Authentication request 0 for processing
Feb 5 02:06:48.245: TPLUS: Authentication start packet created for 0(lobbyTac)
Feb 5 02:06:48.245: TPLUS: Using server 192.168.166.8
Feb 5 02:06:48.250: TPLUS: Received authen response status GET_PASSWORD (8)
Feb 5 02:06:48.266: TPLUS(00000000)/0/7FB7819E2100: Processing the reply packet
Feb 5 02:06:48.266: TPLUS: Received authen response status PASS (2)
Authorization phase example:
Feb 5 02:06:48.267: TPLUS: Queuing AAA Authorization request 0 for processing
Feb 5 02:06:48.267: TPLUS: Authorization request created for 0(lobbyTac)
Feb 5 02:06:48.267: TPLUS: Using server 192.168.166.8
Feb 5 02:06:48.279: TPLUS(00000000)/0/7FB7819E2100: Processing the reply packet
Feb 5 02:06:48.279: TPLUS: Processed AV priv-lvl=15
Feb 5 02:06:48.279: TPLUS: Processed AV user-type=lobby-admin
Feb 5 02:06:48.279: TPLUS: received authorization response for 0: PASS
The debug excerpts shown previously for RADIUS and TACACS+ contain the key steps of a successful login. The full debug output is more verbose and longer. In order to disable the debugs, use this command:
Tim-eWLC1#undebug all
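The two debug excerpts above are what you read when a Lobby Ambassador login misbehaves, and the thing to look for in both is the same: the username, the server that answered, PASS for both phases, and the pair user-type=lobby-admin plus priv-lvl=15. The following Python script is an added example, not Cisco code: it parses both excerpts (copied from this document) and classifies the session, so that a session that received priv-lvl=15 without the lobby-admin marker is flagged as a full administrator login rather than a Lobby Ambassador. The line formats it matches are taken from the excerpts above; treating the trailing '(F)' on the RADIUS priv-lvl value as a flag to strip is an assumption, and the function names and category labels are the example's own.

```python
"""Triage of 9800 AAA debug output for a Lobby Ambassador login.

Added example, not Cisco code. It parses the RADIUS ('debug aaa
authentication/authorization/attr') and TACACS+ ('debug tacacs') excerpts
from this document, extracts the username, server, method list, phase status
and returned attributes, and classifies what the attributes actually grant.
"""
import re

# Copied from the document's RADIUS debug excerpt.
RADIUS_DEBUG = """\
Feb 5 02:35:27.659: AAA/AUTHEN/LOGIN (00000000): Pick method list 'AuthenLobbyMethod'
Feb 5 02:35:27.681: ADD-DELETE: AAA/ATTR(00000000): add attr: sublist(0x7FBA5500C860) index(0):
7FBA5500C870 0 00000081 username(450) 5 lobby
Feb 5 02:35:27.681: ADD-DELETE: AAA/ATTR(00000000): add attr: sublist(0x7FBA5500C860) index(1):
7FBA5500C8B0 0 00000001 user-type(1187) 4 lobby-admin
Feb 5 02:35:27.681: ADD-DELETE: AAA/ATTR(00000000): add attr: sublist(0x7FBA5500C860) index(2):
7FBA5500C8F0 0 00000001 priv-lvl(335) 4 15(F)
Feb 5 02:35:27.683: %WEBSERVER-5-LOGIN_PASSED: Chassis 1 R0/0: nginx: Login Successful from host 192.168.166.104 by user 'lobby' using crypto cipher 'ECDHE-RSA-AES128-GCM-SHA256'
"""

# Copied from the document's TACACS+ debug excerpt.
TACACS_DEBUG = """\
Feb 5 02:06:48.245: TPLUS: Queuing AAA Authentication request 0 for processing
Feb 5 02:06:48.245: TPLUS: Authentication start packet created for 0(lobbyTac)
Feb 5 02:06:48.245: TPLUS: Using server 192.168.166.8
Feb 5 02:06:48.250: TPLUS: Received authen response status GET_PASSWORD (8)
Feb 5 02:06:48.266: TPLUS(00000000)/0/7FB7819E2100: Processing the reply packet
Feb 5 02:06:48.266: TPLUS: Received authen response status PASS (2)
Feb 5 02:06:48.267: TPLUS: Queuing AAA Authorization request 0 for processing
Feb 5 02:06:48.267: TPLUS: Authorization request created for 0(lobbyTac)
Feb 5 02:06:48.267: TPLUS: Using server 192.168.166.8
Feb 5 02:06:48.279: TPLUS(00000000)/0/7FB7819E2100: Processing the reply packet
Feb 5 02:06:48.279: TPLUS: Processed AV priv-lvl=15
Feb 5 02:06:48.279: TPLUS: Processed AV user-type=lobby-admin
Feb 5 02:06:48.279: TPLUS: received authorization response for 0: PASS
"""

# (pattern, key): group 1 is stored under key; a later line overwrites an
# earlier one, so GET_PASSWORD is replaced by the final PASS.
PATTERNS = [
    (re.compile(r"Pick method list '([^']+)'"), "method_list"),
    (re.compile(r"Authentication start packet created for \d+\(([^)]+)\)"), "user"),
    (re.compile(r"TPLUS: Using server (\S+)"), "server"),
    (re.compile(r"Received authen response status (\w+) \(\d+\)"), "authen_status"),
    (re.compile(r"received authorization response for \d+: (\w+)"), "authz_status"),
    (re.compile(r"LOGIN_PASSED: .* from host (\S+) by user '[^']+'"), "client"),
    (re.compile(r"LOGIN_PASSED: .* by user '([^']+)'"), "user"),
]
# RADIUS attribute dump line: <addr> <flags> <type> <name>(<id>) <len> <value>
RADIUS_ATTR = re.compile(r"^[0-9A-F]+ \d+ [0-9A-F]+ (\S+)\(\d+\) \d+ (.+)$")
TACACS_AV = re.compile(r"Processed AV (\S+)=(\S+)")


def parse_debug(text):
    """Reduce a debug capture to one summary dict."""
    summary = {"attrs": {}}
    for line in text.splitlines():
        for pattern, key in PATTERNS:
            m = pattern.search(line)
            if m:
                summary[key] = m.group(1)
        m = RADIUS_ATTR.match(line) or TACACS_AV.search(line)
        if m:
            # Assumption: the '(F)' after the RADIUS priv-lvl value is a flag, not data.
            summary["attrs"][m.group(1)] = re.sub(r"\(\w\)$", "", m.group(2))
    if "username" in summary["attrs"]:
        summary.setdefault("user", summary["attrs"]["username"])
    return summary


def classify(summary):
    """Say what kind of session the returned attributes actually grant."""
    for phase in ("authen_status", "authz_status"):
        if summary.get(phase) not in (None, "PASS"):
            return "denied"
    attrs = summary["attrs"]
    if attrs.get("user-type") == "lobby-admin" and attrs.get("priv-lvl") == "15":
        return "lobby-ambassador"
    if attrs.get("priv-lvl") == "15":
        return "full-admin"          # privilege 15 without the lobby-admin marker
    return "no-lobby-attributes"


if __name__ == "__main__":
    for label, text in (("RADIUS", RADIUS_DEBUG), ("TACACS+", TACACS_DEBUG)):
        s = parse_debug(text)
        print(f"{label}: user={s.get('user')} server={s.get('server')} "
              f"attrs={s['attrs']} -> {classify(s)}")
```

Feed it the output of 'terminal monitor' saved to a file; a result of full-admin means ISE returned the privilege but not the user-type attribute, which is exactly the case Step 4 on the ISE side (Advanced Attributes Settings for RADIUS, the Custom Attribute in the TACACS+ Profile) is meant to prevent.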
Revision | Publish Date | Comments |
---|---|---|
1.0 | 18-Jun-2020 | Initial Release |