Introduction
This document describes how to configure Catalyst 9800 Wireless LAN Controllers for RADIUS and TACACS+ external authentication of Lobby Ambassador users, with the use of Identity Services Engine (ISE).
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- Catalyst Wireless 9800 configuration model
- AAA, RADIUS and TACACS+ concepts
Components Used
The information in this document is based on these software and hardware versions:
- Catalyst 9800 Wireless Controller Series (Catalyst 9800-CL)
- Cisco IOS®-XE Gibraltar 16.12.1s
- ISE 2.3.0
The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background Information
The Lobby Ambassador user is created by the network administrator. A Lobby Ambassador can create guest users (username, password, description and lifetime) and delete them, and nothing more; it is a restricted role, not an administrator. Guest users can be created via the GUI or the CLI.
Configure
Network Diagram
In this example, two Lobby Ambassadors are configured: 'lobby' is authenticated against the RADIUS server and 'lobbyTac' against the TACACS+ server.
The RADIUS Lobby Ambassador is configured first, then the TACACS+ one. The matching ISE configuration for RADIUS and for TACACS+ is also shown.
Authenticate RADIUS
Configure RADIUS on Wireless LAN Controller (WLC).
Step 1. Declare the RADIUS server. Create the ISE RADIUS Server on the WLC.
GUI:
Navigate to Configuration > Security > AAA > Servers/Groups > RADIUS > Servers > + Add as shown in the image.
When the configuration window opens, the mandatory parameters are the RADIUS server name (it does not have to match the ISE/AAA system name), the RADIUS server IP address and the shared secret. Any other parameter can be left at its default or configured as desired.
CLI:
Step 2. Add the RADIUS server to a Server Group. Define a Server Group and add the RADIUS server configured in Step 1. This is the group used to authenticate the Lobby Ambassador user. If several RADIUS servers on the WLC can be used for authentication, add all of them to the same Server Group: the WLC then fails over between them (and, if load balancing is enabled on the group, distributes authentications across them).
GUI:
Navigate to Configuration > Security > AAA > Servers / Groups > RADIUS > Server Groups > + Add as shown in the image.
When the configuration window opens in order to give a name to the group, move the configured RADIUS Servers from the Available Servers list to the Assigned Servers list.
CLI:
Step 3. Create an Authentication Method List. The Authentication Method List defines the type of authentication required and attaches it to the Server Group defined above. It also determines whether authentication is done locally on the WLC or externally against the RADIUS server.
GUI:
Navigate to Configuration > Security > AAA > AAA Method List > Authentication > + Add as shown in the image.
When the configuration window opens, provide a name, select the type option as Login and assign the Server Group created previously.
Group Type as local.
GUI:
If you select Group Type as 'local' the WLC will first check if the user exists in the local database and will then fallback to the Server Group only if the Lobby Ambassador user is not found in the local database.
CLI:
Note: Be aware of bug CSCvs87163 when you use local first. This is fixed in 17.3.
Group Type as group.
GUI:
If you select Group Type as 'group' and no fallback to local option checked, the WLC will just check the user against the Server Group and will not check in its local database.
CLI:
Group Type as a group and the fallback to local option is checked.
GUI:
If you select Group Type as 'group' and the fallback to local option is checked, the WLC will check the user against the Server Group and will query the local database only if the RADIUS Server times out in the response. If the server responds, the WLC will not trigger a local authentication.
CLI:
Step 4. Create an Authorization Method List. The Authorization Method List defines the authorization type required for the Lobby Ambassador, which in this case is 'exec'. It is attached to the same Server Group, and it likewise selects whether authorization is done locally on the WLC or externally against the RADIUS server.
GUI:
Navigate to Configuration > Security > AAA > AAA Method List > Authorization > + Add as shown in the image.
When the configuration window opens, provide a name, select the type option as 'exec' and assign the Server Group created previously.
Be aware that the Group Type applies the same way it was explained in the Authentication Method List section.
CLI:
Group Type as local.
Group Type as group.
Group Type as group and the fallback to local option is checked.
Step 5. Assign the methods. Once the method lists are configured, they must be bound to the login paths the Lobby Ambassador uses to reach the WLC and create guest users: line VTY (SSH/Telnet) and HTTP (GUI).
These steps cannot be done from the GUI; they must be done from the CLI.
HTTP/GUI authentication:
When you perform changes to the HTTP configurations, it is best to restart the HTTP and HTTPS services:
Line VTY.
Step 6. Define the remote user. The username created on ISE for the Lobby Ambassador must also be declared as a remote username on the WLC. If it is not, authentication still succeeds, but the user is granted full administrative access to the WLC instead of only the Lobby Ambassador privileges. Treat this line as part of the security boundary, not an optional tidy-up. This configuration can only be done via the CLI.
CLI:
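The complete RADIUS-side WLC configuration for Steps 1 to 6, as an added example (not CLI output from the original document). The ISE address 10.10.10.5, the shared secret Cisco123 and the object names ISE-RAD, ISE-RAD-GROUP, LOBBY-RAD-AUTH and LOBBY-RAD-AUTHZ are assumptions; the username 'lobby' is the one used in this document.

```cisco
! Added example: RADIUS Lobby Ambassador configuration on the 9800 CLI.
! Assumed values: ISE at 10.10.10.5, secret Cisco123, names ISE-RAD,
! ISE-RAD-GROUP, LOBBY-RAD-AUTH, LOBBY-RAD-AUTHZ. User 'lobby' is from the doc.
aaa new-model
!
! Step 1. Declare the ISE RADIUS server.
radius server ISE-RAD
 address ipv4 10.10.10.5 auth-port 1812 acct-port 1813
 key Cisco123
!
! Step 2. Server group; add every ISE PSN here so the WLC can fail over.
aaa group server radius ISE-RAD-GROUP
 server name ISE-RAD
!
! Step 3. Login authentication list. Keep exactly ONE of the three forms:
!  a) local first, then the group (subject to CSCvs87163 before 17.3)
! aaa authentication login LOBBY-RAD-AUTH local group ISE-RAD-GROUP
!  b) group only, no local fallback
! aaa authentication login LOBBY-RAD-AUTH group ISE-RAD-GROUP
!  c) group first; local is consulted only if ISE does not answer
!     (an Access-Reject is final and never falls back to local)
aaa authentication login LOBBY-RAD-AUTH group ISE-RAD-GROUP local
!
! Step 4. Exec authorization list (same group-type choices apply).
aaa authorization exec LOBBY-RAD-AUTHZ group ISE-RAD-GROUP local
!
! Step 5. Bind the lists to the GUI (HTTP/HTTPS) and to SSH/Telnet.
ip http authentication aaa login-authentication LOBBY-RAD-AUTH
ip http authentication aaa exec-authorization LOBBY-RAD-AUTHZ
! Restart the web services so the new lists take effect.
no ip http server
no ip http secure-server
ip http server
ip http secure-server
!
line vty 0 15
 login authentication LOBBY-RAD-AUTH
 authorization exec LOBBY-RAD-AUTHZ
!
! Step 6. Declare the ISE username as a remote (Lobby Ambassador) user.
! Without this line a successful RADIUS login gets full WLC access
! instead of the restricted Lobby Ambassador role.
aaa remote username lobby
```

After applying this, log in once as 'lobby' over HTTPS and confirm that only the guest-user pages are presented; a full administrator GUI means Step 6 or the ISE attributes are missing.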
Configure ISE - RADIUS
Step 1. Add the WLC to ISE. Navigate to Administration > Network Resources > Network Devices > Add. The WLC must be added to ISE as a network device. When you add it, enable RADIUS Authentication Settings and configure the required parameters as shown in the image.
When the configuration window opens, provide a name and IP address, enable RADIUS Authentication Settings and, under Protocol Radius, enter the shared secret configured on the WLC.
Step 2. Create the Lobby Ambassador user on ISE. Navigate to Administration > Identity Management > Identities > Users > Add.
Add to ISE the username and password assigned to the Lobby Ambassador who creates the guest users. This is the username the Administrator will assign to the Lobby Ambassador.
When the configuration window opens, provide the name and password for the Lobby Ambassador user. Also, ensure that the Status is Enabled.
Step 3. Create a Results Authorization Profile. Navigate to Policy > Policy Elements > Results >
Ensure that the profile is configured to send an Access-Accept as shown in the image.
You need to add the attributes manually under Advanced Attributes Settings. They identify the user to the WLC as a Lobby Ambassador (user-type lobby-admin) and grant the privilege level the Lobby Ambassador needs to make its changes (privilege 15); on the RADIUS side these are carried as Cisco AV-pairs.
Step 4. Create a policy in order to process the authentication. Navigate to Policy > Policy Sets >
Under the Authorization Policy it is mandatory to select the profile created under Results > Authorization, so that the required attributes are returned to the WLC as shown in the image.
When the configuration window opens configure the Authorization Policy. The Authentication Policy can be left as default.
Authenticate TACACS+
Configure TACACS+ on WLC
Step 1. Declare the TACACS+ server. Create the ISE TACACS Server in the WLC.
GUI:
Navigate to Configuration > Security > AAA > Servers/Groups > TACACS+ > Servers > + Add as shown in the image.
When the configuration window opens, the mandatory parameters are the TACACS+ server name (it does not have to match the ISE/AAA system name), the TACACS+ server IP address and the shared secret. Any other parameter can be left at its default or configured as needed.
CLI:
Step 2. Add the TACACS+ server to a Server Group. Define a Server Group and add the TACACS+ server(s) configured in Step 1. This is the group used for authentication.
GUI:
Navigate to Configuration > Security > AAA > Servers / Groups > TACACS > Server Groups > + Add as shown in the image.
When the configuration window opens, give a name to the group and move the desired TACACS+ Servers from the Available Servers list to the Assigned Servers list.
CLI:
Step 3. Create an Authentication Method List. The Authentication Method List defines the type of authentication required and attaches it to the Server Group configured above. It also determines whether authentication is done locally on the WLC or externally against the TACACS+ server.
GUI:
Navigate to Configuration > Security > AAA > AAA Method List > Authentication > + Add as shown in the image.
When the configuration window opens, provide a name, select the type option as Login and assign the Server Group created previously.
Group Type as local.
GUI:
If you select Group Type as 'local', the WLC first checks whether the user exists in the local database and falls back to the Server Group only if the Lobby Ambassador user is not found locally.
Note: Be aware of bug CSCvs87163, which is fixed in 17.3.
CLI:
Group Type as group.
GUI:
If you select Group Type as group and no fallback to local option checked, the WLC will just check the user against the Server Group and will not check in its local database.
CLI:
Group Type as group and the fallback to local option is checked.
GUI:
If you select Group Type as 'group' and the Fallback to local option is checked, the WLC will check the user against the Server Group and will query the local database only if the TACACS Server times out in the response. If the server sends a reject, the user won't be authenticated, even if it exists on the local database.
CLI:
Step 4. Create an Authorization Method List.
The Authorization Method List defines the authorization type required for the Lobby Ambassador, which in this case is exec. It is attached to the same Server Group, and it likewise selects whether authorization is done locally on the WLC or externally against the TACACS+ server.
GUI:
Navigate to Configuration > Security > AAA > AAA Method List > Authorization > + Add as shown in the image.
When the configuration window opens, provide a name, select the type option as exec and assign the Server Group created previously.
Be aware that the Group Type applies the same way it is explained in the Authentication Method List part.
CLI:
Group Type as local.
Group Type as group.
Group Type as group and the Fallback to local option is checked.
Step 5. Assign the methods. Once the methods are configured, they have to be assigned to the options in order to login to the WLC to create the guest user such as line VTY or HTTP (GUI). These steps cannot be done from GUI, hence they need to be done from CLI.
HTTP/GUI authentication:
When you make changes to the HTTP configurations, it is best to restart the HTTP and HTTPS services:
Line VTY:
Step 6. Define the remote user. The username created on ISE for the Lobby Ambassador must also be declared as a remote username on the WLC. If it is not, authentication still succeeds, but the user is granted full administrative access to the WLC instead of only the Lobby Ambassador privileges. This configuration can only be done via the CLI.
CLI:
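The complete TACACS+-side WLC configuration for Steps 1 to 6, as an added example (not CLI output from the original document). The ISE address 10.10.10.5, the key Cisco123 and the names ISE-TAC, ISE-TAC-GROUP, LOBBY-TAC-AUTH and LOBBY-TAC-AUTHZ are assumptions; the username 'lobbyTac' is the one used in this document.

```cisco
! Added example: TACACS+ Lobby Ambassador configuration on the 9800 CLI.
! Assumed values: ISE at 10.10.10.5, key Cisco123, names ISE-TAC,
! ISE-TAC-GROUP, LOBBY-TAC-AUTH, LOBBY-TAC-AUTHZ. User 'lobbyTac' is from the doc.
aaa new-model
!
! Step 1. Declare the ISE TACACS+ server (Device Admin must be enabled on ISE).
tacacs server ISE-TAC
 address ipv4 10.10.10.5
 key Cisco123
!
! Step 2. Server group.
aaa group server tacacs+ ISE-TAC-GROUP
 server name ISE-TAC
!
! Step 3. Login authentication list: group first, local only if ISE times out.
! A TACACS+ reject is final; the local database is NOT consulted after it.
aaa authentication login LOBBY-TAC-AUTH group ISE-TAC-GROUP local
!
! Step 4. Exec authorization list. ISE returns priv-lvl=15 and the
! mandatory attribute user-type=lobby-admin from its TACACS profile.
aaa authorization exec LOBBY-TAC-AUTHZ group ISE-TAC-GROUP local
!
! Step 5. Bind the lists to the GUI and to SSH/Telnet, then bounce web services.
ip http authentication aaa login-authentication LOBBY-TAC-AUTH
ip http authentication aaa exec-authorization LOBBY-TAC-AUTHZ
no ip http server
no ip http secure-server
ip http server
ip http secure-server
!
line vty 0 15
 login authentication LOBBY-TAC-AUTH
 authorization exec LOBBY-TAC-AUTHZ
!
! Step 6. Declare the remote user so the session is confined to the Lobby role.
aaa remote username lobbyTac
```

Because 'lobby' and 'lobbyTac' are separate usernames, both can coexist on the same controller; only the list names bound under ip http authentication and line vty decide which server type a given login path uses.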
Configure ISE - TACACS+
Step 1. Enable Device Admin. Navigate to Administration > System > Deployment. Before you proceed, select Enable Device Admin Service on the ISE node and confirm that it is enabled, as shown in the image. TACACS+ requests are refused until this service is running.
Step 2. Add the WLC to ISE. Navigate to Administration > Network Resources > Network Devices > Add. The WLC needs to be added to ISE. When you add the WLC to ISE, enable TACACS+ Authentication Settings and configure the needed parameters as shown in the image.
When the configuration window opens, provide a name and IP address, enable TACACS+ Authentication Settings and enter the shared secret configured on the WLC.
Step 3. Create the Lobby Ambassador user on ISE. Navigate to Administration > Identity Management > Identities > Users > Add. Add to ISE, the username and password assigned to the Lobby Ambassador who will create the guest users. This is the username the Administrator assigns to the Lobby Ambassador as shown in the image.
When the configuration window opens, provide the name and password for the Lobby Ambassador user. Also, ensure that the Status is Enabled.
Step 4. Create a Results TACACS+ Profile. Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles as shown in the image. This profile returns the attributes the WLC needs to place the user in the Lobby Ambassador role.
When the configuration window opens, provide a name for the profile, set Default Privilege to 15 and add a Custom Attribute of Type Mandatory with name user-type and value lobby-admin. Leave the Common Task Type set to Shell as shown in the image.
Step 5. Create a Policy Set. Navigate to Work Centers > Device Administration > Device Admin Policy Sets as shown in the image. The conditions to configure the policy rely upon the Administrator decision. For this document, the Network Access-Username condition and the Default Device Admin protocol are used. It is mandatory to ensure under the Authorization Policy that the profile configured under the Results Authorization is selected, that way you can return the needed attributes to the WLC.
When the configuration window opens, configure the Authorization Policy. The Authentication Policy can be left as default as shown in the image.
Verify
Use this section to confirm that your configuration works properly.
This is how the Lobby Ambassador GUI looks after a successful authentication: only guest-user management is offered, not the full controller configuration.
Troubleshoot
This section provides information you can use to troubleshoot your configuration.
Authenticate RADIUS
For RADIUS authentication, these debugs can be used:
Ensure the right method list is selected from the debug. Also, the needed attributes are returned by the ISE Server with the right username, user-type and privilege.
Authenticate TACACS+
For TACACS+ authentication, this debug can be used:
Ensure that the authentication is processed with the right username and ISE IP address and that the status is 'PASS'. In the same debug, right after the authentication phase, the authorization phase is shown. In that phase, confirm that the right username and ISE IP address are used; the attributes configured on ISE that identify the user to the WLC as a Lobby Ambassador, with the right privilege level, should appear there.
Authentication phase example:
Authorization phase example:
The debug examples above for RADIUS and TACACS+ show only the key steps of a successful login; the full debugs are more verbose and the output is much longer. To disable the debugs, this command can be used:
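The commands a practitioner would run on the 9800 to verify and debug a Lobby Ambassador login, as an added example (not from the original document). The group name ISE-RAD-GROUP, the username 'lobby' and the password Cisco123 are assumptions; substitute the names from your own configuration.

```cisco
! Added example: verification and debug commands on the 9800 CLI.
! Assumed names: ISE-RAD-GROUP, user 'lobby', password Cisco123.
!
! Server reachability and the method lists currently defined.
show aaa servers
show aaa method-lists authentication
show aaa method-lists authorization
!
! Prove the two lines that confine the user: remote username and the
! lists bound to HTTP. A missing 'aaa remote username' means full access.
show running-config | include aaa remote username|ip http authentication
!
! Authenticate against the group directly, without going through GUI/VTY.
test aaa group ISE-RAD-GROUP lobby Cisco123 new-code
!
! RADIUS: method list chosen, and the user-type / privilege attributes
! returned by ISE.
debug aaa authentication
debug aaa authorization
debug aaa attr
debug radius
!
! TACACS+: authentication PASS/FAIL followed by the exec authorization phase.
debug tacacs
!
! Turn debugs off when done; they are expensive on a busy controller.
undebug all
```

Run the show commands before enabling any debug: a wrong or unbound method list, or a missing remote username, is visible there without generating debug load.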