Cisco :: 4400 WLC / WCS - Monitoring Lobby Admin User Activity
Jan 26, 2011
We currently have about 8 WLC 4400 series controllers deployed around the company, one of these controllers is acting as an Achor controller for GUEST wifi access for visitors to the company, as a result of this we have many users with "LobbyAdmin" access to setup users.
We have recently introduced a Cisco WCS to manage these devices but its not fully implemented/active to see all WLC's.I need to be able to report on the LobbyAdmin users to see who is setting up accounts and for who etc. Currently access to the WLC/WCS is done via Local admin accounts. All accounts for the LobbyAdmin people are setup on our anchor controller.
I have added the anchor controller for this to the WCS system but when looking in Administration/AAA/Groups the LobbyAdmin groups shows No Members.Is there a way that i can import the Lobby Admin names from the anchor WLC to the WCS so i can do reports/audit checks on these users?
View 2 Replies
ADVERTISEMENT
Mar 27, 2011
Is there anyway to monitor client who is downloading , using the most bandwidth in Cisco wireless environment ? i have 1240 ap and 4400 controller environment.
View 1 Replies
View Related
Jan 23, 2012
How to configure a LobbyAdmin account for WLC 7.0 on a 5.1 ACS? I'm very new to ACS 5. How to configure it.
I've got the ACS policy working that allows me to login to the WLC using a user account with full rights but the Lobby admin account can login with full rights as well. I've tried setting the custome attributes in the shell profiles with role0-mandatory-LobbyAmbassador, task0-Mandatory-Configure Guest User and task1-Mandatory-Lobby Ambassador User Preferences but it still doesn't work.
View 18 Replies
View Related
May 12, 2011
I was wondering if there is a way to limit the ability of the "lobby admin" account to only be able to give out 24 hour wireless access? The situation is this, we are going to move the roles of guest wireless over to our lobby administrators, but we are afraid they might break policy and give out 30 day wireless access so they dont have to keep renewing guest access each day. We want to limit access to 24 hour "tokens" for all guest unless its a unique situation.
View 2 Replies
View Related
Jan 25, 2012
Any way to create multiple lobby admin account on ACS and each account will have access to only specific WLANs on the WLC?
View 6 Replies
View Related
Apr 15, 2012
Why do need Cisco NAC guest server when we have WLC 5508 already configured. The Guest user access can be given by the WLC itself too. We can create users in WLC also and grant access to the user to access internet for specific time frame. My query is - what is so different in Cisco NGS that it is considered good in terms of Guest users access. What are the advatages of NGS.
View 4 Replies
View Related
Feb 14, 2013
I have two 5508 WLCs. Both have APs attached to them. If I create a guest account with the lobby administrator on one, will that user account be able to log in to the network if the client is attached to the ohter WLC? So far, I have found that I need to create the same user on both WLC's, in order to have the user login.
View 2 Replies
View Related
Apr 28, 2011
Is there any way to hide my activity on the network? My network administrator monitors our network activity, specifically chat.
View 1 Replies
View Related
Oct 16, 2012
I want to secure our WLAN via Web Authentication with our new Cisco 2504 WLC. But where do i find user activity logs?
View 2 Replies
View Related
Nov 30, 2011
Users are facing issue since a long time now . Whenever user connected to wireless is idle say 10 -20 seconds he gets disconnected This happens for all the users and even Mac/Win 7 I changed Activity Timeout on AP and even rebooted but still when I do show dot11 associations all-client I see activity-timeout
Users don't get disconnected when there is continous flow of data its only when user is idle
When user disconnects and hit refersh it starts working again
View 1 Replies
View Related
Jun 13, 2011
(WLC 4400) which enables employees to browse to a custom made webpage, where they can create an account for company vistors to access the internet. It's important for the employees not use any login credentials, they arrive on a webpage where they specify the login & password which the vistor will enter to browse the internet. Is there any good link to documention about this topic?
View 3 Replies
View Related
May 8, 2012
we have created some administration accounts which should only have the possibility to work on the user database. the useradmin role is to limited to create a user and set a fixed password only, but not able to enable the users authentication against a predefined external identity store. Other roles which makes this possible are far to powerful for a second level adminstrator.The adminstrator should have the possibility the create an user and set the password check against an external database. This is not possible with the predefine role "UserAdmin". Other roles do have to many rights for these users.
View 4 Replies
View Related
Sep 9, 2012
After upgrade to ACS 5.2 appliance , we are trying to configure AAA between Ciscoworks and ACS. Authentication is working but authorization fails , logged user cannot access to admin parameters. I've configured attributes manually but it doesn't work.Does ACS 5.2 support integration with CiscoWorks?
View 1 Replies
View Related
Jul 20, 2011
I have a desktop without a wireless card and i want my network to be wireless so i bought a d-link wireless card for the desktop, the system then discover the wireless network but could not connect it kept on trying to authenticate, it did not even ask me for the web security key, what do I do
View 1 Replies
View Related
Jan 15, 2013
i have a Cisco Router 8803G and i would like following commands to be run by telnet:
1) erase an admin user
2) change the password of an admin user
View 2 Replies
View Related
Jan 12, 2011
ACE 4710 TACACS issues ,How to setup user with Admin context access permission. I have enable the TACACS and it can directly put me in Context mode not in Admin Context mode .
View 8 Replies
View Related
Jul 12, 2010
I have manually configured the E2000 and set the admin password. When I was trying to log back in, I could not. I reset and reconfigured and set the password again. I still could not log in using "admin" and the password I set up. I thought I was losing my mind. Just on a hunch, I used the SSID name instead of "admin", then entered the password that worked. I am able to login, but I need the username to be admin, not the SSID. Has anyine else had this issue? Any way to change the administrator name back to admin??
View 5 Replies
View Related
Aug 28, 2012
I'm crazy with this version of ACS, it is totally diferent than ACS 4.2, which is familiar for me and seems to difficult to config for me.Although I have red a lot of post about problems with the integration WCS 7.0 and ACS 5.2 using TACACs+ for admin or lobby access to the web portal I can't do login into WCS as Lobby ambassador using ACS 5.2 because always show me the error "User has no usergroups assigned".Steps I followed:
- I create a "shell profile" with the custom attributes of the group "lobby ambassador".
- In default device admin / authorization, I create a rule matching this "shell profile".
I see lot os Hit counts and passed in logs, but the message written previously.In ACS 4.2 I had to create the custom attribute "HTTP" and string "Wireless- WCS" to work with, but now I don't know if it is necessary and I don't know how to do it.
View 5 Replies
View Related
Jul 14, 2012
We've set our WCS up to do AAA through our ACS 5.3 which works great. So in order to log into the WCS for Administration or as a Lobby Ambassador (to create guest users etc) the AAA is all done by the ACS, GREAT!
I have assigned a set of users the Lobby Ambassador role as passed that back through TACACS to the WCS, so those users have their role setup as Lobby Ambassador and are limited from doing anything else, as expected.
What I want to know is: With normal local AAA on the WCS, when you created a Lobby Ambassador account, you could give the account a set of defaults for any guests accounts created by that Lobby Ambassador account, which was good, so Lobby Ambassadors couldn't set up unlimited time accounts and stuff like that.
What I want to know now is that since I'm now doing all the AAA on the ACS, is there an attribute I can pass to the WCS in the Shell Profile, along with the roles etc telling the WCS what the guest user creation defaults for the Lobby Ambassador account is, so that we can continue to limit the defaults of any guest account that the Lobby Ambassador accounts create, as it used to be? We'd really like different lobby ambassadors to be able to do different things as well. i.e., Lobby Ambassador X can only create accounts for one region. Lobby Ambassador Y can create Unlimited time accounts where the others can not. We used to do this by assigning different guest user creation defaults to different lobby ambassador accounts on the WCS.
View 1 Replies
View Related
Jan 16, 2012
I was wondering if the 2504 has the lobby ambassador feature available. Customer requires temp username/passwords for guests managed through web gui. I couldn't find conclusive documentation it was included so I figured I'd check here before calling Cisco.
View 2 Replies
View Related
Sep 23, 2012
Is there a module or way to create a Guest Access Lobby on the ASA 5525? We currenly leverage the WLC to do this for us, but are moving to a routed access enviornment which is causing some issues. We would like to offload the guest access responsibility to the ASA if possible.
View 1 Replies
View Related
Jul 27, 2012
We presently have a guest wireless solution in place using 4400/5508 WLC controllers authenticating guests via a NAC Guest server. This has functioned well for the last year or so, but now our security team has requested that we begin logging guest activity. I already have RADIUS accounting set up on the WLAN configuration pointing to the NGS,I have added the NGS to the syslog set up on the controller (I have tried various syslog levels) but I am not receiving any guest activity info in the reports on the NGS. Any way for getting this data?
View 2 Replies
View Related
Apr 29, 2012
we recently purchased a sg300-52. i was told i would need to setup a port trunk to connect it our main catalyst. However, i was able to connect a patch cable on the two devices and ping endpoint devices on both switches. I also noticed that the activity lights are constantly blinking. I'm not sure why. Is there something i can do to slow the activity light? it blicks constantly even in times of very low activity by the endpoint.
View 2 Replies
View Related
Sep 22, 2011
We are running ACS 5.2 patch 6 and want to restrict access for users to be able to add devices to the system.For example, admin person in site A can only add devices into the site A group and cannot see/access other sites groups.
View 1 Replies
View Related
Apr 20, 2009
We are using an ASA 5510 and remote access (SSL VPN) using the AnyConnect client.
Is it possible to display a user message when a user connects using the AnyConnect client, matching a specific dynamic access policy? Can the message be displayed when the action is "Continue" rather than "Terminate"? I can't seem to get this to work and wondered if there was a LUA function to do this.
We have a DAP which gives a restricted ACL when the user's anti-virus is out of date, and I wanted to notify the user to update their anti-virus and reconnect.
View 4 Replies
View Related
Oct 10, 2011
I want to create a local user in my Cisco ASA 5520 to allow the user to use the ASDM in Read-Only mode. I want the user to view the Dashboard only.
View 1 Replies
View Related
Oct 7, 2012
detect botnet acitivity from network point of view.
View 15 Replies
View Related
Jan 5, 2013
I am using Bit meter (on Windows 7 64-bit) to measure up/down activity on the network adapter connected to the RV042 in load balancing mode. Is there a way I can, in real time, have a visual indication of up/down network activity on the WAN 1 and 2 port separately on the RV042?
View 1 Replies
View Related
Aug 30, 2011
I'm running a wpa2-secured guest ssid on a particular vlan that allows traffic to the web but restricts any access to internal network resources. It had been working fine for a couple of weeks, until the network started intermittenly dropping - at first I tried swapping channels and rebooting, but there has been no progress. I keep a running log at all times as long as the network is still active, but once it drops, the only message I'm getting is
'Line protocol on Interface Dot11Radio0, changed state to down'
My understanding would be that this is the same message logged when a user manually turns off the radio from a terminal window, is this correct? Or am I missing some basic troubleshooting steps?
View 3 Replies
View Related
Aug 2, 2012
I was examining my router's logs the other day and I noticed a recurring entry stating that my PC's IP address was sending packets to the IP 172.16.30.115 on port 80, and that the router was dropping them.Except for the fact that my home LAN uses the 192.168.1.0/24 network EXCLUSIVELY. That is all it has ever used since this router was set up, and the only other networks we have EVER used are 192.168.0.0/24 and 192.168.2.0/24. So why, I wondered, is my PC repeatedly sending (presumably) HTTP traffic to a private IP that is not and never has been on my network?I wasn't worried about what these connections might be doing, since I figured they couldn't do anything, but I was kind of concerned about what was generating this traffic in the first place. So I downloaded Wireshark and ran a capture for 30 minutes. Upon completion, I filtered results to show only packets that contained the IP 172.16.30.115, as either the source or destination IP.Based on the router logs, I expected to see three packets with my PC's source IP address and a random source port sent to 172.16.30.115, port 80 every 10 minutes.And I did see that. These are TCP packets, and they appear to be completely empty. The only thing I noticed about them is that the SYN flag is set. I don't know what the significance of that is, if any, but that's what I noticed.
What I DIDN'T expect to see were the packets that had a source IP of 172.16.30.115. These packets (also TCP) had the ACK and RST flags set, and they contained the text "Go away, we're not home." So not only are there packets being sent to an IP that cannot possibly exist within my network, but there are also packets coming FROM the impossible IP telling me to go away.All of that is scary enough on its own. But then I hopped on Google and did a search for the phrase "go away, we're not home," and almost every result was related to the decline of the Storm worm. After reading about Storm, I was more confused, not less. In its heyday, Storm used UDP traffic to communicate between peers, and my mystery traffic was TCP. Storm usually did not use well-known port numbers, such as 80, which I read was part of what made it so resilient. Not to mention that the most recent posts I could find regarding the Storm worm were dated 2010 and were about the possibility of a second Storm, and I didn't get this PC until May 2011. Plus, even if we ignore all of this and operate under the assumption that I have the Storm worm on my PC, that still doesn't explain the fact that the traffic from my computer is heading to a private IP that is NOT, I repeat, NOT being used on my network, my router says it's dropping this traffic, but my PC is still somehow receiving a response from an IP address that 1) isn't on the network and 2) can't be having any packets forwarded to it, since the router says it's dropping the traffic.So, operating under the worst-case scenario assumption, I used two different virus scanners (not simultaneously, of course) to do the deepest scans they are capable of doing. They both turned up completely clean. In fact, I've had AVG Free installed on my computer since I got it, and even if you look at my virus history you only see a few tracking cookies, a corrupted EXE from the Skype setup folder, and a Trojan dropper that I never even ran because I thought the file properties seemed fishy so I scanned it and promptly deleted it. So I now have to go back to operating under the assumption that I do NOT have the Storm worm, and I am back to the drawing board.
View 2 Replies
View Related
Mar 30, 2012
REmote desktop connection times out when there is no activity, I mean I open rdp to work computer from home ,If I am away from the computer I am not using keyboard , after few minutes I get a blank screen and if it is very longthe connection times out and I have to relogin to my computer, I need suggestion on how to retain the connection so that no blank screen appears and I alos dont loose connection .
View 1 Replies
View Related
Dec 28, 2012
I heard my brothers' conversation in our house. One was asking another, if he is downloading things. The other one replied, saying no, he didn't. And then the one that was asking said, he knew he was lying. He can detect and monitor that person's IP address to know enough if the other person is downloading or not.
View 6 Replies
View Related
May 24, 2011
Sometimes when I actively use the LAN (copy a file or stream media), my PC loses connection to both the internet and LAN. It doesn't always happen though. I can always fix it by opening network connections and disabling Local Area Connection and then re-enabling it. However, if I don't do this, the connection stays off indefinitely. The PC that loses connection is on Windows 7 64-bit with Asus P5K integrated ethernet controller with latest drivers. Modem/router is Linksys WAG320N.
View 10 Replies
View Related
