You got it figured out... Administrative is usually easy enough to remember for read-write. I remember read-only is NAS Prompt just because it's the next option below Administrative. So just know that read-only is right below read-write. That might be easier.

Here's my silly way to remember Lobby = Callback Administrative. Callback Administrative reminds me of an administrative assistant manning the phones, and it's the administrative assistant that's handing out guest user accounts. So they need Lobby access. Feel free to leverage my silly thought patterns if it helps.

Regards,

Jeff Rensink : Sr Instructor : iPexpert <http://www.ipexpert.com/>
CCIE # 24834 :: Wireless / R&S :: World-Class Cisco Certification Training
Direct: +1.810.326.1444 :: Free Videos <http://www.youtube.com/ipexpertinc> :: Free Training / Product Offerings <http://www.facebook.com/ipexpert> :: CCIE Blog <http://blog.ipexpert.com/> :: Twitter <http://www.twitter.com/ipexpert>

On Thu, May 15, 2014 at 8:57 AM, Andre Aubet <[email protected]> wrote:

> Ok, I found this in another section of the documentation:
>
> Note: To create a read-only controller user on the RADIUS server, you must set the service type to NAS prompt instead of Callback NAS prompt. If you set the service type to Callback NAS Prompt, the user authentication fails, while setting it to NAS prompt gives the user read-only access to the controller.
> Also, the Callback Administrative service type gives the user the lobby ambassador privileges to the controller.
>
> and guess what, it worked!
>
> 2014-05-15 17:46 GMT+02:00 Andre Aubet <[email protected]>:
>
>> Hi all,
>>
>> I'm trying to set up WLC authentication through RADIUS.
>>
>> The authentication works successfully for a read-write user (admin), but I can't make it work for a read-only user...
>>
>> I can't find what is wrong in my configuration.
>>
>> From Cisco documentation, an authorization profile must be configured:
>>
>> Source: http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70sol.html#wp1422107
>> Specify read-only or read-write access to controllers through RADIUS authentication, by setting the Service-Type attribute (006) to Callback NAS Prompt for read-only access or to Administrative for read-write privileges. If you do not set this attribute, the authentication process completes successfully (without an authorization error on the controller), but you might be prompted to authenticate again.
>>
>> From the debug, I can't see what is the difference between the ro and rw access:
>>
>> - RW Access = OK - Service-Type 6 = Administrative
>>
>> *radiusTransportThread: May 15 17:30:35.293: 00:00:00:36:00:00 Access-Accept received from RADIUS server 10.35.122.29 for mobile 00:00:00:36:00:00 receiveId = 0
>> *radiusTransportThread: May 15 17:30:35.293: AuthorizationResponse: 0x13c73d50
>> *radiusTransportThread: May 15 17:30:35.293: resultCode...................................0
>> *radiusTransportThread: May 15 17:30:35.293: protocolUsed.................................0x00000001
>> *radiusTransportThread: May 15 17:30:35.293: Packet contains 3 AVPs:
>> *radiusTransportThread: May 15 17:30:35.293: AVP[01] User-Name................................wlc-admin2 (10 bytes)
>> *radiusTransportThread: May 15 17:30:35.293: AVP[02] Service-Type.............................0x00000006 (6) (4 bytes)
>> *radiusTransportThread: May 15 17:30:35.293: AVP[03] Class....................................CACS:CCIEW-ACS/188401509/4628 (29 bytes)
>> *emWeb: May 15 17:30:35.294: Authentication succeeded for wlc-admin2
>>
>> - RO Access = NOK - Service-Type 9 = Callback NAS Prompt
>>
>> *radiusTransportThread: May 15 17:29:19.185: 00:00:00:35:00:00 Access-Accept received from RADIUS server 10.35.122.29 for mobile 00:00:00:35:00:00 receiveId = 0
>> *radiusTransportThread: May 15 17:29:19.185: AuthorizationResponse: 0x13c73d50
>> *radiusTransportThread: May 15 17:29:19.185: structureSize................................125
>> *radiusTransportThread: May 15 17:29:19.185: resultCode...................................0
>> *radiusTransportThread: May 15 17:29:19.185: protocolUsed.................................0x00000001
>> *radiusTransportThread: May 15 17:29:19.185: proxyState...................................00:00:00:35:00:00-00:00
>> *radiusTransportThread: May 15 17:29:19.185: Packet contains 3 AVPs:
>> *radiusTransportThread: May 15 17:29:19.185: AVP[01] User-Name................................wlc-exploit2 (12 bytes)
>> *radiusTransportThread: May 15 17:29:19.185: AVP[02] Service-Type.............................0x00000009 (9) (4 bytes)
>> *radiusTransportThread: May 15 17:29:19.185: AVP[03] Class....................................CACS:CCIEW-ACS/188401509/4627 (29 bytes)
>> *emWeb: May 15 17:29:19.186: Authentication failed for wlc-exploit2, Service Type: 9
>>
>
> _______________________________________________
> Free CCIE R&S, Collaboration, Data Center, Wireless & Security Videos ::
> iPexpert on YouTube: www.youtube.com/ipexpertinc
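As an added example (not from the thread, from Cisco, or from iPexpert), here is a small Python audit helper that walks WLC RADIUS debug lines in the format quoted above, pairs each User-Name AVP with its Service-Type AVP, and reports the management role the WLC documentation quoted in the thread assigns to that value (6 read-write, 7 read-only, 9 rejected, 11 lobby ambassador), so a defender can spot accounts whose RADIUS profile grants more than intended. The sample debug lines are constructed to mirror the thread's output; the wlc-ro, wlc-lobby and wlc-noattr user names are assumptions.

```python
import re

# Service-Type values (RFC 2865) that the Cisco WLC documentation quoted in
# the thread maps to a management role; anything else yields no role.
WLC_ROLE = {
    6: ("Administrative", "read-write"),
    7: ("NAS Prompt", "read-only"),
    9: ("Callback NAS Prompt", "login rejected by the WLC"),
    11: ("Callback Administrative", "lobby ambassador"),
}

USER_RE = re.compile(r"User-Name\.+(\S+) \(")
SVC_RE = re.compile(r"Service-Type\.+0x([0-9a-fA-F]{8})")


def audit_wlc_debug(lines):
    """Return {user: (service_type or None, role text)} from 'debug aaa all'
    style lines; the Service-Type AVP after a User-Name AVP is the same packet."""
    results, user = {}, None
    for line in lines:
        m = USER_RE.search(line)
        if m:
            user = m.group(1)
            # Default until a Service-Type shows up; the guide says such a
            # login still succeeds but the user may be prompted again.
            results[user] = (None, "no Service-Type: user may be re-prompted")
            continue
        m = SVC_RE.search(line)
        if m and user:
            code = int(m.group(1), 16)
            name, role = WLC_ROLE.get(code, ("other", "no WLC management role"))
            results[user] = (code, f"{name}: {role}")
    return results


# Constructed sample in the thread's debug format (wlc-ro, wlc-lobby and
# wlc-noattr are assumed user names, not taken from the thread).
SAMPLE_DEBUG = """\
*radiusTransportThread: May 15 17:30:35.293: AVP[01] User-Name................................wlc-admin2 (10 bytes)
*radiusTransportThread: May 15 17:30:35.293: AVP[02] Service-Type.............................0x00000006 (6) (4 bytes)
*radiusTransportThread: May 15 17:29:19.185: AVP[01] User-Name................................wlc-exploit2 (12 bytes)
*radiusTransportThread: May 15 17:29:19.185: AVP[02] Service-Type.............................0x00000009 (9) (4 bytes)
*radiusTransportThread: May 15 17:31:02.010: AVP[01] User-Name................................wlc-ro (6 bytes)
*radiusTransportThread: May 15 17:31:02.010: AVP[02] Service-Type.............................0x00000007 (7) (4 bytes)
*radiusTransportThread: May 15 17:31:40.512: AVP[01] User-Name................................wlc-lobby (9 bytes)
*radiusTransportThread: May 15 17:31:40.512: AVP[02] Service-Type.............................0x0000000b (11) (4 bytes)
*radiusTransportThread: May 15 17:32:05.777: AVP[01] User-Name................................wlc-noattr (10 bytes)
""".splitlines()
```

Feed it the output of the WLC's RADIUS debug instead of SAMPLE_DEBUG to check that every management account is getting exactly the Service-Type its role requires.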
