Cisco WLC Administrator Radius authentication

In order to authenticate a user via a RADIUS server, for controller       login and management, you must add the user to the RADIUS database with the       IETF RADIUS attributes Service-Type attribute set to the appropriate value       according to the user's privileges.

• In order to set read-write privileges for the user, set the           Service-Type Attribute to Administrative.
• In order to set read-only privileges for the user, set the           Service-Type Attribute to           NAS-Prompt.
• For Lobby Ambassador you have to return IETF RADIUS Service-Type attribute set to Callback       Administrative.

Please find config example:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080782507.shtml.