NAC Guest Server with WLC

Dear All,
I just need to confirm that is it possible that we add same WLC to CAS(wireless users) and NAC Guest Server(wireless guest users) or I must need one more WLC for NAC guest server.
Regards,

Hello Nomair
You do not need seperate WLC's.. NAC guest servers are just normal radius servers, used for authentication. You can integrate your existing WLC's, which are added on IB or OOB to your CAS, with the guest server. I'm attaching a doc which gives info on how to setup wlc's and guest servers.
Hope this helps.. all the best.. happy new year to you. rate replies if found useful..
Raj

Similar Messages

  • NAC Guest Server and WLC's

    Just wanted to know if this will work or not...
    I was looking at a design from a client and they had two CAM and CAS plus a Guest server. My client wants to use the equipment above for guest access. The problem I'm having is that I'm building a wireless network with guest anchor WLC's in the DMZ. So my wireless users will be tunneled to the DMZ controller. Also, the WLC can have a splash page uploaded to it and also authenticate users locally in the DB. They don't want any remediation, just authentication.... is this a waste of money or would would actually implement this?

    I've some (very) basic questions.
    Let's say guest vlan = x
    1)vlan x should be created on the foreign controllers as on the anchor controller, with the same properties
    2)on the anchor controller a dynamic interface has to be created acting as default gateway for the guest clients.
    3)it's advised to place the guest server in the guest vlan? Eg. Somewhere in the server farm?
    4)Once traffic coming from the guests is arrived at the anchor controller. (I know to less of WLC ;)) Will it forwarded with as source IP, the IP of the anchor controller towards the anchor default gateway (firewall or internet router?)
    4)authentication: user connect to SSID guest and opens a browser. The user is redirected and a login page is displayed. Is this page downloaded from the anchor controller? I think it is and pushed via WCS. So Guest NAC server has nothing to deal with this page? Correct?
    The anchor controller polls the nac guest server with the given credentials. Anchor controller forwards the credentials to the NAC guest server. The NGS replies with authenticated or not. If authenticated. The guest can browse. Probably on regular base, the anchor controller will poll the NAC guest in order to check if he's still authenticated and if enabled pass information to the NAC guest for accounting. Is this somehow ok?
    I've found to open the following ports in the firewall:
    UDP 97 for EoIP
    UDP 16666 for intercontroller traffic
    and 1812/1813 for Radius.
    Thanks in advance

  • NAC guest server with RADIUS authentication for guests issue.

    Hi all,
    We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
    The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
    https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
    -----START QUOTE-----
    Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
    •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
    •Self Service—This option allows guest self service. After selection proceed to Step 8.
    •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
    ----- END QUOTE-----
    Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
    Regards
    Kevin Woodhouse

    Well I will try to answer your 2nd questions.... will it work... yes.  It is like any other radius server (high end:))  But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD.  Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest acounts and if you look at it, it leaves everything in the DMZ.
    Now if you are looking at the self service.... what does that really give you.... you won't be able to controll who gets on, people will use bogus info and last but not least.... I have never gotten that to work right.  Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that.  That is my opinion.

  • NAC Guest Server with LDAP

    Hello,
    I'm trying to get a NAC Guest server associated with an LDAP Server.
    I was able to get the NAC Manager working with the same parameters, but the Guest isn't working tough.
    My question is...where can I find useful logs about LDAP authentication withing the Guest Server?
    any ideas?
    thanks.

    Dennis,
    Bump up the logging on all categories and check in the ensuing support logs. Also doing a packet capture might show you more information on what's going on.
    HTH,
    Faisal

  • NAC Guest Server and WLC, WCS

    I have setup a NAC Guest Server to allow users to sign up guest account via Active Directory. How do I tight this into WLC or WCS?

    Hi
    Try this:
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00809d6b9a.shtml
    Regards
    Greg

  • NAC Guest server with tokens

    Has anybody implemented NAC guest server in conjunction with SMS tokens.
    Is there some docs. on how to?

    The following APIs allow administrators to create, delete, and view local user accounts on the CAM:
    •getlocaluserlist
    •addlocaluser
    •deletelocaluser
    Local users are those internally validated by the CAM as opposed to an external authentication server. These APIs are intended to support guest access for dynamic token user access generation, providing the ability to:
    •Use a webpage to access Cisco NAC Appliance API to insert a visitor username/password combination, such as [email protected]/jdoe112805, and then assign a role, such as guest1day.
    •Delete all guest users associated with the guest access role for that day.
    •List all usernames associated with the guest access role.
    These APIs support most implementations of guest user access dynamic token/password generation and allow the removal of those users for a guest role.
    You must create the front-end generation password/token. For accounting purposes, Cisco NAC Appliance provides RADIUS accounting functionality only.
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_apiapx.html#wp1012025

  • Wired WebAuth only with NAC Guest Server (No ACS)

    Ok, I have been fighting this for two days now.  I want to use the webauth function on some of our Cisco 3750Gs ver
    12.2(55)SE5 for guest access.  I'm trying to use our NAC Guest Server ver: 2.0.3 as the backend portal and Radius server.  We do not have ACS or any of the other components of ISE or NAC.  I think the issue is the NGS server is not sending the d(ACL) back to switch.  Guest work work fine from our WLCs. 
    switch debug:   No Attributes in swtich debug
    Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Config NAS IP: 199.46.201.26
    Mar 22 12:56:00.448 CDT: RADIUS/ENCODE(0000030C): acct_session_id: 1012
    Mar 22 12:56:00.448 CDT: RADIUS(0000030C): sending
    Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Send Access-Request to 10.199.33.20:1812 id 1645/19, len 177
    Mar 22 12:56:00.448 CDT: RADIUS:  authenticator 99 95 59 55 09 A9 D9 E1 - 2B 01 90 36 1B 8A 41 92
    Mar 22 12:56:00.448 CDT: RADIUS:  User-Name           [1]   20  "[email protected]"
    Mar 22 12:56:00.448 CDT: RADIUS:  User-Password       [2]   18  *
    Mar 22 12:56:00.448 CDT: RADIUS:  Framed-IP-Address   [8]   6   199.46.201.231
    Mar 22 12:56:00.448 CDT: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    Mar 22 12:56:00.448 CDT: RADIUS:  Message-Authenticato[80]  18
    Mar 22 12:56:00.448 CDT: RADIUS:   A2 57 B5 F2 A6 FB 46 71 D0 EA 26 54 95 90 F4 D0             [ WFq&T]
    Mar 22 12:56:00.448 CDT: RADIUS:  Vendor, Cisco       [26]  49
    Mar 22 12:56:00.448 CDT: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=C72EC91A000002FC0A6CD698"
    Mar 22 12:56:00.448 CDT: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Mar 22 12:56:00.448 CDT: RADIUS:  NAS-Port            [5]   6   50106
    Mar 22 12:56:00.448 CDT: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/6"
    Mar 22 12:56:00.448 CDT: RADIUS:  NAS-IP-Address      [4]   6   199.46.201.26
    Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Started 5 sec timeout
    Mar 22 12:56:01.454 CDT: RADIUS: Received from id 1645/19 10.199.33.20:1812, Access-Reject, len 20
    Mar 22 12:56:01.454 CDT: RADIUS:  authenticator 92 98 05 84 6E 4B CF DD - B5 D7 90 25 10 59 7B E7
    Mar 22 12:56:01.454 CDT: RADIUS(0000030C): Received from id 1645/19
    NGS log:
    rad_recv: Access-Request packet from host 199.46.201.26 port 1645, id=19, length=177
        User-Name = "[email protected]"
        User-Password = "5rRmpPt9"
        Framed-IP-Address = 199.46.201.231
        Service-Type = Outbound-User
        Message-Authenticator = 0xa257b5f2a6fb4671d0ea26549590f4d0
        Cisco-AVPair = "audit-session-id=C72EC91A000002FC0A6CD698"
        NAS-Port-Type = Ethernet
        NAS-Port = 50106
        NAS-Port-Id = "GigabitEthernet1/0/6"
        NAS-IP-Address = 199.46.201.26
    +- entering group authorize {...}
    [radius-user-auth]     expand: %{User-Name} -> [email protected]
    [radius-user-auth]     expand: %{User-Password} -> 5rRmpPt9
    [radius-user-auth]     expand: %{NAS-IP-Address} -> 199.46.201.26
    [radius-user-auth]     expand: %{Calling-Station-Id} ->
    Exec-Program output:                          Note:  no attributes here
    Exec-Program: returned: 1
    ++[radius-user-auth] returns reject
    Delaying reject of request 12 for 1 seconds
    Going to the next request
    Waking up in 0.6 seconds.
    Similar debug from NGS but auth request from WLC: See attributes are sent to wlc although not needed
    rad_recv: Access-Request packet from host 10.100.16.100 port 32770, id=22, length=152
        User-Name = "[email protected]"
        User-Password = "5rRmpPt9"
        Service-Type = Login-User
        NAS-IP-Address = 10.100.16.100
        NAS-Port = 13
        NAS-Identifier = "ICTWLC01"
        NAS-Port-Type = Ethernet
        Airespace-Wlan-Id = 514
        Calling-Station-Id = "10.198.12.211"
        Called-Station-Id = "10.100.16.100"
        Message-Authenticator = 0xc9383e767f0c228a2b8a0ece7069f366
    +- entering group authorize {...}
    [radius-user-auth]     expand: %{User-Name} -> [email protected]
    [radius-user-auth]     expand: %{User-Password} -> 5rRmpPt9
    [radius-user-auth]     expand: %{NAS-IP-Address} -> 10.100.16.100
    [radius-user-auth]     expand: %{Calling-Station-Id} -> 10.198.12.211
    Exec-Program output: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
    Exec-Program-Wait: plaintext: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
    Exec-Program: returned: 0
    ++[radius-user-auth] returns ok
    [files] users: Matched entry DEFAULT at line 1
    ++[files] returns ok
    Found Auth-Type = Accept
    Auth-Type = Accept, accepting the user
    +- entering group post-auth {...}
    [sql]     expand: %{User-Name} -> [email protected]
    [sql] sql_set_user escaped user --> '[email protected]'
    [sql]     expand: %{User-Password} -> 5rRmpPt9
    [sql]     expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('[email protected]', '5rRmpPt9', 'Access-Accept', NOW())
    rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('[email protected]', '5rRmpPt9', 'Access-Accept', NOW())
    rlm_sql (sql): Reserving sql socket id: 12
    rlm_sql_postgresql: Status: PGRES_COMMAND_OK
    rlm_sql_postgresql: query affected rows = 1
    rlm_sql (sql): Released sql socket id: 12
    ++[sql] returns ok
    Sending Access-Accept of id 22 to 10.100.16.100 port 32770
    Finished request 4.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Accounting-Request packet from host 10.100.16.100 port 32770, id=30, length=170
    config:
    aaa new-model
    aaa authentication login default group radius
    aaa authentication login console group tacacs+ line
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default group tacacs+ none
    aaa authorization auth-proxy default group radius
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting exec default stop-only group tacacs+
    aaa accounting commands 15 default stop-only group tacacs+
    ip device tracking
    ip auth-proxy auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C
    ip auth-proxy proxy http login expired page file flash:expired.html
    ip auth-proxy proxy http login page file flash:login.html
    ip auth-proxy proxy http success page file flash:success.html
    ip auth-proxy proxy http failure page file flash:failed.html
    ip admission auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C
    ip admission proxy http login expired page file flash:expired.html
    ip admission proxy http login page file flash:login.html
    ip admission proxy http success page file flash:success.html
    ip admission proxy http failure page file flash:failed.html
    ip admission name web-auth-guest proxy http inactivity-time 60
    dot1x system-auth-control
    identity policy FAILOPEN
    access-group PERMIT
    interface GigabitEthernet1/0/6
    switchport access vlan 301
    switchport mode access
    ip access-group pre-webauth-guest in
    no logging event link-status
    srr-queue bandwidth share 10 10 60 20
    queue-set 2
    priority-queue out
    mls qos trust device cisco-phone
    mls qos trust dscp
    no snmp trap link-status
    auto qos voip cisco-phone
    spanning-tree portfast
    spanning-tree bpduguard enable
    service-policy input AutoQoS-Police-CiscoPhone
    ip admission web-auth-guest
    ip http server
    ip http secure-server
    ip access-list extended PERMIT
    permit ip any any
    ip access-list extended pre-webauth-guest
    permit udp any any eq bootps
    permit udp any any eq domain
    permit tcp any host 10.199.33.20 eq 8443
    permit tcp any host 10.199.33.21 eq 8443
    permit tcp any host 10.100.255.90 eq 8443
    deny   ip any any log
    ip radius source-interface Vlan301
    radius-server attribute 8 include-in-access-req
    radius-server dead-criteria tries 2
    radius-server host 10.199.33.20 auth-port 1812 acct-port 1813 key 7 022E5C782C130A74586F1C0D0D
    radius-server vsa send authentication
    I get the login and AUP page then the failed page... I never see the priv-lvl 15 or the proxyacl?  How do I do this with Guest server only?
    Help!

    Without the ACS, only with the NAC guest is possible?
    They can send me sample configuration?

  • NAC Guest Server, unable to login with sponsor

    We have a Cisco NAC Guest Server (version 2.0.5).
    I created some sponsors and wanted them to be in another sponsor user group than the default group. So I created a sponsor user group and changed the group permissions (Allow Login is set to Yes, edit account .. are set to Own Accounts).
    No I wanted to try out the new sponsors but I can't login to the NAC Server. I get a "username or password invalid" as reply. If I change the sponsor user group of the user to DEFAULT, everything is working.
    The logfile on the NAC Server shows the following error:
    Oct  4 13:05:14 s100059 NGS_SPONSOR: [audit NGS 0 10.106.161.5] Login failure: xxx
    xxx is the username of the sponsor.
    Why can't I login with the sponsor when he's in anoter sponsor group than DEFAULT?
    Martin

    If credentials work on CCMuser CUPSuser I would suspect either some kind of communication problem between the clients and the servers and/or misconfiguration (user/device/line association, device owner, roles, CTI/CCMCIP profiles, etc) on CUCM/CUPS.
    Specially because you mention the same happens with CUPC.
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • Wired WebAuth with NAC Guest Server

    Hi,
    I am trying to get wired WebAuth working with NAC Guest Server. In the switch_login.html file example, what should be changed for this line:
    ngsOptions.actionUrl = https://1.1.1.1/;
    Should this be an IP address on the switch? Shoul I have this pointing to the success.html page like this:
    ngsOptions.actionUrl = "https://1.1.1.1/success.html";
    When I log on, and accept the AUP, my browser just sits there trying to access Https://1.1.1.1/?redirect-url=blah blah blah
    Thanks,
    Peter

    FYI,
    In my case I WAS getting the switch_login.html web page being displayed, but after entering credentials and submitting the Acceptable Use Policy page, I did NOT 'see' any radius traffic between the switch (C2960S 12.2(55)SE3) and the ACS 5.3 radius server?!.
    I used the sample .html docs that you can find on the NAC Guest Server in the 'samples' folder on that server. I used WCP app to copy them to my PC/laptop before modifying where relevant and copying to flash on switch and to the wireless 'hotspot' folders on the NGS.
    I went through the following document in url below line by line, paragraph by paragraph and found that I had left out the following command in the configuration:
    aaa authentication login default group radius
    see doc at:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/WebAuth/WebAuth_Dep_Guide.html#wp392553
    So I added it in and I am now seeing the radius debug traffic being redirected to the ACS by the switch when a user submits the credentials.
    aaa new-model
    aaa authentication login default group radius
    aaa authentication login VTY-USER-LOGIN local
    aaa authentication dot1x default group radius
    aaa authorization console
    aaa authorization exec EXEC-LOCAL local
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    with debug radius enabled:
    Feb  1 13:36:09 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to down
    TEST-802.1X#
    Feb  1 13:36:10 PST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to down
    TEST-802.1X#
    Feb  1 13:36:18 PST: %AUTHMGR-5-START: Starting 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    TEST-802.1X#
    Feb  1 13:36:20 PST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to up
    Feb  1 13:36:21 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to up
    TEST-802.1X#
    Feb  1 13:36:27 PST: %DOT1X-5-FAIL: Authentication failed for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID
    Feb  1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27 PST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27 PST: %AUTHMGR-5-START: Starting 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27.367 PST: RADIUS/ENCODE(0000058E):Orig. component type = DOT1X
    Feb  1 13:36:27.367 PST: RADIUS(0000058E): Config NAS IP: 10.167.64.74
    Feb  1 13:36:27.367 PST: RADIUS/ENCODE(0000058E): acct_session_id: 1421
    Feb  1 13:36:27.367 PST: RADIUS(0000058E): sending
    Feb  1 13:36:27.367 PST: RADIUS(0000058E): Send Access-Request to 10.167.77.70:1645 id 1645/14, len 211
    Feb  1 13:36:27.372 PST: RADIUS:  authenticator 2E F0 62 2D 43 D9 7D 2A - 7C 88 0A 52 B9 6E 78 A8
    Feb  1 13:36:27.372 PST: RADIUS:  User-Name           [1]   14  "848f69f0fcc7"
    Feb  1 13:36:27.372 PST: RADIUS:  User-Password       [2]   18  *
    Feb  1 13:36:27.372 PST: RADIUS:  Service-Type        [6]   6   Call Check                [10]
    Feb  1 13:36:27.372 PST: RADIUS:  Framed-MTU          [12]  6   1500                     
    Feb  1 13:36:27.372 PST: RADIUS:  Called-Station-Id   [30]  19  "20-37-06-C8-68-84"
    Feb  1 13:36:27.372 PST: RADIUS:  Calling-Station-Id  [31]  19  "84-8F-69-F0-FC-C7"
    Feb  1 13:36:27.372 PST: RADIUS:  Message-Authenticato[80]  18 
    Feb  1 13:36:27.372 PST: RADIUS:   11 20 B4 9A B6 E2 56 30 AC EC 43 CD 17 13 3E 14             [  V0C>]
    Feb  1 13:36:27.372 PST: RADIUS:  EAP-Key-Name        [102] 2   *
    Feb  1 13:36:27.372 PST: RADIUS:  Vendor, Cisco       [26]  49 
    Feb  1 13:36:27.372 PST: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0AA7404A0000054E16335518"
    Feb  1 13:36:27.372 PST: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Feb  1 13:36:27.372 PST: RADIUS:  NAS-Port            [5]   6   50104                    
    Feb  1 13:36:27.372 PST: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/4"
    Feb  1 13:36:27.372 PST: RADIUS:  NAS-IP-Address      [4]   6   10.167.64.74             
    Feb  1 13:36:27.372 PST: RADIUS(0000058E): Started 5 sec timeout
    Feb  1 13:36:27.377 PST: RADIUS: Received from id 1645/14 10.167.77.70:1645, Access-Reject, len 38
    Feb  1 13:36:27.377 PST: RADIUS:  authenticator 68 CE 3D C8 C3 BC B2 69 - DB 33 F5 C0 FF 30 D6 33
    Feb  1 13:36:27.377 PST: RADIUS:  Message-Authenticato[80]  18 
    Feb  1 13:36:27.377 PST: RADIUS:   82 3D 31 0A C7 A2 E0 62 D5 B7 6B 26 B8 A0 0B 46            [ =1bk&F]
    Feb  1 13:36:27.377 PST: RADIUS(0000058E): Received from id 1645/14
    Feb  1 13:36:27 PST: %MAB-5-FAIL: Authentication failed for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27 PST: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27 PST: %AUTHMGR-5-START: Starting 'webauth' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'success' from 'webauth' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27 PST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
    Feb  1 13:36:27.933 PST: RADIUS/ENCODE(0000058E):Orig. component type = DOT1X
    Feb  1 13:36:27.933 PST: RADIUS(0000058E): Config NAS IP: 10.167.64.74
    Feb  1 13:36:27.933 PST: RADIUS(0000058E): sending
    Feb  1 13:36:27.933 PST: RADIUS(0000058E): Send Accounting-Request to 10.167.77.70:1646 id 1646/151, len 100
    Feb  1 13:36:27.933 PST: RADIUS:  authenticator D0 F0 04 F3 A5 08 90 BE - A9 07 8D 32 1B 0E 93 AC
    Feb  1 13:36:27.933 PST: RADIUS:  Acct-Session-Id     [44]  10  "0000058D"
    Feb  1 13:36:27.933 PST: RADIUS:  Framed-IP-Address   [8]   6   10.167.72.52             
    Feb  1 13:36:27.933 PST: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    Feb  1 13:36:27.933 PST: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
    Feb  1 13:36:27.933 PST: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Feb  1 13:36:27.933 PST: RADIUS:  NAS-Port            [5]   6   50104                    
    Feb  1 13:36:27.933 PST: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/4"
    Feb  1 13:36:27.933 PST: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Feb  1 13:36:27.933 PST: RADIUS:  NAS-IP-Address      [4]   6   10.167.64.74             
    Feb  1 13:36:27.933 PST: RADIUS:  Acct-Delay-Time     [41]  6   0                        
    TEST-802.1X#
    Feb  1 13:36:27.938 PST: RADIUS(0000058E): Started 5 sec timeout
    Feb  1 13:36:27.938 PST: RADIUS: Received from id 1646/151 10.167.77.70:1646, Accounting-response, len 20
    Feb  1 13:36:27.938 PST: RADIUS:  authenticator C2 DC 8D C7 B1 35 67 D9 - 28 2B 56 E4 4A 1E AD 65
    At this point the user enters the credentials on the switch_login.html page and the clicks Submit on the Acceptable Use Policy splash page.
    TEST-802.1X#
    Feb  1 13:36:41.413 PST: RADIUS/ENCODE(0000058F):Orig. component type = AUTH_PROXY
    Feb  1 13:36:41.413 PST: RADIUS(0000058F): Config NAS IP: 10.167.64.74
    Feb  1 13:36:41.413 PST: RADIUS/ENCODE(0000058F): acct_session_id: 1422
    Feb  1 13:36:41.413 PST: RADIUS(0000058F): sending
    Feb  1 13:36:41.413 PST: RADIUS(0000058F): Send Access-Request to 10.167.77.70:1645 id 1645/15, len 176
    Feb  1 13:36:41.413 PST: RADIUS:  authenticator 6D 34 7E D6 34 B5 CB AC - 09 1F AC 5A 34 97 7D 6B
    Feb  1 13:36:41.413 PST: RADIUS:  User-Name           [1]   11  "testuser1"
    Feb  1 13:36:41.413 PST: RADIUS:  User-Password       [2]   18  *
    Feb  1 13:36:41.413 PST: RADIUS:  Calling-Station-Id  [31]  14  "ip|G
    Feb  1 13:36:41.413 PST: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    Feb  1 13:36:41.413 PST: RADIUS:  Message-Authenticato[80]  18 
    Feb  1 13:36:41.413 PST: RADIUS:   F8 4D 85 64 05 5E C9 1D D8 11 B2 A3 1A 3A 76 E0             [ Md^:v]
    Feb  1 13:36:41.413 PST: RADIUS:  Vendor, Cisco       [26]  49 
    Feb  1 13:36:41.418 PST: RADIUS:   Cisco AVpair       [1]   43  "audit-session-id=0AA7404A0000054E16335518"
    Feb  1 13:36:41.418 PST: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Feb  1 13:36:41.418 PST: RADIUS:  NAS-Port            [5]   6   50104                    
    Feb  1 13:36:41.418 PST: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/4"
    Feb  1 13:36:41.418 PST: RADIUS:  NAS-IP-Address      [4]   6   10.167.64.74             
    Feb  1 13:36:41.418 PST: RADIUS(0000058F): Started 5 sec timeout
    Feb  1 13:36:41.424 PST: RADIUS: Received from id 1645/15 10.167.77.70:1645, Access-Accept, len 173
    Feb  1 13:36:41.424 PST: RADIUS:  authenticator 28 48 DE B5 1A 0A 71 5A - 3B 8B 7A 12 FB EA 01 58
    Feb  1 13:36:41.424 PST: RADIUS:  User-Name           [1]   11  "testuser1"
    Feb  1 13:36:41.424 PST: RADIUS:  Class               [25]  28 
    Feb  1 13:36:41.424 PST: RADIUS:   43 41 43 53 3A 78 62 63 2D 61 63 73 2F 31 31 36  [CACS:xbc-acs/116]
    Feb  1 13:36:41.424 PST: RADIUS:   34 37 33 32 33 39 2F 31 36 36        [ 473239/166]
    Feb  1 13:36:41.424 PST: RADIUS:  Session-Timeout     [27]  6   3600                     
    Feb  1 13:36:41.424 PST: RADIUS:  Termination-Action  [29]  6   1                        
    Feb  1 13:36:41.424 PST: RADIUS:  Message-Authenticato[80]  18 
    Feb  1 13:36:41.424 PST: RADIUS:   10 80 26 5D 02 C5 15 0C A8 16 AA 35 14 C9 4F 14              [ &]5O]
    Feb  1 13:36:41.424 PST: RADIUS:  Vendor, Cisco       [26]  19 
    Feb  1 13:36:41.429 PST: RADIUS:   Cisco AVpair       [1]   13  "priv-lvl=15"
    Feb  1 13:36:41.429 PST: RADIUS:  Vendor, Cisco       [26]  65 
    Feb  1 13:36:41.429 PST: RADIUS:   Cisco AVpair       [1]   59  "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-GuestACL-4eefc9a0"
    Feb  1 13:36:41.429 PST: RADIUS(0000058F): Received from id 1645/15
    Feb  1 13:36:41.439 PST: RADIUS/ENCODE(0000058F):Orig. component type = AUTH_PROXY
    Feb  1 13:36:41.439 PST: RADIUS(0000058F): Config NAS IP: 10.167.64.74
    Feb  1 13:36:41.439 PST: RADIUS(0000058F): sending
    Feb  1 13:36:41.439 PST: RADIUS/ENCODE(00000000):Orig. component type = INVALID
    Feb  1 13:36:41.444 PST: RADIUS(00000000): Config NAS IP: 10.167.64.74
    Feb  1 13:36:41.444 PST: RADIUS(00000000): sending
    Feb  1 13:36:41.450 PST: RADIUS(0000058F): Send Accounting-Request to 10.167.77.70:1646 id 1646/152, len 119
    Feb  1 13:36:41.450 PST: RADIUS:  authenticator 23 E3 DA C3 06 5B 37 20 - 67 E2 96 C5 90 1C 71 33
    Feb  1 13:36:41.450 PST: RADIUS:  Acct-Session-Id     [44]  10  "0000058E"
    Feb  1 13:36:41.450 PST: RADIUS:  Calling-Station-Id  [31]  14  "10.167.72.52"
    Feb  1 13:36:41.450 PST: RADIUS:  User-Name           [1]   11  "testuser1"
    Feb  1 13:36:41.450 PST: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    Feb  1 13:36:41.455 PST: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
    Feb  1 13:36:41.455 PST: RADIUS:  NAS-Port-Type       [61]  6   Ethernet                  [15]
    Feb  1 13:36:41.455 PST: RADIUS:  NAS-Port            [5]   6   50104                    
    Feb  1 13:36:41.455 PST: RADIUS:  NAS-Port-Id         [87]  22  "GigabitEthernet1/0/4"
    Feb  1 13:36:41.455 PST: RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    Feb  1 13:36:41.455 PST: RADIUS:  NAS-IP-Address      [4]   6   10.167.64.74             
    Feb  1 13:36:41.455 PST: RADIUS:  Acct-Delay-Time     [41]  6   0                        
    Feb  1 13:36:41.455 PST: RADIUS(0000058F): Started 5 sec timeout
    Feb  1 13:36:41.455 PST: RADIUS(00000000): Send Access-Request to 10.167.77.70:1645 id 1645/16, len 137
    Feb  1 13:36:41.455 PST: RADIUS:  authenticator 02 B0 50 47 EE CC FB 54 - 2A B6 14 23 63 86 DE 18
    Feb  1 13:36:41.455 PST: RADIUS:  NAS-IP-Address      [4]   6   10.167.64.74             
    Feb  1 13:36:41.455 PST: RADIUS:  User-Name           [1]   31  "#ACSACL#-IP-GuestACL-4eefc9a0"
    Feb  1 13:36:41.455 PST: RADIUS:  Vendor, Cisco       [26]  32 
    Feb  1 13:36:41.455 PST: RADIUS:   Cisco AVpair       [1]   26  "aaa:service=ip_admission"
    Feb  1 13:36:41.455 PST: RADIUS:  Vendor, Cisco       [26]  30 
    Feb  1 13:36:41.455 PST: RADIUS:   Cisco AVpair       [1]   24  "aaa:event=acl-download"
    Feb  1 13:36:41.455 PST: RADIUS:  Message-Authenticato[80]  18 
    Feb  1 13:36:41.455 PST: RADIUS:   15 EC 10 E7 2F 67 33 DD BC B5 AE 11 E3 C3 19 E1               [ /g3]
    Feb  1 13:36:41.455 PST: RADIUS(00000000): Started 5 sec timeout
    Feb  1 13:36:41.455 PST: RADIUS: Received from id 1646/152 10.167.77.70:1646, Accounting-response, len 20
    Feb  1 13:36:41.455 PST: RADIUS:  authenticator AB 0F 81 95 71 A9 61 E0 - 5B B5 D3 2E 8D A2 68 98
    Feb  1 13:36:41.460 PST: RADIUS: Received from id 1645/16 10.167.77.70:1645, Access-Accept, len 560
    Feb  1 13:36:41.460 PST: RADIUS:  authenticator 64 53 94 79 CF CD 05 B0 - ED 12 5C 5B A0 AB 4F FA
    Feb  1 13:36:41.460 PST: RADIUS:  User-Name           [1]   31  "#ACSACL#-IP-GuestACL-4eefc9a0"
    Feb  1 13:36:41.460 PST: RADIUS:  Class               [25]  28 
    Feb  1 13:36:41.460 PST: RADIUS:   43 41 43 53 3A 78 62 63 2D 61 63 73 2F 31 31 36  [CACS:xbc-acs/116]
    Feb  1 13:36:41.460 PST: RADIUS:   34 37 33 32 33 39 2F 31 36 38        [ 473239/168]
    Feb  1 13:36:41.460 PST: RADIUS:  Message-Authenticato[80]  18 
    Feb  1 13:36:41.460 PST: RADIUS:   A1 E6 37 EB 60 3A 28 35 92 56 C5 A9 27 7D 2C E9         [ 7`:(5V'},]
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  38 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   32  "ip:inacl#1=remark **Allow DHCP"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  57 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   51  "ip:inacl#2=permit udp any eq bootpc any eq bootps"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  37 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   31  "ip:inacl#3=remark **Allow DNS"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  47 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   41  "ip:inacl#4=permit udp any any eq domain"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  61 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   55  "ip:inacl#5=remark **Deny access to Corporate Networks"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  53 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   47  "ip:inacl#6=deny ip any 10.0.0.0 0.255.255.255"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  45 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   39  "ip:inacl#7=remark **Permit icmp pings"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  38 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   32  "ip:inacl#8=permit icmp any any"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  50 
    TEST-802.1X#
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   44  "ip:inacl#9=remark **Permit everything else"
    Feb  1 13:36:41.460 PST: RADIUS:  Vendor, Cisco       [26]  37 
    Feb  1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   31  "ip:inacl#10=permit ip any any"
    Feb  1 13:36:41.465 PST: RADIUS(00000000): Received from id 1645/16
    TEST-802.1X#
    TEST-802.1X#
    TEST-802.1X# 
    interface config looks like:
    interface GigabitEthernet1/0/4
    description **User/IPphone/Guest
    switchport access vlan 702
    switchport mode access
    switchport voice vlan 704
    ip access-group PRE-AUTH in
    srr-queue bandwidth share 1 30 35 5
    queue-set 2
    priority-queue out
    authentication event fail action next-method
    authentication event server dead action authorize
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab webauth
    authentication priority dot1x mab webauth
    authentication port-control auto
    authentication fallback WEB_AUTH_PROFILE
    mab
    mls qos trust device cisco-phone
    mls qos trust cos
    dot1x pae authenticator
    dot1x timeout tx-period 3
    auto qos voip cisco-phone
    spanning-tree portfast
    service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

  • Cisco NAC Guest Server for Wireless Users integration with IP telephony

    Hi Team
    I have a client who has the following requirement. The cleint requires a Guest server inorder to serve wireless needs for guests at their office. They want the guest to get their authentication codes via SMS. The cleint will have a lobby IP Phone where the guest will press the services button confgiured on the IP Phone. IT will then prompt the guest to enter his mobile number. Once the guest enters his mobile number, the guest will recieve a text via sms gateway with login credentials. They want to offload this from the receptionist and it is for this reason that they require this functionality.
    Has anyone done this sort of deployment ? We have already proposed NAC guest server and Wireless controller but we do not know whether the XML application for subscribing the service on the IP Phone is available directly with cisco or does it need to developed.
    Kindly advice on the same.
    Regards
    Azeem

    Hi Vishal,
    Please note that if you want to return ACLs (and usually in wired web auth you need to), you will have to integrate with ACS as NGS itself cannot return ACLs in the reply radius attributes.
    Basically the process is as follows:
    1 - Client plugs cable on switch.
    2 - Web auth is triggered on the port.
    3 - default ACL permiting only DNS and DHCP is applyed so that the client PC can obtain IP address and open a browser.
    4 - Client will be redirected to the NGS hotspot login page.
    5 - Client will enter credentials.
    6 - Client broswer will send an HTTP POST packet containing the credentials.
    7 - The switch will intercept the POS packets and retrieve the credentials entered.
    8 - The switch will send Radius Access-Request to the ACS.
    9 - The ACS will use the NGS as External Identity source to authenticate the client.
    10 - The NGS will reply with Radius Access-Accept to the ACS and the ACS will reply to the switch including the ACL in the Access-Accept.
    11 - the Switch authorizes the client on the port and applies the ACL it received from the ACS.
    Please follow the document Nicolas posted as it is a good one.
    HTH,
    Thanks

  • Guest Wireless Users Not Able to Get to NAC Guest Server

    First of all, I appreciate any of the help that can be offered on the post.  Your solutions and suggestions have been valuable, in the past!
    Here's the scenario.  I have two internal WLC's, and one anchor mobility server, in the DMZ.  The internal controllers are part of the 10.x.x.x range, while the DMZ WLC is in the 192.168.1.x range.  We also have a NAC Guest Server, in the DMZ that has a 192.168.1.x address.  Here's the problem, when a guest user uses our guest SSID, they're assigned a 172.16.x.x address, their traffic is intercepted, and they're presented with a login page.  If they don't have login credentials, there's a "Register Here" link that takes them to the NAC Guest Server to self-register.  When they click the "Register Here" link, for some reason they can't get to the NAC guest server.  If I bring up a command prompt, and type in "telnet 192.168.1.x 80", it connects.  The odd thing is that when I was testing, if I login with guest credentials, and then try to go to the NAC Guest Server self-service page, I can get to it with no problem.  Would anyone have any ideas as to why?

    I may have missed something here, but isn't the point of the guest portal that you can't get anywhere on the network (except the guest portal) until you have authenticated?

  • NAC guest server-user poster assesment problem

    Dear all,
    Please assist me for NAC guest server poster assesment issue.
    Scenario is like we have NAC guest server and all wireless guest users authenticate through Guest Server.
    Its working fine.
    But customer  wants to apply poster assement on guest users through existing CAS and CAM.
    Guest_users-------AP-------WLC------- NAC_Guest_Server----------internet

    Thanks for reply.
    Actually in my network we have cas and cam integrate with WLC for internal users. Its working fine.No issue. Poster assesment and authentication working fine.
    We have also NGS server which is integrate with WLC for web authentication fow guest wireless users.
    It is also working fine.Authentication happened through NGS server succesfully.
    But now I wanted to force poster assesment for wireless guest users which are authenticated through NGS server.

  • NAC guest server and guest proxy filtering issue.

    Hi all
    Continuing our issues log for the NAC guest server install, our toplogy and issue is as follows:
    We have a guest NAC server and a 4404 anchor controller successfully deployed in the DMZ, the anchor WLC has a mobilty anchor which is a WISM on the corporate network, DHCP services for guest clients are issued with no problems from the WLC in the DMZ. The first port of the DMZ controller is located on the DMZ and the second port directly connects to the firewall interface.
    All works correctly, DNS, DHCP, NTP, SNMP etc all work fine through the firewall.
    What options do I have to filter Internet access in this scenario, we have Websense and Nokia firewalls, don't think I can use WCCP as I have nowhere to place it, the second connection on the WLC is directly connected to the firewal so nowhere to intercept the traffic, our security team has tried some tricks on the Nokia to try to redirect the traffic on the firewall using a type of redirect, WPAD, I can't see as an option. Any ideas. If I place the second interface into the DMZ, could I use WCCP that way maybe, but won't traffic still have to go to the firewall??
    options please ??

    Well you will need to use a 3rd party certificate..  Here is a link to generate and install a 3rd party certificate on the WLC for the use with Web-Auth:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    Here is a link for the NGS:
    http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fsecurity%2Fnac%2Fappliance%2Fconfiguration_guide%2F410%2Fcas%2Fcas41ug.pdf&pos=1&strqueryid=2&websessionid=RK88fQNWy8TCDUakpNGLOqZ
    The applicances are using a self generated Cisco certificate which of course is not a trusted certificate store in most of all operating systems.  So using a 3rd party certificate like RapidSSL, Verisign, etc will eliminate the certificate issue.

  • NAC Guest Server, How to change the password for a single user?

    We have a NAC Guest Server which creates a complex password for all new users created.
    We would like to have normal/simple password for a single user. How can I get this done on a NAC Guest Server.
    Thanks in advance.

    Hi,
    You can setup 3 different flavours of passwords:
    http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_guestpol.html#wp1063249.
    a. Username Policy 1 - Email address as username
    Use the guest's email address as the username. If an overlapping account with the same email address exists, a random number is added to the end of the email address to make the username unique. Overlapping accounts are accounts that have the same email address and are valid for an overlapping period of time.
    b. Username Policy 2 - Create username based on first and last names
    Create a username based on combining the first name and last name of the guest. You can set a Minimum username length for this username from 1 to 20 characters (default is 10). User names shorter than the minimum length are padded up to the minimum specified length with a random number.
    c. Username Policy 3 - Create random username
    Create a username based upon a random mixture of Alphabetic, Numeric or Other characters. Type the characters to include to generate the random characters and the number to use from each set of characters.
    Note: The total length of the username is determined by the total number of characters included.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • NAC Guest Server - Self Service

    Hello all,
    I have a problem with NAC Guest Server and the self service feature.
    When I use the self service feature with auto login it works fine.
    But the customer would like to disable the auto login feature and the guest has to fill in his username /password.
    These credentials will created by the NAC
    When I click "add user", there is the message: user successful created.
    but I don't have the possibilty to reach the login page with username/password with my browser.
    But There is no redirect to the login page with username/password and when I refresh the browser or restat my browser, I will always reach the "self service" page.
    I hope someone had a similar problem and can help.
    thanks
    Martin

    have you allowed pop-ups on the browsers?
    did you try switching the browser?
    Regards
    F.H

Maybe you are looking for