Cisco NAC Authentication Server Order?

Hi all,
1_ Is there a way to specify an order for the authentication servers on NAC Manager v4.7.2? What the customer needs is: if the primary auth server (AD) fails, then it fails over to RADIUS. Is this possible?
2_ Is there a way to map a role to an auth server?
Thanks in advance.
Dumlu

Dumlu,
If you're setting up AD SSO, this is the way it works right now. You'll have to define either a RADIUS or an LDAP auth provider, and then if the AD SSO fails, they would be given the choice to log in using that provider.
For your other question, yes, you can map roles to providers. When you define a provider you can provide a default role that the provider will use.
HTH,
Faisal

Similar Messages

  • Cisco NAC Guest Server for Wireless Users integration with IP telephony

    Hi Team
    I have a client who has the following requirement. The client requires a Guest Server in order to serve wireless needs for guests at their office. They want the guest to get their authentication codes via SMS. The client will have a lobby IP Phone where the guest will press the Services button configured on the IP Phone. It will then prompt the guest to enter his mobile number. Once the guest enters his mobile number, the guest will receive a text via an SMS gateway with login credentials. They want to offload this from the receptionist and it is for this reason that they require this functionality.
    Has anyone done this sort of deployment? We have already proposed NAC Guest Server and a Wireless Controller but we do not know whether the XML application for subscribing to the service on the IP Phone is available directly from Cisco or whether it needs to be developed.
    Kindly advise on the same.
    Regards
    Azeem

    Hi Vishal,
    Please note that if you want to return ACLs (and usually in wired web auth you need to), you will have to integrate with ACS as NGS itself cannot return ACLs in the reply radius attributes.
    Basically the process is as follows:
    1 - Client plugs cable on switch.
    2 - Web auth is triggered on the port.
    3 - A default ACL permitting only DNS and DHCP is applied so that the client PC can obtain an IP address and open a browser.
    4 - Client will be redirected to the NGS hotspot login page.
    5 - Client will enter credentials.
    6 - Client browser will send an HTTP POST packet containing the credentials.
    7 - The switch will intercept the POST packets and retrieve the credentials entered.
    8 - The switch will send a RADIUS Access-Request to the ACS.
    9 - The ACS will use the NGS as External Identity source to authenticate the client.
    10 - The NGS will reply with a RADIUS Access-Accept to the ACS and the ACS will reply to the switch including the ACL in the Access-Accept.
    11 - The switch authorizes the client on the port and applies the ACL it received from the ACS.
    Please follow the document Nicolas posted as it is a good one.
    HTH,
    Thanks
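The eleven steps above are a protocol exchange, so here is an added example (not code from the thread, from Cisco or from the NGS/ACS products) that models steps 8 to 11 in Python: the switch builds a RADIUS Access-Request with the User-Password hidden as RFC 2865 prescribes, the server checks the credentials against a constructed user table standing in for the NGS identity source, answers Access-Accept or Access-Reject, and the switch verifies the Response Authenticator before applying the returned ACL. The user table, the ACL names, the shared secret and the choice to carry the ACL name in the standard Filter-Id attribute (11) are assumptions made for the example; which attribute a given ACS uses to deliver the ACL is not stated in the thread.

```python
import hashlib
import secrets
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, FILTER_ID = 1, 2, 11

# Constructed stand-in for the NGS-backed identity source consulted by the ACS:
# username -> (password, name of the ACL the switch applies after Access-Accept)
USERS = {"guest01": ("Welcome-2012", "GUEST-WEB-ONLY")}
DEFAULT_ACL = "PREAUTH-DNS-DHCP-ONLY"   # step 3: the pre-auth ACL that stays until Accept

def hide_password(password: str, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR block i with MD5(secret + ciphertext block i-1),
    seeding the chain with the Request Authenticator."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; returns the password bytes with the zero padding removed."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    """Attributes are Type(1) Length(1, includes the header) Value TLVs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")   # refuse to spin on a zero-length TLV
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, attrs, req_auth, secret) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def build_access_request(secret, ident, username, password):
    """Switch side (step 8): fresh random Request Authenticator and a hidden User-Password."""
    req_auth = secrets.token_bytes(16)
    attrs = encode_attrs([(USER_NAME, username.encode()),
                          (USER_PASSWORD, hide_password(password, secret, req_auth))])
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def server_handle(request: bytes, secret: bytes) -> bytes:
    """ACS side (steps 9-10): check the credentials, answer Accept + Filter-Id or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    user = attrs[USER_NAME].decode(errors="replace")
    pw = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    if user in USERS and secrets.compare_digest(USERS[user][0].encode(), pw):
        resp_code, resp_attrs = ACCESS_ACCEPT, encode_attrs([(FILTER_ID, USERS[user][1].encode())])
    else:
        resp_code, resp_attrs = ACCESS_REJECT, b""
    resp_auth = response_authenticator(resp_code, ident, resp_attrs, req_auth, secret)
    return packet(resp_code, ident, resp_auth, resp_attrs)

def verify_response(response: bytes, ident: int, req_auth: bytes, secret: bytes) -> bool:
    """Switch side: a reply is trusted only if its Response Authenticator matches our request."""
    code, rid, length = struct.unpack("!BBH", response[:4])
    if rid != ident or length != len(response):
        return False
    expected = response_authenticator(code, rid, response[20:length], req_auth, secret)
    return secrets.compare_digest(expected, response[4:20])

def switch_login(secret: bytes, username: str, password: str, ident: int = 7) -> str:
    """Steps 8-11 end to end; returns the name of the ACL the port ends up with."""
    request, req_auth = build_access_request(secret, ident, username, password)
    response = server_handle(request, secret)
    if not verify_response(response, ident, req_auth, secret):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    if response[0] != ACCESS_ACCEPT:
        return DEFAULT_ACL                      # step 11 never happens: keep the DNS/DHCP-only ACL
    acl = dict(decode_attrs(response[20:])).get(FILTER_ID, b"")
    return acl.decode() or DEFAULT_ACL
```

Two details matter for a defender reading the thread: the Request Authenticator must be fresh random bytes for every request because the password hiding is keyed from it, and the switch should drop any reply whose Response Authenticator does not verify, since that is the only thing binding the Access-Accept (and the ACL it carries) to the shared secret.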

  • Cisco NAC Guest Server

    Are there any custom reports for the security log on NAC Guest Server?
    I want to have a report showing all guest accounts that have been created by the employees for the last month, from the Security officer's view.

    Yes, you can do this.
    In the admin console look at the permissions for the sponsor group.
    What I've done is created a superuser account and assigned it to a superuser sponsor group. The superuser sponsor group can see & manage all accounts. Default group sponsors can only see & manage their own accounts and they don't have the management reporting capability.

  • Cisco NAC Guest Server and shellshock

    Hello,
    We are running NAC server v2.0.2 and would like to know if it's vulnerable to shellshock as the bug report CSCur05629 isn't clear on this. 

    Well, you will need to use a 3rd party certificate. Here is a link to generate and install a 3rd party certificate on the WLC for use with Web-Auth:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    Here is a link for the NGS:
    http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fsecurity%2Fnac%2Fappliance%2Fconfiguration_guide%2F410%2Fcas%2Fcas41ug.pdf&pos=1&strqueryid=2&websessionid=RK88fQNWy8TCDUakpNGLOqZ
    The appliances are using a self-generated Cisco certificate which of course is not in the trusted certificate store of most operating systems. So using a 3rd party certificate like RapidSSL, Verisign, etc. will eliminate the certificate issue.

  • NAC guest server with RADIUS authentication for guests issue.

    Hi all,
    We have just finally successfully installed our Cisco NAC Guest Server. We have version 2 of the server and basically the topology consists of a WiSM at the core of the network and a 4402 controller in the DMZ, then out through the firewall; no issues with that. We do however have a few problems: how can we provide access through a proxy without using pak files, obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a RADIUS attribute etc.?
    The second problem is more serious; refer to the documentation below from the configuration guide for NAC Guest Server v2. It states that hotspots can be used and the Authentication option would allow RADIUS authentication for guests. I’ve been told otherwise by Cisco and they say it can’t be done. Has anyone got RADIUS authentication working for guests?
    https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
    -----START QUOTE-----
    Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
    •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
    •Self Service—This option allows guest self service. After selection proceed to Step 8.
    •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
    ----- END QUOTE-----
    Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
    Regards
    Kevin Woodhouse

    Well, I will try to answer your 2nd question.... will it work... yes. It is like any other RADIUS server (high end :)) But why would you do this for guests.... there is no reason to open up a port on your FW and to add guest accounts to, and worse... add them in AD. Your guest anchor can supply web-auth, is able to have a lobby admin account to create guest accounts and, if you look at it, it leaves everything in the DMZ.
    Now if you are looking at the self service.... what does that really give you.... you won't be able to control who gets on, people will use bogus info and, last but not least.... I have never gotten that to work right. Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that. That is my opinion.

  • NAC Guest Server SMTP Authentication

    Does anyone know if you are able to set your SMTP server in the NAC Guest Server to do SMTP Authentication? Our old Exchange server just let us specify the SMTP server and send the guest accounts their Username and Password to their outside accounts.  Our new Exchange server requires SMTP authentication, but we do not see the option available in the NAC Guest Server interface.  We are running NAC Guest Server 1.1.3.  Any ideas would be appreciated.  Thanks!

    I have Cisco NAC Guest Server 2.0.2 and have sort of similar issues.
    I configured the Base DN to the OU of the sponsor groups in AD and then mapped that particular group in roles. Users from that group can log on fine and create guest accounts.
    The problem is, it seems that other users from that OU are able to log on as sponsors too. How do I restrict this to just that sponsor group? I tried changing the Base DN to the OU of the sponsor group and then entering CN=sponsorgroup to narrow it to just that group, but still other users can log in as sponsors.

  • NAC Guest Server

    Hi Guru,
    Do we need a Cisco NAC appliance or Wireless Controller with Cisco NAC Guest Server, or can Cisco NAC Guest Server work independently?
    Is there any way to implement Cisco NAC Guest Server without a NAC appliance or wireless LAN controller?
    Best Regards,
    Ahmed Shahzad.    

    Hi, Tiago,
    I read through the doc you mentioned above and was able to get NGS working with ACS via the internal database or AD for wired web-auth. This means that when I plug a guest PC onto the network, open a browser, and enter either an ACS internal user ID or a domain user ID, the web-auth works and downloads the dACL from ACS.
    BTW, I am using the switch to intercept HTTP and send it to NGS for web login.
    However, when I tried to enter a Guest ID created by NGS, it always failed. I have the following questions, where the document is not clear.
    1) The sample login page in NGS references an IP "1.1.1.1" and the document says it should NOT be used anywhere but needs to be resolvable. What does that mean?
    2) The sample login page in NGS has HTML code to add "NGS" as the realm, which shows up as "ngs\guestusername" in the ACS failed log. Why do we need to add that?
    3) The sample login page in NGS uses "@" as the realm separator. What happens if I use an email address as the username in NGS, which is the default setting?
    4) The sample login page in NGS uses "https://1.1.1.1"; can we change that to HTTP? Does it require a crypto image for the switch?
    I am getting different types of errors in ACS: one is 11014 RADIUS packet contains invalid attribute(s), one is Authentication against RADIUS Token server failed.
    Please help

  • NAC guest server hangs and guest portal is not working

    Hi all ,
    Our guest NAC server NAC3315 often gets into a hung state, and our guest wireless network is not working. We are able to ping the NAC server but the web page does not open for clients when they connect to the guest network.
    Any clue on this?
    Thanks!,
    Regards,
    Vijay.

    All actions within the Cisco NAC Guest Server are logged into the database. This enables you to see any action that occurred as part of the normal operating process of the application.
    To access the system log from the administration interface, select Server > System Log from the left hand menu.
    Please check the Error Logs for troubleshooting of NGS.

  • NAC Guest Server how to delete/remove Guest User

    Hi,
    We are working with Cisco NAC Guest Server V2.0.
    Does anybody in the Community know how to delete/remove a Guest User whose account is suspended or no longer needed in the Guest User database?
    Please let me know.
    Sent from Cisco Technical Support iPad App

    tx,
    Hm, can you tell me why? Is it available in future releases?
    hajo
    Sent from Cisco Technical Support iPad App

  • NAC Guest Server, unable to login with sponsor

    We have a Cisco NAC Guest Server (version 2.0.5).
    I created some sponsors and wanted them to be in another sponsor user group than the default group. So I created a sponsor user group and changed the group permissions (Allow Login is set to Yes, edit account .. are set to Own Accounts).
    Now I wanted to try out the new sponsors but I can't log in to the NAC Server. I get a "username or password invalid" reply. If I change the sponsor user group of the user to DEFAULT, everything is working.
    The logfile on the NAC Server shows the following error:
    Oct  4 13:05:14 s100059 NGS_SPONSOR: [audit NGS 0 10.106.161.5] Login failure: xxx
    xxx is the username of the sponsor.
    Why can't I log in with the sponsor when he's in another sponsor group than DEFAULT?
    Martin
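The audit line quoted above is the only evidence the server gives for a failed sponsor login, so it is worth being able to read it mechanically. Here is an added example (not code from the thread or from Cisco) that parses NGS_SPONSOR audit lines of that shape and groups failures by source address, separating the pattern in this thread (one sponsor failing repeatedly and then succeeding once the configuration is fixed) from one address failing against many different names, which a sponsor-portal operator would want to review. The sample lines, the host and address values, the threshold and the "Login success" wording are all constructed for the example; only the failure form appears in the thread.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format quoted in the thread. The "Login success"
# wording is an assumption made for the example; only the failure form appears above.
SAMPLE_LOG = """\
Oct  4 13:05:14 s100059 NGS_SPONSOR: [audit NGS 0 10.106.161.5] Login failure: mkoch
Oct  4 13:05:21 s100059 NGS_SPONSOR: [audit NGS 0 10.106.161.5] Login failure: mkoch
Oct  4 13:05:29 s100059 NGS_SPONSOR: [audit NGS 0 10.106.161.5] Login failure: mkoch
Oct  4 13:06:02 s100059 NGS_SPONSOR: [audit NGS 0 10.106.161.5] Login success: mkoch
Oct  4 13:07:10 s100059 NGS_SPONSOR: [audit NGS 0 203.0.113.9] Login failure: admin
Oct  4 13:07:11 s100059 NGS_SPONSOR: [audit NGS 0 203.0.113.9] Login failure: root
Oct  4 13:07:12 s100059 NGS_SPONSOR: [audit NGS 0 203.0.113.9] Login failure: sponsor
Oct  4 13:07:13 s100059 NGS_SPONSOR: [audit NGS 0 203.0.113.9] Login failure: guest
Oct  4 13:08:00 s100059 NGS_SPONSOR: [audit NGS 0 10.106.161.7] Login failure: jdoe
Oct  4 13:08:01 s100059 kernel: unrelated line that must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) NGS_SPONSOR: "
    r"\[audit NGS (?P<code>\d+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"Login (?P<result>failure|success): (?P<user>\S+)$")

def parse_line(line: str):
    """Return a dict for an NGS sponsor audit line, or None for anything else."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {"ts": re.sub(r"\s+", " ", m["ts"]), "host": m["host"], "ip": m["ip"],
            "result": m["result"], "user": m["user"]}

def summarize(lines, threshold: int = 3):
    """Group failures by source IP and label each IP that reaches the threshold."""
    by_ip = defaultdict(lambda: {"failures": 0, "users": set(), "later_success": False})
    for ev in filter(None, map(parse_line, lines)):
        state = by_ip[ev["ip"]]
        if ev["result"] == "failure":
            state["failures"] += 1
            state["users"].add(ev["user"])
        elif ev["user"] in state["users"]:
            state["later_success"] = True      # the same sponsor eventually got in
    findings = {}
    for ip, state in by_ip.items():
        if state["failures"] < threshold:
            continue
        if len(state["users"]) == 1 and state["later_success"]:
            kind = "single-user-then-success"   # looks like the misconfiguration case above
        elif len(state["users"]) >= threshold:
            kind = "many-distinct-users"        # one source trying many names: review it
        else:
            kind = "repeated-failure"
        findings[ip] = {"kind": kind, "failures": state["failures"],
                        "users": sorted(state["users"])}
    return findings
```

Running summarize over the system log export (Server > System Log, as another reply on this page describes) gives a per-address view that is easier to act on than scanning for "Login failure" by eye; the threshold is deliberately low because sponsor portals see little traffic.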

    If credentials work on CCMuser CUPSuser I would suspect either some kind of communication problem between the clients and the servers and/or misconfiguration (user/device/line association, device owner, roles, CTI/CCMCIP profiles, etc) on CUCM/CUPS.
    Especially because you mention the same happens with CUPC.
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • NAC GUEST SERVER HA & REPLICATION

    Hi
    We are planning on a NAC Guest Server HA pair (1st NGS in one location & 2nd NGS in some other 2nd location) in an Active/Active scenario. The two NGS boxes in the 2 locations are connected by an L2TP tunnel to establish communication between them using a single VIP.
    Could anyone please let me know the precautionary steps that need to be followed and how the replication, HA & load balancing happen in this scenario?
    Appreciate your response on this. Thanks
    Daniel

    Initial replication is configured by setting one of the Cisco NAC Guest Servers to copy all of the data from the other Guest Server. The Guest Server that is configured to copy the data from the other device is first set to delete all of its own data. This ensures that no conflicts exist. Cisco recommends setting up replication at initial installation of Cisco NAC Guest Server, or when adding a new Guest Server to an existing implementation. Once one of the Guest Servers has received a copy of the data from the other device they are synchronized and replication is turned on. Any data that is updated on one Guest Server is then automatically replicated to the other Guest Server.

  • Nac Guest Server Replication

    Hi;
    I configured the replication between two NAC Guest Servers. But replication is not happening because of the TWIN service. Its status is always stopped. Could you please give some suggestions for this?

    Initial replication is configured by setting one of the Cisco NAC Guest Servers to copy all of the data from the other Guest Server. The Guest Server that is configured to copy the data from the other device is first set to delete all of its own data. This ensures that no conflicts exist. Cisco recommends setting up replication at initial installation of Cisco NAC Guest Server, or when adding a new Guest Server to an existing implementation. Once one of the Guest Servers has received a copy of the data from the other device they are synchronized and replication is turned on. Any data that is updated on one Guest Server is then automatically replicated to the other Guest Server.

  • Cisco NAC server hang issue

    Hi All Cisco NAC Experts, I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
    The issue has already happened a few times on the same server. The symptoms when the NAC server hangs include no response to ICMP ping, no response to SSH requests, no response to access requests to the CAS management page via https, and the HA pair being detected as down by its HA neighbor, which triggered failover to the secondary CAS.
    The CAS server was recovered after manually power cycling the hardware.
    After going through the attached CAS logs, I found all the services and the logging service were stopped when the issue happened, but unfortunately no suspicious activity was logged before or during the issue.
    I have also tried to search the Cisco Bug Toolkit but no similar case was found. I believe it was not caused by a software bug, because software version 4.8.1 has been running in my company for years and only one CAS server is having the issue.
    It would be great if anyone could help me out with this.
    Thanks,
    Eric

    Hi Bro
    This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS, CAM and CA Server. If this still doesn’t work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
    If all else fails, then a hardware swap would seem like the next best thing.

  • Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO

    Hi,
    I tried to set up SSO on Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit, but I can't start the Active Directory SSO Service, which shows the error below. I saw this error: "KDC has no support for encryption type (14)". Could anyone help me troubleshoot this problem?
    FQDN: active.test.com
    Domain Name : test.com
    User : ccasso
    2011-02-05 12:00:30.225 +0700 WARN  com.perfigo.wlan.jmx.adsso.GSSServer
    - Server was not running ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - Server starting server ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - Server is now running ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - GSSServer - SPN : [ccasso/[email protected]]
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - GSSServer - building kdc list for domain active.test.com
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - GSSServer - done building kdc list for domain active.test.com
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - GSSServer - KDC(s) :[10.0.240.100]
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - GSSServer - writeKrbFile: writing to file ../conf/krb.txt
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - GSSServer - creating login context ...
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - GSSServer - created login context ...javax.security.auth.login.LoginContext@5ad7b2
    2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer
    - Unable to start server ... KDC has no support for encryption type (14)
    2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - Notifying GSSServer status Stopped
    2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
    - server is exiting .

    Hi,
    This error means that your DC does not support the encryption method the ACS wants to use.
    Usually this happens when you run 2008 Server with 2003 functionality...
    You will need to run ktpass.exe according to the DC you are running:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452.
    For Windows 2008 Server at 2003 Server functional level:
    ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass
    PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.
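The reply above traces the "KDC has no support for encryption type" error to a mismatch between the encryption types the CAS's Kerberos keytab carries and those the domain controller will issue, and points at regenerating the keytab with ktpass. A practical check before and after running ktpass is to list the enctypes actually stored in the keytab. The following is an added example (not code from the thread or from Cisco): a reader for keytab format version 2 (the 0x0502 layout; that the file produced by ktpass is in this format is an assumption) that lists each entry's principal, kvno and enctype and reports which of them a given KDC does not support. The principal, realm, key bytes and the set of KDC-supported enctypes are constructed placeholders; the builder exists only to produce test input and the parser never returns key material, only its length.

```python
import struct

# Kerberos enctype numbers (RFC 3961/3962/4757 plus the legacy DES values)
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1   # the name type selected by -ptype KRB5_NT_PRINCIPAL in ktpass

def _cos(b: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack("!H", len(b)) + b

def build_keytab(entries) -> bytes:
    """Construct a keytab v2 file from (principal, kvno, enctype, key) tuples (test data only)."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack("!H", len(comps)) + _cos(realm.encode())
        body += b"".join(_cos(c.encode()) for c in comps)
        body += struct.pack("!IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack("!H", enctype) + _cos(key)
        body += struct.pack("!I", kvno)                                   # 32-bit kvno extension
        out += struct.pack("!i", len(body)) + body
    return out

def parse_keytab(data: bytes):
    """Read every live entry of a keytab v2 file; keys are not returned, only their length."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, entries = 2, []

    def read_cos():
        nonlocal pos
        n = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        s = data[pos:pos + n]
        pos += n
        return s

    while pos + 4 <= len(data):
        size = struct.unpack("!i", data[pos:pos + 4])[0]
        pos += 4
        if size == 0:
            raise ValueError("zero-length slot: corrupt keytab")
        if size < 0:                 # a negative size marks a deleted slot of |size| bytes
            pos += -size
            continue
        end = pos + size
        ncomp = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        realm = read_cos().decode()
        comps = [read_cos().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = struct.unpack("!IIB", data[pos:pos + 9])
        pos += 9
        enctype = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        key = read_cos()
        kvno = struct.unpack("!I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": kvno, "enctype": enctype,
                        "enctype_name": ENCTYPE_NAMES.get(enctype, f"unknown({enctype})"),
                        "key_len": len(key)})
    return entries

def unsupported_enctypes(entries, kdc_enctypes) -> list:
    """Enctypes present in the keytab for which the KDC will not issue tickets."""
    return sorted({e["enctype"] for e in entries if e["enctype"] not in set(kdc_enctypes)})
```

If every enctype in the keytab comes back in unsupported_enctypes for the DC's policy, the login context will fail exactly as in the log above; the fix on the Cisco side is the ktpass regeneration the reply describes, and on the AD side a check of which encryption types the account and the domain functional level allow.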

  • NCipher server not in operational mode : Cisco NAC

    One of the NAC servers got rebooted and then while restarting I am getting an error: nCipher server not in operational mode. Please change the settings on the back of the card. Also: error-sshd-server not running.
    Please let me know how to put the nCipher card into operational mode and change the mode of the NAC to FIPS mode.
    It is very urgent. Please let me know the solution.
    Regards,
    Tarunava

    The Cisco NAC is 3315 and software version is 4.1.2.
    Below are the error logs.
    [root@PLHO_CAS_01 ~]# cd /perfigo/common/bin/
    [root@PLHO_CAS_01 bin]# ./test_fips.sh info
    Installed FIPS card is nCipher
    Info-FIPS file exists
    NFastApp_Connect failed: ServerNotRunning
    Error-card is not in operational mode
    Error-httpd worker is in Non FIPS  mode
    Error-sshd  not up
    System not in FIPS mode
    [root@PLHO_CAS_01 bin]#
    [root@PLHO_CAS_01 ~]# /etc/init.d/sshd start
    Starting sshd:WARNING: initlog is deprecated and will be removed in a future release
    key_load_private_pem: RSA_blinding_on failed
    Could not load host key: /root/.perfigo/sec/tomcat.key
    Disabling protocol version 2. Could not load host key
    sshd: no hostkeys available -- exiting.
    [FAILED]
    [root@PLHO_CAS_01 ~]# /etc/init.d/httpd start
    Starting httpd: Syntax error on line 167 of /etc/httpd/conf/httpd.conf:
    DocumentRoot must be a directory
    [FAILED]
