Cisco NAC Guest Server for Wireless Users integration with IP telephony

Hi Team
I have a client who has the following requirement. The client requires a guest server in order to serve wireless needs for guests at their office. They want the guest to get their authentication codes via SMS. The client will have a lobby IP Phone where the guest will press the Services button configured on the IP Phone. It will then prompt the guest to enter his mobile number. Once the guest enters his mobile number, the guest will receive a text via an SMS gateway with login credentials. They want to offload this from the receptionist and it is for this reason that they require this functionality.
Has anyone done this sort of deployment? We have already proposed NAC Guest Server and a Wireless controller, but we do not know whether the XML application for subscribing the service on the IP Phone is available directly from Cisco or whether it needs to be developed.
Kindly advise on the same.
Regards
Azeem
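On the XML application the poster asks about, here is an added example (it is neither Cisco's code nor the poster's): the Cisco IP Phone Services object model uses a CiscoIPPhoneInput object to collect the number and a CiscoIPPhoneText object for the result screen, and a lobby kiosk that triggers a paid SMS needs two checks in front of the gateway, validation of the number and a per-number rate limit. The service URL, the code length, the expiry text and the limit are assumptions; how the code is then provisioned into the guest server and handed to the SMS gateway is out of scope here.

```python
import re
import secrets
import time
from xml.etree import ElementTree as ET

# Constructed values for the example: URL, code length and limit are assumptions.
SERVICE_URL = "http://guest-portal.example.internal/phone/request"
CODE_LENGTH = 8
MAX_REQUESTS_PER_HOUR = 3


def input_screen_xml(service_url=SERVICE_URL):
    """CiscoIPPhoneInput object the phone renders when the Services button is pressed.
    The phone appends the entered value as ?msisdn=<digits> to <URL>."""
    root = ET.Element("CiscoIPPhoneInput")
    ET.SubElement(root, "Title").text = "Guest Wi-Fi access"
    ET.SubElement(root, "Prompt").text = "Enter your mobile number"
    ET.SubElement(root, "URL").text = service_url
    item = ET.SubElement(root, "InputItem")
    ET.SubElement(item, "DisplayName").text = "Mobile"
    ET.SubElement(item, "QueryStringParam").text = "msisdn"
    ET.SubElement(item, "DefaultValue").text = ""
    ET.SubElement(item, "InputFlags").text = "N"  # N = numeric keypad entry
    return ET.tostring(root, encoding="unicode")


def text_screen_xml(title, text):
    """CiscoIPPhoneText object used for the confirmation or error screen."""
    root = ET.Element("CiscoIPPhoneText")
    ET.SubElement(root, "Title").text = title
    ET.SubElement(root, "Prompt").text = ""
    ET.SubElement(root, "Text").text = text
    return ET.tostring(root, encoding="unicode")


def normalize_msisdn(raw):
    """Accept only something that looks like an E.164 number and reject the rest
    before it reaches the SMS gateway (paid, and otherwise abusable from the lobby)."""
    digits = re.sub(r"[\s().-]", "", raw or "")
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    if not re.fullmatch(r"\+?[1-9]\d{7,14}", digits):
        raise ValueError("not a valid mobile number")
    return digits if digits.startswith("+") else "+" + digits


class GuestCodeIssuer:
    """Issues one-time guest codes with a per-number rate limit (in-memory, example only)."""

    def __init__(self, max_per_hour=MAX_REQUESTS_PER_HOUR, clock=time.time):
        self.max_per_hour = max_per_hour
        self.clock = clock
        self._history = {}  # msisdn -> request timestamps

    def issue(self, raw_number):
        """Returns (msisdn, sms_body, phone_screen_xml). The code is the credential:
        it goes only into the SMS, never into logs or onto the lobby phone's display."""
        msisdn = normalize_msisdn(raw_number)
        now = self.clock()
        recent = [t for t in self._history.get(msisdn, []) if now - t < 3600]
        if len(recent) >= self.max_per_hour:
            raise PermissionError("too many requests for this number; try later")
        self._history[msisdn] = recent + [now]
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        sms = f"Your guest Wi-Fi code is {code}. It expires in 24 hours."
        screen = text_screen_xml("Code sent", f"Check the SMS on {msisdn[:-4]}****")
        return msisdn, sms, screen
```

The phone fetches the first screen over HTTP from the URL configured for the service; the web application behind that URL answers the `msisdn` query parameter by calling `issue()` and returning the second screen. Keep the rate limit state and the issued codes off the phone and on the server.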


Similar Messages

  • NAC Guest server for wired and wireless

    Hi
    My customer wants to install the NGS for both wired and wireless users. For wireless users we can integrate it with the WLC, but I don't know how it will work for wired users at the same time. Please suggest.
    Thanks

    Hi Vishal,
    Please note that if you want to return ACLs (and usually in wired web auth you need to), you will have to integrate with ACS, as NGS itself cannot return ACLs in the reply RADIUS attributes.
    Basically the process is as follows:
    1 - Client plugs cable into switch.
    2 - Web auth is triggered on the port.
    3 - A default ACL permitting only DNS and DHCP is applied so that the client PC can obtain an IP address and open a browser.
    4 - Client will be redirected to the NGS hotspot login page.
    5 - Client will enter credentials.
    6 - Client browser will send an HTTP POST packet containing the credentials.
    7 - The switch will intercept the POST packets and retrieve the credentials entered.
    8 - The switch will send a RADIUS Access-Request to the ACS.
    9 - The ACS will use the NGS as External Identity Source to authenticate the client.
    10 - The NGS will reply with RADIUS Access-Accept to the ACS and the ACS will reply to the switch including the ACL in the Access-Accept.
    11 - The switch authorizes the client on the port and applies the ACL it received from the ACS.
    Please follow the document Nicolas posted as it is a good one.
    HTH,
    Thanks
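Steps 8, 10 and 11 of the flow above, as an added example that is not part of the original post and not code from any Cisco product: a minimal RADIUS Access-Request and Access-Accept in Python with RFC 2865 framing, the ACL carried as Cisco cisco-avpair attributes (Vendor-Id 9, vendor type 1) of the form `ip:inacl#N=...`, and the switch-side check that the reply is genuine. The shared secret, username, password and ACL lines are constructed. It also shows the two properties a practitioner should keep in mind: the Response Authenticator, keyed with the shared secret, is the only thing binding the returned ACL to the request, and User-Password is hidden with an MD5 keystream rather than hashed, so ACS recovers the plaintext and the switch-to-ACS path belongs on a management network.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed values for the example; the secret, user, password and ACL are
# assumptions, not taken from the thread or from any real configuration.
SHARED_SECRET = b"constructed-shared-secret"
GUEST_ACL = ["permit udp any any eq 53", "permit tcp any any eq 80",
             "permit tcp any any eq 443", "deny ip any any"]

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def _attr(attr_type, value):
    """Type-Length-Value encoding of one RADIUS attribute (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _password_blocks(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(data[i:i + 16], keystream))
        out += block
        prev = data[i:i + 16] if decrypt else block   # chain on the ciphertext
    return out


def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_blocks(padded, secret, authenticator, decrypt=False)


def reveal_password(hidden, secret, authenticator):
    """What ACS does on receipt: PAP over RADIUS is reversible, not a hash."""
    return _password_blocks(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def cisco_avpair(text):
    """Vendor-Specific (26) carrying a Cisco (vendor 9) cisco-avpair (vendor type 1)."""
    payload = text.encode()
    vsa = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    return _attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def build_access_request(username, password, secret, ident, authenticator=None):
    """Step 8: the switch relays the credentials it pulled out of the web-auth POST."""
    authenticator = authenticator or secrets.token_bytes(16)  # Request Authenticator
    attrs = _attr(USER_NAME, username.encode())
    attrs += _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_access_accept(request_authenticator, ident, secret, acl_lines):
    """Step 10: the ACS answer, with the ACL as ip:inacl#N= AV-pairs."""
    attrs = b"".join(cisco_avpair(f"ip:inacl#{n}={line}")
                     for n, line in enumerate(acl_lines, 1))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs


def iter_attributes(packet):
    """Yield (type, value) for each TLV after the 20-byte header; reject malformed TLVs."""
    attrs, pos = packet[20:], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        yield attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]


def parse_reply(packet, request_authenticator, secret):
    """Step 11 (switch side): verify the reply is genuine, then collect the ACL lines."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged reply")
    acl = []
    for attr_type, value in iter_attributes(packet):
        if attr_type != VENDOR_SPECIFIC or value[:4] != struct.pack("!I", CISCO_VENDOR_ID):
            continue
        if len(value) >= 6 and value[4] == CISCO_AVPAIR:
            text = value[6:4 + value[5]].decode()
            if text.startswith("ip:inacl#"):
                acl.append(text.split("=", 1)[1])
    return code, acl


def demo(secret=SHARED_SECRET):
    """Round trip for steps 8, 9/10 and 11; returns (reply code, ACL the switch applies)."""
    request, req_auth = build_access_request("guest1@example.com", "constructed-pw", secret, 7)
    # ACS side: recover the PAP password, check it (here against a constant), then answer
    if reveal_password(dict(iter_attributes(request))[USER_PASSWORD], secret, req_auth) != b"constructed-pw":
        raise ValueError("ACS would send Access-Reject")
    reply = build_access_accept(req_auth, 7, secret, GUEST_ACL)
    return parse_reply(reply, req_auth, secret)
```

Note that nothing in an Access-Accept is encrypted: the ACL travels in clear text and is protected only by the Response Authenticator, so a guessed or shared-everywhere secret lets anyone who can reach the switch's RADIUS port hand it an arbitrary ACL. Real ACS deployments return a downloadable ACL by name rather than inline `ip:inacl#` lines; the attribute plumbing is the same.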

  • Cisco NAC Guest Server

    Are there any custom reports for the security log on NAC Guest Server?
    I want to have a report showing all guest accounts that have been created by the employees in the last month, from the security officer's view.

    Yes, you can do this.
    In the admin console look at the permissions for the sponsor group.
    What I've done is create a superuser account and assign it to a superuser sponsor group. The superuser sponsor group can see and manage all accounts. Default group sponsors can only see and manage their own accounts, and they don't have the management reporting capability.

  • Cisco NAC Guest Server and shellshock

    Hello,
    We are running NAC server v2.0.2 and would like to know if it's vulnerable to Shellshock, as the bug report CSCur05629 isn't clear on this.

    Well, you will need to use a 3rd party certificate. Here is a link to generate and install a 3rd party certificate on the WLC for use with Web-Auth:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    Here is a link for the NGS:
    http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fsecurity%2Fnac%2Fappliance%2Fconfiguration_guide%2F410%2Fcas%2Fcas41ug.pdf&pos=1&strqueryid=2&websessionid=RK88fQNWy8TCDUakpNGLOqZ
    The appliances are using a self-generated Cisco certificate which, of course, is not in the trusted certificate store of most operating systems. So using a 3rd party certificate like RapidSSL, VeriSign, etc. will eliminate the certificate issue.

  • NAC guest server with RADIUS authentication for guests issue.

    Hi all,
    We have just finally successfully installed our Cisco NAC Guest Server. We have version 2 of the server and basically the topology consists of a WiSM at the core of the network and a 4402 controller at the DMZ, then out the firewall; no issues with that. We do however have a few problems: how can we provide access through a proxy without using pak files, obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a RADIUS attribute etc.?
    The second problem is more serious; refer to the documentation below from the configuration guide for guest NAC server v2. It states that hotspots can be used and the Authentication option would allow RADIUS authentication for guests. I've been told otherwise by Cisco and they say it can't be done. Has anyone got RADIUS authentication working for guests?
    https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
    -----START QUOTE-----
    Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
    •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
    •Self Service—This option allows guest self service. After selection proceed to Step 8.
    •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
    ----- END QUOTE-----
    Your help is much appreciated on this. I've been looking forward to this project for a long time and it's a bit of an anticlimax that I can't authenticate guests with RADIUS (we use ACS and I was hoping to hook RADIUS into an ODBC database we have set up called open galaxy).
    Regards
    Kevin Woodhouse

    Well, I will try to answer your 2nd question... will it work? Yes. It is like any other RADIUS server (high end :)). But why would you do this for guests? There is no reason to open up a port on your FW and to add guest accounts to it and, worse, add them in AD. Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest accounts and, if you look at it, it leaves everything in the DMZ.
    Now if you are looking at the self service... what does that really give you? You won't be able to control who gets on, people will use bogus info and, last but not least, I have never gotten that to work right. I had the BU send me codes that never worked, but again, that was like a year ago and maybe they fixed that. That is my opinion.

  • NAC Guest Server how to delete/remove Guest User

    Hi,
    We are working with Cisco NAC Guest Server V2.0.
    Does anybody in the community know how to delete/remove a guest user whose account is suspended or no longer needed in the guest user database?
    Please let me know.
    Sent from Cisco Technical Support iPad App

    tx,
    Hm, can you tell me why? Is it available in future releases?
    hajo
    Sent from Cisco Technical Support iPad App

  • NAC Guest Server

    Hi Guru,
    Do we need a Cisco NAC appliance or Wireless controller with Cisco NAC Guest Server, or can Cisco NAC Guest Server work independently?
    Is there any way to implement Cisco NAC Guest Server without a NAC appliance or wireless LAN controller?
    Best Regards,
    Ahmed Shahzad.    

    Hi, Tiago,
    I read through the doc you mentioned above and was able to get NGS working with ACS via the internal database or AD for wired web-auth. Which means, when I plug a guest PC onto the network, open a browser, and enter either an ACS internal user ID or a domain user ID, the web-auth works and downloads the dACL from ACS.
    BTW, I am using the switch to intercept HTTP and send it to NGS for web login.
    However, when I tried to enter a guest ID that was created by NGS, it always failed. And I have the following questions, where the document is not clear.
    1) The sample login page in NGS references an IP "1.1.1.1" and the document says it should NOT be used anywhere but needs to be resolvable. What does that mean?
    2) The sample login page in NGS has HTML code to add "NGS" as the realm, which will show as "ngs\guestusername" in the ACS failed log. Why do we need to add that?
    3) The sample login page in NGS uses "@" as the realm separator. What happens if I use an email address as the username in NGS, which is the default setting?
    4) The sample login page in NGS uses "https://1.1.1.1"; can we change that to HTTP? Does it require a crypto image for the switch?
    I am getting different types of errors in ACS: one is "11014 RADIUS packet contains invalid attribute(s)", the other is "Authentication against RADIUS Token server failed".
    Please help

  • NAC Guest Server and WLC's

    Just wanted to know if this will work or not...
    I was looking at a design from a client and they had two CAM and CAS plus a Guest server. My client wants to use the equipment above for guest access. The problem I'm having is that I'm building a wireless network with guest anchor WLCs in the DMZ. So my wireless users will be tunneled to the DMZ controller. Also, the WLC can have a splash page uploaded to it and can also authenticate users locally in the DB. They don't want any remediation, just authentication... is this a waste of money or would you actually implement this?

    I've some (very) basic questions.
    Let's say guest vlan = x
    1) VLAN x should be created on the foreign controllers as on the anchor controller, with the same properties.
    2) On the anchor controller a dynamic interface has to be created, acting as default gateway for the guest clients.
    3) Is it advised to place the guest server in the guest VLAN? E.g. somewhere in the server farm?
    4) Once traffic coming from the guests has arrived at the anchor controller (I know too little of WLC ;)), will it be forwarded towards the anchor default gateway (firewall or internet router?) with the IP of the anchor controller as source IP?
    5) Authentication: the user connects to SSID guest and opens a browser. The user is redirected and a login page is displayed. Is this page downloaded from the anchor controller? I think it is, and pushed via WCS. So the Guest NAC server has nothing to do with this page? Correct?
    The anchor controller polls the NAC guest server with the given credentials. The anchor controller forwards the credentials to the NAC guest server. The NGS replies with authenticated or not. If authenticated, the guest can browse. Probably on a regular basis, the anchor controller will poll the NAC guest server in order to check if he's still authenticated and, if enabled, pass information to the NAC guest server for accounting. Is this somehow OK?
    I've found that the following ports need to be opened in the firewall:
    UDP 97 for EoIP
    UDP 16666 for inter-controller traffic
    and 1812/1813 for RADIUS.
    Thanks in advance

  • NAC guest server hangs and guest portal is not working

    Hi all ,
    Our guest NAC server NAC3315 is often getting into a hung state, and our guest wireless network is not working. We are able to ping the NAC server but the web page is not opening for clients when they connect to the guest network.
    Any clue on this ....
    Thanks!,
    Regards,
    Vijay.

    All actions within the Cisco NAC Guest Server are logged into the database. This enables you to see any action that occurred as part of the normal operating process of the application.
    To access the system log from the administration interface, select Server > System Log from the left-hand menu.
    Please check the error logs when troubleshooting NGS.

  • NAC Guest Server, unable to login with sponsor

    We have a Cisco NAC Guest Server (version 2.0.5).
    I created some sponsors and wanted them to be in another sponsor user group than the default group. So I created a sponsor user group and changed the group permissions (Allow Login is set to Yes; edit account, ... are set to Own Accounts).
    Now I wanted to try out the new sponsors, but I can't log in to the NAC Server. I get a "username or password invalid" reply. If I change the sponsor user group of the user to DEFAULT, everything is working.
    The logfile on the NAC Server shows the following error:
    Oct  4 13:05:14 s100059 NGS_SPONSOR: [audit NGS 0 10.106.161.5] Login failure: xxx
    xxx is the username of the sponsor.
    Why can't I log in with the sponsor when he's in another sponsor group than DEFAULT?
    Martin

    If credentials work on CCMUser and CUPSUser, I would suspect either some kind of communication problem between the clients and the servers and/or misconfiguration (user/device/line association, device owner, roles, CTI/CCMCIP profiles, etc.) on CUCM/CUPS.
    Especially because you mention the same happens with CUPC.
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • NAC Guest Server and WLC, WCS

    I have set up a NAC Guest Server to allow users to sign up guest accounts via Active Directory. How do I tie this into WLC or WCS?

    Hi
    Try this:
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00809d6b9a.shtml
    Regards
    Greg

  • Nac Guest Server Replication

    Hi;
    I configured replication between two NAC Guest Servers, but replication is not happening because of the TWIN service; its status is always stopped. Could you please give some suggestions for this?

    Initial replication is configured by setting one of the Cisco NAC Guest Servers to copy all of the data from the other Guest Server. The Guest Server that is configured to copy the data from the other device is first set to delete all of its own data. This ensures that no conflicts exist. Cisco recommends setting up replication at initial installation of Cisco NAC Guest Server, or when adding a new Guest Server to an existing implementation. Once one of the Guest Servers has received a copy of the data from the other device they are synchronized and replication is turned on. Any data that is updated on one Guest Server is then automatically replicated to the other Guest Server.

  • NAC Guest Server SMTP Authentication

    Does anyone know if you are able to set your SMTP server in the NAC Guest Server to do SMTP authentication? Our old Exchange server just let us specify the SMTP server and send the guest accounts their username and password to their outside accounts. Our new Exchange server requires SMTP authentication, but we do not see the option available in the NAC Guest Server interface. We are running NAC Guest Server 1.1.3. Any ideas would be appreciated. Thanks!

    I have Cisco NAC Guest Server 2.0.2 and have sort of similar issues.
    I configured the Base DN to the OU of the sponsor groups in AD and then mapped that particular group in roles. Users from that group can log on fine and create guest accounts.
    The problem is, it seems that other users from that OU are able to log on as sponsors too. How do I restrict this to just that sponsor group? I tried changing the Base DN to the OU of the sponsor group and then entering CN=sponsorgroup to narrow it to just that group, but still other users can log in as sponsors.

  • NAC GUEST SERVER HA & REPLICATION

    Hi
    We are planning a NAC Guest Server HA pair (1st NGS in one location and 2nd NGS in another location) in an Active/Active scenario. The two NGS boxes in the 2 locations are connected with an L2TP tunnel to establish communication between them using a single VIP.
    Could anyone please let me know the precautionary steps that need to be followed and how replication, HA and load balancing happen in this scenario?
    Appreciate your response on this. Thanks
    Daniel


  • NAC Guest Server, How to change the password for a single user?

    We have a NAC Guest Server which creates a complex password for all new users created.
    We would like to have normal/simple password for a single user. How can I get this done on a NAC Guest Server.
    Thanks in advance.

    Hi,
    You can set up 3 different flavours of passwords:
    http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_guestpol.html#wp1063249.
    a. Username Policy 1 - Email address as username
    Use the guest's email address as the username. If an overlapping account with the same email address exists, a random number is added to the end of the email address to make the username unique. Overlapping accounts are accounts that have the same email address and are valid for an overlapping period of time.
    b. Username Policy 2 - Create username based on first and last names
    Create a username based on combining the first name and last name of the guest. You can set a Minimum username length for this username from 1 to 20 characters (default is 10). User names shorter than the minimum length are padded up to the minimum specified length with a random number.
    c. Username Policy 3 - Create random username
    Create a username based upon a random mixture of Alphabetic, Numeric or Other characters. Type the characters to include to generate the random characters and the number to use from each set of characters.
    Note: The total length of the username is determined by the total number of characters included.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
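The three username policies quoted in Tiago's reply, as an added example (mine, not Cisco's code and not anything from the thread): one function per policy. The `taken` set stands for the usernames of accounts whose validity period overlaps the new one; the four-digit suffix and the digit-by-digit padding are assumptions about how "a random number" is appended, since the quoted text does not specify its size; and the randomness comes from `secrets.SystemRandom` because the username is half of the credential the guest receives.

```python
import re
import secrets
import string

_RNG = secrets.SystemRandom()  # CSPRNG; random.Random would be predictable


def email_username(email, taken, rng=_RNG):
    """Policy 1: the e-mail address itself; on an overlapping account, append a random number.
    Assumption: a four-digit suffix; the quoted policy only says 'a random number'."""
    username = email
    while username in taken:
        username = f"{email}{rng.randrange(1000, 10000)}"
    return username


def name_username(first, last, min_len=10, rng=_RNG):
    """Policy 2: first + last name, padded with random digits up to min_len (1..20, default 10)."""
    if not 1 <= min_len <= 20:
        raise ValueError("minimum username length must be between 1 and 20")
    base = re.sub(r"[^a-z0-9]", "", (first + last).lower())
    if not base:
        raise ValueError("names contain no usable characters")
    while len(base) < min_len:          # assumption: pad one random digit at a time
        base += str(rng.randrange(10))
    return base


def random_username(n_alpha, n_numeric, n_other, other_chars="!$%*", rng=_RNG):
    """Policy 3: n characters drawn from each set, shuffled; total length is the sum.
    other_chars is an assumed 'Other' set; the real policy lets the admin type it."""
    pool = (
        [rng.choice(string.ascii_letters) for _ in range(n_alpha)]
        + [rng.choice(string.digits) for _ in range(n_numeric)]
        + [rng.choice(other_chars) for _ in range(n_other)]
    )
    if not pool:
        raise ValueError("at least one character is required")
    rng.shuffle(pool)
    return "".join(pool)
```

Policy 2 is the one the original poster's wish for "normal/simple" credentials maps onto: a short, guessable name plus a few digits is convenient at the lobby desk but also easy to enumerate, so pair it with a strong password policy and short account lifetimes.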
