Guest Server and LDAPS

I've recently set up our NAC Guest Server and cannot get Secure LDAP to work. The config guide says you can use ldap://server or ldaps://server. When I use ldap://server it works but doesn't when I change it to ldaps. Our LDAP server has a Verisign cert. Any ideas?
Thanks,
-Dusty

I've some (very) basic questions.
Let's say guest VLAN = x.
1) VLAN x should be created on the foreign controllers as on the anchor controller, with the same properties.
2) On the anchor controller a dynamic interface has to be created, acting as default gateway for the guest clients.
3) Is it advised to place the guest server in the guest VLAN, e.g. somewhere in the server farm?
4) Once traffic coming from the guests has arrived at the anchor controller (I know too little of WLC ;)), will it be forwarded towards the anchor default gateway (firewall or internet router) with the IP of the anchor controller as source IP?
5) Authentication: the user connects to SSID guest and opens a browser. The user is redirected and a login page is displayed. Is this page downloaded from the anchor controller? I think it is, and pushed via WCS. So the NAC Guest Server has nothing to do with this page? Correct?
The anchor controller polls the NAC Guest Server with the given credentials: the anchor controller forwards the credentials to the NAC Guest Server, and the NGS replies with authenticated or not. If authenticated, the guest can browse. Probably on a regular basis the anchor controller will poll the NAC Guest Server to check if he's still authenticated and, if enabled, pass information to the NAC Guest Server for accounting. Is this somehow OK?
I've found that the following ports need to be opened in the firewall:
UDP 97 for EoIP
UDP 16666 for inter-controller traffic
and 1812/1813 for RADIUS.
Thanks in advance

Similar Messages

  • Directory server and ldap TLS on windows platform

    Has anybody tested "Sun Directory Server" and "LDAP TLS" on the Windows platform? Because I tried it, and I can't establish a secure connection. On another platform, and I speak about Solaris 9, everything is OK. Some comments?

    It's a rather unusual way to use attribute subtypes. You may be able to do something with the mapping engine in DPS - I'll wait for Sylvain or someone else who knows DPS really well to answer that. But from the perspective of the information model, I have some doubts about this approach. For instance, what happens if you have multiple subtypes on a single-valued attribute?
    Usually, for example, if there is a "preferred" common name as opposed to some other common names, it would be modeled in an entirely different attribute type, such as "preferredName". The subtypes are almost exclusively used for language specification nowadays. That's another question - what happens if you ever need to store multiple languages in your Directory?
    Do you know of anyone else who is using this kind of information model in their Directory?

  • Profile server and ldap server login

    To enable my portal to have anonymous login and skip the login menu, from the admin console I've added "Membership" and "Ldap" under the interactive mode section. This is to allow the LDAP or Membership authentication methods to be enabled at the anonymous page. I tried to use the default login channel to log into the portal using LDAP authentication, but it doesn't work. I can log into the portal via the login channel using the "Membership" authentication method. But somehow I have no idea how to "integrate" my membership (profile) authentication with LDAP authentication (syncs between profile server and LDAP server for user name and password). Anyone out there have any idea what went wrong here? Thanks a lot.

    The sp3a release notes show how you can modify the login channel to work with other authentication modules.
    The sample given is for Unix authentication; to make that sample work for LDAP authentication, take a copy of that sample:
    cp display_iwtAuthUnix.html display_iwtAuthLdap.html
    Now look for the form action and replace it from /login/Unix to /login/Ldap, then follow the instructions given in the sp3a release notes, replace unix with ldap everywhere, and it should work.

  • NAC Guest Server with LDAP

    Hello,
    I'm trying to get a NAC Guest server associated with an LDAP Server.
    I was able to get the NAC Manager working with the same parameters, but the Guest isn't working though.
    My question is... where can I find useful logs about LDAP authentication within the Guest Server?
    any ideas?
    thanks.

    Dennis,
    Bump up the logging on all categories and check in the ensuing support logs. Also doing a packet capture might show you more information on what's going on.
    HTH,
    Faisal
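For the two LDAP questions above (the ldaps:// URL that fails where ldap:// works, and Dennis's question about seeing why LDAP authentication fails), the check I would run from the Guest Server's side of the network is a verified TLS handshake to port 636 of the LDAP server. The only thing ldaps:// adds over ldap:// is that the client must trust the CA that issued the server certificate and the host in the URL must match the name in that certificate, so that is where such setups usually break. The Python below is an added example, not code from this thread or from Cisco; the host name ldap.example.com and the CA file path are assumptions. It reports whether the TCP connect, the TLS handshake or the certificate check failed, and maps the usual OpenSSL verification errors to what to fix.

```python
import socket
import ssl

# Added example: probe an LDAPS endpoint the way an LDAP client such as the
# NAC Guest Server must, i.e. as a TLS client that verifies the server
# certificate against a CA bundle and checks that the host name it was given
# matches the certificate. Plain ldap:// on 389 never performs this check,
# which is why it can work while ldaps:// on 636 fails.
# Host names and file paths below are assumptions, not values from the thread.

LDAPS_PORT = 636


def classify_tls_failure(message):
    """Map an SSLError message to a likely cause and fix.

    The matched fragments are the ones OpenSSL emits; the first matching
    rule wins, so the more specific "local issuer" check comes first.
    """
    m = message.lower()
    if "unable to get local issuer certificate" in m:
        return ("client does not trust the issuing CA: import the CA and "
                "intermediate certificates into the client's trust store")
    if "unable to get issuer certificate" in m or "unable to verify the first certificate" in m:
        return ("server sent an incomplete chain: install the intermediate "
                "certificate(s) on the LDAP server")
    if "hostname mismatch" in m or "doesn't match" in m:
        return ("host in the URL does not match the certificate: use the FQDN "
                "that appears in the certificate CN/SAN in the ldaps:// URL")
    if "certificate has expired" in m:
        return "server certificate has expired: renew it"
    if "self signed certificate" in m or "self-signed certificate" in m:
        return ("server uses a self-signed certificate: import that exact "
                "certificate into the client's trust store")
    if "wrong version number" in m or "unknown protocol" in m:
        return ("port is not speaking TLS: LDAPS is probably not enabled on "
                "636, or the URL points at the plain LDAP port")
    return "unclassified TLS failure: " + message


def probe_ldaps(host, port=LDAPS_PORT, cafile=None, timeout=5.0):
    """Attempt a verified TLS handshake to host:port.

    Returns (status, detail) with status one of 'ok', 'connect', 'timeout'
    or 'tls'. cafile is the PEM bundle the client is expected to trust;
    None falls back to the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # the URL host must match CN/SAN
    ctx.verify_mode = ssl.CERT_REQUIRED  # an untrusted chain is a failure
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return ("ok", "%s, subject CN=%s" % (
                    tls.version(), subject.get("commonName", "?")))
    except ssl.SSLError as exc:          # handshake or verification failed
        return ("tls", classify_tls_failure(str(exc)))
    except socket.timeout:               # nothing answered on the port
        return ("timeout", "no TCP answer on %s:%d; check the firewall and "
                "that the server listens on 636" % (host, port))
    except OSError as exc:               # refused, unreachable, no permission
        return ("connect", "TCP connect to %s:%d failed: %s" % (host, port, exc))


if __name__ == "__main__":
    import sys
    # Assumed defaults; pass the real LDAP FQDN and CA bundle on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe_ldaps(target, cafile=bundle))
```

Run it with the same CA bundle the Guest Server has been given and with the exact host name you put in the ldaps:// URL: public CAs commonly issue from an intermediate, so import the whole issuing chain rather than only the root, and a short name such as "server" fails the host name check when the certificate carries only the FQDN. A "connect" or "timeout" result means the firewall or the LDAP server itself, not certificates, is the problem, which is also what a packet capture would show as an unanswered SYN rather than a TLS alert.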

  • NAC Guest Server and WLC's

    Just wanted to know if this will work or not...
    I was looking at a design from a client and they had two CAM and CAS plus a Guest server. My client wants to use the equipment above for guest access. The problem I'm having is that I'm building a wireless network with guest anchor WLCs in the DMZ. So my wireless users will be tunneled to the DMZ controller. Also, the WLC can have a splash page uploaded to it and also authenticate users locally in the DB. They don't want any remediation, just authentication... is this a waste of money, or would you actually implement this?


  • NAC guest server and pre-configured duration of accounts

    There seems to be a bug in the way the NAC guest server handles the pre-configured duration of guest accounts.
    I have followed the manual and I did:
    - Configured 3 durations (24h, 48h and 1 week) under the templates/accounts/accounts durations.
    - And set "maximum duration of account" under User Groups
    As I understand I should now be able to select one of the three configured durations when I login as a sponsor.
    However I only get the number which I specified under User Group.
    The odd thing is that if I change the Maximum duration under User Group, I get this as the only choice (e.g. 14 days).
    Have others experienced this?
    Best regards,
    Steffen Lindemann

    You can use any one of the options, i.e. number of days or number of hours.
    For days;
    Authentication > User Groups > Add Group | Edit Group includes two new settings for Number of days in the future the account can be created and Maximum duration of account (in days)
    For hours:
    User Interface > Templates > Add Template | Edit Template > Accounts > Account Duration
    http://www.cisco.com/en/US/docs/security/nac/guestserver/release_notes/11/gsrn110.html

  • NAC Guest Server and Multiple Guest SSID's/Splashpages

    Hi All,
    If I have multiple guest SSIDs on a single controller and I use NGS as the RADIUS server, how do I configure NGS to "send" the clients to different login pages corresponding to the SSID they came from?
    I can configure different splash pages in the HotSpots section, but how do I map the different SSIDs from the controller to the different splash pages? Then I guess that raises the question: when I generate guest users on NGS, is it possible to only allow them to associate to a specific SSID?
    TIA,
    Eoin.

    Hi Nicolas,
    Thanks for the reply. I can see that config on the WLC and have used it before where there is only a single guest SSID. What I don't know is if the NAC Guest Server sees RADIUS requests coming from different guest SSIDs on the same WLC. How does the NAC Guest Server apply the correct guest policy to that user? And when sponsors generate guest accounts, how do they specify which policy is to be applied to that guest so it can only get access to a specific guest network/SSID? I'm not sure where the "mapping" of accounts/splash pages/policies takes place on the NAC Guest Server. I've only ever set up NAC Guest when there has been a single guest SSID.
    Regards,
    Eoin.

  • NAC guest server and guest proxy filtering issue.

    Hi all
    Continuing our issues log for the NAC Guest Server install, our topology and issue is as follows:
    We have a guest NAC server and a 4404 anchor controller successfully deployed in the DMZ; the anchor WLC has a mobility anchor which is a WiSM on the corporate network. DHCP services for guest clients are issued with no problems from the WLC in the DMZ. The first port of the DMZ controller is located on the DMZ and the second port directly connects to the firewall interface.
    All works correctly: DNS, DHCP, NTP, SNMP etc. all work fine through the firewall.
    What options do I have to filter Internet access in this scenario? We have Websense and Nokia firewalls. I don't think I can use WCCP as I have nowhere to place it: the second connection on the WLC is directly connected to the firewall, so there is nowhere to intercept the traffic. Our security team has tried some tricks on the Nokia to try to redirect the traffic on the firewall using a type of redirect; WPAD I can't see as an option. Any ideas? If I place the second interface into the DMZ, could I use WCCP that way maybe, but won't traffic still have to go to the firewall?
    options please ??

    Well you will need to use a 3rd party certificate..  Here is a link to generate and install a 3rd party certificate on the WLC for the use with Web-Auth:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    Here is a link for the NGS:
    http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fsecurity%2Fnac%2Fappliance%2Fconfiguration_guide%2F410%2Fcas%2Fcas41ug.pdf&pos=1&strqueryid=2&websessionid=RK88fQNWy8TCDUakpNGLOqZ
    The appliances are using a self-generated Cisco certificate, which of course is not in the trusted certificate store of most operating systems. So using a 3rd party certificate from RapidSSL, Verisign, etc. will eliminate the certificate issue.

  • NAC Guest Server and WLC, WCS

    I have set up a NAC Guest Server to allow users to sign up for a guest account via Active Directory. How do I tie this into WLC or WCS?

    Hi
    Try this:
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00809d6b9a.shtml
    Regards
    Greg

  • How can I create new user in such that its entries are stored both in profile server and ldap?

     

    Portal only creates a user profile locally within its native ldap server. Two ways you can approach this is to either write a custom auth module that creates a user in the ldap server at the same time or handle it through replication.

  • Cisco NAC Guest Server and shellshock

    Hello,
    We are running NAC server v2.0.2 and would like to know if it's vulnerable to shellshock as the bug report CSCur05629 isn't clear on this. 


  • NAC Guest Server and Entrust Intermediate CA

    Chaps,
    Trying to install an Entrust cert with an intermediate and root cert, but having problems.
    I've managed to install both the intermediate and root by putting them into a single file.
    The certs and root are accepted without an error, but after a reboot there is still an error in IE. Looking at the error, the end user cert looks fine but only the intermediate cert is in the chain, not the root.
    Any ideas? Is this a known issue or am I doing something wrong?
    Jim

    Hi
    I've just had a reply from our Cisco SE. It appears that the TAC already has a case open for this error and it's been escalated to the Development Engineering Team.
    Resolution is to downgrade to version 1.1.2, which I've already done, and it works fine. Please note that v2.0.0 is an ED release.
    regards
    Martyn

  • NAC Guest Server - Self Service

    Hello all,
    I have a problem with NAC Guest Server and the self service feature.
    When I use the self service feature with auto login it works fine.
    But the customer would like to disable the auto login feature and the guest has to fill in his username /password.
    These credentials will be created by the NAC.
    When I click "add user", there is the message: user successfully created.
    But I don't have the possibility to reach the login page with username/password with my browser.
    There is no redirect to the login page with username/password, and when I refresh the browser or restart my browser, I will always reach the "self service" page.
    I hope someone had a similar problem and can help.
    thanks
    Martin

    have you allowed pop-ups on the browsers?
    did you try switching the browser?
    Regards
    F.H

  • URL Logging for Guest Traffic using Guest Anchor and ISE

    Hi there all,
    I'm looking for a solution whereby I can log URL information for wireless guest users to ISE. The anchor WLC sits in a DMZ behind an ASA and the ISE is on the internal network. I found this document (see URL below) which is similar but using a NAC Guest Server and not an ISE.
    I'm wondering if anyone has managed to do this using ISE?
    http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080ac2fda.shtml#wlcc

    Hi, Sorry for the late reply, I have been busy with a Proof Of Concept with the ISE.
    I have tried your suggestion and I cannot get the same results as you.
    I notice that the logs in your report were generated by an ASA. Do you know whether the same can be done with a switch dACL?
    I have this configuration...
    dACL
    3k-access#sh ip access-list int fa0/1
         permit udp host 10.1.10.103 any eq domain
         permit icmp host 10.1.10.103 any
         permit tcp host 10.1.10.103 host 10.1.100.21 eq 8443
         permit tcp host 10.1.10.103 host 10.1.252.10 eq www log-input
         deny ip host 10.1.10.103 10.1.0.0 0.0.255.255
         permit ip host 10.1.10.103 any
    Logging config...
    logging esm config
    logging trap debugging
    logging origin-id ip
    logging host 10.1.100.21 transport udp port 20514
    With the above configuration, I get a report which shows the syslog messages of successful authentication and download of the dACL, but then when I access a URL, I do not see any events about the URL that was accessed or even the IP that was accessed.
    Do you know if this can be done? Maybe I am looking at the wrong report? Can you help?
    Mario
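What an ACE with `log` or `log-input` can and cannot tell you, as an added example that is not part of the original thread: IOS ACL logging records the packet header only (addresses, ports, protocol, and with `log-input` the ingress interface and source MAC), one message for the first match and then periodic summaries with a packet count. The URL sits in the HTTP payload, which never reaches syslog, so the most a dACL can give you is which guest talked to which destination address and port. The Python parser below runs over constructed syslog lines modeled on the %SEC-6-IPACCESSLOGP format, prefixed with the router address as `logging origin-id ip` does; the dACL name, the router address 10.1.1.1, the MAC address and the denied line (which assumes `log` was added to the deny ACE of the posted dACL, going beyond the posted configuration) are assumptions.

```python
import re

# Added example: extract what an IOS ACL log message actually carries.
# The sample below is constructed, modeled on the %SEC-6-IPACCESSLOGP format;
# the dACL name, router address and MAC are assumptions. Note the fields:
# there is no hostname or URL anywhere in the message.
SAMPLE_LOG = """\
10.1.1.1: *Mar 10 10:01:02.123: %SEC-6-IPACCESSLOGP: list xACSACLx-IP-Guest-54f1 permitted tcp 10.1.10.103(52011) (FastEthernet0/1 0011.2233.4455) -> 10.1.252.10(80), 1 packet
10.1.1.1: *Mar 10 10:02:10.001: %SYS-5-CONFIG_I: Configured from console by admin on vty0
10.1.1.1: *Mar 10 10:06:02.500: %SEC-6-IPACCESSLOGP: list xACSACLx-IP-Guest-54f1 permitted tcp 10.1.10.103(52011) (FastEthernet0/1 0011.2233.4455) -> 10.1.252.10(80), 12 packets
10.1.1.1: *Mar 10 10:06:05.000: %SEC-6-IPACCESSLOGP: list xACSACLx-IP-Guest-54f1 denied tcp 10.1.10.103(52020) -> 10.1.50.7(443), 1 packet
"""

# "log-input" adds "(interface mac)" after the source; plain "log" omits it,
# so that group is optional.
ACL_LOG = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-f.]+)\))?"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Return one dict per ACL log message; other syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ACL_LOG.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "count"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def web_destinations(records, client_ip, ports=(80, 443)):
    """Distinct (dst, port) pairs a guest was permitted to reach on web ports.

    This is the closest thing to "URL logging" an ACL can provide: the server
    address, never the host header or path.
    """
    return {(r["dst"], r["dport"]) for r in records
            if r["src"] == client_ip and r["action"] == "permitted"
            and r["dport"] in ports}


def denied_attempts(records, client_ip):
    """(dst, port) of every logged deny for the guest, e.g. probes at internal space."""
    return [(r["dst"], r["dport"]) for r in records
            if r["src"] == client_ip and r["action"] == "denied"]


def permitted_packets(records, client_ip):
    """Sum of the packet counts in the permitted messages (first hit plus summaries)."""
    return sum(r["count"] for r in records
               if r["src"] == client_ip and r["action"] == "permitted")


if __name__ == "__main__":
    recs = parse_acl_log(SAMPLE_LOG)
    for r in recs:
        print(r["action"], r["src"], "->", r["dst"], r["dport"],
              "via", r["iface"] or "(no log-input)", "x", r["count"])
    print("web destinations:", web_destinations(recs, "10.1.10.103"))
    print("denied:", denied_attempts(recs, "10.1.10.103"))
```

If the report has to show URLs, the logging has to come from something that sees the HTTP payload, which is why the referenced configuration example gets its URL events from the ASA; a switch dACL with `log-input` can only feed the address-level view above.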

  • NAC guest server - user posture assessment problem

    Dear all,
    Please assist me with a NAC Guest Server posture assessment issue.
    The scenario is that we have a NAC Guest Server and all wireless guest users authenticate through the Guest Server.
    It's working fine.
    But the customer wants to apply posture assessment to guest users through the existing CAS and CAM.
    Guest_users-------AP-------WLC------- NAC_Guest_Server----------internet

    Thanks for reply.
    Actually, in my network we have CAS and CAM integrated with the WLC for internal users. It's working fine, no issue. Posture assessment and authentication are working fine.
    We also have an NGS server which is integrated with the WLC for web authentication for guest wireless users.
    It is also working fine. Authentication happens through the NGS server successfully.
    But now I want to force posture assessment for wireless guest users which are authenticated through the NGS server.
