NAC DHCP server subnet-list issue

Hello everyone,
I currently have the CAS set up as a layer 3 IB deployment, and use the CAS as the DHCP server for our remote subnets.
My issue is that when I configure the IP address pool, I have to check the option "Restrict range to Relay IP", and can only put in one IP address (the remote router's IP address) to make the DHCP server function work.
But our remote routers are configured with HSRP for the user subnets, and I find that they use the physical IP address instead of the virtual IP address to encapsulate the DHCP relay packets. If I put in the HSRP virtual IP, it does not work. If I put in the primary router's physical interface IP, what happens when it fails over to the standby router?
Could anyone help me with this problem?
Thanks in advance.
Jason

Never had this issue before, it should not occur under normal circumstances.
Two tips:
1: Although not 100% applicable, please verify that your config includes the command: ip subnet-zero.
2: Verify that your IOS is recent and not an ED, T or similar release. If possible, load a GD image.
Regards,
Leo

Similar Messages

  • DHCP server bad address issue

    Hi,
    I'm having an issue with an IP address conflict or "bad_address".
    I've checked for a rogue DHCP server with Wireshark. One issue I'm having is that the MAC address of the device getting the bad_address entry on the DHCP server is only 8 characters. There is no such device on my network. This has been occurring every other week. Removing it solved the problem, but how do I find the culprit?
    Thanks.

    What confuses me is that it works fine at one site with all of your Windows 7 machines, but not the other. So is something up with the DHCP server? As I asked before, is it multihomed? If RRAS is installed on it, that constitutes multihoming, too.
    OTOH, Windows 7/Vista's DHCP lease behavior is a bit different from XP. And keep in mind, we can't discount server-side issues yet, or we can look at this as a combination of the facts. In addition, if anything is on a VLAN, then that's another layer of "something else" that we need to look at.
    Anyway, here are my notes on Windows 7/Vista DHCP lease behavior differences:
    Windows 7 DHCP Lease Behavior is different than Windows XP upon startup
    DHCP Client Behavior
    http://blogs.technet.com/b/networking/archive/2009/01/29/dhcp-client-behavior.aspx
    If the DHCP client obtained a lease from a DHCP server on a previous occasion, and the lease is still valid (not expired) at system startup, the client tries to renew its lease.
    If, during the renewal attempt, the client fails to locate any DHCP server, it attempts to ping the default gateway listed in the lease, and proceeds in one of the following ways:
    • If the ping is successful, the DHCP client assumes that it is still located on the same network where it obtained its current lease, and continues to use the lease as long as the lease is still valid. By default the client then attempts, in the background, to renew its lease when 50 percent of its assigned lease time has expired.
    • If the ping fails, the DHCP client assumes that it has been moved to a network where a DHCP server is not available. The client then auto-configures its IP address by using the settings on the Alternate Configuration tab. When the client is auto-configured, it attempts to locate a DHCP server and obtain a lease.
    As a workaround, you can force a Windows Vista or Windows 7 DHCP client to keep the old DHCP lease by adding registry key “DontPingGateway” if connectivity fails, see the resolution in the KB article below:
    Windows Vista does not keep its DHCP IP address if a DHCP server is not available (works for Windows 7, too):
    http://support.microsoft.com/kb/958336
    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • DHCP Server Issue

    Hi,
    We are facing a very weird issue with one of our DHCP servers. The DHCP server is Windows 2008 Server. We have configured the scope. The clients are getting IP addresses from the DHCP server, and the leases show in the DHCP console. But after some time the lease information gets removed from the DHCP server console. The client still keeps that IP and we can ping that PC. Lease information keeps coming and going from the console. If I check the DHCP log file I can see that the DHCP server is assigning the same IP to the same host again and again.
    Sometimes the same IP gets assigned to another PC and an IP conflict occurs. We have tried changing the DHCP server but have the same issue.
    Please suggest

    Hi,
    You mentioned the issue occurred on one of the DHCP servers. Could you tell us the relationship between the affected one and the others?
    Can you share a snippet of the log file that is unusual?
    Meanwhile, you can try the article below, especially the section “The DHCP server appears to have suffered some data corruption or loss.”
    Troubleshooting DHCP servers
    http://technet.microsoft.com/en-us/library/cc779112(v=ws.10).aspx#BKMK_4

  • NAC guest server user posture assessment problem

    Dear all,
    Please assist me with a NAC guest server posture assessment issue.
    The scenario is that we have a NAC guest server and all wireless guest users authenticate through the Guest Server.
    It's working fine.
    But the customer wants to apply posture assessment to guest users through the existing CAS and CAM.
    Guest_users-------AP-------WLC------- NAC_Guest_Server----------internet

    Thanks for the reply.
    Actually, in my network we have the CAS and CAM integrated with the WLC for internal users. It's working fine, no issue. Posture assessment and authentication work fine.
    We also have an NGS server which is integrated with the WLC for web authentication for guest wireless users.
    It is also working fine. Authentication happens through the NGS server successfully.
    But now I want to force posture assessment for wireless guest users which are authenticated through the NGS server.

  • WLC 5508 Internal DHCP server issues

    Hi,
    I am hoping to get your feedback around the dhcp issues I am facing with Two Centrally Switched Wireless LANs. I have tried to explain the setup and the problems below and would appreciate it if anyone can suggest a solution for the problems I am facing:
    The setup is as follows:
    - I have a WLC 5508 which has been configured with 4 SSIDs, out of which 2 are using Central Authentication and Switching.
    - I have an LWAP connected to the WLC in HREAP mode.
    - WLC is configured as the DHCP server for clients connecting to the SSID 'Guest'. For the rest, I am using external dhcp server.
    - Only one scope for Guest Interface is setup on the WLC. 
    Problems:
    1. As far as I know, for the WLC to act as internal DHCP server, it is mandatory to have the proxy enabled, but the clients connecting to SSID 'Internet' are unable to get an IP address from the external DHCP server if DHCP proxy is enabled on the WLC. If I disable the proxy, it all works fine.
    2. DHCP does not release the ip addresses assigned to clients even after they are logged out.
    3. If a machine which was earlier connected to 'Guest' SSID connects to the 'Internet' SSID, it requests the same ip it was assigned by the WLC which it was assigned under 'Guest', but gets tagged with the Vlan configured on the management interface.  
    ************Output from the Controller********************
    (Cisco Controller) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.0.116.0
    Bootloader Version............................... 1.0.1
    Field Recovery Image Version..................... 6.0.182.0
    Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
    Build Type....................................... DATA + WPS + LDPE
    (Cisco Controller) >show interface summary
    Interface Name     Port  Vlan Id  IP Address      Type     Ap Mgr  Guest
    guest              1     301      10.255.255.30   Dynamic  No      No
    management         1     100      172.17.1.30     Static   Yes     No
    service-port       N/A   N/A      192.168.0.1     Static   No      No
    virtual            N/A   N/A      10.0.0.1        Static   No      No
    (Cisco Controller) >show wlan summary
    Number of WLANs.................................. 4
    WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
    1        LAN                                    Enabled   management
    2        Internet                               Enabled   management
    3        Managment Assets                       Enabled   management
    4        Guest                                  Enabled   guest
    (Cisco Controller) >show dhcp detailed guest
    Scope: guest
    Enabled.......................................... Yes
    Lease Time....................................... 86400 (1 day )
    Pool Start....................................... 10.255.255.31
    Pool End......................................... 10.255.255.254
    Network.......................................... 10.255.255.0
    Netmask.......................................... 255.255.255.0
    Default Routers.................................. 10.255.255.1  0.0.0.0  0.0.0.0
    DNS Domain.......................................
    DNS.............................................. 8.8.8.8  8.8.4.4  0.0.0.0
    Netbios Name Servers............................. 0.0.0.0  0.0.0.0  0.0.0.0
    (Cisco Controller) >show interface detailed management
    Interface Name................................... management
    MAC Address...................................... e8:b7:48:9b:84:20
    IP Address....................................... 172.17.1.30
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 172.17.1.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 100
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. 172.30.50.1
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    (Cisco Controller) >show interface detailed guest
    Interface Name................................... guest
    MAC Address...................................... e8:b7:48:9b:84:24
    IP Address....................................... 10.255.255.30
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.255.255.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 301
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    (Cisco Controller) >show dhcp leases
           MAC                IP         Lease Time Remaining
    00:21:6a:9c:03:04    10.255.255.46    23 hours 52 minutes 42 seconds        <<<<<<< lease remains even when the client is disconnected.
    *********Example of Client connected to the right Vlan with an ip address from the incorrect interface. *************
    (Cisco Controller) >show client detail 00:21:6a:9c:03:04
    Client MAC Address............................... 00:21:6a:9c:03:04
    Client Username ................................. N/A
    AP MAC Address................................... a0:cf:5b:00:49:c0
    AP Name.......................................... mel
    Client State..................................... Associated
    Client NAC OOB State............................. Access
    Wireless LAN Id.................................. 2                 <<<<<<<<   'Internet' SSID
    BSSID............................................ a0:cf:5b:00:49:ce
    Connected For ................................... 319 secs
    Channel.......................................... 36
    IP Address....................................... 10.255.255.46      <<<<<<< IP address assigned from the 'Guest' Interface or dhcp scope on the WLC
    Association Id................................... 1
    Authentication Algorithm......................... Open System
    Reason Code...................................... 1
    Status Code...................................... 0
    Session Timeout.................................. 1800
    Client CCX version............................... 4
    Client E2E version............................... 1
    QoS Level........................................ Silver
    802.1P Priority Tag.............................. disabled
    WMM Support...................................... Enabled
    Power Save....................................... OFF
    Mobility State................................... Local
    Mobility Move Count.............................. 0
    Security Policy Completed........................ Yes
    Policy Manager State............................. RUN
    Policy Manager Rule Created...................... Yes
    ACL Name......................................... none
    ACL Applied Status............................... Unavailable
    Policy Type...................................... N/A
    Encryption Cipher................................ None
    Management Frame Protection...................... No
    EAP Type......................................... Unknown
    H-REAP Data Switching............................ Central       <<<<<<<<<
    H-REAP Authentication............................ Central       <<<<<<<<<<
    Interface........................................ management
    VLAN............................................. 100           <<<<<<<<<<< right Vlan
    Quarantine VLAN.................................. 0
    Access VLAN...................................... 100

    Hi All,
    I have a similar issue where Wireless clients are not receiving automatic addressing from an internal DHCP server. I have multiple interfaces configured on the WLC which are connected to separate VLANS. The manually specified DHCP primary server entry is the same on all interfaces. Some clients are able to authenticate and receive automatic IP configuration but some clients are failing the address assignment process. I have checked connectivity between the WLC and DHCP server, this is confirmed as working. When I carry out a "debug dhcp packet enable", I get the following outputs which seems as if the DHCP discover request from the client is skipped. Your thoughts and inputs on this are appreciated.
    DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option len (including the magic cookie) 76
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: message type = DHCP DISCOVER
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 116 (len 1) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 61 (len 7) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: requested ip = 169.254.223.5
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 12 (len 13) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: vendor class id = MSFT 5.0 (len 8)
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 55 (len 11) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 43 (len 2) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP options end, len 76, actual 68
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP Forwarding DHCP packet (332 octets) packet
    DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option len (including the magic cookie) 76
    Thanks,
    Raj Sandhu

  • NAC implementation without DHCP Server

    Dear Experts,
    Is it possible to deploy NAC without having a DHCP server in the network? We have some 300-400 users on the campus and want to enable NAC for them.
    As per my understanding Cisco NAC cannot be deployed without a DHCP server in the network; however, it is not documented anywhere on the site. Currently all users' machines are configured with static IPs.
    We want to do user authentication, AV remediation and patch deployment through NAC. Is it possible to deploy NAC without a DHCP server?
    Thanks in advance.
    nayan       

    Hi,
    Here is the basic flow of clean access for both inband and out of band: (http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_white_paper0900aecd802bdc42.html)
    Figure 1. Laptop Attempts to Access the Internal Network
    1. When the laptop first accesses the network, the Cisco Clean Access Server determines that the computer's MAC address is not in the list of certified devices, and that laptop is placed into an unauthenticated role. While in this role, only User Datagram Protocol (UDP) Port 53 (Domain Name System [DNS]) and Dynamic Host Control Protocol (DHCP) traffic (via DHCP and VLAN passthrough) is allowed.
    2. The laptop gets an IP address from the DHCP server, but cannot get past the Clean Access Server acting as an IP filter.
    3. The laptop user opens a browser and is redirected to an SSL-based Web login page where she enters her credentials, which in turn map her into the "employee" role.
    4. As an "employee," she is asked to download the Clean Access Agent.
    5. The Clean Access Agent performs the posture assessment and forwards the results to the Clean Access Server to make the network admissions decision.
    Tarik Admani
    *Please rate helpful posts*

  • NAC as DHCP server problem

    Hi guys,
    I have a problem using the NAC server as a DHCP server for a different subnet.
    One thing that I want to know is: does DHCP on the NAC server support unicast DHCP messages?
    Because when the client uses a layer 2 connection to the NAC server, DHCP works fine. I think it uses DHCP broadcast messages.
    thanks

    Hi,
    Ensure your internal network can ping the DHCP server, which in this case I think is your Hyper-V host. This probably requires that you configure an IP address on your Hyper-V host that matches the subnet you have configured on the DHCP scope.
    When you add a virtual network to Hyper-V, this will add a virtual network adapter on the Hyper-V host. You can see the adapter in ipconfig with a name that matches the name of the virtual switch, for example: Ethernet adapter vEthernet (Internal Network).
    I'm not sure what your goals are here. It sounds like you want to give the VMs access to the Internet, which can be done much more simply by just creating an External virtual network rather than an Internal one with NAT. 
    Whatever your configuration, consider that DHCP works only one of two ways:
    1. DHCP server exists on the same subnet as the scope subnet and shares one of these subnet IP addresses.
    2. DHCP server has a different IP address than the scope, and clients use DHCP relay to get to the DHCP server.
    If you don't have a DHCP relay, then you must use the first method.
    -Greg

  • NAC guest server and guest proxy filtering issue.

    Hi all
    Continuing our issues log for the NAC guest server install, our topology and issue is as follows:
    We have a guest NAC server and a 4404 anchor controller successfully deployed in the DMZ. The anchor WLC has a mobility anchor which is a WiSM on the corporate network. DHCP services for guest clients are issued with no problems from the WLC in the DMZ. The first port of the DMZ controller is located on the DMZ and the second port directly connects to the firewall interface.
    All works correctly; DNS, DHCP, NTP, SNMP etc. all work fine through the firewall.
    What options do I have to filter Internet access in this scenario? We have Websense and Nokia firewalls. I don't think I can use WCCP as I have nowhere to place it: the second connection on the WLC is directly connected to the firewall, so there is nowhere to intercept the traffic. Our security team has tried some tricks on the Nokia to try to redirect the traffic on the firewall using a type of redirect; WPAD I can't see as an option. Any ideas? If I place the second interface into the DMZ, could I use WCCP that way maybe, but won't traffic still have to go to the firewall?
    Options please?

    Well, you will need to use a 3rd-party certificate. Here is a link to generate and install a 3rd-party certificate on the WLC for use with Web-Auth:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    Here is a link for the NGS:
    http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fsecurity%2Fnac%2Fappliance%2Fconfiguration_guide%2F410%2Fcas%2Fcas41ug.pdf&pos=1&strqueryid=2&websessionid=RK88fQNWy8TCDUakpNGLOqZ
    The appliances are using a self-generated Cisco certificate which of course is not in the trusted certificate store of most operating systems. So using a 3rd-party certificate from RapidSSL, Verisign, etc. will eliminate the certificate issue.

  • DHCP server and ip helper-address issue

    Question,
    By accident I had configured an IP HELPER-ADDRESS on a VLAN interface pointing to a DHCP server with an IP address in the same VLAN (IP subnet).
    Some users complained and there were BAD ADDRESS entries registered on our DHCP server.
    Can anyone explain to me why this is an issue, please?
    My guess is that the DHCP server receives the DHCPREQUEST from the client via the broadcast request and via the unicast request from the ip helper-address configuration. But does this really interfere with the DHCPACK and DHCPOFFER packets afterwards?

    Alex,
    I've not been able to capture the network packets but I can understand it if the server would send DHCPNAK responses (which would be a normal process).
    I just don't understand why so many users suddenly have issues and my DHCP scope is filling up with BAD ADDRESSES.
    My assumption is that the client receives 2 valid DHCP responses (one from the actual DHCP server and another one from the router, acting as DHCP relay agent) and acknowledges them, but the DHCP process is somewhere corrupted (either on the DHCP server or the DHCP client).
    I want a technical explanation for this issue :-)
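The following is an added example, not code from any of the posts above, to make two of the threads concrete: Jason's "Restrict range to Relay IP" question (the relay stamps its physical interface address, not the HSRP virtual address, into the DHCP giaddr field, as he observed), and the helper-address thread just above, where a server on the same VLAN receives both the client's broadcast and a relayed copy of the same DISCOVER. It builds and decodes DHCP messages (the option walk is the same one Raj's WLC debug output shows) with constructed packets and a constructed client MAC; relay_check is a hypothetical stand-in for a relay-restricted pool, not CAS code, and the address values are invented.

```python
import ipaddress
import struct

# Fixed-length BOOTP header (RFC 2131, section 2): op, htype, hlen, hops, xid,
# secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
_BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
_MAGIC = b"\x63\x82\x53\x63"
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_PARAM_LIST, OPT_CLIENT_ID, OPT_END = 12, 53, 55, 61, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_discover(xid, mac, giaddr="0.0.0.0", hops=0, hostname=b"client"):
    """Construct a DHCPDISCOVER (constructed test data). A client's own broadcast
    carries giaddr 0.0.0.0 and hops 0; a relay agent writes its interface
    address into giaddr and increments hops before forwarding a unicast copy."""
    header = _BOOTP.pack(
        1, 1, 6, hops, xid, 0, 0x8000,           # BOOTREQUEST, Ethernet, broadcast flag
        b"\0" * 4, b"\0" * 4, b"\0" * 4,         # ciaddr, yiaddr, siaddr all unset
        ipaddress.IPv4Address(giaddr).packed,    # giaddr: relay agent address
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,
    )
    options = (
        bytes([OPT_MSG_TYPE, 1, 1])
        + bytes([OPT_CLIENT_ID, 7, 1]) + mac      # hardware type 1 + MAC
        + bytes([OPT_HOSTNAME, len(hostname)]) + hostname
        + bytes([OPT_PARAM_LIST, 3, 1, 3, 6])     # asks for mask, router, DNS
        + bytes([OPT_END])
    )
    return header + _MAGIC + options


def parse(packet):
    """Decode the header fields a server keys on and walk the TLV option list."""
    op, _htype, hlen, hops, xid, _secs, flags, _ci, _yi, _si, gi, chaddr = _BOOTP.unpack_from(packet)[:12]
    rest = packet[_BOOTP.size:]
    if rest[:4] != _MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 4
    while i < len(rest) and rest[i] != OPT_END:
        if rest[i] == 0:                         # pad option has no length byte
            i += 1
            continue
        code, length = rest[i], rest[i + 1]
        options[code] = rest[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options.get(OPT_MSG_TYPE, b"\0")[0]
    return {
        "op": op,
        "hops": hops,
        "xid": xid,
        "broadcast": bool(flags & 0x8000),
        "giaddr": str(ipaddress.IPv4Address(gi)),
        "chaddr": chaddr[:hlen].hex(":"),
        "type": MSG_NAMES.get(msg_type, "unknown"),
        "options": options,
    }


def relay_check(msg, allowed_relays):
    """Hypothetical stand-in for a pool restricted to listed relay agents.
    giaddr 0.0.0.0 means the client is on a directly attached segment; anything
    else must match a configured relay address. Behind HSRP the relay stamps its
    physical interface address (as the original poster observed), so the list
    must hold every router's physical address, not the virtual one."""
    if msg["giaddr"] == "0.0.0.0":
        return "direct"
    return "relayed-ok" if msg["giaddr"] in allowed_relays else "relayed-rejected"


def group_by_transaction(packets):
    """Group copies of one client transaction (chaddr + xid) by the giaddr each
    copy arrived with. A helper-address pointing at a server on the same VLAN
    delivers both the broadcast copy and a relayed copy of the same DISCOVER."""
    seen = {}
    for pkt in packets:
        m = parse(pkt)
        seen.setdefault((m["chaddr"], m["xid"]), []).append(m["giaddr"])
    return seen


if __name__ == "__main__":
    mac = bytes.fromhex("020000000001")            # constructed client MAC
    relayed = parse(build_discover(0x1234, mac, giaddr="10.20.0.2", hops=1))
    print(relayed["type"], "via giaddr", relayed["giaddr"], "hops", relayed["hops"])
    print(relay_check(relayed, {"10.20.0.2", "10.20.0.3"}))   # both HSRP peers listed
    print(relay_check(relayed, {"10.20.0.254"}))               # only the VIP listed
    same_vlan = [build_discover(7, mac), build_discover(7, mac, giaddr="10.20.0.1", hops=1)]
    print(group_by_transaction(same_vlan))
```

Run it as a script to see the three cases: a relayed DISCOVER accepted because both routers' physical addresses are listed, the same packet rejected when only the virtual address is listed, and a single transaction arriving twice (giaddr 0.0.0.0 and giaddr 10.20.0.1) when the helper address points back into the same VLAN. To check a real capture, feed the UDP payload bytes of a DHCP frame into parse() and read the giaddr field.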

  • WRT54GC Static DHCP listing issue

    Hello:
    I have the latest firmware installed (1.02.8) and I am running into an issue:
    I currently have my WRT54GC acting as a DHCP server with 100 clients; I set each of my PCs to DHCP, but the WRT54GC will serve the same IP address to each PC ("Static DHCP"). I currently have seven MACs listed in the static DHCP list, but when I attempt to add another MAC and save the settings, it times out. This has happened consistently; it appears only seven MACs are allowed. I can edit the existing seven without an issue, but adding any more PCs times out the router.
    Any ideas? I have flashed the router a number of times to no effect.
    TIA.
    [8F] The NyQuil Kid

    Hi All,
    Ok, first try to delete the 7th MAC address and IP, then click "save settings".
    When it has finished rebooting, connect and try to fill in the 7th MAC with an IP address.
    It should work!!!
    That happens because first you should free the MAC lock in the router's memory, reboot to free it and delete it from memory, and then you can fill in the new MAC lock entry.
    Good Luck!!!
    Thanks
    Kind Regards
    ing.George Gochev
    DSL and Telecommunications Engineer

  • Project Server 2013: Empty issues, questions and documents list in the PWA task details pane

    Project Server 2012, SharePoint 2013
    I have a task with a few attached issues, risks and documents, and I see links to them in the PWA project plan (as icons).
    But when the resource opens his PWA task pane, the attachment lists (issues, risks and documents) are empty.
    Why? How do I add documents to those lists?

    Hi,
    I have a solution that might work for you; please follow the steps below:
    1) Go to your project schedule, make a small modification to any task on the schedule and 'Publish' the project.
    2) While your project is being published and saved, open another window:
    Server Settings -> Manage Queue Jobs
    3) Here you can view the progress of your current project publishing update; check that all goes smoothly and your project is published successfully without indicating any errors or issues like:
    Reporting transfer WSS links failed (to view any error, look at the last column of the table on the Manage Queue Jobs page)
    4) Also, in your Project window see if the project is published and not saved as a Draft.
    Basically this will give you a fair idea of whether your project is being published or not; if not, there is some problem with your lists (Risks, Issues and Documents).
    Regards

  • ISE reimage 1.1.4 on NAC 3355 Server Issues

    g'day All,
    I'm having trouble with an ISE re-image of a NAC 3355 server presently. I have successfully downloaded the ISO for ISE 1.1.4 and burnt it to DVD. I've gone through the reimage process, with all the packages being installed successfully (or so it appears); there were no issues while the packages were being uploaded and installed from the DVD.
    My issue is, when the box reboots and I am presented with the login prompt where I can type 'setup' to start the initial config script, I can enter all the relevant details and the system brings up the network interface, pings the default gateway and nameserver successfully (I don't see any errors that the pings have failed) and it appears to start installing ISE.
    I get the on-screen message about not using "Ctrl C from this point", then I see the 'installing applications....' on-screen message, but rather than seeing the 'Installing ISE' on-screen message as detailed in the 1.1.x hardware installation guide, my install jumps straight to the on-screen message 'generating configurations' and then the box reboots.
    Once the box reboots, I am able to log in with the username/password combo I entered in the initial setup script, but I don't get any further on-screen messages or prompts to create a database password, etc. I only get the CLI prompt. I am able to navigate around the CLI fine, I can ping the gateway and nameservers from the CLI fine, but if I do a 'show application', it comes back with nothing. If I do 'application configure ise', the CLI states that ISE is not installed.
    help please guys.
    Cheers,
    JS.

    Hello James,
    How did you do your install? Using KVM or the serial port?
    I had the same problems with a serial install: I was imaging (1.1.4) several appliances (3315 & 3395) at the same time with one PC/console cable that I plugged and unplugged from one appliance to another to follow the install progress. But on several appliances, I was not prompted for the admin & user database passwords.
    The result was the same as yours: the appliance booted, but the ISE application was not installed.
    I had no problems the next time, when I tried to reimage the appliance with the serial cable but WITHOUT UNPLUGGING IT from the beginning to the end! The user/admin DB passwords were asked for and the install was successful on all my appliances.
    Also, you have to check the system time/date/timezone in the BIOS settings of the appliance, as described in the hardware install guide.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_install_guide.html
    Have you checked the MD5 of your ISO?
    Hope you'll be able to finish your install properly.

  • NAC guest server with RADIUS authentication for guests issue.

    Hi all,
    We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a WiSM at the core of the network and a 4402 controller in the DMZ, then out through the firewall; no issues with that. We do however have a few problems: how can we provide access through a proxy without using PAC files, obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a RADIUS attribute etc.?
    The second problem is more serious; refer to the documentation below from the configuration guide for guest NAC server v2. It states that hotspots can be used and the Authentication option would allow RADIUS authentication for guests. I've been told otherwise by Cisco and they say it can't be done; has anyone got RADIUS authentication working for guests?
    https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
    -----START QUOTE-----
    Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
    •Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
    •Self Service—This option allows guest self service. After selection proceed to Step 8.
    •Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
    ----- END QUOTE-----
    Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
    Regards
    Kevin Woodhouse

    Well, I will try to answer your 2nd question.... will it work... yes. It is like any other RADIUS server (high end :)). But why would you do this for guests.... there is no reason to open up a port on your FW and to add guest accounts to, and worse... add them in AD. Your guest anchor can supply web-auth, is able to have a lobby admin account to create guest accounts and, if you look at it, it leaves everything in the DMZ.
    Now if you are looking at self service.... what does that really give you.... you won't be able to control who gets on, people will use bogus info and, last but not least.... I have never gotten that to work right. Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that. That is my opinion.

  • Best practice configure DHCP server NAC

    Hi all,
    Any idea what the best practice is to deploy DHCP on the CAS? I tried to follow the user guide to configure DHCP on the CAS, but it still cannot run smoothly; users only get an IP to authenticate.
    - The CCA agent appears very slowly when the user gets a DHCP IP on authentication. Any idea?
    - How to integrate Profiler with the NAC appliance?

    Hi ahmed,
    You have configured your CAS to be your DHCP server. That's well and good, because you are using Real IP mode, which supports the CAS being a DHCP server.
    Remember
    This setting is only for your Authentication VLAN, so that your client gets an IP while authenticating, OK.
    When your client switches to the Access VLAN, your client traffic no longer flows through the CAS, so the CAS is now not responsible for DHCP.
    You'll have to configure another DHCP server on the Trusted side which can lease IPs to the Access VLAN members.
    As you have configured OOB, your client is in the Access VLAN and does not come in contact with the CAS, so you need the Trusted side DHCP to give the client an IP address.
    Here in your scenario your ACCESS VLANs are 2022, 2044.
    Hope this helps, Do reply after Testing.
    Thank You
    Regards
    Edward

  • WRT54GX2 DHCP Server issue

    I am using this as an access point rather than a router. I have a separate DHCP server (Windows 2003 Ent. Server). I went in and disabled the DHCP server after upgrading to software 1.01.14, but it is still sending responses to DHCP requests. Has anyone ever dealt with a similar problem? I am about to roll back to a previous version of firmware, but needed to upgrade to resolve another issue I was having. TIA
    LRPenguin

    You said that you have a Win2003 DHCP server; even if you disable the DHCP capability on the router, your Win2003 server is the one providing the DHCP address on your computer.
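    A way to settle which server is actually answering, added here as an example and not code from either poster: read the server identifier (option 54) out of the DHCPOFFER/DHCPACK messages in a capture and flag any that are not your known DHCP server. The packets below are constructed, and the addresses 192.168.1.10 (assumed Windows 2003 server) and 192.168.1.1 (assumed access point) are assumptions.

```python
import socket
import struct

DHCP_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(data: bytes) -> dict:
    """Parse one BOOTP/DHCP message: 236-byte fixed header, cookie, TLV options."""
    if len(data) < 240:
        raise ValueError("too short for a DHCP message")
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ciaddr, yiaddr, _siaddr,
     _giaddr, chaddr, _sname, _file, cookie) = struct.unpack(
        "!4BIHH4s4s4s4s16s64s128s4s", data[:240])
    if cookie != DHCP_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 240
    while i < len(data) and data[i] != 255:      # 255 = end option
        if data[i] == 0:                          # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        if len(opts[code]) != length:
            raise ValueError("truncated option %d" % code)
        i += 2 + length
    return {
        "op": op, "xid": xid,
        "type": MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN"),
        "client_mac": ":".join("%02x" % b for b in chaddr[:hlen]),
        "yiaddr": socket.inet_ntoa(yiaddr),
        # option 54 = server identifier: the address of the server that made this offer
        "server_id": socket.inet_ntoa(opts[54]) if len(opts.get(54, b"")) == 4 else None,
    }

def unexpected_servers(packets, allowed):
    """Server identifiers of OFFER/ACK messages that did not come from an allowed server."""
    found = set()
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg["type"] in ("OFFER", "ACK") and msg["server_id"] and msg["server_id"] not in allowed:
            found.add(msg["server_id"])
    return sorted(found)

def build_offer(xid, mac, yiaddr, server_id):
    """Build a constructed DHCPOFFER for testing (not a captured packet)."""
    head = struct.pack("!4BIHH4s4s4s4s16s64s128s4s", 2, 1, 6, 0, xid, 0, 0,
                       b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                       mac + b"\0" * 10, b"\0" * 64, b"\0" * 128, DHCP_COOKIE)
    return head + bytes([53, 1, 2, 54, 4]) + socket.inet_aton(server_id) + bytes([255])

# constructed sample: one OFFER from the assumed Windows server, one from the assumed access point
MAC = bytes.fromhex("001122334455")
SAMPLE = [build_offer(0x1234, MAC, "192.168.1.50", "192.168.1.10"),
          build_offer(0x1234, MAC, "192.168.1.100", "192.168.1.1")]
```

    With a real capture, feed each UDP payload from port 67 to `unexpected_servers` with your known server's address in `allowed`; an empty result means only that server is answering.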
