NAC Guest server allow password change

hi,
i see there is an option to "allow password change" or "force password change" for guest roles in the NGS. But when i created a guest account using this guest role, after webauthentication , there is no prompt to change password. Is this the intended behaviour or is there anything else that i need to configure. Looking at it, i am not sure how the NGS would allow a "guest user" to really overwrite the password by allowing password change. ? is that not a security risk as well for the NGS ? my setup has 5508 anchor controller and NGS communicating via RADIUS.
regards
Joe

Rob,
We had much the same issue, more around using AD for SSO for sponsors as well as using the NGS as the hotspot.
The way around it for us was to have the NGS sit on the inside of the network, with a FQDN (fully qualified domain name) that had a public IP address to the outside world, but also a CNAME to an internal address on the inside of the network and ran NAT on our firewall at the DMZ to link the public and private IP together.
The flow looks something like this:-
Wireless Client --> (public IP: NAT'd to private IP) --> Firewall --> NGS on internal network
NGS on internal network <-- (private IP) sponsor
NGS on internal network <-- (private IP) active-directory
The reason we use a CNAME internally is so we can maintain the FQDN which is publically signed by an external CA.
This seems to work ok. Also the anchor-controller we have for guest access also has a FQDN assigned to it's virtual interface which is also publically signed by an external CA.
This stops all the security pop-ups and provides a more seemless experience to wireless clients associating with the network.
Security is taken care of by strictly controlling access to the NGS both on the anchor controller using ACL's and also on the DMZ firewall. So if traffic targetting the NGS comes in from the internet intended for the NGS from an untrusted/unknown IP range/tcp port then it will not be permitted.
Hope this makes sense?

Similar Messages

NAC Guest Server, How to change the password for a single user?

We have a NAC Guest Server which creates a complex password for all new users created.
We would like to have normal/simple password for a single user. How can I get this done on a NAC Guest Server.
Thanks in advance.

Hi,
You can setup 3 different flavours of passwords:
http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_guestpol.html#wp1063249.
a. Username Policy 1 - Email address as username
Use the guest's email address as the username. If an overlapping account with the same email address exists, a random number is added to the end of the email address to make the username unique. Overlapping accounts are accounts that have the same email address and are valid for an overlapping period of time.
b. Username Policy 2 - Create username based on first and last names
Create a username based on combining the first name and last name of the guest. You can set a Minimum username length for this username from 1 to 20 characters (default is 10). User names shorter than the minimum length are padded up to the minimum specified length with a random number.
c. Username Policy 3 - Create random username
Create a username based upon a random mixture of Alphabetic, Numeric or Other characters. Type the characters to include to generate the random characters and the number to use from each set of characters.
Note: The total length of the username is determined by the total number of characters included.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

NAC guest server CLI password recovery

I've changed the password according to the procedure.
Now after a reboot I can't login:
localhost login:
Login incorrect
I tried
admin/admin
root/cisco
root/configured pwd
nothing works!
I can't access the server via web (license key need to be installed but for this I've need the MAC of eth0. But for this I need to be logged in.
I can't find any solution on the web

I have the same issue that we lost the password of console and SSH and web admin.
wanted to know if reseting the password will erase the configuration or not..???

NAC Guest Server, unable to login with sponsor

We have a Cisco NAC Guest Server (version 2.0.5).
I created some sponsors and wanted them to be in another sponsor user group than the default group. So I created a sponsor user group and changed the group permissions (Allow Login is set to Yes, edit account .. are set to Own Accounts).
No I wanted to try out the new sponsors but I can't login to the NAC Server. I get a "username or password invalid" as reply. If I change the sponsor user group of the user to DEFAULT, everything is working.
The logfile on the NAC Server shows the following error:
Oct 4 13:05:14 s100059 NGS_SPONSOR: [audit NGS 0 10.106.161.5] Login failure: xxx
xxx is the username of the sponsor.
Why can't I login with the sponsor when he's in anoter sponsor group than DEFAULT?
Martin

If credentials work on CCMuser CUPSuser I would suspect either some kind of communication problem between the clients and the servers and/or misconfiguration (user/device/line association, device owner, roles, CTI/CCMCIP profiles, etc) on CUCM/CUPS.
Specially because you mention the same happens with CUPC.
HTH
java
if this helps, please rate
www.cisco.com/go/pdihelpdesk

Wired WebAuth with NAC Guest Server

Hi,
I am trying to get wired WebAuth working with NAC Guest Server. In the switch_login.html file example, what should be changed for this line:
ngsOptions.actionUrl = https://1.1.1.1/;
Should this be an IP address on the switch? Shoul I have this pointing to the success.html page like this:
ngsOptions.actionUrl = "https://1.1.1.1/success.html";
When I log on, and accept the AUP, my browser just sits there trying to access Https://1.1.1.1/?redirect-url=blah blah blah
Thanks,
Peter

FYI,
In my case I WAS getting the switch_login.html web page being displayed, but after entering credentials and submitting the Acceptable Use Policy page, I did NOT 'see' any radius traffic between the switch (C2960S 12.2(55)SE3) and the ACS 5.3 radius server?!.
I used the sample .html docs that you can find on the NAC Guest Server in the 'samples' folder on that server. I used WCP app to copy them to my PC/laptop before modifying where relevant and copying to flash on switch and to the wireless 'hotspot' folders on the NGS.
I went through the following document in url below line by line, paragraph by paragraph and found that I had left out the following command in the configuration:
aaa authentication login default group radius
see doc at:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/WebAuth/WebAuth_Dep_Guide.html#wp392553
So I added it in and I am now seeing the radius debug traffic being redirected to the ACS by the switch when a user submits the credentials.
aaa new-model
aaa authentication login default group radius
aaa authentication login VTY-USER-LOGIN local
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec EXEC-LOCAL local
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
with debug radius enabled:
Feb 1 13:36:09 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to down
TEST-802.1X#
Feb 1 13:36:10 PST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to down
TEST-802.1X#
Feb 1 13:36:18 PST: %AUTHMGR-5-START: Starting 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
TEST-802.1X#
Feb 1 13:36:20 PST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to up
Feb 1 13:36:21 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to up
TEST-802.1X#
Feb 1 13:36:27 PST: %DOT1X-5-FAIL: Authentication failed for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID
Feb 1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-5-START: Starting 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27.367 PST: RADIUS/ENCODE(0000058E):Orig. component type = DOT1X
Feb 1 13:36:27.367 PST: RADIUS(0000058E): Config NAS IP: 10.167.64.74
Feb 1 13:36:27.367 PST: RADIUS/ENCODE(0000058E): acct_session_id: 1421
Feb 1 13:36:27.367 PST: RADIUS(0000058E): sending
Feb 1 13:36:27.367 PST: RADIUS(0000058E): Send Access-Request to 10.167.77.70:1645 id 1645/14, len 211
Feb 1 13:36:27.372 PST: RADIUS: authenticator 2E F0 62 2D 43 D9 7D 2A - 7C 88 0A 52 B9 6E 78 A8
Feb 1 13:36:27.372 PST: RADIUS: User-Name           [1]   14 "848f69f0fcc7"
Feb 1 13:36:27.372 PST: RADIUS: User-Password       [2]   18 *
Feb 1 13:36:27.372 PST: RADIUS: Service-Type        [6]   6   Call Check                [10]
Feb 1 13:36:27.372 PST: RADIUS: Framed-MTU          [12] 6   1500
Feb 1 13:36:27.372 PST: RADIUS: Called-Station-Id   [30] 19 "20-37-06-C8-68-84"
Feb 1 13:36:27.372 PST: RADIUS: Calling-Station-Id [31] 19 "84-8F-69-F0-FC-C7"
Feb 1 13:36:27.372 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:27.372 PST: RADIUS:   11 20 B4 9A B6 E2 56 30 AC EC 43 CD 17 13 3E 14             [ V0C>]
Feb 1 13:36:27.372 PST: RADIUS: EAP-Key-Name        [102] 2   *
Feb 1 13:36:27.372 PST: RADIUS: Vendor, Cisco       [26] 49
Feb 1 13:36:27.372 PST: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=0AA7404A0000054E16335518"
Feb 1 13:36:27.372 PST: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
Feb 1 13:36:27.372 PST: RADIUS: NAS-Port            [5]   6   50104
Feb 1 13:36:27.372 PST: RADIUS: NAS-Port-Id         [87] 22 "GigabitEthernet1/0/4"
Feb 1 13:36:27.372 PST: RADIUS: NAS-IP-Address      [4]   6   10.167.64.74
Feb 1 13:36:27.372 PST: RADIUS(0000058E): Started 5 sec timeout
Feb 1 13:36:27.377 PST: RADIUS: Received from id 1645/14 10.167.77.70:1645, Access-Reject, len 38
Feb 1 13:36:27.377 PST: RADIUS: authenticator 68 CE 3D C8 C3 BC B2 69 - DB 33 F5 C0 FF 30 D6 33
Feb 1 13:36:27.377 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:27.377 PST: RADIUS:   82 3D 31 0A C7 A2 E0 62 D5 B7 6B 26 B8 A0 0B 46            [ =1bk&F]
Feb 1 13:36:27.377 PST: RADIUS(0000058E): Received from id 1645/14
Feb 1 13:36:27 PST: %MAB-5-FAIL: Authentication failed for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-5-START: Starting 'webauth' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'success' from 'webauth' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27.933 PST: RADIUS/ENCODE(0000058E):Orig. component type = DOT1X
Feb 1 13:36:27.933 PST: RADIUS(0000058E): Config NAS IP: 10.167.64.74
Feb 1 13:36:27.933 PST: RADIUS(0000058E): sending
Feb 1 13:36:27.933 PST: RADIUS(0000058E): Send Accounting-Request to 10.167.77.70:1646 id 1646/151, len 100
Feb 1 13:36:27.933 PST: RADIUS: authenticator D0 F0 04 F3 A5 08 90 BE - A9 07 8D 32 1B 0E 93 AC
Feb 1 13:36:27.933 PST: RADIUS: Acct-Session-Id     [44] 10 "0000058D"
Feb 1 13:36:27.933 PST: RADIUS: Framed-IP-Address   [8]   6   10.167.72.52
Feb 1 13:36:27.933 PST: RADIUS: Acct-Authentic      [45] 6   RADIUS                    [1]
Feb 1 13:36:27.933 PST: RADIUS: Acct-Status-Type    [40] 6   Start                     [1]
Feb 1 13:36:27.933 PST: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
Feb 1 13:36:27.933 PST: RADIUS: NAS-Port            [5]   6   50104
Feb 1 13:36:27.933 PST: RADIUS: NAS-Port-Id         [87] 22 "GigabitEthernet1/0/4"
Feb 1 13:36:27.933 PST: RADIUS: Service-Type        [6]   6   Framed                    [2]
Feb 1 13:36:27.933 PST: RADIUS: NAS-IP-Address      [4]   6   10.167.64.74
Feb 1 13:36:27.933 PST: RADIUS: Acct-Delay-Time     [41] 6   0
TEST-802.1X#
Feb 1 13:36:27.938 PST: RADIUS(0000058E): Started 5 sec timeout
Feb 1 13:36:27.938 PST: RADIUS: Received from id 1646/151 10.167.77.70:1646, Accounting-response, len 20
Feb 1 13:36:27.938 PST: RADIUS: authenticator C2 DC 8D C7 B1 35 67 D9 - 28 2B 56 E4 4A 1E AD 65
At this point the user enters the credentials on the switch_login.html page and the clicks Submit on the Acceptable Use Policy splash page.
TEST-802.1X#
Feb 1 13:36:41.413 PST: RADIUS/ENCODE(0000058F):Orig. component type = AUTH_PROXY
Feb 1 13:36:41.413 PST: RADIUS(0000058F): Config NAS IP: 10.167.64.74
Feb 1 13:36:41.413 PST: RADIUS/ENCODE(0000058F): acct_session_id: 1422
Feb 1 13:36:41.413 PST: RADIUS(0000058F): sending
Feb 1 13:36:41.413 PST: RADIUS(0000058F): Send Access-Request to 10.167.77.70:1645 id 1645/15, len 176
Feb 1 13:36:41.413 PST: RADIUS: authenticator 6D 34 7E D6 34 B5 CB AC - 09 1F AC 5A 34 97 7D 6B
Feb 1 13:36:41.413 PST: RADIUS: User-Name           [1]   11 "testuser1"
Feb 1 13:36:41.413 PST: RADIUS: User-Password       [2]   18 *
Feb 1 13:36:41.413 PST: RADIUS: Calling-Station-Id [31] 14 "ip|G
Feb 1 13:36:41.413 PST: RADIUS: Service-Type        [6]   6   Outbound                  [5]
Feb 1 13:36:41.413 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:41.413 PST: RADIUS:   F8 4D 85 64 05 5E C9 1D D8 11 B2 A3 1A 3A 76 E0             [ Md^:v]
Feb 1 13:36:41.413 PST: RADIUS: Vendor, Cisco       [26] 49
Feb 1 13:36:41.418 PST: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=0AA7404A0000054E16335518"
Feb 1 13:36:41.418 PST: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
Feb 1 13:36:41.418 PST: RADIUS: NAS-Port            [5]   6   50104
Feb 1 13:36:41.418 PST: RADIUS: NAS-Port-Id         [87] 22 "GigabitEthernet1/0/4"
Feb 1 13:36:41.418 PST: RADIUS: NAS-IP-Address      [4]   6   10.167.64.74
Feb 1 13:36:41.418 PST: RADIUS(0000058F): Started 5 sec timeout
Feb 1 13:36:41.424 PST: RADIUS: Received from id 1645/15 10.167.77.70:1645, Access-Accept, len 173
Feb 1 13:36:41.424 PST: RADIUS: authenticator 28 48 DE B5 1A 0A 71 5A - 3B 8B 7A 12 FB EA 01 58
Feb 1 13:36:41.424 PST: RADIUS: User-Name           [1]   11 "testuser1"
Feb 1 13:36:41.424 PST: RADIUS: Class               [25] 28
Feb 1 13:36:41.424 PST: RADIUS:   43 41 43 53 3A 78 62 63 2D 61 63 73 2F 31 31 36 [CACS:xbc-acs/116]
Feb 1 13:36:41.424 PST: RADIUS:   34 37 33 32 33 39 2F 31 36 36        [ 473239/166]
Feb 1 13:36:41.424 PST: RADIUS: Session-Timeout     [27] 6   3600
Feb 1 13:36:41.424 PST: RADIUS: Termination-Action [29] 6   1
Feb 1 13:36:41.424 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:41.424 PST: RADIUS:   10 80 26 5D 02 C5 15 0C A8 16 AA 35 14 C9 4F 14              [ &]5O]
Feb 1 13:36:41.424 PST: RADIUS: Vendor, Cisco       [26] 19
Feb 1 13:36:41.429 PST: RADIUS:   Cisco AVpair       [1]   13 "priv-lvl=15"
Feb 1 13:36:41.429 PST: RADIUS: Vendor, Cisco       [26] 65
Feb 1 13:36:41.429 PST: RADIUS:   Cisco AVpair       [1]   59 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-GuestACL-4eefc9a0"
Feb 1 13:36:41.429 PST: RADIUS(0000058F): Received from id 1645/15
Feb 1 13:36:41.439 PST: RADIUS/ENCODE(0000058F):Orig. component type = AUTH_PROXY
Feb 1 13:36:41.439 PST: RADIUS(0000058F): Config NAS IP: 10.167.64.74
Feb 1 13:36:41.439 PST: RADIUS(0000058F): sending
Feb 1 13:36:41.439 PST: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Feb 1 13:36:41.444 PST: RADIUS(00000000): Config NAS IP: 10.167.64.74
Feb 1 13:36:41.444 PST: RADIUS(00000000): sending
Feb 1 13:36:41.450 PST: RADIUS(0000058F): Send Accounting-Request to 10.167.77.70:1646 id 1646/152, len 119
Feb 1 13:36:41.450 PST: RADIUS: authenticator 23 E3 DA C3 06 5B 37 20 - 67 E2 96 C5 90 1C 71 33
Feb 1 13:36:41.450 PST: RADIUS: Acct-Session-Id     [44] 10 "0000058E"
Feb 1 13:36:41.450 PST: RADIUS: Calling-Station-Id [31] 14 "10.167.72.52"
Feb 1 13:36:41.450 PST: RADIUS: User-Name           [1]   11 "testuser1"
Feb 1 13:36:41.450 PST: RADIUS: Acct-Authentic      [45] 6   RADIUS                    [1]
Feb 1 13:36:41.455 PST: RADIUS: Acct-Status-Type    [40] 6   Start                     [1]
Feb 1 13:36:41.455 PST: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
Feb 1 13:36:41.455 PST: RADIUS: NAS-Port            [5]   6   50104
Feb 1 13:36:41.455 PST: RADIUS: NAS-Port-Id         [87] 22 "GigabitEthernet1/0/4"
Feb 1 13:36:41.455 PST: RADIUS: Service-Type        [6]   6   Outbound                  [5]
Feb 1 13:36:41.455 PST: RADIUS: NAS-IP-Address      [4]   6   10.167.64.74
Feb 1 13:36:41.455 PST: RADIUS: Acct-Delay-Time     [41] 6   0
Feb 1 13:36:41.455 PST: RADIUS(0000058F): Started 5 sec timeout
Feb 1 13:36:41.455 PST: RADIUS(00000000): Send Access-Request to 10.167.77.70:1645 id 1645/16, len 137
Feb 1 13:36:41.455 PST: RADIUS: authenticator 02 B0 50 47 EE CC FB 54 - 2A B6 14 23 63 86 DE 18
Feb 1 13:36:41.455 PST: RADIUS: NAS-IP-Address      [4]   6   10.167.64.74
Feb 1 13:36:41.455 PST: RADIUS: User-Name           [1]   31 "#ACSACL#-IP-GuestACL-4eefc9a0"
Feb 1 13:36:41.455 PST: RADIUS: Vendor, Cisco       [26] 32
Feb 1 13:36:41.455 PST: RADIUS:   Cisco AVpair       [1]   26 "aaa:service=ip_admission"
Feb 1 13:36:41.455 PST: RADIUS: Vendor, Cisco       [26] 30
Feb 1 13:36:41.455 PST: RADIUS:   Cisco AVpair       [1]   24 "aaa:event=acl-download"
Feb 1 13:36:41.455 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:41.455 PST: RADIUS:   15 EC 10 E7 2F 67 33 DD BC B5 AE 11 E3 C3 19 E1               [ /g3]
Feb 1 13:36:41.455 PST: RADIUS(00000000): Started 5 sec timeout
Feb 1 13:36:41.455 PST: RADIUS: Received from id 1646/152 10.167.77.70:1646, Accounting-response, len 20
Feb 1 13:36:41.455 PST: RADIUS: authenticator AB 0F 81 95 71 A9 61 E0 - 5B B5 D3 2E 8D A2 68 98
Feb 1 13:36:41.460 PST: RADIUS: Received from id 1645/16 10.167.77.70:1645, Access-Accept, len 560
Feb 1 13:36:41.460 PST: RADIUS: authenticator 64 53 94 79 CF CD 05 B0 - ED 12 5C 5B A0 AB 4F FA
Feb 1 13:36:41.460 PST: RADIUS: User-Name           [1]   31 "#ACSACL#-IP-GuestACL-4eefc9a0"
Feb 1 13:36:41.460 PST: RADIUS: Class               [25] 28
Feb 1 13:36:41.460 PST: RADIUS:   43 41 43 53 3A 78 62 63 2D 61 63 73 2F 31 31 36 [CACS:xbc-acs/116]
Feb 1 13:36:41.460 PST: RADIUS:   34 37 33 32 33 39 2F 31 36 38        [ 473239/168]
Feb 1 13:36:41.460 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:41.460 PST: RADIUS:   A1 E6 37 EB 60 3A 28 35 92 56 C5 A9 27 7D 2C E9         [ 7`:(5V'},]
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 38
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   32 "ip:inacl#1=remark **Allow DHCP"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 57
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   51 "ip:inacl#2=permit udp any eq bootpc any eq bootps"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 37
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   31 "ip:inacl#3=remark **Allow DNS"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 47
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   41 "ip:inacl#4=permit udp any any eq domain"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 61
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   55 "ip:inacl#5=remark **Deny access to Corporate Networks"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 53
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   47 "ip:inacl#6=deny ip any 10.0.0.0 0.255.255.255"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 45
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   39 "ip:inacl#7=remark **Permit icmp pings"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 38
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   32 "ip:inacl#8=permit icmp any any"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 50
TEST-802.1X#
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   44 "ip:inacl#9=remark **Permit everything else"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 37
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   31 "ip:inacl#10=permit ip any any"
Feb 1 13:36:41.465 PST: RADIUS(00000000): Received from id 1645/16
TEST-802.1X#
TEST-802.1X#
TEST-802.1X#
interface config looks like:
interface GigabitEthernet1/0/4
description **User/IPphone/Guest
switchport access vlan 702
switchport mode access
switchport voice vlan 704
ip access-group PRE-AUTH in
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab webauth
authentication port-control auto
authentication fallback WEB_AUTH_PROFILE
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 3
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

NAC Guest Server - Self Service

Hello all,
I have a problem with NAC Guest Server and the self service feature.
When I use the self service feature with auto login it works fine.
But the customer would like to disable the auto login feature and the guest has to fill in his username /password.
These credentials will created by the NAC
When I click "add user", there is the message: user successful created.
but I don't have the possibilty to reach the login page with username/password with my browser.
But There is no redirect to the login page with username/password and when I refresh the browser or restat my browser, I will always reach the "self service" page.
I hope someone had a similar problem and can help.
thanks
Martin

have you allowed pop-ups on the browsers?
did you try switching the browser?
Regards
F.H

NAC Guest Server 2.0.5

Hello Everybody,
We have NAC Guest Server version 2.0.5, our customer has two requeriments, one of them is to assign manually password to a new account, the second is change the state inactive of the account to active state. As I saw in this version, i can't do it.
Is possible to do both requeriments on a later release of NAC Guest Server?
Thanks

Sri,
You are right this isnt well documented. My guess is that you will download the same upgrade file from cco for the upgrade to 2.0.3 and then follow the same steps. However, that is something that should be documented. Can you open a TAC case and have them file a documentation bug for this.
Thanks,
Tarik Admani
*Please rate helpful posts*

NAC Guest server with tokens

Has anybody implemented NAC guest server in conjunction with SMS tokens.
Is there some docs. on how to?

The following APIs allow administrators to create, delete, and view local user accounts on the CAM:
â¢getlocaluserlist
â¢addlocaluser
â¢deletelocaluser
Local users are those internally validated by the CAM as opposed to an external authentication server. These APIs are intended to support guest access for dynamic token user access generation, providing the ability to:
â¢Use a webpage to access Cisco NAC Appliance API to insert a visitor username/password combination, such as [email protected]/jdoe112805, and then assign a role, such as guest1day.
â¢Delete all guest users associated with the guest access role for that day.
â¢List all usernames associated with the guest access role.
These APIs support most implementations of guest user access dynamic token/password generation and allow the removal of those users for a guest role.
You must create the front-end generation password/token. For accounting purposes, Cisco NAC Appliance provides RADIUS accounting functionality only.
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_apiapx.html#wp1012025

NAC Guest Server SMTP Authentication

Does anyone know if you are able to set your SMTP server in the NAC Guest Server to do SMTP Authentication? Our old Exchange server just let us specify the SMTP server and send the guest accounts their Username and Password to their outside accounts. Our new Exchange server requires SMTP authentication, but we do not see the option available in the NAC Guest Server interface. We are running NAC Guest Server 1.1.3. Any ideas would be appreciated. Thanks!

I have Cisco NAC Guester server 2.0.2 and have sort of similar issues.
I configured the Base DN to the OU of the sponsor groups in AD and then map that particular group in roles. Users from that group can log on fine and create guest accounts.
The problem is, it seems that other users from that OU seems to be able to log on as sponsors too. How do I restrcit this to just that sponsore group? I tried changing the Base DN to the OU of the sponsore group then enter CN=sponsorgroup to narrow it to just that group but still other users can log in as sponsors.

Wired WebAuth only with NAC Guest Server (No ACS)

Ok, I have been fighting this for two days now. I want to use the webauth function on some of our Cisco 3750Gs ver
12.2(55)SE5 for guest access. I'm trying to use our NAC Guest Server ver: 2.0.3 as the backend portal and Radius server. We do not have ACS or any of the other components of ISE or NAC. I think the issue is the NGS server is not sending the d(ACL) back to switch. Guest work work fine from our WLCs.
switch debug: No Attributes in swtich debug
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Config NAS IP: 199.46.201.26
Mar 22 12:56:00.448 CDT: RADIUS/ENCODE(0000030C): acct_session_id: 1012
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): sending
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Send Access-Request to 10.199.33.20:1812 id 1645/19, len 177
Mar 22 12:56:00.448 CDT: RADIUS: authenticator 99 95 59 55 09 A9 D9 E1 - 2B 01 90 36 1B 8A 41 92
Mar 22 12:56:00.448 CDT: RADIUS: User-Name           [1]   20 "[email protected]"
Mar 22 12:56:00.448 CDT: RADIUS: User-Password       [2]   18 *
Mar 22 12:56:00.448 CDT: RADIUS: Framed-IP-Address   [8]   6   199.46.201.231
Mar 22 12:56:00.448 CDT: RADIUS: Service-Type        [6]   6   Outbound                  [5]
Mar 22 12:56:00.448 CDT: RADIUS: Message-Authenticato[80] 18
Mar 22 12:56:00.448 CDT: RADIUS:   A2 57 B5 F2 A6 FB 46 71 D0 EA 26 54 95 90 F4 D0             [ WFq&T]
Mar 22 12:56:00.448 CDT: RADIUS: Vendor, Cisco       [26] 49
Mar 22 12:56:00.448 CDT: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=C72EC91A000002FC0A6CD698"
Mar 22 12:56:00.448 CDT: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
Mar 22 12:56:00.448 CDT: RADIUS: NAS-Port            [5]   6   50106
Mar 22 12:56:00.448 CDT: RADIUS: NAS-Port-Id         [87] 22 "GigabitEthernet1/0/6"
Mar 22 12:56:00.448 CDT: RADIUS: NAS-IP-Address      [4]   6   199.46.201.26
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Started 5 sec timeout
Mar 22 12:56:01.454 CDT: RADIUS: Received from id 1645/19 10.199.33.20:1812, Access-Reject, len 20
Mar 22 12:56:01.454 CDT: RADIUS: authenticator 92 98 05 84 6E 4B CF DD - B5 D7 90 25 10 59 7B E7
Mar 22 12:56:01.454 CDT: RADIUS(0000030C): Received from id 1645/19
NGS log:
rad_recv: Access-Request packet from host 199.46.201.26 port 1645, id=19, length=177
    User-Name = "[email protected]"
    User-Password = "5rRmpPt9"
    Framed-IP-Address = 199.46.201.231
    Service-Type = Outbound-User
    Message-Authenticator = 0xa257b5f2a6fb4671d0ea26549590f4d0
    Cisco-AVPair = "audit-session-id=C72EC91A000002FC0A6CD698"
    NAS-Port-Type = Ethernet
    NAS-Port = 50106
    NAS-Port-Id = "GigabitEthernet1/0/6"
    NAS-IP-Address = 199.46.201.26
+- entering group authorize {...}
[radius-user-auth]     expand: %{User-Name} -> [email protected]
[radius-user-auth]     expand: %{User-Password} -> 5rRmpPt9
[radius-user-auth]     expand: %{NAS-IP-Address} -> 199.46.201.26
[radius-user-auth]     expand: %{Calling-Station-Id} ->
Exec-Program output:                          Note: no attributes here
Exec-Program: returned: 1
++[radius-user-auth] returns reject
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.6 seconds.
Similar debug from NGS but auth request from WLC: See attributes are sent to wlc although not needed
rad_recv: Access-Request packet from host 10.100.16.100 port 32770, id=22, length=152
    User-Name = "[email protected]"
    User-Password = "5rRmpPt9"
    Service-Type = Login-User
    NAS-IP-Address = 10.100.16.100
    NAS-Port = 13
    NAS-Identifier = "ICTWLC01"
    NAS-Port-Type = Ethernet
    Airespace-Wlan-Id = 514
    Calling-Station-Id = "10.198.12.211"
    Called-Station-Id = "10.100.16.100"
    Message-Authenticator = 0xc9383e767f0c228a2b8a0ece7069f366
+- entering group authorize {...}
[radius-user-auth]     expand: %{User-Name} -> [email protected]
[radius-user-auth]     expand: %{User-Password} -> 5rRmpPt9
[radius-user-auth]     expand: %{NAS-IP-Address} -> 10.100.16.100
[radius-user-auth]     expand: %{Calling-Station-Id} -> 10.198.12.211
Exec-Program output: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
Exec-Program-Wait: plaintext: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
Exec-Program: returned: 0
++[radius-user-auth] returns ok
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}
[sql]     expand: %{User-Name} -> [email protected]
[sql] sql_set_user escaped user --> '[email protected]'
[sql]     expand: %{User-Password} -> 5rRmpPt9
[sql]     expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('[email protected]', '5rRmpPt9', 'Access-Accept', NOW())
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('[email protected]', '5rRmpPt9', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 12
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released sql socket id: 12
++[sql] returns ok
Sending Access-Accept of id 22 to 10.100.16.100 port 32770
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.100.16.100 port 32770, id=30, length=170
config:
aaa new-model
aaa authentication login default group radius
aaa authentication login console group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ none
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
ip device tracking
ip auth-proxy auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C
ip auth-proxy proxy http login expired page file flash:expired.html
ip auth-proxy proxy http login page file flash:login.html
ip auth-proxy proxy http success page file flash:success.html
ip auth-proxy proxy http failure page file flash:failed.html
ip admission auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C
ip admission proxy http login expired page file flash:expired.html
ip admission proxy http login page file flash:login.html
ip admission proxy http success page file flash:success.html
ip admission proxy http failure page file flash:failed.html
ip admission name web-auth-guest proxy http inactivity-time 60
dot1x system-auth-control
identity policy FAILOPEN
access-group PERMIT
interface GigabitEthernet1/0/6
switchport access vlan 301
switchport mode access
ip access-group pre-webauth-guest in
no logging event link-status
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust dscp
no snmp trap link-status
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone
ip admission web-auth-guest
ip http server
ip http secure-server
ip access-list extended PERMIT
permit ip any any
ip access-list extended pre-webauth-guest
permit udp any any eq bootps
permit udp any any eq domain
permit tcp any host 10.199.33.20 eq 8443
permit tcp any host 10.199.33.21 eq 8443
permit tcp any host 10.100.255.90 eq 8443
deny   ip any any log
ip radius source-interface Vlan301
radius-server attribute 8 include-in-access-req
radius-server dead-criteria tries 2
radius-server host 10.199.33.20 auth-port 1812 acct-port 1813 key 7 022E5C782C130A74586F1C0D0D
radius-server vsa send authentication
I get the login and AUP page then the failed page... I never see the priv-lvl 15 or the proxyacl? How do I do this with Guest server only?
Help!

Without the ACS, only with the NAC guest is possible?
They can send me sample configuration?

NAC guest server with RADIUS authentication for guests issue.

Hi all,
We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
-----START QUOTE-----
Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
•Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
•Self Service—This option allows guest self service. After selection proceed to Step 8.
•Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
----- END QUOTE-----
Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
Regards
Kevin Woodhouse

Well I will try to answer your 2nd questions.... will it work... yes. It is like any other radius server (high end:)) But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD. Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest acounts and if you look at it, it leaves everything in the DMZ.
Now if you are looking at the self service.... what does that really give you.... you won't be able to controll who gets on, people will use bogus info and last but not least.... I have never gotten that to work right. Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that. That is my opinion.

NAC guest server and pre-configured duration of accounts

There seems to be a bug in the way the NAC guest server handles the pre-configured duration of guest accounts.
I have followed the manual and I did:
- Configured 3 durations (24h, 48h and 1 week) under the templates/accounts/accounts durations.
- And set "maximun duration of account" under User Groups
As I understand I should now be able to select one of the three configured durations when I login as a sponsor.
However I only get the number which I specified under User Group.
The odd thing is that if I change the Maximum duration under User Group, I get this as the only choice (e.g. 14 days).
Have other experienced this?
Best regards,
Steffen Lindemann

You can use any one of the option ie number of days or number of hours.
For days;
Authentication > User Groups > Add Group | Edit Group includes two new settings for Number of days in the future the account can be created and Maximum duration of account (in days)
For hours:
User Interface > Templates > Add Template | Edit Template > Accounts > Account Duration
http://www.cisco.com/en/US/docs/security/nac/guestserver/release_notes/11/gsrn110.html

NAC Guest Server - Multiple WLANs

Hi Guys,
Does anyone know is it possible to use the same NAC Guest Server as a sponsor based service for multiple anchored WLANs?
I would like a sponsor based system but with 2 purposes:
One WLAN would be used for guests that in turn would allow them internet only access using a dedicated ADSL service.
The second WLAN would allow contractors to be sponsored and access a seperate corporate network (although still behind the anchor).
Thanks,
N

Hi,
The 3315 is used for other products so the 4 NIC is not specifically used for the NGS so the software only uses radius on its eth0 interface.
http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_install.html
thanks,
Tarik Admani
*Please rate helpful posts*

Nac guest server multiple NIC configuration

Hi Everyone,
I have a nac guest server 3315 appliance with 4 NICs. I want to connect each NIC to 4 different networks without allowing traffic between them. So RADIUS interface will be different from sponsor/admin interface to the NGS.
Does any one have an idea how to achieve this. I have created and assigned a static IP address using system-config-network, but when i do ifconfig i dont see the remaining 3 NICs and the web interface doesnt seem to have provision to create this interfaces.
Many thanks

Hi,
The 3315 is used for other products so the 4 NIC is not specifically used for the NGS so the software only uses radius on its eth0 interface.
http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_install.html
thanks,
Tarik Admani
*Please rate helpful posts*

NAC Guest Server and WLC, WCS

I have setup a NAC Guest Server to allow users to sign up guest account via Active Directory. How do I tight this into WLC or WCS?

Hi
Try this:
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00809d6b9a.shtml
Regards
Greg

NAC Guest server allow password change

Similar Messages

Maybe you are looking for