NAC guest server and guest proxy filtering issue.

Hi all
Continuing our issues log for the NAC guest server install, our toplogy and issue is as follows:
We have a guest NAC server and a 4404 anchor controller successfully deployed in the DMZ, the anchor WLC has a mobilty anchor which is a WISM on the corporate network, DHCP services for guest clients are issued with no problems from the WLC in the DMZ. The first port of the DMZ controller is located on the DMZ and the second port directly connects to the firewall interface.
All works correctly, DNS, DHCP, NTP, SNMP etc all work fine through the firewall.
What options do I have to filter Internet access in this scenario, we have Websense and Nokia firewalls, don't think I can use WCCP as I have nowhere to place it, the second connection on the WLC is directly connected to the firewal so nowhere to intercept the traffic, our security team has tried some tricks on the Nokia to try to redirect the traffic on the firewall using a type of redirect, WPAD, I can't see as an option. Any ideas. If I place the second interface into the DMZ, could I use WCCP that way maybe, but won't traffic still have to go to the firewall??
options please ??

Well you will need to use a 3rd party certificate.. Here is a link to generate and install a 3rd party certificate on the WLC for the use with Web-Auth:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
Here is a link for the NGS:
http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fsecurity%2Fnac%2Fappliance%2Fconfiguration_guide%2F410%2Fcas%2Fcas41ug.pdf&pos=1&strqueryid=2&websessionid=RK88fQNWy8TCDUakpNGLOqZ
The applicances are using a self generated Cisco certificate which of course is not a trusted certificate store in most of all operating systems. So using a 3rd party certificate like RapidSSL, Verisign, etc will eliminate the certificate issue.

Similar Messages

SAN certificate for external access for edge server and reverse proxy

Hello
I have a question related to the certificate planning for LYNC 2013 EDGE SERVER .
For external access and mobile user's , Iwant to enable all the feature for external user's .
im planning to purchase san certificate ,
my first question do I need only one SAN for both my edge server and the reverse proxy ?
my second question about the name's that shoud be added to the certificate ?
sip.mydomain.com
av.mydomain.com
webconf.mydomain.com
what else I should add ? I want to add the names for all feature access.
Kind Regards
MK

Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network. Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as additional
SAN on your cert.
Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only.
Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that
can present the third party certificate.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications
This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

TMS server and WinSXS - HD space issues

I was wondering if anyone else is having a problem with disk space on their TMS servers? I'm running TMS 14.4.2 on a virtual server, and my hard drive is filling up with various files. I have gone in an deleted some old software versions from the TMS folder, but the big culprit is my Windows directory! It is currently at 25GB and growing - inetpub and winsxs are the problem folders.
Various windows forums say that there isn't anything you can do about the files in winsxs, and Cisco TAC advised me to carefully remove some files from the inetpub folder (subfolder Logs). Am I the only one having these issues?
The TMS installation guide states that only 4GB of disk space is required for the application footprint, but doesn't say what the recommended harddrive size is. Let me clarify this, however - I'm using an external SQL database - NOT local.
My TMS server has been acting odd lately, and I have had to restart some services from time to time, or do a full reboot. I'm quite certain that my VM server is running as per Cisco's recommendations:
Cisco TMS can be installed in a virtualized server environment as long as the virtual machine is allocated
sufficient dedicated resources to meet the server and hardware requirements for installation. The resources
allocated to the Cisco TMS server instance must be dedicated, and not shared with other server instances.
My OS is Windows Server 2008 R2 Standard, Service Pack 1., 7GB RAM, Intel Xeon CPU E5-2670 0 @ 2.60 GHz 2.60 GHz, 64 bit.
If you have any feedback or suggestions, I'd appreciate it.

Would be interesting to know which HD size you provisioned and how much free space you have left now. I always recommend around or more than 100GB for the C: drive then you most like have no stress.
Storage is cheap, trouble you have now is stressful.
Many strange symptoms of TMS can be fixed by deinstalling and reinstalling TMS (and TMSPE if used) connecting the same DBs afterwards
As you use an external database, what you could do is to stop the old TMS, install a new windows server and TMS and then reconnect to the same database. If you do not trust you windows nor the TMS install.
(also possibe, deinstall tms on the old one, resize the partition, reinstall TMS).
This guide is a bit older but might help you here as well:
https://supportforums.cisco.com/document/108271/migrating-telepresence-management-suite-tms-new-serverpdf
Sure, strangeness of TMS could also be an issue with the DB, OS, something in your network, ...

DHCP server and ip helper-address issue

Question,
By accident I had configured an IP HELPER-ADDRESS on a VLAN interface pointing to a DHCP server with an IP addrees in the same VLAN ( ip subnet ).
Some users had complaints and there were BAD ADDRESS entries in our DHCP server registered.
Can anyone explain to me why this is an issue please ?
My guess is that the the DHCP server receives the DHCPREQUEST from the client via the braodcast request and via the unicast request from the ip helper-address configuration. But does this really interfere with the DHCPACK and DHCPOFFER packets afterwards ?

Alex,
I've not been able to capture the network packets but I can understand if the server would send DHCPNACK requests ( wxhich would be a normal process ).
I just don't understand why so many users suddenly have issues and my DHCP scope is filling up with BAD ADDRESSES.
My assumption is that the client receives 2 valid DHCP responses ( one form the actual DHCP server and another one from the router, acting as DHCP relay agent ) and acknowledges them, but the DHCP process is somewhere corrupted ( either on the DHCP server or the DHCP client ).
I want a technical explanation for this issue :-)

Address Book Server and iOS Default Account Issue

I have a really strange issue with a Lion Server. 10.7.5
There are several user accounts on the machine some are local, some are OD accounts. For the most part they work just fine.
Mail and Calendar accounts seem to be ok and indeed when you set up the Address book account this also work and syncs in both directions.
Here is the odd issue: For certain accounts, iOS devices do not seem to register them to be available to set as default. The device can use them properly, they do sync fine, if you hit 'import SIM contacts' they will show up as options to choose as the destination account, but if you have iCloud and another contact account set up, they do not show up as options to be chosen as the default contacts account. If they are the only contact accounts, then the 'Set Default Account' option does not even appear in the Mail, Contacts, Calendars settings under Contacts. It appears fine under Calendars and Mail.
When I installed more than one of the 'faulty' accounts on a single iOS device, then deactivated all but one, the Default Account option reappeared (there was also an iCloud account present), but it soon disappears on its own.
Has anyone seen this before?
I'm at a bit of a loss.

You should see a "CardDAV" option in the AccountType popup in AddressBook.app. That is what you need to select to use AddressBook Server on OS X 10.6.

SAPUI5 app and Reverse proxy configuration

Hi
Im trying to configure proxyserver for Cross origin resource sharing issue.
The below steps i have configured in my machine.
1. I have developed an application which consumes data through odata.
2. Download and configured Apache server and enabled proxy module as per this url
http://scn.sap.com/community/developer-center/front-end/blog/2013/06/29/solving-same-origin-policy-issue-in-different-ways
3. In httpd.config file added the below reverse proxy setup
ProxyPass /poodata http://HOSTNAME:8000/sap/opu/odata/sap/Z_PORDER_SRV/
ProxyPassReverse /poodata http://HOSTNAME:8000/sap/opu/odata/sap/Z_PORDER_SRV/
4. Changed my service url as
var serviceUrl = "proxy/http/localhost/poodata";
5. Also i have added java-property-utils-1.9.jar and cors-filter-1.8.jar then
in web.xml i have added Eventhough its seems not neccessary.
<filter>
<display-name>CacheControlFilter</display-name>
<filter-name>CacheControlFilter</filter-name>
<filter-class>com.sap.ui5.resource.CacheControlFilter</filter-class>
</filter>
<filter>
<filter-name>CORS</filter-name>
<filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
</filter>
6. Finally when i am executing the application throgh http://localhost:9080/SamplePO/ Its working. But Instead of localhost when im using IP address it shows NO DATA and throws the "500 internal server error - only allowed for local testing"
also the application is trying to fetch data from 'http://10.130.41.158:9080/SamplePO/proxy/http/localhost/poodata/$metadata' where the location should be 'http/localhost/poodata/$metadata'.
I want to access this application in my iPAD through WIFI by passing IP address followed by application name (http://10.130.41.158:9080/SamplePO).
Please help me to fix this issue.
Regards
Yokesvaran Kumarasamy

Hi Michael Herzog / DJ Adams / Frank Welz,
It seems you have v.good knowledge on this, can you please help with this issue.
Thanks in Advance
Regards
Yokesvaran Kumarasamy

Creating Weblogic domain with Admin Server and managed servers on different

I am trying to create Weblogic domain where Admin Server and managed servers on different machines. However I am unable to find any steps which would allow me to do so. The config.sh script always creates an Admin Server. Please help.

Whilst the method that Lawrence gives can result in a domain that is perfectly functional, it is a method that can result in errors as you are having to enter the same information twice. Also you will create two admin servers, as the second domain creation will have the console added to it on the renamed admin server and this will give issues.
The best method to create a domain spamming multiple physical machines, is to create the domain with all the components on the first machine. This means planning the domain and making sure all components are added once; so having the information about the domain written out is wise. Ensure that the WLS software is installed in the same path on each machine before starting.
Then copy the domain that you have created from one machine to the other, keeping the same paths. You can simply copy (I've used this method multiple times without issue) but the supported way would be to use the WLST PACK and UNPACK methods. These create and extract domains from templates. Some more information on these is given here -> http://docs.oracle.com/cd/E13179_01/common/docs100/pack/intro.html#wp1069056

NAC guest server with RADIUS authentication for guests issue.

Hi all,
We have just finally successfully installed our Cisco NAC guest server. We have version 2 of the server and basically the topology consists of a wism at the core of the network and a 4402 controller at the dmz, then out the firewall, no issues with that. We do however have a few problems, how can we provide access through a proxy without using pak files obviously, and is there a way to specify different proxies for different guest traffic, based on IP or a radius attribute etc.
The second problem is more serious; refer to the documentation below from the configuration guide for guest nac server v2. It states that hotspots can be used and the Authentication option would allow radius authentication for guests, I’ve been told otherwise by Cisco and they say it can’t be done, has anyone got radius authentication working for guests.
https://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_hotspots.html
-----START QUOTE-----
Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:
•Payment Provider—This option allows your page to integrate with a payment providing billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers for details.) Select the relevant payment provider and proceed to Step 8.
•Self Service—This option allows guest self service. After selection proceed to Step 8.
•Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.
----- END QUOTE-----
Your help is much appreciated on this, I’ve been looking forward to this project for a long time and it’s a bit of an anti climax that I can’t authenticate guests with radius (We use ACS and I was hoping to hook radius into an ODBC database we have setup called open galaxy)
Regards
Kevin Woodhouse

Well I will try to answer your 2nd questions.... will it work... yes. It is like any other radius server (high end:)) But why would you do this for guest.... there is no reason to open up a port on your FW and to add guest accounts to and worse... add them in AD. Your guest anchor can supply a web-auth, is able to have a lobby admin account to create guest acounts and if you look at it, it leaves everything in the DMZ.
Now if you are looking at the self service.... what does that really give you.... you won't be able to controll who gets on, people will use bogus info and last but not least.... I have never gotten that to work right. Had the BU send me codes that never worked, but again... that was like a year ago and maybe they fixed that. That is my opinion.

NAC Guest Server and WLC's

Just wanted to know if this will work or not...
I was looking at a design from a client and they had two CAM and CAS plus a Guest server. My client wants to use the equipment above for guest access. The problem I'm having is that I'm building a wireless network with guest anchor WLC's in the DMZ. So my wireless users will be tunneled to the DMZ controller. Also, the WLC can have a splash page uploaded to it and also authenticate users locally in the DB. They don't want any remediation, just authentication.... is this a waste of money or would would actually implement this?

I've some (very) basic questions.
Let's say guest vlan = x
1)vlan x should be created on the foreign controllers as on the anchor controller, with the same properties
2)on the anchor controller a dynamic interface has to be created acting as default gateway for the guest clients.
3)it's advised to place the guest server in the guest vlan? Eg. Somewhere in the server farm?
4)Once traffic coming from the guests is arrived at the anchor controller. (I know to less of WLC ;)) Will it forwarded with as source IP, the IP of the anchor controller towards the anchor default gateway (firewall or internet router?)
4)authentication: user connect to SSID guest and opens a browser. The user is redirected and a login page is displayed. Is this page downloaded from the anchor controller? I think it is and pushed via WCS. So Guest NAC server has nothing to deal with this page? Correct?
The anchor controller polls the nac guest server with the given credentials. Anchor controller forwards the credentials to the NAC guest server. The NGS replies with authenticated or not. If authenticated. The guest can browse. Probably on regular base, the anchor controller will poll the NAC guest in order to check if he's still authenticated and if enabled pass information to the NAC guest for accounting. Is this somehow ok?
I've found to open the following ports in the firewall:
UDP 97 for EoIP
UDP 16666 for intercontroller traffic
and 1812/1813 for Radius.
Thanks in advance

NAC guest server hangs and guest portal is not working

Hi all ,
Our guest nac server NAC3315 is oftenly getting hung state . And our guest wireless network is not working . We are able to ping the NAC server but web page is not opening for the clients if they connected to guest network.
Any clue on this ....
Thanks!,
Regards,
Vijay.

All actions within the Cisco NAC Guest Server are logged into the database. This enables you to see any action that occurred as part of the normal operating process of the application.
To access the system log from the administration interface select Server > System Log from the left hand menu
Please check the Error Logs for troubleshooting of NGS

NAC guest server and pre-configured duration of accounts

There seems to be a bug in the way the NAC guest server handles the pre-configured duration of guest accounts.
I have followed the manual and I did:
- Configured 3 durations (24h, 48h and 1 week) under the templates/accounts/accounts durations.
- And set "maximun duration of account" under User Groups
As I understand I should now be able to select one of the three configured durations when I login as a sponsor.
However I only get the number which I specified under User Group.
The odd thing is that if I change the Maximum duration under User Group, I get this as the only choice (e.g. 14 days).
Have other experienced this?
Best regards,
Steffen Lindemann

You can use any one of the option ie number of days or number of hours.
For days;
Authentication > User Groups > Add Group | Edit Group includes two new settings for Number of days in the future the account can be created and Maximum duration of account (in days)
For hours:
User Interface > Templates > Add Template | Edit Template > Accounts > Account Duration
http://www.cisco.com/en/US/docs/security/nac/guestserver/release_notes/11/gsrn110.html

NAC Guest Server and Multiple Guest SSID's/Splashpages

Hi All,
If I have multiple guest SSID's on a single controller and I use NGS as the Radius. How do I configure NGS to "send" the clients to differnet login pages corresponding to the SSID they came from.
I can configure different splash pages in HotSpots section but how do I map the different SSID's from the controller to the different splash pages. Then I guess that raises the question when I generate guest users on NGS is it possile to only allow them associate to a specific SSID.
TIA,
Eoin.

Hi Nicolas,
Thanks for the reply. I can see that config on the WLC and have used it before where there is only a single guest SSID. What I dont know is if the NAC Guest server sees radius requests coming from different guest SSID's on the same WLC. How does the NAC Guest server apply the correct guest policy to that user. And when sponsors genereate guest accounts how do they specific which policy is to be applied to that guest so it can only get access to a specfic guest network/SSID I'm not sure where the "mapping" of accounts/splash pages/policies takes place on the NAC guest server. I've only ever set up NAC Guest when there has been a single guest SSID.
Regards,
Eoin.

NAC Guest Server and WLC, WCS

I have setup a NAC Guest Server to allow users to sign up guest account via Active Directory. How do I tight this into WLC or WCS?

Hi
Try this:
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00809d6b9a.shtml
Regards
Greg

Wired WebAuth only with NAC Guest Server (No ACS)

Ok, I have been fighting this for two days now. I want to use the webauth function on some of our Cisco 3750Gs ver
12.2(55)SE5 for guest access. I'm trying to use our NAC Guest Server ver: 2.0.3 as the backend portal and Radius server. We do not have ACS or any of the other components of ISE or NAC. I think the issue is the NGS server is not sending the d(ACL) back to switch. Guest work work fine from our WLCs.
switch debug: No Attributes in swtich debug
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Config NAS IP: 199.46.201.26
Mar 22 12:56:00.448 CDT: RADIUS/ENCODE(0000030C): acct_session_id: 1012
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): sending
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Send Access-Request to 10.199.33.20:1812 id 1645/19, len 177
Mar 22 12:56:00.448 CDT: RADIUS: authenticator 99 95 59 55 09 A9 D9 E1 - 2B 01 90 36 1B 8A 41 92
Mar 22 12:56:00.448 CDT: RADIUS: User-Name           [1]   20 "[email protected]"
Mar 22 12:56:00.448 CDT: RADIUS: User-Password       [2]   18 *
Mar 22 12:56:00.448 CDT: RADIUS: Framed-IP-Address   [8]   6   199.46.201.231
Mar 22 12:56:00.448 CDT: RADIUS: Service-Type        [6]   6   Outbound                  [5]
Mar 22 12:56:00.448 CDT: RADIUS: Message-Authenticato[80] 18
Mar 22 12:56:00.448 CDT: RADIUS:   A2 57 B5 F2 A6 FB 46 71 D0 EA 26 54 95 90 F4 D0             [ WFq&T]
Mar 22 12:56:00.448 CDT: RADIUS: Vendor, Cisco       [26] 49
Mar 22 12:56:00.448 CDT: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=C72EC91A000002FC0A6CD698"
Mar 22 12:56:00.448 CDT: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
Mar 22 12:56:00.448 CDT: RADIUS: NAS-Port            [5]   6   50106
Mar 22 12:56:00.448 CDT: RADIUS: NAS-Port-Id         [87] 22 "GigabitEthernet1/0/6"
Mar 22 12:56:00.448 CDT: RADIUS: NAS-IP-Address      [4]   6   199.46.201.26
Mar 22 12:56:00.448 CDT: RADIUS(0000030C): Started 5 sec timeout
Mar 22 12:56:01.454 CDT: RADIUS: Received from id 1645/19 10.199.33.20:1812, Access-Reject, len 20
Mar 22 12:56:01.454 CDT: RADIUS: authenticator 92 98 05 84 6E 4B CF DD - B5 D7 90 25 10 59 7B E7
Mar 22 12:56:01.454 CDT: RADIUS(0000030C): Received from id 1645/19
NGS log:
rad_recv: Access-Request packet from host 199.46.201.26 port 1645, id=19, length=177
    User-Name = "[email protected]"
    User-Password = "5rRmpPt9"
    Framed-IP-Address = 199.46.201.231
    Service-Type = Outbound-User
    Message-Authenticator = 0xa257b5f2a6fb4671d0ea26549590f4d0
    Cisco-AVPair = "audit-session-id=C72EC91A000002FC0A6CD698"
    NAS-Port-Type = Ethernet
    NAS-Port = 50106
    NAS-Port-Id = "GigabitEthernet1/0/6"
    NAS-IP-Address = 199.46.201.26
+- entering group authorize {...}
[radius-user-auth]     expand: %{User-Name} -> [email protected]
[radius-user-auth]     expand: %{User-Password} -> 5rRmpPt9
[radius-user-auth]     expand: %{NAS-IP-Address} -> 199.46.201.26
[radius-user-auth]     expand: %{Calling-Station-Id} ->
Exec-Program output:                          Note: no attributes here
Exec-Program: returned: 1
++[radius-user-auth] returns reject
Delaying reject of request 12 for 1 seconds
Going to the next request
Waking up in 0.6 seconds.
Similar debug from NGS but auth request from WLC: See attributes are sent to wlc although not needed
rad_recv: Access-Request packet from host 10.100.16.100 port 32770, id=22, length=152
    User-Name = "[email protected]"
    User-Password = "5rRmpPt9"
    Service-Type = Login-User
    NAS-IP-Address = 10.100.16.100
    NAS-Port = 13
    NAS-Identifier = "ICTWLC01"
    NAS-Port-Type = Ethernet
    Airespace-Wlan-Id = 514
    Calling-Station-Id = "10.198.12.211"
    Called-Station-Id = "10.100.16.100"
    Message-Authenticator = 0xc9383e767f0c228a2b8a0ece7069f366
+- entering group authorize {...}
[radius-user-auth]     expand: %{User-Name} -> [email protected]
[radius-user-auth]     expand: %{User-Password} -> 5rRmpPt9
[radius-user-auth]     expand: %{NAS-IP-Address} -> 10.100.16.100
[radius-user-auth]     expand: %{Calling-Station-Id} -> 10.198.12.211
Exec-Program output: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
Exec-Program-Wait: plaintext: Session-Timeout := 20002004, cisco-AVPair += priv-lvl=15, cisco-AVPair += auth-proxy:proxyacl#1=permit ip any any
Exec-Program: returned: 0
++[radius-user-auth] returns ok
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}
[sql]     expand: %{User-Name} -> [email protected]
[sql] sql_set_user escaped user --> '[email protected]'
[sql]     expand: %{User-Password} -> 5rRmpPt9
[sql]     expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', NOW()) -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('[email protected]', '5rRmpPt9', 'Access-Accept', NOW())
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('[email protected]', '5rRmpPt9', 'Access-Accept', NOW())
rlm_sql (sql): Reserving sql socket id: 12
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
rlm_sql (sql): Released sql socket id: 12
++[sql] returns ok
Sending Access-Accept of id 22 to 10.100.16.100 port 32770
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.100.16.100 port 32770, id=30, length=170
config:
aaa new-model
aaa authentication login default group radius
aaa authentication login console group tacacs+ line
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ none
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
ip device tracking
ip auth-proxy auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C
ip auth-proxy proxy http login expired page file flash:expired.html
ip auth-proxy proxy http login page file flash:login.html
ip auth-proxy proxy http success page file flash:success.html
ip auth-proxy proxy http failure page file flash:failed.html
ip admission auth-proxy-banner http ^C HawkerBeechcraft Guest Network ^C
ip admission proxy http login expired page file flash:expired.html
ip admission proxy http login page file flash:login.html
ip admission proxy http success page file flash:success.html
ip admission proxy http failure page file flash:failed.html
ip admission name web-auth-guest proxy http inactivity-time 60
dot1x system-auth-control
identity policy FAILOPEN
access-group PERMIT
interface GigabitEthernet1/0/6
switchport access vlan 301
switchport mode access
ip access-group pre-webauth-guest in
no logging event link-status
srr-queue bandwidth share 10 10 60 20
queue-set 2
priority-queue out
mls qos trust device cisco-phone
mls qos trust dscp
no snmp trap link-status
auto qos voip cisco-phone
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input AutoQoS-Police-CiscoPhone
ip admission web-auth-guest
ip http server
ip http secure-server
ip access-list extended PERMIT
permit ip any any
ip access-list extended pre-webauth-guest
permit udp any any eq bootps
permit udp any any eq domain
permit tcp any host 10.199.33.20 eq 8443
permit tcp any host 10.199.33.21 eq 8443
permit tcp any host 10.100.255.90 eq 8443
deny   ip any any log
ip radius source-interface Vlan301
radius-server attribute 8 include-in-access-req
radius-server dead-criteria tries 2
radius-server host 10.199.33.20 auth-port 1812 acct-port 1813 key 7 022E5C782C130A74586F1C0D0D
radius-server vsa send authentication
I get the login and AUP page then the failed page... I never see the priv-lvl 15 or the proxyacl? How do I do this with Guest server only?
Help!

Without the ACS, only with the NAC guest is possible?
They can send me sample configuration?

Wired WebAuth with NAC Guest Server

Hi,
I am trying to get wired WebAuth working with NAC Guest Server. In the switch_login.html file example, what should be changed for this line:
ngsOptions.actionUrl = https://1.1.1.1/;
Should this be an IP address on the switch? Shoul I have this pointing to the success.html page like this:
ngsOptions.actionUrl = "https://1.1.1.1/success.html";
When I log on, and accept the AUP, my browser just sits there trying to access Https://1.1.1.1/?redirect-url=blah blah blah
Thanks,
Peter

FYI,
In my case I WAS getting the switch_login.html web page being displayed, but after entering credentials and submitting the Acceptable Use Policy page, I did NOT 'see' any radius traffic between the switch (C2960S 12.2(55)SE3) and the ACS 5.3 radius server?!.
I used the sample .html docs that you can find on the NAC Guest Server in the 'samples' folder on that server. I used WCP app to copy them to my PC/laptop before modifying where relevant and copying to flash on switch and to the wireless 'hotspot' folders on the NGS.
I went through the following document in url below line by line, paragraph by paragraph and found that I had left out the following command in the configuration:
aaa authentication login default group radius
see doc at:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Security/TrustSec_1.99/WebAuth/WebAuth_Dep_Guide.html#wp392553
So I added it in and I am now seeing the radius debug traffic being redirected to the ACS by the switch when a user submits the credentials.
aaa new-model
aaa authentication login default group radius
aaa authentication login VTY-USER-LOGIN local
aaa authentication dot1x default group radius
aaa authorization console
aaa authorization exec EXEC-LOCAL local
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
with debug radius enabled:
Feb 1 13:36:09 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to down
TEST-802.1X#
Feb 1 13:36:10 PST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to down
TEST-802.1X#
Feb 1 13:36:18 PST: %AUTHMGR-5-START: Starting 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
TEST-802.1X#
Feb 1 13:36:20 PST: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/4, changed state to up
Feb 1 13:36:21 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/4, changed state to up
TEST-802.1X#
Feb 1 13:36:27 PST: %DOT1X-5-FAIL: Authentication failed for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID
Feb 1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-5-START: Starting 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27.367 PST: RADIUS/ENCODE(0000058E):Orig. component type = DOT1X
Feb 1 13:36:27.367 PST: RADIUS(0000058E): Config NAS IP: 10.167.64.74
Feb 1 13:36:27.367 PST: RADIUS/ENCODE(0000058E): acct_session_id: 1421
Feb 1 13:36:27.367 PST: RADIUS(0000058E): sending
Feb 1 13:36:27.367 PST: RADIUS(0000058E): Send Access-Request to 10.167.77.70:1645 id 1645/14, len 211
Feb 1 13:36:27.372 PST: RADIUS: authenticator 2E F0 62 2D 43 D9 7D 2A - 7C 88 0A 52 B9 6E 78 A8
Feb 1 13:36:27.372 PST: RADIUS: User-Name           [1]   14 "848f69f0fcc7"
Feb 1 13:36:27.372 PST: RADIUS: User-Password       [2]   18 *
Feb 1 13:36:27.372 PST: RADIUS: Service-Type        [6]   6   Call Check                [10]
Feb 1 13:36:27.372 PST: RADIUS: Framed-MTU          [12] 6   1500
Feb 1 13:36:27.372 PST: RADIUS: Called-Station-Id   [30] 19 "20-37-06-C8-68-84"
Feb 1 13:36:27.372 PST: RADIUS: Calling-Station-Id [31] 19 "84-8F-69-F0-FC-C7"
Feb 1 13:36:27.372 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:27.372 PST: RADIUS:   11 20 B4 9A B6 E2 56 30 AC EC 43 CD 17 13 3E 14             [ V0C>]
Feb 1 13:36:27.372 PST: RADIUS: EAP-Key-Name        [102] 2   *
Feb 1 13:36:27.372 PST: RADIUS: Vendor, Cisco       [26] 49
Feb 1 13:36:27.372 PST: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=0AA7404A0000054E16335518"
Feb 1 13:36:27.372 PST: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
Feb 1 13:36:27.372 PST: RADIUS: NAS-Port            [5]   6   50104
Feb 1 13:36:27.372 PST: RADIUS: NAS-Port-Id         [87] 22 "GigabitEthernet1/0/4"
Feb 1 13:36:27.372 PST: RADIUS: NAS-IP-Address      [4]   6   10.167.64.74
Feb 1 13:36:27.372 PST: RADIUS(0000058E): Started 5 sec timeout
Feb 1 13:36:27.377 PST: RADIUS: Received from id 1645/14 10.167.77.70:1645, Access-Reject, len 38
Feb 1 13:36:27.377 PST: RADIUS: authenticator 68 CE 3D C8 C3 BC B2 69 - DB 33 F5 C0 FF 30 D6 33
Feb 1 13:36:27.377 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:27.377 PST: RADIUS:   82 3D 31 0A C7 A2 E0 62 D5 B7 6B 26 B8 A0 0B 46            [ =1bk&F]
Feb 1 13:36:27.377 PST: RADIUS(0000058E): Received from id 1645/14
Feb 1 13:36:27 PST: %MAB-5-FAIL: Authentication failed for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-5-START: Starting 'webauth' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-7-RESULT: Authentication result 'success' from 'webauth' for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27 PST: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (848f.69f0.fcc7) on Interface Gi1/0/4 AuditSessionID 0AA7404A0000054E16335518
Feb 1 13:36:27.933 PST: RADIUS/ENCODE(0000058E):Orig. component type = DOT1X
Feb 1 13:36:27.933 PST: RADIUS(0000058E): Config NAS IP: 10.167.64.74
Feb 1 13:36:27.933 PST: RADIUS(0000058E): sending
Feb 1 13:36:27.933 PST: RADIUS(0000058E): Send Accounting-Request to 10.167.77.70:1646 id 1646/151, len 100
Feb 1 13:36:27.933 PST: RADIUS: authenticator D0 F0 04 F3 A5 08 90 BE - A9 07 8D 32 1B 0E 93 AC
Feb 1 13:36:27.933 PST: RADIUS: Acct-Session-Id     [44] 10 "0000058D"
Feb 1 13:36:27.933 PST: RADIUS: Framed-IP-Address   [8]   6   10.167.72.52
Feb 1 13:36:27.933 PST: RADIUS: Acct-Authentic      [45] 6   RADIUS                    [1]
Feb 1 13:36:27.933 PST: RADIUS: Acct-Status-Type    [40] 6   Start                     [1]
Feb 1 13:36:27.933 PST: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
Feb 1 13:36:27.933 PST: RADIUS: NAS-Port            [5]   6   50104
Feb 1 13:36:27.933 PST: RADIUS: NAS-Port-Id         [87] 22 "GigabitEthernet1/0/4"
Feb 1 13:36:27.933 PST: RADIUS: Service-Type        [6]   6   Framed                    [2]
Feb 1 13:36:27.933 PST: RADIUS: NAS-IP-Address      [4]   6   10.167.64.74
Feb 1 13:36:27.933 PST: RADIUS: Acct-Delay-Time     [41] 6   0
TEST-802.1X#
Feb 1 13:36:27.938 PST: RADIUS(0000058E): Started 5 sec timeout
Feb 1 13:36:27.938 PST: RADIUS: Received from id 1646/151 10.167.77.70:1646, Accounting-response, len 20
Feb 1 13:36:27.938 PST: RADIUS: authenticator C2 DC 8D C7 B1 35 67 D9 - 28 2B 56 E4 4A 1E AD 65
At this point the user enters the credentials on the switch_login.html page and the clicks Submit on the Acceptable Use Policy splash page.
TEST-802.1X#
Feb 1 13:36:41.413 PST: RADIUS/ENCODE(0000058F):Orig. component type = AUTH_PROXY
Feb 1 13:36:41.413 PST: RADIUS(0000058F): Config NAS IP: 10.167.64.74
Feb 1 13:36:41.413 PST: RADIUS/ENCODE(0000058F): acct_session_id: 1422
Feb 1 13:36:41.413 PST: RADIUS(0000058F): sending
Feb 1 13:36:41.413 PST: RADIUS(0000058F): Send Access-Request to 10.167.77.70:1645 id 1645/15, len 176
Feb 1 13:36:41.413 PST: RADIUS: authenticator 6D 34 7E D6 34 B5 CB AC - 09 1F AC 5A 34 97 7D 6B
Feb 1 13:36:41.413 PST: RADIUS: User-Name           [1]   11 "testuser1"
Feb 1 13:36:41.413 PST: RADIUS: User-Password       [2]   18 *
Feb 1 13:36:41.413 PST: RADIUS: Calling-Station-Id [31] 14 "ip|G
Feb 1 13:36:41.413 PST: RADIUS: Service-Type        [6]   6   Outbound                  [5]
Feb 1 13:36:41.413 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:41.413 PST: RADIUS:   F8 4D 85 64 05 5E C9 1D D8 11 B2 A3 1A 3A 76 E0             [ Md^:v]
Feb 1 13:36:41.413 PST: RADIUS: Vendor, Cisco       [26] 49
Feb 1 13:36:41.418 PST: RADIUS:   Cisco AVpair       [1]   43 "audit-session-id=0AA7404A0000054E16335518"
Feb 1 13:36:41.418 PST: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
Feb 1 13:36:41.418 PST: RADIUS: NAS-Port            [5]   6   50104
Feb 1 13:36:41.418 PST: RADIUS: NAS-Port-Id         [87] 22 "GigabitEthernet1/0/4"
Feb 1 13:36:41.418 PST: RADIUS: NAS-IP-Address      [4]   6   10.167.64.74
Feb 1 13:36:41.418 PST: RADIUS(0000058F): Started 5 sec timeout
Feb 1 13:36:41.424 PST: RADIUS: Received from id 1645/15 10.167.77.70:1645, Access-Accept, len 173
Feb 1 13:36:41.424 PST: RADIUS: authenticator 28 48 DE B5 1A 0A 71 5A - 3B 8B 7A 12 FB EA 01 58
Feb 1 13:36:41.424 PST: RADIUS: User-Name           [1]   11 "testuser1"
Feb 1 13:36:41.424 PST: RADIUS: Class               [25] 28
Feb 1 13:36:41.424 PST: RADIUS:   43 41 43 53 3A 78 62 63 2D 61 63 73 2F 31 31 36 [CACS:xbc-acs/116]
Feb 1 13:36:41.424 PST: RADIUS:   34 37 33 32 33 39 2F 31 36 36        [ 473239/166]
Feb 1 13:36:41.424 PST: RADIUS: Session-Timeout     [27] 6   3600
Feb 1 13:36:41.424 PST: RADIUS: Termination-Action [29] 6   1
Feb 1 13:36:41.424 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:41.424 PST: RADIUS:   10 80 26 5D 02 C5 15 0C A8 16 AA 35 14 C9 4F 14              [ &]5O]
Feb 1 13:36:41.424 PST: RADIUS: Vendor, Cisco       [26] 19
Feb 1 13:36:41.429 PST: RADIUS:   Cisco AVpair       [1]   13 "priv-lvl=15"
Feb 1 13:36:41.429 PST: RADIUS: Vendor, Cisco       [26] 65
Feb 1 13:36:41.429 PST: RADIUS:   Cisco AVpair       [1]   59 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-GuestACL-4eefc9a0"
Feb 1 13:36:41.429 PST: RADIUS(0000058F): Received from id 1645/15
Feb 1 13:36:41.439 PST: RADIUS/ENCODE(0000058F):Orig. component type = AUTH_PROXY
Feb 1 13:36:41.439 PST: RADIUS(0000058F): Config NAS IP: 10.167.64.74
Feb 1 13:36:41.439 PST: RADIUS(0000058F): sending
Feb 1 13:36:41.439 PST: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Feb 1 13:36:41.444 PST: RADIUS(00000000): Config NAS IP: 10.167.64.74
Feb 1 13:36:41.444 PST: RADIUS(00000000): sending
Feb 1 13:36:41.450 PST: RADIUS(0000058F): Send Accounting-Request to 10.167.77.70:1646 id 1646/152, len 119
Feb 1 13:36:41.450 PST: RADIUS: authenticator 23 E3 DA C3 06 5B 37 20 - 67 E2 96 C5 90 1C 71 33
Feb 1 13:36:41.450 PST: RADIUS: Acct-Session-Id     [44] 10 "0000058E"
Feb 1 13:36:41.450 PST: RADIUS: Calling-Station-Id [31] 14 "10.167.72.52"
Feb 1 13:36:41.450 PST: RADIUS: User-Name           [1]   11 "testuser1"
Feb 1 13:36:41.450 PST: RADIUS: Acct-Authentic      [45] 6   RADIUS                    [1]
Feb 1 13:36:41.455 PST: RADIUS: Acct-Status-Type    [40] 6   Start                     [1]
Feb 1 13:36:41.455 PST: RADIUS: NAS-Port-Type       [61] 6   Ethernet                  [15]
Feb 1 13:36:41.455 PST: RADIUS: NAS-Port            [5]   6   50104
Feb 1 13:36:41.455 PST: RADIUS: NAS-Port-Id         [87] 22 "GigabitEthernet1/0/4"
Feb 1 13:36:41.455 PST: RADIUS: Service-Type        [6]   6   Outbound                  [5]
Feb 1 13:36:41.455 PST: RADIUS: NAS-IP-Address      [4]   6   10.167.64.74
Feb 1 13:36:41.455 PST: RADIUS: Acct-Delay-Time     [41] 6   0
Feb 1 13:36:41.455 PST: RADIUS(0000058F): Started 5 sec timeout
Feb 1 13:36:41.455 PST: RADIUS(00000000): Send Access-Request to 10.167.77.70:1645 id 1645/16, len 137
Feb 1 13:36:41.455 PST: RADIUS: authenticator 02 B0 50 47 EE CC FB 54 - 2A B6 14 23 63 86 DE 18
Feb 1 13:36:41.455 PST: RADIUS: NAS-IP-Address      [4]   6   10.167.64.74
Feb 1 13:36:41.455 PST: RADIUS: User-Name           [1]   31 "#ACSACL#-IP-GuestACL-4eefc9a0"
Feb 1 13:36:41.455 PST: RADIUS: Vendor, Cisco       [26] 32
Feb 1 13:36:41.455 PST: RADIUS:   Cisco AVpair       [1]   26 "aaa:service=ip_admission"
Feb 1 13:36:41.455 PST: RADIUS: Vendor, Cisco       [26] 30
Feb 1 13:36:41.455 PST: RADIUS:   Cisco AVpair       [1]   24 "aaa:event=acl-download"
Feb 1 13:36:41.455 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:41.455 PST: RADIUS:   15 EC 10 E7 2F 67 33 DD BC B5 AE 11 E3 C3 19 E1               [ /g3]
Feb 1 13:36:41.455 PST: RADIUS(00000000): Started 5 sec timeout
Feb 1 13:36:41.455 PST: RADIUS: Received from id 1646/152 10.167.77.70:1646, Accounting-response, len 20
Feb 1 13:36:41.455 PST: RADIUS: authenticator AB 0F 81 95 71 A9 61 E0 - 5B B5 D3 2E 8D A2 68 98
Feb 1 13:36:41.460 PST: RADIUS: Received from id 1645/16 10.167.77.70:1645, Access-Accept, len 560
Feb 1 13:36:41.460 PST: RADIUS: authenticator 64 53 94 79 CF CD 05 B0 - ED 12 5C 5B A0 AB 4F FA
Feb 1 13:36:41.460 PST: RADIUS: User-Name           [1]   31 "#ACSACL#-IP-GuestACL-4eefc9a0"
Feb 1 13:36:41.460 PST: RADIUS: Class               [25] 28
Feb 1 13:36:41.460 PST: RADIUS:   43 41 43 53 3A 78 62 63 2D 61 63 73 2F 31 31 36 [CACS:xbc-acs/116]
Feb 1 13:36:41.460 PST: RADIUS:   34 37 33 32 33 39 2F 31 36 38        [ 473239/168]
Feb 1 13:36:41.460 PST: RADIUS: Message-Authenticato[80] 18
Feb 1 13:36:41.460 PST: RADIUS:   A1 E6 37 EB 60 3A 28 35 92 56 C5 A9 27 7D 2C E9         [ 7`:(5V'},]
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 38
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   32 "ip:inacl#1=remark **Allow DHCP"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 57
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   51 "ip:inacl#2=permit udp any eq bootpc any eq bootps"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 37
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   31 "ip:inacl#3=remark **Allow DNS"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 47
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   41 "ip:inacl#4=permit udp any any eq domain"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 61
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   55 "ip:inacl#5=remark **Deny access to Corporate Networks"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 53
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   47 "ip:inacl#6=deny ip any 10.0.0.0 0.255.255.255"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 45
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   39 "ip:inacl#7=remark **Permit icmp pings"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 38
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   32 "ip:inacl#8=permit icmp any any"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 50
TEST-802.1X#
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   44 "ip:inacl#9=remark **Permit everything else"
Feb 1 13:36:41.460 PST: RADIUS: Vendor, Cisco       [26] 37
Feb 1 13:36:41.460 PST: RADIUS:   Cisco AVpair       [1]   31 "ip:inacl#10=permit ip any any"
Feb 1 13:36:41.465 PST: RADIUS(00000000): Received from id 1645/16
TEST-802.1X#
TEST-802.1X#
TEST-802.1X#
interface config looks like:
interface GigabitEthernet1/0/4
description **User/IPphone/Guest
switchport access vlan 702
switchport mode access
switchport voice vlan 704
ip access-group PRE-AUTH in
srr-queue bandwidth share 1 30 35 5
queue-set 2
priority-queue out
authentication event fail action next-method
authentication event server dead action authorize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab webauth
authentication priority dot1x mab webauth
authentication port-control auto
authentication fallback WEB_AUTH_PROFILE
mab
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout tx-period 3
auto qos voip cisco-phone
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY

NAC guest server and guest proxy filtering issue.

Similar Messages

Maybe you are looking for