NAC Guest Server and Multiple Guest SSID's/Splashpages

Hi All,
If I have multiple guest SSIDs on a single controller and I use NGS as the RADIUS, how do I configure NGS to "send" the clients to different login pages corresponding to the SSID they came from?
I can configure different splash pages in the HotSpots section, but how do I map the different SSIDs from the controller to the different splash pages? Then I guess that raises the question: when I generate guest users on NGS, is it possible to only allow them to associate to a specific SSID?
TIA,
Eoin.

Hi Nicolas,
Thanks for the reply. I can see that config on the WLC and have used it before where there is only a single guest SSID. What I don't know is if the NAC Guest server sees RADIUS requests coming from different guest SSIDs on the same WLC. How does the NAC Guest server apply the correct guest policy to that user? And when sponsors generate guest accounts, how do they specify which policy is to be applied to that guest so it can only get access to a specific guest network/SSID? I'm not sure where the "mapping" of accounts/splash pages/policies takes place on the NAC Guest server. I've only ever set up NAC Guest when there has been a single guest SSID.
Regards,
Eoin.

Similar Messages

  • NAC Guest Server and WLC's

    Just wanted to know if this will work or not...
    I was looking at a design from a client and they had two CAM and CAS plus a Guest server. My client wants to use the equipment above for guest access. The problem I'm having is that I'm building a wireless network with guest anchor WLCs in the DMZ. So my wireless users will be tunneled to the DMZ controller. Also, the WLC can have a splash page uploaded to it and also authenticate users locally in the DB. They don't want any remediation, just authentication... Is this a waste of money or would you actually implement this?

    I have some (very) basic questions.
    Let's say guest VLAN = x
    1) VLAN x should be created on the foreign controllers as on the anchor controller, with the same properties.
    2) On the anchor controller a dynamic interface has to be created, acting as default gateway for the guest clients.
    3) Is it advised to place the guest server in the guest VLAN? E.g. somewhere in the server farm?
    4) Once traffic coming from the guests has arrived at the anchor controller (I know too little of WLC ;)), will it be forwarded with, as source IP, the IP of the anchor controller towards the anchor default gateway (firewall or internet router)?
    5) Authentication: the user connects to SSID guest and opens a browser. The user is redirected and a login page is displayed. Is this page downloaded from the anchor controller? I think it is, and pushed via WCS. So the Guest NAC server has nothing to do with this page? Correct?
    The anchor controller polls the NAC guest server with the given credentials. The anchor controller forwards the credentials to the NAC guest server. The NGS replies with authenticated or not. If authenticated, the guest can browse. Probably on a regular basis, the anchor controller will poll the NAC guest in order to check if he's still authenticated and, if enabled, pass information to the NAC guest for accounting. Is this somehow OK?
    I've found that the following ports need to be opened in the firewall:
    UDP 97 for EoIP
    UDP 16666 for intercontroller traffic
    and 1812/1813 for RADIUS.
    Thanks in advance

  • Guest Server and LDAPS

    I've recently set up our NAC Guest Server and cannot get Secure LDAP to work. The config guide says you can use ldap://server or ldaps://server. When I use ldap://server it works, but it doesn't when I change it to ldaps. Our LDAP server has a Verisign cert. Any ideas?
    Thanks,
    -Dusty

  • NAC guest server and pre-configured duration of accounts

    There seems to be a bug in the way the NAC guest server handles the pre-configured duration of guest accounts.
    I have followed the manual and I did:
    - Configured 3 durations (24h, 48h and 1 week) under the templates/accounts/accounts durations.
    - And set "maximum duration of account" under User Groups
    As I understand it, I should now be able to select one of the three configured durations when I log in as a sponsor.
    However, I only get the number which I specified under User Group.
    The odd thing is that if I change the Maximum duration under User Group, I get this as the only choice (e.g. 14 days).
    Have others experienced this?
    Best regards,
    Steffen Lindemann

    You can use either option, i.e. number of days or number of hours.
    For days:
    Authentication > User Groups > Add Group | Edit Group includes two new settings for Number of days in the future the account can be created and Maximum duration of account (in days)
    For hours:
    User Interface > Templates > Add Template | Edit Template > Accounts > Account Duration
    http://www.cisco.com/en/US/docs/security/nac/guestserver/release_notes/11/gsrn110.html

  • NAC guest server and guest proxy filtering issue.

    Hi all
    Continuing our issues log for the NAC guest server install, our topology and issue is as follows:
    We have a guest NAC server and a 4404 anchor controller successfully deployed in the DMZ. The anchor WLC has a mobility anchor which is a WISM on the corporate network. DHCP services for guest clients are issued with no problems from the WLC in the DMZ. The first port of the DMZ controller is located on the DMZ and the second port directly connects to the firewall interface.
    All works correctly: DNS, DHCP, NTP, SNMP etc. all work fine through the firewall.
    What options do I have to filter Internet access in this scenario? We have Websense and Nokia firewalls. I don't think I can use WCCP as I have nowhere to place it; the second connection on the WLC is directly connected to the firewall, so there is nowhere to intercept the traffic. Our security team has tried some tricks on the Nokia to try to redirect the traffic on the firewall using a type of redirect. WPAD I can't see as an option. Any ideas? If I place the second interface into the DMZ, could I use WCCP that way maybe, but won't traffic still have to go to the firewall?
    Options please?

    Well, you will need to use a 3rd party certificate. Here is a link to generate and install a 3rd party certificate on the WLC for use with Web-Auth:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    Here is a link for the NGS:
    http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fdocs%2Fsecurity%2Fnac%2Fappliance%2Fconfiguration_guide%2F410%2Fcas%2Fcas41ug.pdf&pos=1&strqueryid=2&websessionid=RK88fQNWy8TCDUakpNGLOqZ
    The appliances are using a self-generated Cisco certificate, which of course is not in the trusted certificate store of most operating systems. So using a 3rd party certificate like RapidSSL, Verisign, etc. will eliminate the certificate issue.

  • NAC Guest Server and WLC, WCS

    I have set up a NAC Guest Server to allow users to sign up guest accounts via Active Directory. How do I tie this into WLC or WCS?

    Hi
    Try this:
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00809d6b9a.shtml
    Regards
    Greg

  • ISE Guest Portal and one more SSID using internal accounts

    Hi Guys,
    I have two SSIDs on the WLC: the first is related to the ISE Guest Portal and the second is related to employees, but I realize that the Guest user can access the employee SSID and employee accounts can access the Guest portal page.
    I guess this is happening because I cannot split these databases under "Internal Users" in the Authentication Policy.
    How can I restrict the access even if I am using the internal database?
    Thanks a lot

    Using the Authorization policy is the right way. Match the corp ID store to the corp WLAN SSID ID in the AuthZ policy, for example (where Employee is your corp ID store and yyyy is the name of your corp SSID):

  • One Oracle Application Server and multiple OC4J Instances

    While we are getting a new server (for development) we have to set up a Development and Production environment for our project (we don't have a previous OAS installation) but on the same machine.
    So, is it a good option to have one OAS installation (Ora Home) and then create multiple OC4J instances, one for each environment (Development, QA and Production)? Is it possible? How do we manage deployments between OC4J instances, simulating different contexts, if they are on the same server and under the same HTTP Server? Will there be conflicts?

    Hi,
    You can do this and OracleAS will manage the different instances. The deployment can be done with Enterprise Manager, in which case you select the OC4J instance first before deploying. If deploying from JDeveloper, you can specify the OC4J instance when creating the named connection.
    Frank

  • ITunes networked from G4 "server" and multiple iMac accounts

    Hi all,
    1) I'm trying to house my iTunes library on my old G4 (Panther/10.6, w/ significant hardware upgrades) and connect my new iMac (10.9.1, multiple users). The idea would be that the G4 is always on in a closet and music can be controlled by iPhones wirelessly at any time. I'm wondering if I need to install some server software on the G4. Currently, I'm able to use Finder>Go>Connect to Server and bring the iTunes folder onto my iMac desktop. I have then changed the location of the iTunes library in iTunes>Preferences but it still doesn't seem to bring the Library up. I'm not sure why.
    2) We have three iPhones and want to share the same Library and purchases. Any advice?
    3) I have wired speakers to a stereo receiver and Airport Extreme. I know it's the Express that has the speaker jack, but is there another product that will wirelessly receive the music signal and direct wire to my receiver?
    Thanks in advance.

    I meant Panther/10.3

  • Cisco NAC Guest Server and shellshock

    Hello,
    We are running NAC server v2.0.2 and would like to know if it's vulnerable to shellshock as the bug report CSCur05629 isn't clear on this. 

  • NAC Guest Server and Entrust Intermediate CA

    Chaps,
    Trying to install an Entrust cert with an intermediate and root cert, but having problems.
    I've managed to install both the intermediate and root by putting them into a single file.
    The certs and root are accepted without an error, but after a reboot there is still an error in IE. Looking at the error, the end user cert looks fine but only the intermediate cert is in the chain, not the root.
    Any ideas? Is this a known issue or am I doing something wrong?
    Jim

    Hi
    I've just had a reply from our Cisco SE. It appears that the TAC already has a case open for this error and it's been escalated to the Development Engineering Team.
    Resolution is to downgrade to version 1.1.2, which I've already done, and it works fine. Please note that v2.0.0 is an ED release.
    Regards
    Martyn

  • Guest network and multiple VLANs

    Hello all,
    I have installed a pair of 5508 controllers in our network. One controller sits inside the network and APs are configured to associate with that controller. The second controller sits on a DMZ interface off the ASA. I have a guest network configured and it works great. I would like to configure additional guest networks at remote locations. Each guest WLAN will have its own SSID. Is it possible to map all of these to the same VLAN? Or do I need a separate VLAN and subnet for each SSID?
    Thanks

    Scott,
    Thanks for the reply. I have created different SSIDs and mapped them to the same VLAN. Everything looks good but I'm getting some strange behaviors on the new SSIDs. It appears that users don't authenticate but I've verified the credentials quite a few times. I wanted to make sure that you could map multiple SSIDs to the same VLAN before I continued troubleshooting.

  • AP802 (C877VA-W modular AP) and multiple broadcast SSID's

    Hi.
    I now know that in order to have an SSID visible (broadcast) you need to set it as guest-mode in the dot11 config for the SSID. But how do I broadcast more than one SSID? When I try, the AP disables the second and subsequent SSIDs and says only 1 SSID may be guest-mode...
    H
    Sent from Cisco Technical Support iPad App

    You need to add the commands:
    dot11 mbssid globally,
    then mbssid under the main radio interface,
    and mbssid guest-mode under the SSID.
    Steve
    Sent from Cisco Technical Support iPhone App

  • Adobe Media Server and Multiple Storage Drives

    We are running Adobe Media Server 5. We have had one disk location for all media files up until now, but we are outgrowing our storage and need to begin having multiple volumes.
    We need a way to specify that some files live on another drive. We are at a college, and we want to have all of our nursing video on one volume by itself to free up disk space.
    For example, we have always had everything in http:\\domain\vod\nursing or http:\\domain\vod\username. We need to move http:\\domain\vod\nursing to e:\webroot\vod\nursing, but have everything else continue to work. It's on the same server.
    We have been on the phone for hours with Adobe support and have gotten nowhere.
    We have tried adding a new application with the virtual directory set to e:\webroot\vod\nursing, declaring variables in ams.ini, changing the httpd.conf file, etc. We have not had any luck.
    Everything always points back to this document:
    http://help.adobe.com/en_US/flashmediaserver/configadmin/WS5b3ccc516d4fbf351e63e3d119f2925e64-7fc7.html#WS5b3ccc516d4fbf351e63e3d119f2926bcf-7fea
    We haven't had any luck with following those directions, and Adobe support essentially told us they had never heard of this use case?
    Any advice would be helpful. 
    Thanks!
    Joni

    I talked to our support team and asked them to coordinate with you... And setting up a virtual directory should be easy stuff.

  • OS X Server and multiple enet cards?

    I have had some trouble finding an answer to this one.
    If I install a second Ethernet card in a PowerMac G4 running OS X Server 10.4, can I assign DNS services to one card/network (which is an Xsan metadata network) and File Sharing to the other card, which is a completely separate network?
    Powermac G4   Other OS  

    You could do it with the firewall in OS X, but depending on whether you really need a "watertight" setup or not, the config could look different.
    DNS can be set up with ACLs (like when doing a BIND views setup) so it will only answer requests from a certain network/subnet.
    I know of no way to just use one interface for the AFP server (except using the firewall). SMB can be configured to listen on one interface only, and Bonjour could be blocked by the firewall on one interface.
