Cisco NAC Guest Server Installation and Configuration Guide Release 2.1 November 2012

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

Text Part Number: OL-28256-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco NAC Guest Server Installation and Configuration Guide © 2013 Cisco Systems, Inc. All rights reserved.

CONTENTS

About This Guide xi
• Audience xi
• Purpose xi
• New Features in this Release xi
• Product Documentation xii
• Documentation Updates xiii
• Obtaining Documentation and Submitting a Service Request xiii
• Document Conventions xiii

CHAPTER 1 Welcome to Cisco NAC Guest Server 1-1
• Introduction 1-1
• Guest Access Concepts 1-1
• Before You Start 1-2
• Package Contents 1-2
• Rack Mounting 1-3
• Cisco NAC Guest Server Licensing 1-3
• Upgrading Firmware 1-3
• Additional Information 1-3

CHAPTER 2 Installing Cisco NAC Guest Server 2-1
• Connecting the Cisco NAC Guest Server 2-1
• Command Line Configuration 2-4
• Initial Log In 2-4
• Configure IP Address and Default Gateway 2-5
• Change Root Password 2-8
• Next Steps 2-8
• Re-Imaging the Appliance 2-9
• Configuring Boot Settings on NAC-3415 / NAC-3315 Based Appliances 2-12

CHAPTER 3 System Setup 3-1
• Installing the Product License and Accessing the Administration Interface 3-1
• Obtain and Install Cisco NAC Guest Server License 3-2
• Access Cisco NAC Guest Server Administration Interface 3-3

Cisco NAC Guest Server Installation and Configuration Guide OL-28256-01 iii Contents

• Configuring Network Settings 3-4
• Date and Time Settings 3-6
• Access Restrictions 3-7
• Administration Access 3-7
• Sponsor Access 3-8
• Configuring SSL Certificates 3-9
• Accessing the Guest Server Using HTTP or HTTPS 3-9
• Generating Temporary Certificates/ CSRs/ Private Key 3-11
• Generating Self-Signed SSL Certificates Through CLI 3-12
• Downloading Certificate Files 3-13
• Downloading the Certificate 3-13
• Downloading the Private Key 3-13
• Uploading Certificate Files 3-14
• Uploading a Private Key 3-14
• Configuring Administrator Authentication 3-15
• Add New Admin Account 3-15
• Edit Existing Admin Account 3-17
• Delete Existing Admin Account 3-18
• Admin Session Timeout 3-19
• Configuring RADIUS for Administrator Authentication 3-19

CHAPTER 4 Configuring Sponsor Authentication 4-1
• Configuring Local Sponsor Authentication 4-1
• Add New Local User Account 4-1
• Edit Existing User Account 4-3
• Delete Existing User Account 4-4
• Configuring Active Directory (AD) Authentication 4-6
• Add Active Directory Domain Controller 4-7
• Edit Existing Domain Controller 4-8
• Delete Existing Domain Controller Entry 4-10
• Configuring LDAP Authentication 4-10
• Add an LDAP Server 4-11
• Edit an Existing LDAP Server 4-13
• Delete an Existing LDAP Server Entry 4-15
• Configuring RADIUS Authentication 4-16
• Add a RADIUS Server 4-16
• Edit an Existing RADIUS Server 4-17
• Delete an Existing RADIUS Server Entry 4-18
• Configuring Sponsor Authentication Settings 4-19


• Changing the Order of Authentication Servers 4-19
• Session Timeouts 4-20
• Configuring Active Directory Single Sign-On 4-20
• Requirements for Active Directory Single Sign-On 4-21
• Mapping User Group with AD SSO 4-22
• Configuring AD SSO on Multiple Domains 4-23
• Verifying the Configuration for Multiple Domain 4-24
• Configuring AD SSO on Multiple Forests 4-24
• Verifying the Configuration for Multiple Forest 4-26
• Troubleshooting the AD SSO Configuration 4-26

CHAPTER 5 Configuring Sponsor User Groups 5-1
• Adding Sponsor User Groups 5-2
• Editing Sponsor User Groups 5-5
• Deleting User Groups 5-8
• Specifying the Order of Sponsor User Groups 5-9
• Mapping to Active Directory Groups 5-10
• Mapping to LDAP Groups 5-11
• Mapping to RADIUS Groups 5-12
• Assigning Guest Roles 5-13
• Assigning Time Profiles 5-14

CHAPTER 6 Configuring Guest Policies 6-1
• Setting Username Policy 6-1
• Setting Password Policy 6-3
• Setting Guest Details Policy 6-4
• Configuring Guest Roles 6-5
• Adding Guest Roles 6-5
• Editing Guest Roles 6-6
• Edit NAC Roles 6-6
• Edit RADIUS Attributes 6-7
• Edit Locations 6-8
• Edit Authentication Settings 6-9
• Configuring Time Profiles 6-10
• Adding Time Profiles 6-10
• Editing Time Profiles 6-12
• Deleting Time Profiles 6-14


• External Guest Authentication 6-14

CHAPTER 7 Integrating with Cisco NAC Appliance 7-1
• Adding Clean Access Manager Entries 7-2
• Editing Clean Access Manager Entries 7-3
• Deleting Clean Access Manager Entries 7-4
• Configuring the CAM for Reporting 7-5
• Adding RADIUS Accounting Server 7-5
• Configure CAM to Format RADIUS Accounting Data 7-6

CHAPTER 8 Configuring RADIUS Clients 8-1
• Overview 8-1
• Adding RADIUS Clients 8-2
• Editing RADIUS Clients 8-3
• Deleting RADIUS Clients 8-5

CHAPTER 9 Guest Activity Logging 9-1
• Configuring Syslog Monitoring Settings 9-1
• Guest Activity Logging with Replication Enabled 9-2

CHAPTER 10 Guest Account Notification 10-1
• Configuring Email Notification 10-2
• Configuring SMS Notification 10-3
• Print Notification 10-4

CHAPTER 11 Customizing the Application 11-1
• User Interface Templates 11-1
• Adding a User Interface Template 11-2
• Editing a User Interface Template 11-3
• Editing the Print Template 11-5
• Editing the Email Template 11-7
• Editing the SMS Template 11-8
• Using Time Profiles 11-10
• Deleting a Template 11-11
• Setting the Default Interface Mapping 11-11
• Setting User Default Redirection 11-11


CHAPTER 12 Configuring Hotspots 12-1
• Configuring Hotspot Sites 12-1
• Adding Hotspot Sites 12-1
• Edit Existing Hotspot Site 12-5
• Delete Existing Hotspot Site 12-6
• Configuring Payment Providers 12-6
• Adding a Payment Provider 12-7
• Editing Payment Provider 12-8
• Creating Hotspot Web Pages 12-9
• Integrating with Wireless LAN Controller 12-9
• Integrating with Switch 12-9
• Creating a Login Page (WLC) 12-10
• Creating a Login Page (Switch) 12-11
• Adding Realms Support (Switch) 12-12
• Customizing the Login Page 12-13
• Acceptable Usage Policy (WLC) 12-14
• Acceptable Usage Policy (Switch) 12-14
• Creating a Self Service Page (WLC) 12-15
• Creating a Self Service Page (Switch) 12-17
• Customizing the Self Service Page 12-18
• Auto Login 12-19
• Modifying Additional Fields 12-20
• Creating a Billing Page (WLC) 12-21
• Create a Billing Page (Switch) 12-24
• Customizing the Billing Page 12-25
• Creating a Password Change Page (WLC and Switch) 12-26
• Authentication Options 12-27
• The ngsOptions Configuration Object 12-29
• Overriding Error/Status Messages 12-29
• Overriding Form Labels 12-29
• Default Error/Status Messages 12-30
• Default Form Labels 12-32

CHAPTER 13 Backup and Restore 13-1
• Configuring Backup 13-1
• Saving Backup Settings 13-2
• Taking Snapshots 13-3
• Scheduling Backups 13-3
• Restoring Backups 13-4


CHAPTER 14 Replication and High Availability 14-1
• Configuring Replication 14-1
• Configuring Provisioning 14-3
• Replication Status 14-4
• Recovering from Failures 14-4
• Network Connectivity 14-4
• Device Failure 14-4
• Deployment Considerations 14-5
• Connectivity 14-5
• Load Balancing 14-5
• Web Interface 14-5
• RADIUS Interface 14-5
• Data Replication 14-6

CHAPTER 15 Management, Logging and Troubleshooting 15-1
• SNMP Configuration 15-1
• SNMP Agent Configuration 15-1
• Configuring SNMP Version 1 15-2
• Configuring SNMP Version 2c 15-3
• Configuring SNMP Version 3 15-3
• Configuring SNMP Allowed Addresses 15-3
• SNMP Trap Support 15-3
• Configuring SNMP Traps 15-4
• SNMP MIB Files 15-4
• System Logging 15-5
• Audit Logs 15-5
• Application Logs 15-7
• Support Logs 15-8
• Log Settings 15-9

CHAPTER 16 Licensing 16-1
• Licensing 16-1

CHAPTER 17 Sponsor Documentation 17-1
• Introduction to Cisco NAC Guest Server 17-1
• Connecting to the Cisco NAC Guest Server 17-1
• Change Default Settings 17-3
• Change Password 17-4


• Report Settings 17-5
• Creating Guest User Accounts 17-6
• Print Account Details 17-8
• Email Account Details 17-8
• Text Message Account Details (SMS) 17-8
• Multiple Guest Accounts 17-9
• Creating Multiple Accounts from Text Entry 17-9
• Creating Multiple Accounts from CSV File 17-10
• Creating Multiple Random Accounts 17-11
• Printing/Email/SMS Multiple Accounts 17-12
• Viewing Bulk Account Groups 17-13
• Viewing Bulk Account Groups 17-14
• Finding Bulk Account Groups by Username 17-14
• Finding Bulk Account Groups on the Active Accounts Report 17-14
• Managing Guest Accounts 17-15
• Editing Guest Accounts 17-16
• Advanced Search 17-17
• Suspending Guest Accounts 17-18
• Viewing Active Accounts and Resending Details 17-19
• Reporting on Guest Users 17-19
• Sponsor Reporting 17-21
• Summary Reports 17-22
• Sponsors Activity Report 17-22
• Access Reports 17-23

APPENDIX A API Support A-1
• Overview A-1
• Authentication Requirements A-1
• Time Format A-2
• API Operations A-2
• XML Response A-2
• create A-3
• create Example Use A-3
• edit A-5
• edit Example Use A-6
• getDetails A-8
• getDetails Example Use A-8
• suspend A-9


• suspend Example Use A-10
• notifyEmail A-10
• notifyEmail Example Use A-10
• notifySms A-10
• notifySms Example Use A-10
• getVersion A-11
• getVersion Example Use A-11
• search A-11
• search Example Use A-12
• search Example Use with StartTime, EndTime, Timezone A-13
• Status Codes A-14
• Error Codes A-14
• Valid Timezones A-14

APPENDIX B Open Source License Acknowledgements B-1
• Notices B-1
• OpenSSL/Open SSL Project B-1
• License Issues B-1
B-3


About This Guide

April 30, 2013, OL-28256-01
This preface includes the following sections:
• Audience
• Purpose
• New Features in this Release
• Product Documentation
• Documentation Updates
• Obtaining Documentation and Submitting a Service Request
• Document Conventions

Audience

This guide is for network administrators who are implementing Cisco NAC Guest Server to provision guest access on their networks. Cisco NAC Guest Server works alongside Cisco NAC Appliance, Cisco Unified Wireless Networks and other Cisco Network Enforcement devices which provide the captive portal and enforcement point for guest access.

Purpose

The Cisco NAC Guest Server Installation and Configuration Guide describes how to install and configure the Cisco NAC Guest Server appliance. It describes the simple initial installation of the appliance via CLI and the configuration and administration of the Guest Access Portal through the web-based interface.

New Features in this Release

For a brief summary of the new features and enhancements available in this release, refer to the “New and Changed Information” section of the Release Notes for Cisco NAC Guest Server, Release 2.1.


Product Documentation

Table 1 lists documents that are available for Cisco NAC Guest Server on Cisco.com at the following URL: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html

Tip To access external URLs referenced in this document, right-click the link in Adobe Acrobat and select “Open Weblink in Browser.”

Table 1 Cisco NAC Appliance Document Set

Document Title / Refer to This Document For Information On:

Release Notes for Cisco NAC Guest Server, Release 2.1
    Details on the latest Cisco NAC Guest Server release.

Cisco NAC Guest Server Installation and Configuration Guide (this document)
    Hardware information, initial installation, setup and configuration instructions for Cisco NAC Guest Server.

Cisco NAC Appliance Service Contract / Licensing Support
    Information on service contract support, licensing support and RMA support for Cisco NAC Appliance, Cisco NAC Profiler and Cisco NAC Guest Server.

Cisco NAC Appliance Product Literature
    Online links to Ordering Guide Bulletins, Data Sheets, Q&A and Chalk Talk presentations.

Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide
Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide
    Configuration guides for the Clean Access Manager and Clean Access Server.

Cisco Wireless LAN Controller Configuration Guide, Release
    Configuration information for Cisco Wireless LAN Controllers (version 4.0.219 and later).


Documentation Updates

Table 2 Updates to Cisco NAC Guest Server Installation and Configuration Guide, Release 2.1

Date / Description
11/27/12    Cisco NAC Guest Server Release 2.1.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html. Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.

Document Conventions

Item / Convention

Screen font
    Indicates command line output.

Boldface font
    Indicates information you enter.

Italic font
    Indicates variables for which you supply values.

Boldface font
    Indicates web admin console modules, menus, tabs, links and submenu links.

Administration > User Pages
    Indicates a menu item to be selected.


CHAPTER 1

Welcome to Cisco NAC Guest Server

Introduction

The Cisco NAC Guest Server is a complete provisioning, management, and reporting system that provides temporary network access for guests, visitors, contractors, consultants, or customers. The Cisco NAC Guest Server works alongside Cisco NAC Appliance, Cisco Wireless LAN Controllers, and other Cisco Network Enforcement devices, which provide the captive portal and enforcement point for guest access.

Cisco NAC Guest Server allows any user with privileges to easily create temporary guest accounts and sponsor guests. Cisco NAC Guest Server performs full authentication of sponsors, the users who create guest accounts, and allows sponsors to provide account details to the guest by printout, email, or SMS. The entire experience, from user account creation to guest network access, is stored for audit and reporting.

When guest accounts are created, they are either provisioned within the Cisco NAC Appliance Manager (Clean Access Manager) or stored within the built-in database on the Cisco NAC Guest Server. When using the Guest Server’s built-in database, external network access devices, such as the Cisco Wireless LAN Controller, can authenticate users against the Guest Server using the RADIUS (Remote Authentication Dial In User Service) protocol.

The Cisco NAC Guest Server provisions the guest account for the amount of time specified when the account is created. Upon expiry of the account, the Guest Server either deletes the account directly from the Cisco NAC Appliance Manager or sends a RADIUS message which notifies the network access device (NAD) of the amount of valid time remaining for the account before the NAD should remove the user.

Cisco NAC Guest Server provides vital guest network access accounting by consolidating the entire audit trail from guest account creation to guest use of the account so that reports can be performed through a central management interface.

Guest Access Concepts

Cisco NAC Guest Server makes use of a number of terms to explain the components needed to provide guest access.

Guest User The guest user is the person who needs a guest user account to access the network.


Sponsor The sponsor user is the person who creates the guest user account. This person is often an employee of the organization that provides the network access. Sponsors can be specific individuals with certain job roles, or can be any employee who can authenticate against a corporate directory such as Microsoft Active Directory (AD).

Admin The admin user is the administrator who configures and maintains the Cisco NAC Guest Server appliance.

Network Enforcement Device These devices are the network infrastructure components that provide the network access. Additionally, network enforcement devices are responsible for pushing guest users to a captive portal where they can enter their guest account details. When a guest enters his or her temporary user name and password, the network enforcement device checks those credentials against the guest accounts created by the Guest Server.

Guest Server The Cisco NAC Guest Server ties together all the pieces of guest access. The Guest Server links the sponsor creating the guest account, the account details passed to the guest, the guest authentication against the network enforcement device, and the network enforcement device’s verification of the guest with the Guest Server. Additionally, the Cisco NAC Guest Server consolidates accounting information from network enforcement devices to provide a single point of guest access reporting.

Before You Start

This section describes the following:
• Package Contents
• Rack Mounting
• Cisco NAC Guest Server Licensing
• Upgrading Firmware
• Additional Information

Package Contents

Verify the contents of the packing box as shown in Figure 1-1, to ensure that you have received all items necessary to install your Cisco NAC Guest Server. Save the packing material in case you need to repack the unit. If any item is missing or damaged, contact your Cisco representative or reseller for instructions.


Figure 1-1 Shipping Box Contents

Items shown in Figure 1-1:
• Cisco NAC Guest Server
• DB-9 serial null modem cable
• RJ-45 cable (straight-through)
• AC power cord
• Rack mounting kit
• Documentation (as labelled in the figure): Cisco Information Packet, Cisco NAC Appliance Getting Started Guide, Important Safety Information

Note As product software is preloaded onto the Cisco NAC Guest Server appliance, the shipping contents do not include a separate software installation CD.

Rack Mounting

The Cisco NAC Guest Server occupies one rack unit (1U). A rack-mounting kit is included in the shipment. For rack-mounting information and instructions, refer to the 1U Rack Hardware Installation Instructions for HP Products document also included in the shipment.

Cisco NAC Guest Server Licensing

You need to obtain and install a FlexLM product license for your Cisco NAC Guest Server via its web interface for your system to work. See Installing the Product License and Accessing the Administration Interface, page 3-1 for instructions on how to obtain and install license(s) for your system. For additional details, refer to Cisco NAC Appliance Service Contract / Licensing Support.

Upgrading Firmware

The Cisco NAC Guest Server is based on the following:
• The NAC-3415 is based on the UCS C220 M3 server platform.
• The NAC-3315 is based on the IBM System x3250 M2 server platform.
For further details refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access).

Additional Information

For late-breaking or additional details for this release, refer to the Release Notes for Cisco NAC Guest Server, Release 2.1.


For the latest online updates to this guide, visit http://www.cisco.com/en/US/products/ps6128/products_installation_and_configuration_guides_list.html
See Product Documentation for a list of related documentation for Cisco NAC Guest Server.


CHAPTER 2

Installing Cisco NAC Guest Server

This chapter contains the following sections:
• Connecting the Cisco NAC Guest Server
• Command Line Configuration
• Re-Imaging the Appliance

Connecting the Cisco NAC Guest Server

The Cisco NAC Guest Server runs on the following Cisco NAC Appliance hardware platforms and comes preloaded with the Guest Server system image:
• NAC-3415
• NAC-3315

Note
• Cisco NAC Appliance platform (NAC-3415) supports fresh installation of only Release 2.1.
• Next generation Cisco NAC Appliance platform (NAC-3315) supports fresh installation of only Release 2.0.2 and later.
• The support for NAC-3310 has been dropped from NAC Guest Server Release 2.0.5.

When you receive the Guest Server, perform the initial configuration described in Command Line Configuration, page 2-4. If you need to perform CD installation to re-image the appliance, refer to Re-Imaging the Appliance, page 2-9 for instructions. To perform initial configuration, you need to connect to your appliance and access its command line, as described below.

Step 1 You can access the Cisco NAC Guest Server command line using one of the following methods:
a. Connect a monitor and keyboard directly to the machine via the keyboard/video monitor connectors on the back panel of the machine as shown in Figure 2-2 for NAC-3415 and Figure 2-4 for NAC-3315.
b. Connect a null modem serial cable from a workstation (PC/laptop) to the serial port on the appliance. Open a serial connection on the workstation using terminal emulation software (such as HyperTerminal or SecureCRT) with settings set to 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.


Step 2 Connect a straight-through Category 5 Ethernet cable to the eth0 (NIC1) 10/100/1000 Ethernet port on the back panel of the appliance and to your local area network.
Step 3 Connect the AC power cord to the back panel of the appliance and to a grounded AC outlet, and power on the appliance as shown in Figure 2-1 for NAC-3415 and Figure 2-3 for NAC-3315.
Step 4 Proceed to the instructions in Command Line Configuration, page 2-4.

Figure 2-1 Cisco NAC Guest Server Front Panel (NAC-3415)

Callouts in Figure 2-1:
1 Power button/power status LED
2 Identification button/LED
3 System status LED
4 Fan status LED
5 Temperature status LED
6 Power supply status LED
7 Network link activity LED
8 Asset tag (serial number)
9 KVM connector (used with KVM cable that provides two USB, one VGA, and one serial connector)
10 Drives (up to eight hot-swappable 2.5-inch drives)

Figure 2-2 Cisco NAC Guest Server Rear Panel (NAC-3415)

Callouts in Figure 2-2:
1 Power supplies (up to two)
2 Slot 2: Low-profile PCIe slot on riser (half-height, half-length, x16 connector, x8 lane width)
3 Slot 1: Standard-profile PCIe slot on riser (full-height, half-length, x24 connector, x16 lane width)
4 VGA video connector
5 Serial port (RJ-45 connector)
6 One 10/100/1000 Ethernet dedicated management port
7 Dual 1-Gb Ethernet ports (LAN1 and LAN2)
8 USB ports
9 Rear Identification button/LED

Figure 2-3 Cisco NAC Guest Server Front Panel (NAC-3315)

Callouts in Figure 2-3:
1 Front USB port 1
2 Front USB port 2
3 Hard disk drive (HDD) bay 0
4 Hard disk drive (HDD) bay 2
5 CD-ROM/DVD drive

Figure 2-4 Cisco NAC Guest Server Rear Panel (NAC-3315)

Callouts in Figure 2-4:
1 Power supply cable socket
2 NIC 3 (eth2) add-on card
3 NIC 4 (eth3) add-on card
4 Serial port
5 Video port
6 NIC 2 (eth1) GbE interface
7 NIC 1 (eth0) GbE interface
8 Rear USB port 4
9 Rear USB port 3
10 Console port


Command Line Configuration

To configure the Cisco NAC Guest Server appliance, perform the following steps:
• Configure IP Address and Default Gateway, page 2-5 so that the appliance can be accessed on the network.
• Change Root Password, page 2-8.

Initial Log In

When logging in for the first time after initial installation, or after re-imaging the appliance, you need to set up a password for the root user.

Step 1 Connect to the command line interface using either a keyboard and monitor connection to the appliance, or a serial console connection.
Step 2 Log in as the root user. The login user name for the console is root as shown in Figure 2-5.

Figure 2-5 Login as Root

Step 3 Change the password at the root prompt. Type a password and then confirm the password by re-entering it at the prompt, as shown in Figure 2-6.

Note Cisco recommends using a strong password that is not based on a dictionary word, has a minimum of 6 characters, and contains at least 5 different characters.


Figure 2-6 Changing Root Password

Configure IP Address and Default Gateway

To allow the appliance to be accessed on the network, you need to configure the IP address and default gateway for the first interface on the appliance (eth0 or NIC1). To configure these details, perform the following steps.

Step 1 Using either a keyboard and monitor connection to the appliance, or serial console connection, authenticate to the command line interface, as shown in Figure 2-7. The user name for the console is root and the password is the one you configured as described in Initial Log In, page 2-4.


Figure 2-7 Authenticating to the Console

Step 2 To configure the network settings, type the command system-config-network and press Enter. The Select A Device menu appears as shown in Figure 2-8.

Figure 2-8 Choose eth0 Interface

Step 3 Select the eth0 interface from the list using the up and down arrow keys and press Enter.
Step 4 You can now enter all the correct network settings for the appliance as shown in Figure 2-9.


Figure 2-9 Change Network Configuration Details

Type the following information:
• Static IP—The IP Address that you want to assign to the Cisco NAC Guest Server.
• Netmask—The corresponding subnet mask.
• Default gateway IP—The default gateway for the network.
You can use the Tab key, Arrow keys or Enter to move between fields. When finished, move to the OK button and press Enter.
Step 5 Exit the system-config-network utility by selecting Quit from the Select A Device menu as shown in Figure 2-10.

Figure 2-10 Quit the Utility

Step 6 At the command line, either reboot the appliance by typing reboot and pressing Enter, or follow the instructions in Change Root Password, page 2-8 before entering reboot.
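A pre-flight check for the three values entered in Step 4, as an added example that is not part of the Cisco guide or of system-config-network: it confirms that the Static IP, Netmask and Default gateway IP are well-formed and consistent with each other (gateway inside the subnet, no network or broadcast address) before they are committed, since a mistake here leaves the appliance reachable only via the console. The function names and the checks themselves are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the Cisco guide): validate the eth0 settings
# (Static IP, Netmask, Default gateway IP) before entering them in
# system-config-network. Function and variable names are this example's own.

# Convert a dotted quad in "$1" to an integer in NGS_INT; return 1 if malformed.
ngs_ip_to_int() {
  case "$1" in
    ''|.*|*.|*..*) return 1 ;;          # empty, leading/trailing dot, empty octet
  esac
  ngs_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$ngs_ifs
  [ $# -eq 4 ] || return 1
  NGS_INT=0
  for o in "$@"; do
    case "$o" in
      ''|*[!0-9]*|0[0-9]*|????*) return 1 ;;   # non-numeric, leading zero, too long
    esac
    [ "$o" -le 255 ] || return 1
    NGS_INT=$(( (NGS_INT << 8) | o ))
  done
  return 0
}

# A netmask must be contiguous ones followed by zeros and leave room for hosts
# (rejects 0.0.0.0, /31 and /32).
ngs_mask_ok() {
  m=$1
  [ "$m" -ne 0 ] || return 1
  [ $(( m | (m - 1) )) -eq 4294967295 ] || return 1
  [ "$m" -lt 4294967294 ] || return 1
  return 0
}

# Usage: ngs_check_network STATIC_IP NETMASK GATEWAY
# Returns 0 when the triple is consistent; otherwise prints the reason and returns 1.
ngs_check_network() {
  ngs_ip_to_int "$1" || { echo "bad Static IP: $1" >&2; return 1; }
  ip=$NGS_INT
  ngs_ip_to_int "$2" || { echo "bad Netmask: $2" >&2; return 1; }
  mask=$NGS_INT
  ngs_ip_to_int "$3" || { echo "bad Default gateway IP: $3" >&2; return 1; }
  gw=$NGS_INT
  ngs_mask_ok "$mask" || { echo "Netmask $2 is not a valid contiguous mask" >&2; return 1; }
  first=$(( ip >> 24 ))
  if [ "$first" -eq 0 ] || [ "$first" -eq 127 ] || [ "$first" -ge 224 ]; then
    echo "Static IP $1 is in a reserved range" >&2; return 1
  fi
  net=$(( ip & mask ))
  bcast=$(( net | (4294967295 ^ mask) ))
  if [ "$ip" -eq "$net" ] || [ "$ip" -eq "$bcast" ]; then
    echo "Static IP $1 is the network or broadcast address" >&2; return 1
  fi
  if [ $(( gw & mask )) -ne "$net" ]; then
    echo "Default gateway $3 is not in the subnet of $1/$2" >&2; return 1
  fi
  if [ "$gw" -eq "$net" ] || [ "$gw" -eq "$bcast" ] || [ "$gw" -eq "$ip" ]; then
    echo "Default gateway $3 collides with the network, broadcast or appliance address" >&2; return 1
  fi
  return 0
}

# Constructed sample values (not from the guide): run the check before
# typing the same values into system-config-network.
ngs_check_network 192.168.10.20 255.255.255.0 192.168.10.1 && echo "eth0 settings look consistent"
```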


Change Root Password

Note Cisco recommends using a strong password that is not based on a dictionary word, has a minimum of 6 characters, and contains at least 5 different characters.

Step 1 From the command line, enter the command passwd and press Enter.
Step 2 Enter the new password and press Enter.
Step 3 Repeat the password and press Enter.
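A check of a candidate root password against the policy stated in the Note above (and in Initial Log In: at least 6 characters, at least 5 different characters, not based on a dictionary word), as an added example that is not part of the Cisco guide; passwd itself does not enforce this policy. The function names and the small built-in word list are this example's own constructions; NGS_WORDLIST may be pointed at a real dictionary file such as /usr/share/dict/words.

```shell
#!/bin/sh
# Added example (not part of the Cisco guide): test a candidate password
# against the guide's stated policy before running passwd.
# Policy: at least 6 characters, at least 5 different characters,
# not based on a dictionary word.

NGS_WORDLIST="${NGS_WORDLIST:-}"   # optional path to a real dictionary file

# Constructed fallback word list so the check runs offline.
ngs_builtin_words() {
  cat <<'EOF'
password
cisco
guest
admin
server
welcome
EOF
}

# Count the distinct characters in "$1".
ngs_distinct_chars() {
  printf '%s\n' "$1" | fold -w1 | sort -u | wc -l | tr -d ' '
}

# Return 0 if "$1" is a dictionary word (case-insensitive), also after
# stripping trailing digits (catches the common word+digits pattern).
ngs_is_dictionary_based() {
  lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  stripped=$(printf '%s' "$lower" | sed 's/[0-9]*$//')
  [ -n "$stripped" ] || stripped=$lower     # all-digit input: nothing to strip
  if [ -n "$NGS_WORDLIST" ] && [ -r "$NGS_WORDLIST" ]; then
    grep -qixF -e "$lower" -e "$stripped" "$NGS_WORDLIST"
  else
    ngs_builtin_words | grep -qixF -e "$lower" -e "$stripped"
  fi
}

# Return 0 if "$1" meets the policy; otherwise print the reason and return 1.
ngs_password_ok() {
  pw="$1"
  if [ "${#pw}" -lt 6 ]; then
    echo "rejected: fewer than 6 characters" >&2; return 1
  fi
  if [ "$(ngs_distinct_chars "$pw")" -lt 5 ]; then
    echo "rejected: fewer than 5 different characters" >&2; return 1
  fi
  if ngs_is_dictionary_based "$pw"; then
    echo "rejected: based on a dictionary word" >&2; return 1
  fi
  return 0
}

# Constructed sample (not a real credential): a word plus digits fails the
# dictionary rule even though it is long enough and varied enough.
ngs_password_ok 'Guest123' || echo "choose a different root password"
```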

Next Steps

Continue to Chapter 3, “System Setup” to access and configure the admin console.


Re-Imaging the Appliance

When the Cisco NAC Guest Server is shipped, a default version of the system image is already preloaded on the unit, so imaging is not required. If you need to re-image the appliance to factory defaults, you can download the system image ISO from Cisco Secure Software Downloads on Cisco.com and burn this ISO file to a blank CD-ROM. Once you have the system image on a bootable CD, you can perform the following steps to install the system image onto the appliance. Refer to the latest version of the Release Notes for Cisco NAC Guest Server, Release 2.1 for additional details.

Caution Imaging the appliance deletes all data on the appliance. There is no method of recovery of data from the Guest Server after imaging has started. Make sure to backup any data that you need before starting this process.

Step 1 Download the ISO image file from the Cisco NAC Guest Server download page. Log in with your Cisco.com user credentials to the Cisco Software Download Site at http://www.cisco.com/cisco/web/download/index.html and navigate to Security > Network Admission Control > Cisco NAC Guest Server > Cisco NAC Guest Server 2.1.
Step 2 Burn this ISO file to a blank CD-ROM to create a bootable disk.
Step 3 Decide whether to perform the installation using a keyboard and monitor connection or over a serial console.
a. Connect either a keyboard and monitor to the back of the unit, or
b. Attach a null modem cable to the serial port on the back of the appliance. From the computer to which the serial cable is attached, run a terminal emulation program with settings set to: 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
Step 4 Once you have connected to the appliance, insert the bootable CD into the CD-ROM drive of the appliance.
Step 5 Power on the appliance. If the appliance is already started, switch it off and then switch it on again.
Step 6 The appliance should now boot from the CD-ROM drive and the initial install screen is displayed as shown in Figure 2-11.

Caution If your Cisco NAC Guest Server does not read the software on the CD ROM drive and instead attempts to boot from the hard disk, you need to change the appliance settings to boot from CD ROM as described in Configuring Boot Settings on NAC-3415 / NAC-3315 Based Appliances, page 2-12.

Cisco NAC Guest Server Installation and Configuration Guide OL-28256-01 2-9 Chapter 2 Installing Cisco NAC Guest Server Re-Imaging the Appliance

Figure 2-11 Initial Install

Step 7 At the Initial Installation prompt, run the installation according to how you are connected to the appliance:
• If directly connected using a keyboard and monitor, type install and press Enter.
• If you are using a serial connection, type installserial at the boot prompt and press Enter.

Step 8 The system image is automatically installed on the hard disk as shown in Figure 2-12.

Figure 2-12 Transferring Install Image

Step 9 When the install image is successfully transferred, the system reboots automatically as shown in Figure 2-13.


Figure 2-13 Appliance Reboots

Step 10 The CD-ROM automatically ejects from the appliance.

Note Remove the CD and store it safely so that the appliance does not accidentally reboot from it at a later time.

Step 11 The Cisco NAC Guest Server appliance boots and runs the final setup of the image automatically. The imaging process is complete when the login is displayed as shown in Figure 2-14.

Figure 2-14 Imaging Complete

Step 12 Continue to the instructions in Initial Log In, page 2-4 to complete the installation.


Configuring Boot Settings on NAC-3415 / NAC-3315 Based Appliances

If your appliance does not read the software on the CD ROM drive, and instead attempts to boot from the hard disk, use the following steps to configure the appliance to boot from CD ROM before attempting to re-image or upgrade the Cisco NAC Guest Server from CD.

Step 1 Press the F10 key while the system is booting.

Step 2 Go to the Boot menu as shown in Figure 2-15.

Figure 2-15 Boot Menu

Step 3 Change the setting to boot from CD ROM by selecting CD-ROM Drive from the menu and pressing the plus (+) key as shown in Figure 2-16.


Figure 2-16 Boot from CD-ROM Drive

Step 4 Press the F10 key to Save and Exit.



Chapter 3

System Setup

The Cisco NAC Guest Server is administered entirely using a web interface over either HTTP or HTTPS. After initial installation, the system can be configured through the web interface to provide the networking configuration for the appliance and other important system settings such as time and the SSL certificate. This chapter includes the following sections:
• Installing the Product License and Accessing the Administration Interface
• Configuring Network Settings
• Date and Time Settings
• Configuring SSL Certificates
• Configuring Administrator Authentication

Installing the Product License and Accessing the Administration Interface

Before accessing the web administration interface of the Cisco NAC Guest Server, you need to install a product license. You can obtain a license using the instructions in the PAK shipped with the appliance or by registering for an evaluation license at https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?FormId=146.

Note For additional details on evaluation licenses refer to Cisco NAC Appliance Service Contract / Licensing Support.

This section describes the following:
• Obtain and Install Cisco NAC Guest Server License
• Access Cisco NAC Guest Server Administration Interface


Obtain and Install Cisco NAC Guest Server License

Use the following steps to obtain and install your FlexLM product license files for Cisco NAC Guest Server.

Step 1 With FlexLM licensing, you receive a Product Authorization Key (PAK) for each Guest Server that you purchase. The PAK is affixed as a sticky label on the Software License Claim Certificate card that is included in your package.

Warning The PAK is NOT the Cisco NAC Guest Server license. The PAK is used to obtain the Cisco NAC Guest Server license, as described below.

Step 2 Log in as a registered CCO user and fill out the Customer Registration form found at the PAK Cisco Technical Support site: http://www.cisco.com/go/license. During customer registration, submit each PAK you received and the eth0 MAC address of your Cisco NAC Guest Server.

Note For convenience, the top part of the Cisco NAC Guest Server License Form as shown in Figure 3-1, lists the MAC address of the Guest Server appliance.

Warning The eth0 MAC address entered in the customer registration form for the Guest Server must be in UPPER CASE (i.e. hexadecimal letters must be capitalized). Do not enter colons (“:”) in between characters.

Please follow the instructions on the license web pages carefully to ensure that the correct MAC addresses are entered.

Step 3 For each PAK that you submit, a license file is generated and sent to you by email.

Step 4 Save each license file you receive to disk.

Step 5 Open a web browser to the Cisco NAC Guest Server Administration interface by entering the IP address that you configured through the command line as the URL, followed by /admin:
• For HTTP access, open http://<ip-address>/admin
• For HTTPS access, open https://<ip-address>/admin

Step 6 In the Cisco NAC Guest Server License Form as shown in Figure 3-1, click the Browse button and locate the license file.


Figure 3-1 Cisco NAC Guest Server License Form (example)

Step 7 Click Upload License to install the license.

Access Cisco NAC Guest Server Administration Interface

Step 1 If you have installed a license, the admin login is automatically displayed. Otherwise, open a web browser to the Cisco NAC Guest Server Administration interface by entering the IP address that you configured through the command line as the URL, followed by /admin:
• For HTTP access, open http://<ip-address>/admin
• For HTTPS access, open https://<ip-address>/admin

Step 2 The Cisco NAC Guest Server Administration interface is displayed as shown in Figure 3-2. This is the administrator interface to the appliance.

Step 3 Log in as the admin user. The default user name/password for the admin console is admin/admin.


Figure 3-2 Admin Login

Note Cisco recommends setting up SSL access and changing the default admin user password for security. Refer to Configuring SSL Certificates, page 3-9 and Edit Existing Admin Account, page 3-17 for details.

Note Entering the Guest Server IP address without the “/admin” suffix as the URL brings up the sponsor interface. See Chapter 4, “Configuring Sponsor Authentication” for details.

Configuring Network Settings

Configure remaining network settings before performing any other operation. This minimizes the need to restart the appliance later on.

Step 1 Upon logging into the administration interface, by default, the home page displays the Authentication > Sponsors > Authentication Order page as shown in Figure 3-3.


Figure 3-3 Administration Home Page

Step 2 From the administration home page, select Server > Network Settings from the left panel to go to the Network Settings page. This page provides all the network settings that can be changed on the Cisco NAC Guest Server appliance as shown in Figure 3-4.

Figure 3-4 Network Settings

You can change the following Network Settings:
• Hostname—Assign the name of the appliance as defined in DNS (without DNS suffix).
• IP Address—Modify the IP address of the eth0 interface on the appliance.
• Subnet Mask—Enter the corresponding subnet mask.
• Gateway—Modify the default gateway for the network to which the appliance is connected.
• Domain—Enter the domain name for your organization (e.g. cisco.com).
• Primary DNS—Enter the IP address of the primary DNS server.
• Secondary DNS—Enter the IP address of the secondary DNS server.

Step 3 Click the Save Settings button to save the changes that you made.


Step 4 Once changes are saved, you need to restart the Guest Server to ensure all processes use the correct IP address. Click the Reboot Server button, and the restart process will begin on the Guest Server within 60 seconds.

Note Modifications to Server settings require a reboot. You can modify and save multiple Server settings at a time before a reboot, but you must click Reboot Server for the changes to be applied.

Date and Time Settings

Correct date and time are critical to the Cisco NAC Guest Server. The Guest Server authenticates guest users based upon the time their accounts are valid. It is important for the time to be correct so that guest accounts are created and removed at the correct time. If possible, Cisco recommends using a Network Time Protocol (NTP) server to synchronize the time and date.

Step 1 From the administration interface, select Server > Date/Time Settings to display the Date/Time Settings page as shown in Figure 3-5.

Figure 3-5 Date/Time Settings

Step 2 Select the correct System Date and System Time for the location of the Guest Server.

Step 3 Select the correct System Timezone for the location of the Guest Server.

Step 4 Click the Save Settings button to apply the System Timezone.

Note Changing the System Timezone automatically adjusts the date and time on the server.


Step 5 If you have one, two or three NTP servers available on the network, click the Use NTP to set System Date & Time checkbox.

Step 6 Enter the IP address of each NTP server available into the fields provided.

Step 7 Click the Save Settings button to apply the changes.

Note When setting the NTP server it may take some time for synchronization. Synchronization occurs much faster if the time is set close to the NTP server (and saved by clicking the Save Settings button) before saving the NTP Server settings.

Step 8 Click the Reboot Server button to restart the NTP process so the new settings take effect.

Note If you modify the Server settings, you need to reboot the system. You can modify and save multiple Server settings at a time, but you must click Reboot Server for the changes to be applied.

Access Restrictions

You can configure Cisco NAC Guest Server to restrict access to only certain IP address ranges for the administration interface and the sponsor interface at any one time.

Administration Access

Step 1 From the administration interface, select Server > Access Restrictions and click the Administration tab as shown in Figure 3-6.


Figure 3-6 Access Restrictions Admin

Step 2 In the Allowed IP Addresses field, type a range of IP addresses that are allowed access to the Guest Server Administration interface, and apply a CIDR subnet range using the dropdown menu.

Step 3 Click Add to add addresses to the list.

Step 4 Click Save to make the changes permanent.

Note Leaving the IP Range field blank allows all IP addresses to access the Administration interface, if users have the required admin account permissions.

Sponsor Access

Step 1 From the administration interface, select Server > Access Restrictions and click the Sponsor tab as shown in Figure 3-7.


Figure 3-7 Access Restrictions Sponsor

Step 2 Type the range of IP addresses that are allowed to access the Sponsor interface, and apply a CIDR subnet range using the dropdown menu.

Step 3 Click Save to continue.

Note Leaving the IP Range field blank allows all IP addresses to access the Sponsor interface, if users have the required sponsor account permissions.

Note If you modify the Server settings, you need to reboot the system. You can modify and save multiple Server settings at a time, but you must click Reboot Server for the changes to be applied.
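The Administration and Sponsor tabs share one rule: each entry is an address with a CIDR prefix, and a blank field means no restriction at all. The following Python block is an added example, not Guest Server code; it applies that rule to a client address and flags blank or very broad entries before they are saved. The allowlist entries and the "broader than /8" threshold are constructed for illustration and are not product defaults.

```python
"""Added example (not Cisco NAC Guest Server code): evaluate a client IP
against an access-restriction allowlist the way the Administration and
Sponsor tabs describe it.  Each entry is an IP address plus a CIDR prefix
length; an empty list allows every client, as the product Notes state."""
import ipaddress
from typing import Iterable, List

# Constructed sample allowlists; the addresses are documentation ranges,
# not taken from any real deployment.
ADMIN_ALLOWED = ["10.10.0.0/16", "192.0.2.0/24"]   # constructed
SPONSOR_ALLOWED: List[str] = []                       # blank field: allow all


def normalize(entries: Iterable[str]) -> list:
    """Parse 'address/prefix' strings into network objects.

    strict=False mirrors a form where the typed address may carry host
    bits (10.10.5.7/16 is treated as the range 10.10.0.0/16)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(client_ip: str, entries: Iterable[str]) -> bool:
    """Return True if client_ip falls inside any allowed range.

    An empty allowlist means no restriction.  A malformed client address
    is treated as not allowed, so the check fails closed."""
    networks = normalize(entries)
    if not networks:
        return True
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def audit(entries: Iterable[str]) -> list:
    """Findings a defender would want before clicking Save: a blank list
    (everything permitted) or a range broader than /8 (constructed
    threshold for this example)."""
    findings = []
    networks = normalize(entries)
    if not networks:
        findings.append("allowlist is blank: all source addresses permitted")
    for net in networks:
        if net.prefixlen < 8:
            findings.append(f"{net} is very broad (/{net.prefixlen})")
    return findings


if __name__ == "__main__":
    for ip in ("10.10.5.7", "10.11.0.1", "not-an-ip"):
        print(ip, "admin allowed:", is_allowed(ip, ADMIN_ALLOWED))
    print("sponsor audit:", audit(SPONSOR_ALLOWED))
```

Run it against your own planned entries before saving them in the interface; the audit is meant to catch the case where a tab is left blank by mistake, which the Notes above say opens the interface to every source address.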

Configuring SSL Certificates

Both sponsors and administrators can access the Cisco NAC Guest Server using either HTTP or HTTPS. For more secure access Cisco recommends using HTTPS. This section describes the following:
• Accessing the Guest Server Using HTTP or HTTPS
• Generating Temporary Certificates/ CSRs/ Private Key
• Downloading Certificate Files
• Uploading Certificate Files

Accessing the Guest Server Using HTTP or HTTPS

You can configure whether sponsors and administrators access the portal using HTTP, HTTP and HTTPS, or HTTPS only.

Step 1 From the administration interface, select Server > SSL Settings from the left panel to display the SSL Settings page as shown in Figure 3-8.


Figure 3-8 SSL Settings Main Page

Step 2 The main SSL Settings page provides the following options:
• Allow Only HTTPS—When selected, only allows HTTPS access to the sponsor or administration interfaces of the Guest Server.
• Allow Only HTTP—When selected, only allows HTTP access to the sponsor or administration interfaces of the Guest Server.
• Allow HTTPS and HTTP—When selected, allows both HTTPS and HTTP access to the sponsor or administration interfaces of the Guest Server.
• Allow Only HTTPS (with HTTP Redirected to HTTPS)—When selected, allows sponsors and administrators to access the portal with HTTPS and standard HTTP; however, sponsors and administrators are redirected to HTTPS if using a standard HTTP connection.

Note HTTP to HTTPS redirection is not supported for API access.

Step 3 When you have made your selection, click the Save Settings button.

Note Modifications to Server settings require a reboot. You can modify and save multiple Server settings at a time before a reboot, but you must click Reboot Server for the changes to be applied.


Generating Temporary Certificates/ CSRs/ Private Key

Cisco NAC Guest Server ships with a default certificate installed. If you are planning on using HTTPS, Cisco strongly recommends generating a new temporary certificate and private key. When doing this, a certificate signing request (CSR) is also generated that can be used to obtain a Certificate Authority (CA) signed certificate.

Step 1 From the administration interface, select Server > SSL Settings from the left hand menu and click the Create CSR link from the center section of the page as shown in Figure 3-9 to bring up the Create CSR form as shown in Figure 3-10.

Figure 3-9 Certificate Signing Request

Figure 3-10 Create a CSR

Step 2 Provide the details for the temporary certificate and CSR in the Create CSR form:
• Common Name (FQDN or IP Address)—This is either the IP address of the Cisco NAC Guest Server, or the fully qualified domain name (FQDN) for the Guest Server. The FQDN must resolve correctly in DNS.
• Organization—The name of your organization or company.
• Organizational Unit (Section)—The name of the department or business unit that owns the device.
• Locality (e.g. City)—The city where the server is located.
• State or Province—The state where the server is located.
• Country—Select the relevant country from the dropdown menu.


Step 3 The Regenerate Private Key checkbox is optional and should be used if you think your existing private key has been compromised. If you regenerate your private key, the current certificate is invalidated and a new self-signed temporary certificate is generated using the new private key and CSR. Select this option to regenerate a private key.

Step 4 Click Create.

Step 5 The Certificate Signing Request page is displayed again as shown in Figure 3-9. If you chose to regenerate the private key, you are prompted to restart the server. You need to restart the server to use the new certificate and private key.

Step 6 The Create Temporary Certificate from CSR and Download CSR options are now available as shown in Figure 3-11.

Figure 3-11 Create CSR and Download CSR

Step 7 Selecting Create Temporary Certificate from CSR generates a temporary certificate from the Certificate Signing Request that you created in Steps 1 to 4.

Step 8 You can download the CSR by clicking the Download CSR option in Figure 3-11. Once you have sent the CSR to a Certificate Authority and obtained the CA-signed certificate in return, you can upload it by following the instructions in Uploading Certificate Files, page 3-14.

Step 9 To use the new temporary certificate you must restart the web server process. Click the Reboot Server button as shown in Figure 3-8.

Note Modifications to Server settings require a reboot. You can modify and save multiple Server settings at a time before a reboot, but you must click Reboot Server for the changes to be applied.

Tip If you want to install SSL certificates issued by an intermediate CA, you need to perform a CLI procedure. Contact Cisco TAC to receive guidance about this procedure.

Generating Self-Signed SSL Certificates Through CLI

When the administrator tries to install an SSL Certificate that is not relevant in the NAC Guest Server, the following error message is displayed: "The Current Private Key does not Correspond to the Current Certificate". If the user clicks the Reboot Server option, the invalid certificate is uploaded and the GUI becomes inaccessible. The workaround is to generate and install a self-signed SSL Certificate using CLI. This enables the user to access the GUI. Perform the following steps to generate self-signed SSL Certificate using the CLI:


Step 1 Generate the key and certificate file by entering the following command:
openssl req -new -key /etc/pki/tls/private/localhost.key -nodes -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt

Step 2 Enter the appropriate information to be incorporated into your certificate request, as follows:
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Step 3 Provide a copy of the certificate and key to the PostgreSQL database (postgres user) by entering the following commands:
cp /etc/pki/tls/certs/localhost.crt /var/lib/pgsql/data/server.crt
chmod 600 /var/lib/pgsql/data/server.crt
chown postgres:postgres /var/lib/pgsql/data/server.crt

cp /etc/pki/tls/private/localhost.key /var/lib/pgsql/data/server.key
chmod 600 /var/lib/pgsql/data/server.key
chown postgres:postgres /var/lib/pgsql/data/server.key

Step 4 Reboot the server.

You can access the GUI after rebooting the server.
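The error quoted above, "The Current Private Key does not Correspond to the Current Certificate", is a key/certificate mismatch, and the recovery procedure only works if the pair you install actually belongs together. The following Python block is an added example, not Cisco's code or part of the appliance: it reproduces the CLI steps with the openssl binary and, before anything is copied or rebooted, checks that the certificate's public key equals the one derived from the private key. Paths are parameters; the /etc/pki and /var/lib/pgsql locations from the guide are assumed defaults, the demo runs in a temporary directory, and chown is left out so the example does not need root.

```python
"""Added example, not Cisco's code: run the self-signed certificate
procedure with openssl and verify the key and certificate match before
installing copies for PostgreSQL.  Requires the openssl binary on PATH."""
import os
import shutil
import subprocess
import tempfile


def run_openssl(*args: str) -> bytes:
    """Run one openssl subcommand and return its stdout; raise on failure."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True).stdout


def generate_self_signed(key_path: str, crt_path: str, subject: str,
                         days: int = 365) -> None:
    """Create an RSA key and a self-signed certificate for it.

    The guide's command reuses an existing localhost.key; -newkey creates
    one here so the example runs on any machine.  -subj answers the
    prompts of Step 2 non-interactively."""
    run_openssl("req", "-new", "-x509", "-nodes", "-newkey", "rsa:2048",
                "-days", str(days), "-subj", subject,
                "-keyout", key_path, "-out", crt_path)
    os.chmod(key_path, 0o600)


def key_matches_cert(key_path: str, crt_path: str) -> bool:
    """True when the certificate's public key equals the private key's.

    Comparing the PEM public keys works for RSA and EC keys alike."""
    from_cert = run_openssl("x509", "-in", crt_path, "-noout", "-pubkey")
    from_key = run_openssl("pkey", "-in", key_path, "-pubout")
    return from_cert.strip() == from_key.strip()


def install_for_postgres(key_path: str, crt_path: str, pg_dir: str) -> list:
    """Copy the pair into the database directory as server.crt/server.key
    with mode 0600, as Step 3 does, refusing a mismatched pair.
    chown postgres:postgres is omitted (needs root on a real appliance)."""
    if not key_matches_cert(key_path, crt_path):
        raise ValueError("private key does not correspond to certificate")
    installed = []
    for src, name in ((crt_path, "server.crt"), (key_path, "server.key")):
        dst = os.path.join(pg_dir, name)
        shutil.copyfile(src, dst)
        os.chmod(dst, 0o600)
        installed.append(dst)
    return installed


def demo() -> dict:
    """Self-contained run in a temporary directory: the matching pair
    installs, a key from a different pair is detected as a mismatch."""
    subject = "/C=GB/ST=Berkshire/L=Newbury/O=Example Ltd/CN=guest.example.test"  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "localhost.key")
        crt = os.path.join(tmp, "localhost.crt")
        generate_self_signed(key, crt, subject)
        other_key = os.path.join(tmp, "other.key")
        generate_self_signed(other_key, os.path.join(tmp, "other.crt"), subject)
        pg_dir = os.path.join(tmp, "pgsql")
        os.mkdir(pg_dir)
        installed = install_for_postgres(key, crt, pg_dir)
        return {
            "match": key_matches_cert(key, crt),
            "mismatch": key_matches_cert(other_key, crt),
            "installed": [os.path.basename(p) for p in installed],
            "modes": [oct(os.stat(p).st_mode & 0o777) for p in installed],
        }


if __name__ == "__main__":
    print(demo())
```

On the appliance itself, point key_matches_cert at /etc/pki/tls/private/localhost.key and /etc/pki/tls/certs/localhost.crt before clicking Reboot Server; if it returns False, the GUI will be unreachable after the reboot and the CLI procedure above is the way back.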

Downloading Certificate Files

Downloading the Certificate

Cisco strongly recommends backing up the certificate and private key. The certificate can be downloaded from the administration interface for manual backup to a secure location.

Step 1 From the administration interface, select Server > SSL Settings from the left hand menu.

Step 2 Select Download Current SSL Certificate from the Download Certificate section of the page as shown in Figure 3-12.

Figure 3-12 Download Certificate File

Step 3 Save the SSL Certificate to a secure backup location.

Downloading the Private Key

The private key can only be obtained through an SFTP connection to the Guest Server. For Windows platforms, you can get a free SFTP client from http://winscp.net.


Step 1 Open an SFTP connection to the Cisco NAC Guest Server. The authentication credentials are the same as for the command line. Log in with the root username and password you assigned for this account in the initial setup.

Step 2 Download the /etc/pki/tls/private/localhost.key file and store it in a secure backup location.

Uploading Certificate Files

The Cisco NAC Guest Server provides a method of importing/uploading certificate files to the Guest Server appliance. The Upload Certificates option is used to install a CA-signed certificate or to restore Base 64 PEM format certificate files previously backed up.

Note You must upload certificate files in Base 64 PEM format.

The certificate files are not backed up as part of any backup process. You must manually back them up as described in Downloading Certificate Files, page 3-13.

Wildcard certificates are not supported.

Step 1 From the administration interface, select Server > SSL Settings from the left hand menu.

Step 2 View the Upload Certificates section at the bottom of the page as shown in Figure 3-13.

Figure 3-13 Upload Certificate Files

Step 3 Click the Browse button to locate the SSL Certificate file or Root CA Certificate file you want to upload and click the Upload button.

Warning When uploading a certificate, it must match the private key installed.

Step 4 If uploading a new Server SSL Certificate, you are prompted to restart the server for the certificate to take effect.

Note Modifications to Server settings require a reboot. You can modify and save multiple Server settings at a time before a reboot, but you must click Reboot Server for the changes to be applied.

Uploading a Private Key

The private key can be uploaded only through an SFTP connection to the Guest Server. For Windows platforms, you can get a free SFTP client from http://winscp.net.


Step 1 Open an SFTP connection to the Cisco NAC Guest Server. The authentication credentials are the same as for the command line. Log in with the root username and password you assigned for this account in the initial setup.

Step 2 Upload the key to the /etc/pki/tls/private/localhost.key file.

Step 3 Change the ownership and file permissions so that the file is owned by root and has permissions of 644:
chown root:root /etc/pki/tls/private/localhost.key
chmod 644 /etc/pki/tls/private/localhost.key

Step 4 Copy the new key to /var/lib/pgsql/data/server.key:
cp /etc/pki/tls/private/localhost.key /var/lib/pgsql/data/server.key

Step 5 Change the ownership and file permissions so that the file is owned by postgres and has permissions of 700:
chown postgres:postgres /var/lib/pgsql/data/server.key
chmod 700 /var/lib/pgsql/data/server.key

Warning As it is possible to disable a server or invalidate a server certificate, Cisco strongly recommends that you have a strong knowledge of PKI before working with the server private key directly as described in this method.

Configuring Administrator Authentication

Cisco NAC Guest Server has a single default administrator account, called “admin.” You can additionally configure the Cisco NAC Guest Server to authenticate administrators against an external RADIUS server. The Admin Accounts pages under the Authentication menu allow you to create, edit and delete additional administrator accounts. This section describes the following:
• Add New Admin Account
• Edit Existing Admin Account
• Delete Existing Admin Account
• Admin Session Timeout
• Configuring RADIUS for Administrator Authentication

Add New Admin Account

Step 1 From the administration interface, select Authentication > Administrators from the left hand menu.

Step 2 In the Local Database tab of the Administrators page as shown in Figure 3-14, click the Add Administrator button.


Figure 3-14 Administrator Accounts

Step 3 In the Add Administrator page as shown in Figure 3-15, enter all the admin user credentials.

Figure 3-15 Add Admin User

• First Name—Type the first name of the admin user.
• Surname—Type the last name of the admin user.
• Email Address—Type the email address of the admin user.
• Username—Type the user name for the admin account.
• Password—Type the password for the admin account.
• Confirm—Retype the password for the admin account.

Step 4 Click the Add Administrator button.
• If there are any errors, the account is not added and an error message is displayed at the top of the page.
• If successfully added, a success message is displayed at the top of the page and you can add additional admin accounts.


Edit Existing Admin Account

You can modify the settings of admin accounts that are already created.

Step 1 From the administration interface, select Authentication > Administrators from the left hand menu.

Step 2 In the Local Database tab of the Administrators page as shown in Figure 3-16, click the username from the list.

Figure 3-16 Admin Users to Edit

Step 3 In the Edit Administrator page as shown in Figure 3-17, edit the user credentials.


Figure 3-17 Edit Admin Account

• First Name—Edit the first name of the admin user.
• Surname—Edit the last name of the admin user.
• Email Address—Edit the email address of the admin user.
• Password—Edit the password for the admin account.
• Confirm—Retype the new password for the admin account.

Note Cisco recommends using a strong password that is not based on a dictionary word, has a minimum of 6 characters, and contains at least 5 different characters.

Note Leaving the Password and Repeat Password fields empty keeps the existing password.

Step 4 Click the Save Settings button.
• If there are any errors, the account is not changed and an error message is displayed at the top of the page.
• If successfully changed, a success message is displayed at the top of the page and you can make additional changes to the same admin account.

Delete Existing Admin Account

You can remove existing admin accounts from the administration interface.

Step 1 From the administration interface, select Authentication > Administrators from the left hand menu.


Figure 3-18 Select Admin Account to Delete

Step 2 In the Admin Accounts page as shown in Figure 3-18, click the bin icon at the end of the user entry that you want to delete.

Step 3 When prompted, click OK to delete the user or click Cancel to cancel the deletion. If successfully deleted, a success message is displayed at the top of the page.

Admin Session Timeout

The Session Timeout defined for the Sponsor interface also applies to the Administration interface. See Session Timeouts, page 4-20 for details.

Configuring RADIUS for Administrator Authentication

Note Cisco NAC Guest Server only allows access to admin users who are successfully authenticated. The RADIUS server must return the IETF Service-Type attribute set to 6 (administrative).

As an alternative to configuring local administrator accounts, you can configure admin users to be authenticated against an external RADIUS server. To configure RADIUS authentication for administrators, perform the following steps:

Step 1 From the administration interface, select Authentication > Administrators.

Step 2 Click the RADIUS Authentication tab as shown in Figure 3-19.


Figure 3-19 Administrator RADIUS Authentication

Step 3 Type the Server IP Address for the Primary RADIUS Server.

Step 4 Type the Port that RADIUS authentication is running on for that server (default is 1645 or 1812).

Step 5 In the RADIUS Secret field, type the shared secret to be used between the RADIUS Server and the NAC Guest Server.

Step 6 Confirm the secret to make sure that it is set correctly.

Step 7 Enter details for a Secondary RADIUS Server. These details are used when the NAC Guest Server does not receive a response from the Primary RADIUS Server. These fields are optional.

Step 8 Check the Authentication Mode checkbox so that the local admin account is allowed if both RADIUS Servers cannot be contacted. If this option is unchecked, the local admin account is allowed if authentication is denied by either RADIUS Server.

Step 9 Click the Save button to save the Administrator RADIUS settings.
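The Note at the top of this section is the condition that matters when debugging a RADIUS-authenticated administrator who cannot log in: an Access-Accept alone is not enough, the reply must also carry Service-Type = 6 (Administrative-User). The following Python block is an added example, not Guest Server code: it decodes a RADIUS reply as laid out in RFC 2865 (code, identifier, length, 16-byte authenticator, then type/length/value attributes) and applies that rule. The sample replies are constructed inline with a zeroed authenticator; a real server computes it over the packet and the shared secret.

```python
"""Added example, not Cisco's code: decode a RADIUS reply and apply the
Guest Server rule that an administrator is accepted only when the server
returns Access-Accept carrying Service-Type = 6 (Administrative-User).
Layout per RFC 2865: code(1) id(1) length(2) authenticator(16) then
attributes as type(1) length(1) value.  Sample packets are constructed."""
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_SERVICE_TYPE = 6
ATTR_REPLY_MESSAGE = 18
SERVICE_TYPE_LOGIN_USER = 1
SERVICE_TYPE_ADMINISTRATIVE = 6


def parse_attributes(payload: bytes) -> list:
    """Walk the attribute TLVs; reject malformed lengths instead of guessing."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def parse_reply(packet: bytes) -> tuple:
    """Return (code, attributes) from a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    return code, parse_attributes(packet[20:length])


def admin_login_permitted(packet: bytes) -> bool:
    """Access-Accept AND Service-Type == 6.  An Accept without Service-Type,
    or with Login-User (1), does not grant administrator access."""
    code, attrs = parse_reply(packet)
    if code != ACCESS_ACCEPT:
        return False
    for atype, value in attrs:
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            return struct.unpack("!I", value)[0] == SERVICE_TYPE_ADMINISTRATIVE
    return False


def build_reply(code: int, attrs: list) -> bytes:
    """Assemble a constructed reply for testing.  The authenticator is all
    zeros here; a real server derives it from the packet and shared secret."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


# Constructed sample replies
ADMIN_ACCEPT = build_reply(ACCESS_ACCEPT, [(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))])
LOGIN_ACCEPT = build_reply(ACCESS_ACCEPT, [(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN_USER))])
BARE_ACCEPT = build_reply(ACCESS_ACCEPT, [(ATTR_REPLY_MESSAGE, b"welcome")])
REJECT = build_reply(ACCESS_REJECT, [(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE))])

if __name__ == "__main__":
    for name, pkt in (("admin", ADMIN_ACCEPT), ("login-user", LOGIN_ACCEPT),
                      ("bare accept", BARE_ACCEPT), ("reject", REJECT)):
        print(f"{name}: permitted={admin_login_permitted(pkt)}")
```

If an administrator is rejected by the Guest Server even though the RADIUS server logs a successful authentication, the LOGIN_ACCEPT case above is the usual cause: the server's policy returns Service-Type Login-User (1) or omits the attribute instead of Administrative-User (6).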


Chapter 4

Configuring Sponsor Authentication

Sponsors are the people who use Cisco NAC Guest Server to create guest accounts. Sponsor authentication authenticates sponsor users to the Sponsor interface of the Guest Server. There are five options available:
• Local User Authentication—Create local sponsor accounts directly on the Cisco NAC Guest Server. See Configuring Local Sponsor Authentication, page 4-1.
• Active Directory Authentication—Authenticate sponsors against an existing Active Directory (AD) implementation. See Configuring Active Directory (AD) Authentication, page 4-6.
• LDAP Authentication—Authenticate sponsors against a Lightweight Directory Access Protocol (LDAP) server. See Configuring LDAP Authentication, page 4-10.
• RADIUS Authentication—Authenticate sponsors against a RADIUS server. See Configuring RADIUS Authentication, page 4-16.
• Active Directory Single Sign-On—This option uses Kerberos between the client’s web browser and the Cisco NAC Guest Server to automatically authenticate a sponsor against an Active Directory Domain Controller. See Configuring Active Directory Single Sign-On, page 4-20.
You can configure multiple authentication servers in the Cisco NAC Guest Server as well as the order in which the authentication servers are used to authenticate sponsors. For details, see Configuring Sponsor Authentication Settings, page 4-19.

Configuring Local Sponsor Authentication

Local authentication allows you to set up sponsor user accounts directly on the Cisco NAC Guest Server. You can do the following with local authentication:
• Add New Local User Account
• Edit Existing User Account
• Delete Existing User Account

Add New Local User Account

Step 1 From the administration interface, select Authentication > Sponsors > Local User Database from the menu as shown in Figure 4-1.


Figure 4-1 Local Users

Step 2 Click the Add User button to bring up the local sponsor configuration page as shown in Figure 4-2.

Figure 4-2 Add Local User

Step 3 In the Add a Local User Account page, enter all the sponsor user credentials:
• First Name—Type the first name of the sponsor.
• Last Name—Type the last name of the sponsor.
• Email—Type the email address of the sponsor.
• Group—Select the group for the sponsor account from the dropdown. Chapter 5, “Configuring Sponsor User Groups” provides further details on groups.
• Username—Type the user name for the sponsor account.
• Password—Type the password for the sponsor account.
• Confirm—Retype the password for the sponsor account.
Step 4 Click the Add User button.
• If there are any errors, the account is not added and an error message is displayed at the top of the page.
• If successfully added, a success message is displayed at the top of the page and you can add additional user accounts.

Edit Existing User Account

You can modify the settings of local sponsor accounts that are already created.

Step 1 From the administration interface, select Authentication > Sponsors and click the Local User Database tab as shown in Figure 4-3.

Figure 4-3 Local Users to Edit

Step 2 Select the user from the list and click the underlined username.
Step 3 In the Edit a Local User Account page, edit the user credentials as shown in Figure 4-4.

Figure 4-4 Edit Local User Account

• First Name—Edit the first name for the sponsor account.
• Last Name—Edit the last name for the sponsor account.
• Email—Edit the email address of the sponsor.
• Group—Select the group for the sponsor account from the dropdown. Chapter 5, “Configuring Sponsor User Groups” provides further details on groups.

Note Leaving the Password and Confirm fields empty retains the existing password.

• Password—Change the password for the sponsor account.
• Confirm—Retype the changed password for the sponsor account.
Step 4 Click the Save Settings button.
• If there are any errors, the account is not changed and an error message is displayed at the top of the page.
• If successfully changed, a success message is displayed at the top of the page and you can make additional changes to the same user account.

Delete Existing User Account

You can delete existing sponsor user accounts from the administration interface.

Step 1 From the administration interface, select Authentication > Sponsors and then click the Local User Database tab as shown in Figure 4-5.


Figure 4-5 Select User to Delete

Step 2 A list of local users appears on the page. Choose the user you wish to delete by clicking the bin icon to the right of the Group Name field.
Step 3 Confirm deletion of the user at the prompt.
• If successfully deleted, a success message is displayed at the top of the page and you can perform additional local user account operations.


Configuring Active Directory (AD) Authentication

Active Directory authentication authenticates sponsor users to the Guest Server using their existing AD user accounts. The sponsors need not have another set of user names and passwords to authenticate to the Guest Server. It also enables the administrator to quickly roll out Guest Access because there is no need to create and manage additional local sponsor accounts. Active Directory authentication allows you to do the following:
• Add Active Directory Domain Controller
• Edit Existing Domain Controller
• Delete Existing Domain Controller Entry
AD authentication supports authentication against multiple domain controllers. The domain controllers can be part of the same Active Directory to provide resilience, or they can be in different Active Directories. The Guest Server can authenticate sponsor users from separate domains, even where no trust relationship is configured. All Active Directory authentication is performed against individual domain controller entries. A domain controller entry consists of six items:
• Server Name—A text description to identify the domain controller. As a best practice, Cisco recommends identifying the domain controller and the account suffix in this field (although it can be set to anything that you choose).
• User Account Suffix—Every user in Active Directory has a full user logon name which appears as “username@domain”. Typing the @domain suffix (including the @ symbol) in this field means sponsor users do not have to enter their full user logon name.
• Domain Controller IP Address—The IP address of the domain controller against which the sponsor user authenticates.
• Base DN—The root of the Active Directory. This allows an LDAP search to be performed to find the user group of the sponsor.
• AD Username—The user account that has permissions to search the AD. This allows an LDAP search for the user group of the sponsor.
• AD Password—The password for the user account that has permissions to search the AD.
To allow you to authenticate different user account suffixes against the same domain controller, you can create multiple domain controller entries with the same IP address and different User Account Suffixes. The Server Name, User Account Suffix, and Base DN need to be different in each entry. To provide resilience in the event of a domain controller failure, you can enter multiple entries for the same User Account Suffix with different Domain Controller IP Addresses. The Server Name needs to be different in each entry. The Guest Server attempts to authenticate sponsors against each Domain Controller entry according to the Authentication Order specified in Configuring Sponsor Authentication Settings, page 4-19.


Add Active Directory Domain Controller

Step 1 From the administration interface, select Authentication > Sponsors > Active Directory Servers from the menu as shown in Figure 4-6.

Figure 4-6 Active Directory Authentication

Step 2 Click the Add Domain Controller button.
Step 3 In the Add Active Directory Domain Controller page, enter all the details for authenticating against a specific AD Domain Controller as shown in Figure 4-7.

Figure 4-7 Add Active Directory Domain Controller

• Server Name—Type a text description of the AD Server Name and account suffix for the domain controller. For example: CCA.CISCO.COM.
• User Account Suffix—Type the User Account Suffix and include the leading @. For example: @cca.cisco.com. Every AD user has a full user logon name that appears as “username@domain”. To allow sponsors to type their user logon name alone, type the @domain part (including the @ symbol) in this field.
• Domain Controller—Type the IP address or DNS name of the domain controller against which the sponsor authenticates.
• Base DN—Type the Base Distinguished Name (DN) of the domain controller. This is the name of the root of the directory tree. It is used so that when group searches are performed, the Guest Server knows from where to start. An example of the base DN for the domain cca.cisco.com is DC=cca,DC=cisco,DC=com.
• Username—Type a username that has permissions to search the Active Directory using LDAP. This allows the Guest Server to find out details about users such as the list of groups to which they belong. A read-only search is all this account needs, and the Guest Server has to keep its password in order to bind with it, so use a dedicated least-privileged service account rather than an administrator account.
• Password—In addition to the AD Username, type the password for that account.
• Confirm—Retype the password for confirmation.
• Enabled—Check the checkbox to enable the Guest Server to use this AD server to authenticate sponsors. If not checked, the AD server will not be used.
Step 4 Click the Test Connection button to verify that the settings are correct for the domain controller. Test Connection authenticates with the specified AD Username and Password to verify the settings. Success or failure status is returned by “Active Directory Connection Successful” or “Active Directory Connection Failed” messages.
Step 5 Click the Add Domain Controller button to add the domain controller. If successfully added, a confirmation message is displayed at the top of the page.

Edit Existing Domain Controller

Step 1 From the administration interface, select Authentication > Sponsor > Active Directory Servers from the menu as shown in Figure 4-6.
Step 2 Select the Active Directory Domain Controller from the list and click the underlined domain name to select and edit the domain controller as shown in Figure 4-8.

Figure 4-8 Select Domain Controller to Edit

Step 3 In the Edit Active Directory Domain Controller page as shown in Figure 4-9, edit the details for authenticating against this AD domain controller.


Figure 4-9 Edit Active Directory Domain Controller

Step 4 Modify settings as needed:
• User Account Suffix—Edit the User Account Suffix and include the leading @, for example: @cca.cisco.com. Every AD user has a full user logon name that appears as “username@domain”. To allow sponsors to type their user logon name alone, type the @domain part (including the @ symbol) in this field.
• Domain Controller—Edit the IP address of the domain controller against which the sponsor authenticates.
• Base DN—Edit the Base Distinguished Name (DN) of the domain controller. This is the name of the root of the directory tree. It is used so that when group searches are performed, the Guest Server knows from where to start. An example of the base DN for the domain cca.cisco.com is DC=cca,DC=cisco,DC=com.
• AD Username—Edit the username that has permissions to search the Active Directory using LDAP. This allows the Guest Server to find out details about users such as the list of groups to which they belong.

Note If you do not want to change the password, leave the Password and Confirm fields empty to retain the existing password.

• Password—Edit the password for the AD user account that has search permissions.
• Confirm—Retype the password to make sure it is correct.
• Enabled—Check this checkbox to enable the Guest Server to use this AD server to authenticate sponsors. If not checked, the AD server will not be used.
Step 5 Click the Test Connection button to verify that the settings are correct for the domain controller. Test Connection authenticates with the specified AD Username and Password to verify the settings. Success or failure status is returned by “Active Directory Connection Successful” or “Active Directory Connection Failed” messages.


Step 6 Click the Save Settings button.

Delete Existing Domain Controller Entry

Step 1 From the administration interface, select Authentication > Sponsor > Active Directory Servers from the menu.
Step 2 Locate the domain controller in the list as shown in Figure 4-10.

Figure 4-10 Delete Domain Controller entries

Step 3 Delete the domain controller by clicking the bin icon to the right of the Status field.
Step 4 Confirm deletion of the Domain Controller at the prompt. If there are any errors, the domain controller entry is not deleted and an error message is displayed at the top of the page. If successfully deleted, a success message is displayed at the top of the page and you can perform additional Domain Controller operations.

Configuring LDAP Authentication

LDAP authentication authenticates sponsor users to the Guest Server using their existing LDAP user accounts. The sponsors need not have another set of user names and passwords to authenticate to the Guest Server. It also enables the administrator to quickly roll out Guest Access because there is no need to create and manage additional local sponsor accounts. LDAP authentication allows you to do the following:
• Add an LDAP Server
• Edit an Existing LDAP Server
• Delete an Existing LDAP Server Entry
LDAP authentication supports authentication against multiple LDAP Servers. An LDAP server entry consists of multiple items:
• LDAP Server Name—A text description to identify the LDAP Server.
• LDAP Server URL—The URL used to access the LDAP server, such as ldap://ldap.cisco.com.
• Version—The LDAP version to use (version 1, 2 or 3).
• Base DN—The Distinguished Name of the container object where an LDAP search to find the user begins, such as OU=Engineering,O=Cisco.
• User Search Filter—The User Search Filter defines how user entries are named in the LDAP server. For example, you can define them as uid (uid=%USERNAME%) or cn (cn=%USERNAME%).
• Group Mapping—There are two main methods that LDAP servers use for assigning users to groups:
1. Storing the group membership in an attribute of the user object. With this method, the user object has one or more attributes that list the groups to which the user belongs. If your LDAP server uses this method of storing group membership, you need to enter the name of the attribute which holds the groups of which the user is a member.
2. Storing the user membership in an attribute of the group object. With this method, there is a group object that contains a list of the users who are members of the group. If your LDAP server uses this method, you need to specify the group to check under the LDAP mapping section of the User Group to which you want to match the user.
To determine the method to be used, Cisco recommends checking the LDAP documentation for your server or using an LDAP browser such as the one available at http://www.ldapbrowser.com/ to check the attributes of the server.
• Username—The user account that has permissions to search the LDAP server. This is needed so that the Cisco NAC Guest Server can search for the user account and group mapping information.
• Password—The password for the user account that has permissions to search the LDAP server.
To provide resilience in the event of an LDAP server failure, you can enter multiple entries for high availability LDAP servers pointing to the same database. The Server Name and URL need to be different in each entry. The Guest Server attempts to authenticate sponsors against each LDAP server entry in the order specified by Authentication Order, as detailed in Configuring Sponsor Authentication Settings, page 4-19.
To verify that you have the correct LDAP credentials for connecting to your LDAP server, Cisco recommends testing them with an LDAP browser such as the one available at http://www.ldapbrowser.com/.

Add an LDAP Server

Step 1 From the administration interface, select Authentication > Sponsors > LDAP Servers from the menu as shown in Figure 4-11.

Figure 4-11 LDAP Authentication

Step 2 Click the Add LDAP Server button.
Step 3 In the Add LDAP Server page, enter all the details for authenticating against a specific LDAP server as shown in Figure 4-12.


Figure 4-12 Add LDAP Server

• LDAP Server Name—Type a text description of the LDAP Server Name. For example: Cisco LDAP - ldap.cisco.com.
• LDAP Server URL—Enter the URL for accessing the LDAP server, such as ldap://ldap.cisco.com or ldaps://ldap.cisco.com. With a plain ldap:// URL the search account's bind password and every sponsor password the Guest Server checks cross the network unencrypted; prefer ldaps:// wherever the server supports it.
• Version—The version of LDAP supported by the server (version 1, 2 or 3).
• Base DN—The Distinguished Name of the container object from which an LDAP search to find the user is started, such as OU=Users,O=Cisco.com or OU=Engineering,O=Cisco.
• User Search Filter—The User Search Filter defines how user entries are named in the LDAP server. For example, you can define them to be uid (uid=%USERNAME%) or cn (cn=%USERNAME%). The %USERNAME% should be placed where the username will be inserted in a search.
• Group Mapping—There are two main methods that LDAP servers use for assigning users to groups:
1. Storing the group membership in an attribute of the user object. With this method the user object has one or more attributes that list the groups of which the user is a member. If your LDAP server uses this method of storing group membership, you need to enter the name of the attribute which holds the groups of which the user is a member. This attribute may be called something like groupMembership, memberOf, or group.
2. Storing the user membership in an attribute of the group object. With this method there is a group object that contains a list of the users who are members of the group. If your LDAP server uses this method, you need to specify the group to check under the LDAP mapping section of the User Group to which you want to match the user.
To determine the method to be used, Cisco recommends checking the LDAP documentation for your server or using an LDAP browser such as the one available at http://www.ldapbrowser.com/ to check the attributes of the server.
• Username—The user account that has permissions to search the LDAP server. This is needed so that the Cisco NAC Guest Server can search for the user account and group mapping information.
• Password—The password for the user account that has permissions to search the LDAP server.
• Confirm—Repeat the password for confirmation.
• Enabled—Check the checkbox to enable the Guest Server to use this LDAP server to authenticate sponsors. If not checked, the LDAP server will not be used.
Step 4 Click the Add LDAP Server button to save the settings.
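The following is an added example, not Guest Server or Cisco code, showing how a User Search Filter template such as (uid=%USERNAME%) is rendered and run, and how each of the two group-mapping methods above is evaluated, against a small constructed in-memory directory. The entries, attribute names and DNs are made up for illustration, and the RFC 4515 escaping of the substituted name is the behaviour a correct implementation performs (the page does not say how the Guest Server itself treats the value). Only the Python standard library is used.

```python
"""Added example (not Guest Server or Cisco code): User Search Filter
rendering and the two LDAP group-mapping methods, run against a small
constructed in-memory directory.  Attribute names, DNs and the %USERNAME%
handling are assumptions for illustration; only the standard library is used."""
import re

# Constructed directory: DN -> {attribute: [values]}.  Alice's membership is
# recorded both ways so both mapping methods can be shown on the same data.
DIRECTORY = {
    "uid=alice,ou=Engineering,o=Cisco": {
        "objectClass": ["person"], "uid": ["alice"],
        "memberOf": ["cn=sponsors,ou=Groups,o=Cisco"]},          # method 1
    "uid=bob,ou=Engineering,o=Cisco": {
        "objectClass": ["person"], "uid": ["bob"], "memberOf": []},
    "cn=sponsors,ou=Groups,o=Cisco": {
        "objectClass": ["groupOfNames"], "cn": ["sponsors"],
        "member": ["uid=alice,ou=Engineering,o=Cisco"]},          # method 2
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter, so a
    sponsor-supplied name can never change the structure of the filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def render_filter(template: str, username: str) -> str:
    """Substitute the escaped username wherever %USERNAME% appears."""
    return template.replace("%USERNAME%", escape_filter_value(username))


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def search(base_dn: str, filt: str) -> list:
    """Tiny evaluator for one equality filter '(attr=value)' scoped to the
    subtree under base_dn.  Wildcards are deliberately unsupported: an escaped
    '*' matches only a literal '*'.  The endswith() subtree test is a
    simplification of real DN matching."""
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", filt)
    if m is None:
        raise ValueError(f"unsupported or malformed filter: {filt}")
    attr, value = m.group(1), _unescape(m.group(2))
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base_dn.lower()) and value in entry.get(attr, [])]


def find_user(base_dn: str, template: str, username: str):
    """Return the user's DN, or None when the search finds nothing or more
    than one entry (two hits for one name is a configuration problem, so
    fail closed rather than pick one)."""
    hits = search(base_dn, render_filter(template, username))
    return hits[0] if len(hits) == 1 else None


def groups_via_user_attribute(user_dn: str, attribute: str = "memberOf") -> list:
    """Method 1: the user object lists its groups (memberOf, groupMembership, ...)."""
    return list(DIRECTORY[user_dn].get(attribute, []))


def is_member_via_group_attribute(user_dn: str, group_dn: str,
                                  attribute: str = "member") -> bool:
    """Method 2: the group object lists its members; check the group named in
    the sponsor User Group's LDAP mapping."""
    return user_dn in DIRECTORY.get(group_dn, {}).get(attribute, [])
```

A name such as `*)(uid=*` becomes `(uid=\2a\29\28uid=\2a)` after rendering and matches nothing, which is the behaviour you want from the sponsor login form; the base DN additionally bounds the search, so the same template run under OU=Groups finds no sponsor at all.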

Edit an Existing LDAP Server

Step 1 From the administration interface, select Authentication > Sponsor > LDAP Servers from the menu.
Step 2 Select the LDAP Server you wish to edit from the list and click the underlined domain of that server as shown in Figure 4-13.

Figure 4-13 Select LDAP Server to Edit

Step 3 In the LDAP Server page as shown in Figure 4-14, edit the details for authenticating against this LDAP server.


Figure 4-14 Edit LDAP Server Settings

Step 4 Modify settings as needed:
• LDAP Server URL—Enter the URL for accessing the LDAP server, such as ldap://ldap.cisco.com or ldaps://ldap.cisco.com.
• Version—The version of LDAP supported by the server (version 1, 2 or 3).
• Base DN—The Distinguished Name of the container object from which an LDAP search to find the user is started, such as OU=Users,O=Cisco.com or OU=Engineering,O=Cisco.
• User Search Filter—The User Search Filter defines how user entries are named in the LDAP server. For example, you can define them to be uid (uid=%USERNAME%) or cn (cn=%USERNAME%). The %USERNAME% should be placed where the username will be inserted in a search.
• Group Mapping—There are two main methods that LDAP servers use for assigning users to groups:
1. Storing the group membership in an attribute of the user object. With this method the user object has one or more attributes that list the groups of which the user is a member. If your LDAP server uses this method of storing group membership, you need to enter the name of the attribute which holds the groups of which the user is a member. This attribute may be called something like groupMembership, memberOf, or group.
2. Storing the user membership in an attribute of the group object. With this method there is a group object that contains a list of the users who are members of the group. If your LDAP server uses this method, you need to specify the group to check under the LDAP mapping section of the User Group to which you want to match the user.
To determine the method to be used, Cisco recommends checking the LDAP documentation for your server or using an LDAP browser such as the one available at http://www.ldapbrowser.com/ to check the attributes of the server.
• Username—The user account that has permissions to search the LDAP server. This is needed so that the Cisco NAC Guest Server can search for the user account and group mapping information.
• Password—The password for the user account that has permissions to search the LDAP server.
• Confirm—Repeat the password for confirmation.

Note If you do not want to change the password, leave the Password and Confirm fields empty to retain the existing password.

• Enabled—Check the checkbox to enable the Guest Server to use this LDAP server to authenticate sponsors. If not checked, the LDAP server will not be used.
Step 5 Click the Test Connection button to verify that the settings are correct for the LDAP server. Test Connection binds to the LDAP server with the username and password specified to verify that the bind succeeds. Success or failure status is returned by “LDAP Connection Successful” or “LDAP Connection Failed” messages.
Step 6 Click the Save Settings button.

Delete an Existing LDAP Server Entry

Step 1 From the administration interface, select Authentication > Sponsor > LDAP Servers from the menu.
Step 2 Locate the LDAP Server in the list as shown in Figure 4-15.

Figure 4-15 Delete LDAP Server entries

Step 3 A list of LDAP Servers appears on the page. Choose the server you wish to delete by clicking the bin icon to the right of the Status field.
Step 4 Confirm deletion of the LDAP Server at the prompt. If there are any errors, the LDAP Server entry is not deleted and an error message is displayed at the top of the page. If successfully deleted, a success message is displayed at the top of the page and you can perform additional LDAP Server operations.


Configuring RADIUS Authentication

RADIUS authentication authenticates sponsor users to the Cisco NAC Guest Server using their existing RADIUS user accounts. The sponsors need not have another set of user names and passwords to authenticate to the Guest Server. It also enables the administrator to quickly roll out Guest Access because there is no need to create and manage additional local sponsor accounts. RADIUS authentication allows you to do the following:
• Add a RADIUS Server
• Edit an Existing RADIUS Server
• Delete an Existing RADIUS Server Entry

Add a RADIUS Server

Step 1 From the administration interface, select Authentication > Sponsors > RADIUS Servers from the menu as shown in Figure 4-16.

Figure 4-16 RADIUS Authentication

Step 2 Click the Add RADIUS Server button.
Step 3 In the Add RADIUS Server page, enter all the details for authenticating against a specific RADIUS server as shown in Figure 4-17.

Figure 4-17 Add RADIUS Server

• Server Name—Type a text description of the RADIUS Server Name. For example: Cisco RADIUS - radius.cisco.com.
• Server IP Address—Enter the IP address or domain name of the RADIUS server.
• Port—Enter the UDP port used to connect to the RADIUS server. The common ports for RADIUS authentication are 1645 or 1812. Port 1812 is the IANA-assigned RADIUS authentication port; 1645 is the older assignment that some servers still listen on.
• RADIUS Secret—The shared secret used to secure the communications between the Cisco NAC Guest Server and the RADIUS server. RADIUS uses this secret only to obfuscate the User-Password attribute and to authenticate the server's reply, so it must be long and random, unique to this Guest Server, and protected like a password.
• Confirm—Repeat the shared secret for confirmation.
• Enabled—Check the checkbox to enable the Guest Server to use this RADIUS server to authenticate sponsors. If not checked, the RADIUS server will not be used.
Step 4 Click the Save button.
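The following added example, not Cisco or NAC Guest Server code, builds the RFC 2865 Access-Request that the settings above describe and the Access-Accept or Access-Reject a server returns, so that the role of the shared secret is visible: it keys the MD5-based hiding of the User-Password attribute and the Response Authenticator that lets the client detect a forged reply. The secret, usernames and passwords are constructed sample values, the UDP transport to port 1812 or 1645 is omitted so the code runs offline, and only the Python standard library is used.

```python
"""Added example (not Cisco or NAC Guest Server code): the RADIUS
Access-Request / Access-Accept exchange of RFC 2865, showing what the shared
secret protects.  Secret, usernames and passwords are constructed sample
values; the UDP transport is left out so the example runs offline."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _pad16(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % 16)


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator.  This is keyed obfuscation, not authenticated
    encryption, which is why the secret must be long and random."""
    out, prev = b"", authenticator
    padded = _pad16(password)
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")   # remove the padding added by encode


def _attr(atype: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("value too long for one RADIUS attribute")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, authenticator: bytes = None):
    """Client side (what the Guest Server sends).  The Request Authenticator
    must be fresh and unpredictable per request: reusing one lets an observer
    recover the keystream that hides the password."""
    if authenticator is None:
        authenticator = os.urandom(16)
    hidden = encode_user_password(password.encode(), secret, authenticator)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(ATTR_USER_PASSWORD, hidden)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_packet(pkt: bytes):
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = {}, 20
    while i < length:
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[atype] = pkt[i + 2:i + alen]
        i += alen
    return code, identifier, pkt[4:20], attrs


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: the Response Authenticator binds the reply to the request
    and to the secret, so a reply forged without the secret is detectable."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(resp: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    header, resp_auth, attrs = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def radius_server_handle(pkt: bytes, secret: bytes, userdb: dict) -> bytes:
    """Minimal server: recover the password with the same secret and answer."""
    code, identifier, req_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = decode_user_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in userdb and hmac.compare_digest(password, userdb[user].encode())
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, req_auth, secret)
```

Two properties worth noting when you choose the secret: a server configured with a different secret recovers garbage instead of the password (so a mismatch shows up as rejects, not as an error), and a reply built without the right secret fails verify_response, which is the only integrity check the Guest Server has over this UDP exchange.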

Edit an Existing RADIUS Server

Step 1 From the administration interface, select Authentication > Sponsor > RADIUS Servers from the menu.
Step 2 Select the RADIUS server from the list and click the underlined name of the server you wish to edit as shown in Figure 4-18.

Figure 4-18 Select RADIUS Server to Edit

Step 3 In the Edit RADIUS Server Details page as shown in Figure 4-19, edit the details for authenticating against this RADIUS server.


Figure 4-19 Edit RADIUS Server Settings

Step 4 Modify settings as needed:
• Server IP Address—Enter the IP address or domain name of the RADIUS server.
• Port—Enter the UDP port used to connect to the RADIUS server. The common ports for RADIUS authentication are 1645 or 1812.
• RADIUS Secret—The shared secret used to secure the communications between the Cisco NAC Guest Server and the RADIUS server.

Note If you do not want to change the shared secret, leave the RADIUS Secret and Confirm fields empty to retain the existing shared secret.

• Confirm—Repeat the shared secret for confirmation.
• Enabled—Check the checkbox to enable the Guest Server to use this RADIUS server to authenticate sponsors. If not checked, the RADIUS server will not be used.
Step 5 Click the Save Settings button.

Delete an Existing RADIUS Server Entry

Step 1 From the administration interface, select Authentication > Sponsor > RADIUS Servers from the menu.
Step 2 Locate the RADIUS server in the list as shown in Figure 4-20.

Figure 4-20 Delete RADIUS Server Entries

Step 3 A list of RADIUS Servers appears on the page. Click the bin icon to the right of the Status field to delete the server.
Step 4 Confirm deletion of the RADIUS server at the prompt. If there are any errors, the RADIUS server entry is not deleted and an error message is displayed at the top of the page. If successfully deleted, a success message is displayed at the top of the page and you can perform additional RADIUS operations.

Configuring Sponsor Authentication Settings

Changing the Order of Authentication Servers

When a sponsor authenticates against the Cisco NAC Guest Server, the Guest Server tries each authentication server that has been defined, in order, until it successfully authenticates a sponsor. If none of the authentication servers can authenticate the sponsor, an error message is returned. As you can define many different authentication servers of different kinds, you can order them in any way you want on a server-by-server basis.

Step 1 From the administration interface, select Authentication > Sponsor > Authentication Order from the menu as shown in Figure 4-21.

Figure 4-21 Authentication Order

The first server to be authenticated against is at the top of the list and the last one at the bottom.


Step 2 Select the server that you want to re-order from the list and click either the move up or move down button. Repeat this for each server until they are in the correct order.
Step 3 To save the authentication order, click the Change Order button.
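The following added example, not Cisco code, models the two fallback policies this page describes so they can be compared side by side: the sponsor Authentication Order above, where every enabled server is tried in list order and the first accept wins, and the administrator RADIUS Authentication Mode from Chapter 3, where the checkbox decides whether the Local Admin account is reachable only when no RADIUS server answers or also when one denies the login. The server callables are stand-ins for the real AD, LDAP and RADIUS lookups, and the reading of the unchecked mode's "denied" as any non-accept result is an assumption noted in the code.

```python
"""Added example (not Cisco code): the sponsor authentication-order loop and
the administrator RADIUS fallback policy described on this page.  The server
callables are constructed stand-ins for real AD/LDAP/RADIUS lookups."""
from enum import Enum


class Outcome(Enum):
    ACCEPT = "accept"            # server answered and authenticated the user
    REJECT = "reject"            # server answered and denied the user
    UNREACHABLE = "unreachable"  # no answer (timeout, network error)


def authenticate_sponsor(servers, username, password):
    """Sponsor login: try each enabled server in list order and stop at the
    first ACCEPT.  A REJECT or UNREACHABLE from one server does not end the
    attempt; the next server is tried.  Returns the decision and the trail of
    results, which is what you want in the audit log."""
    trail = []
    for name, enabled, check in servers:
        if not enabled:
            continue
        result = check(username, password)
        trail.append((name, result))
        if result is Outcome.ACCEPT:
            return True, trail
    return False, trail


def admin_local_fallback_allowed(radius_results, strict_mode):
    """Administrator RADIUS 'Authentication Mode' checkbox (Chapter 3).
    strict_mode=True (checked): the Local Admin account is usable only when
    every RADIUS server that was asked could not be contacted, so a RADIUS
    reject stays a reject.  strict_mode=False (unchecked): the Local Admin
    account is usable when a RADIUS server denied the login; this example
    reads 'denied' as any non-ACCEPT result (assumption)."""
    if strict_mode:
        return all(r is Outcome.UNREACHABLE for r in radius_results)
    return any(r is not Outcome.ACCEPT for r in radius_results)


def admin_login_decision(primary, secondary, strict_mode, local_password_ok):
    """The primary is always asked; the secondary only when the primary gives
    no response, as the Secondary RADIUS Server description states."""
    results = [primary()]
    if results[0] is Outcome.UNREACHABLE and secondary is not None:
        results.append(secondary())
    if Outcome.ACCEPT in results:
        return "radius-accept", results
    if admin_local_fallback_allowed(results, strict_mode) and local_password_ok:
        return "local-admin", results
    return "deny", results
```

The practical consequence is visible in the unchecked branch: a RADIUS reject still leaves the local administrator password as a valid way in, so in that mode the local password, not the RADIUS policy, is the last line of defence for the administration interface.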

Session Timeouts

A sponsor that logs in to the Cisco NAC Guest Server is logged out after a period of inactivity. You can set the inactivity period through the Session Timeout Settings page.

Note The Session Timeout defined here applies to both the Sponsor and Administration interfaces. See Admin Session Timeout, page 3-19.

Step 1 From the administration interface, select Authentication > Sponsor > Settings from the menu as shown in Figure 4-22.

Figure 4-22 Session Timeout

Step 2 Enter the Session Timeout value in minutes (default is 10 minutes). When sponsors are inactive for this amount of time, their sessions expire and the next action they perform takes them to the login page.
Step 3 Click the Save Settings button to save the session timeout.

Configuring Active Directory Single Sign-On

The Active Directory Single Sign-On (AD SSO) feature uses Kerberos between the client’s web browser and the Cisco NAC Guest Server to automatically authenticate a sponsor against an Active Directory Domain Controller. An Active Directory Domain Controller in the same domain as the single sign-on configuration must have been previously configured as described in Configuring Active Directory (AD) Authentication, page 4-6. Starting from NAC Guest Server 2.0.4, the following environments are supported:
• Windows 2003 Server
• Windows 2008 R2 Server
• 2003 client with Internet Explorer 6, 7, 8, and 9


Note AD SSO requires DES encryption, which is disabled by default on Windows 2008 R2 Server. If you are using Windows 2008 R2 Server, you must enable DES encryption manually to use AD SSO. The DES Kerberos encryption types are disabled by default because they are cryptographically weak, so enabling them is a domain security trade-off; where your environment allows, enable them only for the Guest Server's computer account rather than domain-wide.

Starting from NAC Guest Server 2.1.0, the following environments are supported:
• Functional level Windows 2012 in Windows 2012 server
• Functional level Windows 2008 R2 in Windows 2012 server
• Functional level Windows 2008 in Windows 2012 server
• Functional level Windows 2003 in Windows 2012 server
• Functional level Windows 2008 in Windows 2008R2 server
• Functional level Windows 2003 in Windows 2008R2 server
• Functional level in Windows 2008R2 server

Requirements for Active Directory Single Sign-On

The following requirements must be met for Active Directory Single Sign-On to be configured successfully:
• DNS must be configured and working on the Cisco NAC Guest Server.
• DNS must be configured and working on the Domain Controller.
• Both of the following DNS entries for the Cisco NAC Guest Server must be defined:
– “A” record
– “PTR” record
• Both of the following DNS entries for the Domain Controller must be defined:
– “A” record
– “PTR” record
• Cisco NAC Guest Server time settings must be synchronized with the Active Directory Domain.
If any of these requirements is not met, AD SSO configuration will fail.

Note Cisco strongly recommends configuring NTP so that time is synchronized with the Active Directory Domain. Single Sign-On will fail if the time on the Cisco NAC Guest Server differs by more than 5 minutes from the client or the domain.
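The following added example, not Cisco code, is a preflight for the requirements above: it checks that the Guest Server and the Domain Controller each have an A record pointing at the expected address and a PTR record pointing back at the same name, and that the clocks agree within the 5-minute tolerance the note cites. The resolver functions are injectable so the check can be exercised against constructed data; by default they use the system resolver. The Domain Controller's time is passed in as a number obtained out of band (for example from your NTP source), which is an assumption of the example.

```python
"""Added example (not Cisco code): preflight for the AD SSO DNS and time
requirements listed above.  Resolvers are injectable for offline use; the
DC's clock value is supplied by the caller (assumption)."""
import socket

MAX_SKEW_SECONDS = 300   # the 5-minute limit cited in the note above


def _norm(name: str) -> str:
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return name.rstrip(".").lower()


def check_forward_reverse(fqdn, expected_ip,
                          forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """The A record must give expected_ip, and the PTR for that IP must name
    fqdn (directly or as one of its aliases).  Returns a list of problems."""
    problems = []
    try:
        ip = forward(fqdn)
    except OSError as err:
        return [f"{fqdn}: A lookup failed ({err})"]
    if ip != expected_ip:
        problems.append(f"{fqdn}: A record is {ip}, expected {expected_ip}")
    try:
        ptr_name, aliases, _ = reverse(ip)
    except OSError as err:
        problems.append(f"{ip}: PTR lookup failed ({err})")
        return problems
    if _norm(fqdn) not in {_norm(ptr_name)} | {_norm(a) for a in aliases}:
        problems.append(f"{ip}: PTR names {ptr_name}, not {fqdn}")
    return problems


def check_clock_skew(local_epoch, reference_epoch, max_skew=MAX_SKEW_SECONDS):
    """Kerberos rejects tickets when clocks differ by more than the skew limit."""
    skew = abs(local_epoch - reference_epoch)
    return [] if skew <= max_skew else [f"clock skew {skew:.0f}s exceeds {max_skew}s"]


def ad_sso_preflight(guest_fqdn, guest_ip, dc_fqdn, dc_ip, local_epoch, dc_epoch,
                     forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Empty list means every requirement on the page is satisfied."""
    return (check_forward_reverse(guest_fqdn, guest_ip, forward, reverse)
            + check_forward_reverse(dc_fqdn, dc_ip, forward, reverse)
            + check_clock_skew(local_epoch, dc_epoch))


if __name__ == "__main__":
    # Usage: preflight.py GUEST_FQDN GUEST_IP DC_FQDN DC_IP [DC_EPOCH_SECONDS]
    import sys
    import time
    g_fqdn, g_ip, d_fqdn, d_ip = sys.argv[1:5]
    dc_epoch = float(sys.argv[5]) if len(sys.argv) > 5 else time.time()
    for problem in ad_sso_preflight(g_fqdn, g_ip, d_fqdn, d_ip, time.time(), dc_epoch):
        print(problem)
```

Run it before Step 9 of the procedure that follows: a PTR that names a different host, or a clock more than 300 seconds adrift, is reported explicitly instead of surfacing later as a failed domain join or a browser that silently falls back to the login page.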

Step 1 Configure an Active Directory Server as described in Configuring Active Directory (AD) Authentication, page 4-6. An Active Directory Server is needed so that users performing Single Sign-On can be correctly mapped against a sponsor group. The Active Directory Server must be in the same domain as the Single Sign-On configuration.
Step 2 From the administration interface, select Authentication > AD Single Sign-On from the left menu as shown in Figure 4-23.


Figure 4-23 Active Directory Single Sign-On

Step 3 Check the Enable AD Single Sign On checkbox to enable AD SSO.
Step 4 Type the Active Directory Domain Name for the domain for which you want to enable SSO.
Step 5 Type the Fully Qualified Domain Name of the Active Directory Domain Controller. The Cisco NAC Guest Server needs to be able to resolve both A and PTR records for the Domain Controller.
Step 6 Type the Fully Qualified Domain Name of the NAC Guest Server. The NAC Guest Server needs to be able to resolve both A and PTR records for itself with DNS.
Step 7 Type an AD Administrator Username for the Domain. This account is used for adding the NAC Guest Server to the domain and creating its computer account.
Step 8 Type the Password for the AD Administrator and retype it in the Confirm field.
Step 9 Click Save. The NAC Guest Server joins the domain, creates a computer account, and turns on Active Directory Single Sign-On.

Mapping User Group with AD SSO

To map a user group with AD SSO, you need to configure the Active Directory Server as Auth Server and then map the AD group with Sponsor User Group.

Step 1 Choose Authentications > Sponsors > Active Directory Servers.
Step 2 Add a new domain controller.
Step 3 Click Test Connection to ensure that you have configured the domain controller correctly.
Step 4 Add a new user group as described in Adding Sponsor User Groups, page 5-2.
Step 5 Select No in the Create Bulk Accounts dropdown.


Step 6 In the Active Directory Mapping, ensure that you select the right user group as described in Mapping to Active Directory Groups, page 5-10.
Step 7 You can verify that the user is placed in the Sponsor group by checking the Audit Logs as described in Audit Logs, page 15-5.

Configuring AD SSO on Multiple Domains

Starting from NAC Guest Server Release 2.0.4, you can configure AD SSO on multiple domains. In the following example, the NAC Guest Server is already present in the domain cca.cisco.com. This section explains how to enable AD SSO for a different domain child.cca.cisco.com present in the same forest, cca.cisco.com. Before configuring the SSO section, ensure that the "A" and "PTR" records exist for the domain controller and NAC Guest Server.

Step 1 From the administration interface, select Authentication > AD Single Sign-On from the left menu as shown in Figure 4-24.

Figure 4-24 Server Settings for Multiple Domain

Step 2 Check the Enable AD Single Sign On checkbox to enable AD SSO.
Step 3 Type the Active Directory Domain Name as CHILD.CCA.CISCO.COM.
Step 4 Type the Fully Qualified Domain Name of the Active Directory Domain Controller.
Step 5 Type the Fully Qualified Domain Name of the NAC Guest Server as ngs.cca.cisco.com.


Step 6 Type an AD Administrator Username for the Domain.
Step 7 Type the Password for the AD Administrator and retype it in the Confirm field.
Step 8 Click Save.
Step 9 Once the domain is configured, you get a success message as shown in Figure 4-25.

Figure 4-25 Configuration Successful for Multi-Domain Setup

Verifying the Configuration for Multiple Domain

From the user machine, log into the domain. In this example, the machine is part of the child.cca.cisco.com domain. Ensure that the NAC Guest Server is part of the browser's local intranet zone and that auto-login is turned on. In the web browser, enter the FQDN of the NAC Guest Server. You should be automatically logged in with your domain credentials.

Note Use the FQDN for the NAC Guest Server to test SSO from the browser. The IP address does not work.

Configuring AD SSO on Multiple Forests

Starting from NAC Guest Server Release 2.0.4, you can configure AD SSO on multiple forests. In the following example, the NAC Guest Server is already present in the forest cca.cisco.com. This section explains how to enable AD SSO for a different domain chn-acsdev.com present in a different forest. Before configuring the SSO section, ensure that the "A" and "PTR" records exist for the domain controller and NAC Guest Server.

Note AD SSO is supported in cross-forest configurations with two-way trust established between the forests.


Step 1 From the administration interface, select Authentication > AD Single Sign-On from the left menu as shown in Figure 4-26.

Figure 4-26 Server Settings for Multiple Forest

Step 2 Check the Enable AD Single Sign On checkbox to enable AD SSO.
Step 3 Type the Active Directory Domain Name as CHN-ACSDEV.COM.
Step 4 Type the Fully Qualified Domain Name of the Active Directory Domain Controller.
Step 5 Type the Fully Qualified Domain Name of the NAC Guest Server as ngs.cca.cisco.com.
Step 6 Type an AD Administrator Username for the Domain.
Step 7 Type the Password for the AD Administrator and retype it in the Confirm field.
Step 8 Click Save.
Step 9 Once the domain is configured, you get a success message as shown in Figure 4-27.


Figure 4-27 Configuration Successful for Multi-Forest Setup

Verifying the Configuration for Multiple Forest

From the user machine, log into the domain. In this example, the machine is part of the chn-acsdev.com domain. Ensure that the NAC Guest Server is part of the browser's local intranet zone and that auto-login is turned on. In the web browser, enter the FQDN of the NAC Guest Server. You should be automatically logged in with your domain credentials.

Note Use the FQDN for the NAC Guest Server to test SSO from the browser. The IP address does not work.

Troubleshooting the AD SSO Configuration

This section describes the error messages in the logs and tips to troubleshoot the issues that may occur during the configuration.

Error: Domain format incorrect / Domain Controller must be a FQDN, not an IP address
The domain has not been entered in the correct format, for example: CCA.CISCO.COM.

Error: Hostname must be a FQDN, not an IP address
The hostname of the NAC Guest Server cannot be an IP address; it must be a Fully Qualified Domain Name, for example: nac.cca.cisco.com.


Error: Cannot determine IP address for Domain Controller

Error: Cannot get DNS A record for Domain Controller

Error: Cannot get DNS A record for hostname

Error: Cannot get DNS PTR record for Domain Controller IP address

Error: Cannot get DNS PTR record for hostname IP address
The above errors occur when there is an issue with the DNS configuration.

Error: Failed to create computer account for this server on the Domain Controller. See application log for details

Error: Invalid username/password
The administrator username or password is not correct. View the application log for full details of the error.

Error: Invalid Domain or cannot resolve network address for DC
There is a DNS problem on the AD server.

Error: Domain Controller time does not match this server's time
Ensure that the server times match. It is recommended to use NTP to synchronize server times.

Error: The DC cannot determine the hostname for the Guest server by reverse lookup. There may be an issue with your DNS configuration.
The above error may be due to a DNS configuration issue on the AD server.


CHAPTER 5

Configuring Sponsor User Groups

Sponsor user groups are the method by which you assign permissions to the sponsors. You can set role-based permissions for sponsors to allow or restrict access to different functions, such as creating accounts, modifying accounts, generating reports, and sending account details to guests by email or SMS. Once you have created a user group, create mapping rules to map the sponsor to a group based upon information returned from the authentication server such as Active Directory Group, LDAP Group membership, or RADIUS Class attribute.

Tip By default, all users are assigned to the DEFAULT group. If you only want to have a single classification of sponsors, you can edit the DEFAULT group.

This chapter describes the following:
• Adding Sponsor User Groups
• Editing Sponsor User Groups
• Deleting User Groups
• Specifying the Order of Sponsor User Groups
• Mapping to Active Directory Groups
• Mapping to LDAP Groups
• Mapping to RADIUS Groups
• Assigning Guest Roles
• Assigning Time Profiles


Adding Sponsor User Groups

You can create a new sponsor user group using the following steps.

Step 1 From the administration interface, select Authentication > Sponsor User Groups as shown in Figure 5-1.

Figure 5-1 Sponsor User Groups

Step 2 Click the Add Sponsor Group button to add a new user group.
Step 3 From the Add a New Sponsor Group page as shown in Figure 5-2, type the name for a new user group in the Sponsor Group Name field.

Figure 5-2 Add New Sponsor Group

Step 4 Click the Add Sponsor Group button to add a user group. You can now edit the settings for the new user group by clicking the Edit Group button as shown in Figure 5-3.


Figure 5-3 Edit New Sponsor Group

Step 5 Edit and set the permissions for the new User Group as follows:
• Allow Login—Select Yes to allow sponsors in this group to access the Cisco NAC Guest Server.
• Create Account—Select Yes to allow sponsors to create guest accounts.
• Create Bulk Accounts—Select Yes to allow sponsors to create multiple accounts at a time by pasting in the details.
• Create Random Accounts—Select Yes to allow sponsors to create multiple random accounts without initially capturing the guest’s details.
• Import CSV—Select Yes to allow sponsors to create multiple accounts at a time by importing the details from a CSV file.
• Send Email—Select Yes to allow sponsors to send account details via email from the Guest Server to the guest user.
• Send SMS—Select Yes to allow sponsors to send account details via SMS from the Guest Server to the guest user.
• View Guest Password—Select Yes to allow sponsors to view the password that has been created for the guest.
• Allow Printing Guest Details—Select Yes to allow sponsors to print out the guest’s details.


Note Select No, if you want to disable any of the above permissions.

• Edit Account—Choose one of the following permissions for editing the end date/time on guest accounts:
– No—Sponsors are not allowed to edit any guest accounts.
– Own Account—Sponsors are allowed to edit only the guest accounts they created.
– Group Accounts—Sponsors are allowed to edit guest accounts created by anyone in the same sponsor user group.
– All Accounts—Sponsors are allowed to edit any guest accounts.
• Suspend Account—Choose one of the following options for suspending accounts:
– No—Sponsors are not allowed to suspend any guest accounts.
– Own Account—Sponsors are allowed to suspend only the guest accounts they created.
– Group Accounts—Sponsors are allowed to suspend guest accounts created by anyone in the same sponsor user group.
– All Accounts—Sponsors are allowed to suspend any guest accounts.
• Full Reporting—Choose one of the following permissions for viewing reporting details for full reporting. See Reporting on Guest Users, page 17-19 for additional details.
– No—Sponsors are not allowed to view reporting details on any guest accounts.
– Own Account—Sponsors are allowed to view reporting details for only the guest accounts they created.
– Group Accounts—Sponsors are allowed to view active guest accounts created by anyone in the same sponsor user group.
– All Accounts—Sponsors are allowed to view reporting details on any active guest accounts.
• Detailed Reports - Accounting Log—Choose one of the following permissions for running a full report on accounting logs:
– No—Sponsors are not allowed to run accounting log reporting on any guest accounts.
– Own Account—Sponsors are allowed to run full accounting log reporting for only the guest accounts they created.
– Group Accounts—Sponsors are allowed to run full reporting on guest accounts created by anyone in the same sponsor user group.
– All Accounts—Sponsors are allowed to run full accounting log reporting on any active guest accounts.
• Detailed Reports - Audit Log—Choose one of the following permissions for running a full report on audit logs:
– No—Sponsors are not allowed to run an audit log report on any accounts.
– Own Account—Sponsors are allowed to run an audit log report for only the guest accounts they created.
– Group Accounts—Sponsors are allowed to run an audit log report for guest accounts created by anyone in the same sponsor user group.
– All Accounts—Sponsors are allowed to run an audit log report on any active guest accounts.
• Detailed Reports - Activity Log—Choose one of the following permissions for running a full report on activity logs:
– No—Sponsors are not allowed to run detailed reports on activity logs on any guest accounts.
– Own Account—Sponsors are allowed to run detailed reports on activity logs for only the guest accounts they created.
– Group Accounts—Sponsors are allowed to run a detailed report on activity logs for guest accounts created by anyone in the same sponsor user group.
– All Accounts—Sponsors are allowed to run detailed reports on activity logs on any active guest accounts.
• Management Reports—Select Yes to allow the sponsors to run the management reports. If you select No, the sponsors are not allowed to run the reports.
• Number of days in the future the account can be created—This specifies the period in the future for which the guests can create accounts. Specify the maximum number of days, hours, or minutes that they are allowed to create accounts in the future.
• Maximum duration of account—This specifies the maximum duration for which the sponsor can configure an account. Specify the duration in days, hours, or minutes.
Step 6 Click the Save button to add the group with the permissions specified.

Note Until you click the Save button, the group is not created.

Step 7 Execute one of the following sets of instructions to correctly map sponsor users to your group based upon group information from the authentication server:
• Mapping to Active Directory Groups, page 5-10
• Mapping to LDAP Groups, page 5-11
• Mapping to RADIUS Groups, page 5-12

Editing Sponsor User Groups

The following steps describe how to edit sponsor user groups.

Step 1 From the administration interface, select Authentication > Sponsor User Groups from the left hand menu.
Step 2 Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.


Figure 5-4 Select the Sponsor User Group to Edit

Step 3 In the Edit Permissions page as shown in Figure 5-5, change the settings for the group.

Figure 5-5 Edit User Group

Step 4 Edit Permissions for the User Group as follows:
• Allow Login—Select Yes to allow sponsors in this group to access the Cisco NAC Guest Server.
• Create Account—Select Yes to allow sponsors to create guest accounts.
• Create Bulk Accounts—Select Yes to allow sponsors to create multiple accounts at a time by pasting in the details.
• Create Random Accounts—Select Yes to allow sponsors to create multiple random accounts without initially capturing the guest’s details.


• Import CSV—Select Yes to allow sponsors to create multiple accounts at a time by importing the details from a CSV file.
• Send Email—Select Yes to allow sponsors to send account details via email from the Guest Server to the guest user.
• Send SMS—Select Yes to allow sponsors to send account details via SMS from the Guest Server to the guest user.
• View Guest Password—Select Yes to allow sponsors to view the password that has been created for the guest.
• Allow Printing Guest Details—Select Yes to allow sponsors to print out the guest’s details. Otherwise, select No.

Note Select No, if you want to disable any of the above permissions.

• Edit Account—Choose one of the following permissions for editing the end date/time on guest accounts:
– No—Sponsors are not allowed to edit any guest accounts.
– Own Account—Sponsors are allowed to edit only the guest accounts they created.
– Group Accounts—Sponsors are allowed to edit guest accounts created by anyone in the same sponsor user group.
– All Accounts—Sponsors are allowed to edit any guest accounts.
• Suspend Account—Choose one of the following options for suspending accounts:
– No—Sponsors are not allowed to suspend any guest accounts.
– Own Account—Sponsors are allowed to suspend only the guest accounts they created.
– Group Accounts—Sponsors are allowed to suspend guest accounts created by anyone in the same sponsor user group.
– All Accounts—Sponsors are allowed to suspend any guest accounts.
• Full Reporting—Choose one of the following permissions for viewing reporting details for full reporting. See Reporting on Guest Users, page 17-19 for additional details.
– No—Sponsors are not allowed to view reporting details on any guest accounts.
– Own Account—Sponsors are allowed to view reporting details for only the guest accounts they created.
– Group Accounts—Sponsors are allowed to view active guest accounts created by anyone in the same sponsor user group.
– All Accounts—Sponsors are allowed to view reporting details on any active guest accounts.
• Detailed Reports - Accounting Log—Choose one of the following permissions for running a full report on accounting logs:
– No—Sponsors are not allowed to run accounting log reporting on any guest accounts.
– Own Account—Sponsors are allowed to run full accounting log reporting for only the guest accounts they created.
– Group Accounts—Sponsors are allowed to run full reporting on guest accounts created by anyone in the same sponsor user group.
– All Accounts—Sponsors are allowed to run full accounting log reporting on any active guest accounts.
• Detailed Reports - Audit Log—Choose one of the following permissions for running a full report on audit logs:
– No—Sponsors are not allowed to run an audit log report on any accounts.
– Own Account—Sponsors are allowed to run an audit log report for only the guest accounts they created.
– Group Accounts—Sponsors are allowed to run an audit log report for guest accounts created by anyone in the same sponsor user group.
– All Accounts—Sponsors are allowed to run an audit log report on any active guest accounts.
• Detailed Reports - Activity Log—Choose one of the following permissions for running a full report on activity logs:
– No—Sponsors are not allowed to run detailed reports on activity logs on any guest accounts.
– Own Account—Sponsors are allowed to run detailed reports on activity logs for only the guest accounts they created.
– Group Accounts—Sponsors are allowed to run a detailed report on activity logs for guest accounts created by anyone in the same sponsor user group.
– All Accounts—Sponsors are allowed to run detailed reports on activity logs on any active guest accounts.
• Management Reports—Select Yes to allow the sponsors to run the management reports. If you select No, the sponsors are not allowed to run the reports.
• Number of days in the future the account can be created—This specifies the period in the future for which the guests can create accounts. Specify the maximum number of days, hours, or minutes that they are allowed to create accounts in the future.
• Maximum duration of account—This specifies the maximum duration for which the sponsor can configure an account. Specify the duration in days, hours, or minutes.
Step 5 Click the Save button to save the group with the permissions specified.

Note Until you click the Save button, the changes are not saved.

Step 6 Execute one of the following sets of instructions to correctly map sponsor users to your group based upon group information from the authentication server:
• Mapping to Active Directory Groups, page 5-10
• Mapping to LDAP Groups, page 5-11
• Mapping to RADIUS Groups, page 5-12

Deleting User Groups

Step 1 From the administration interface, select Authentication > Sponsor User Groups from the left hand menu.


Figure 5-6 List Groups to Delete

Step 2 Select and highlight the group you wish to delete and click the Delete Group button as shown in Figure 5-6.
Step 3 Confirm deletion at the prompt.

Note If any Local Users are part of this group, you must delete the user before deleting the user group. Alternatively, you can move Local Users to another group to “empty” the user group before deleting it.

Specifying the Order of Sponsor User Groups

When a sponsor logs in to the Cisco NAC Guest Server, the system checks each group in turn to see if the sponsor should be given the privileges of that group. The groups are processed in the order in which they appear in the Sponsor User Groups list box as shown in Figure 5-7. If a user does not match a user group, they are given the privileges of the DEFAULT group.

Step 1 From the administration interface, select Authentication > Sponsor User Groups from the left hand menu.

Figure 5-7 Order User Groups

Step 2 Select the group you wish to order. Each group can be ordered by clicking the move up or move down arrow icon button until the group is in position as shown in Figure 5-7.
Step 3 Repeat for all groups until they appear in the required order.


Step 4 Click the Change Order button to save the order.

Mapping to Active Directory Groups

If a sponsor authenticates to the Cisco NAC Guest Server using Active Directory authentication, the Cisco NAC Guest Server can map the sponsors into a user group using their membership in Active Directory groups.

Note Cisco NAC Guest Server does not support recursive group lookups. You must specify a group of which the user is directly a member.

If you have configured AD authentication (as described in Configuring Active Directory (AD) Authentication, page 4-6), the Guest Server automatically retrieves a list of all the groups configured within all the AD servers. Selecting an Active Directory Group from the dropdown gives all sponsor users in that AD group the permissions of this sponsor user group.

Step 1 From the administration interface, select Authentication > Sponsor User Groups from the left hand menu as shown in Figure 5-1.
Step 2 Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Step 3 Click the Active Directory Mapping tab to bring up the Edit Active Directory Mapping tab as shown in Figure 5-8.

Figure 5-8 Active Directory Group Mapping

Step 4 Select the group you wish to match from the dropdown menu and then click the Save button.

Note By default, Active Directory only returns a maximum of 1000 groups in response to a Cisco NAC Guest Server search. If you have more than 1000 groups and have not increased the LDAP search size, it is possible that the group you want to match does not appear. In this situation, you can manually enter the group name in the Active Directory Group combo box.


Mapping to LDAP Groups

If a sponsor authenticates to the Cisco NAC Guest Server using LDAP authentication, the Cisco NAC Guest Server can map the sponsor into a user group by their membership of LDAP groups.

Note Cisco NAC Guest Server does not support recursive group lookups. You must specify a group that the user is directly a member of.

Based on the settings of the LDAP server that you authenticate against, the Cisco NAC Guest Server uses one of the following methods for mapping the sponsor using group information. There are two main methods that LDAP servers use for assigning users to groups:
1. Storing the group membership in an attribute of the user object. With this method, the user object has one or more attributes that list the groups to which the user belongs. If your LDAP server uses this method of storing group membership, you need to enter the name of the attribute that holds the groups of which the user is a member.
2. Storing the user membership in an attribute of the group object. With this method, there is a group object that contains a list of the users who are members of the group. If your LDAP server uses this method, you need to specify the group to check under the LDAP mapping section of the User Group to which you want to match the user.
When you define the LDAP server, you will have specified one of these two options. If the LDAP server supports the first option, you need to specify that the user attribute is checked for a certain string. If the LDAP server supports the second option, you need to enter the full DN of the group whose membership you want to check. The Cisco NAC Guest Server then checks the attribute to make sure that it contains the name of the user who has logged in.

Step 1 From the administration interface, select Authentication > Sponsor User Groups from the left hand menu as shown in Figure 5-1.
Step 2 Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Step 3 Click the LDAP Mapping tab in the top menu of the page to bring up the Edit LDAP Mapping as shown in Figure 5-9.

Figure 5-9 LDAP Group Mapping


Step 4 If your LDAP server uses user attributes to store group membership, type the group name to check in the Check the user attribute field and specify either “contains the string” or “equals the string” from the dropdown menu.

Note If you use contains the string, the LDAP server must have wildcard searches enabled.

Step 5 If your LDAP server stores group membership in the group object, specify the full DN of the group you want to check in the Check the group object (group DN) field and type the name of the attribute to be checked for the sponsor’s username in the Membership Attribute field.
Step 6 Click the Save button to save the LDAP group mapping.

Note You can specify both options for the same group. The option that you check depends on the setting on the LDAP server with which the sponsor successfully authenticates.

Mapping to RADIUS Groups

If a sponsor authenticates to the Cisco NAC Guest Server using RADIUS authentication, the Cisco NAC Guest Server can map the sponsor into a user group by using information returned to the Cisco NAC Guest Server in the authentication request. The information must be placed into the class attribute on the RADIUS server.

Step 1 From the administration interface, select Authentication > Sponsor User Groups from the left hand menu as shown in Figure 5-1.
Step 2 Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Step 3 Click the RADIUS Mapping tab to bring up the Edit RADIUS Mapping as shown in Figure 5-10.

Figure 5-10 RADIUS Group Mapping

Step 4 Enter the string you want to match against the Class Attribute that is returned in the RADIUS authentication reply. Use the dropdown to specify whether you want to exactly match the string (equals the string) or match a substring (contains the string).
Step 5 Click the Save button.
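The mapping rules of this chapter worked through in code, as an added example and not Cisco's implementation: groups are tried in the order of the Sponsor User Groups list with DEFAULT as the fallback, and the Active Directory (direct membership only), LDAP (user-attribute and group-object methods, equals/contains) and RADIUS Class rules are applied as the mapping tabs above describe. All group DNs, usernames and directory objects are constructed for the offline run.

```python
"""Sponsor group mapping as this chapter describes it (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

Entry = Dict[str, List[str]]  # one directory object: attribute -> values


@dataclass
class SponsorGroup:
    name: str
    ad_group: Optional[str] = None            # AD Mapping: DN the user must be a direct member of
    ldap_user_attr: Optional[str] = None      # LDAP method 1: attribute on the user object
    ldap_user_match: str = ""                 # string to look for in that attribute
    ldap_user_mode: str = "equals"            # "equals" or "contains" (the dropdown choices)
    ldap_group_dn: Optional[str] = None       # LDAP method 2: DN of the group object to check
    ldap_member_attr: str = "member"          # Membership Attribute holding the members
    radius_class_match: Optional[str] = None  # RADIUS Mapping: string to find in Class
    radius_mode: str = "equals"


@dataclass
class Login:
    method: str                               # "ad", "ldap" or "radius"
    username: str
    user_dn: str = ""
    user_entry: Entry = field(default_factory=dict)            # the sponsor's own object
    directory: Dict[str, Entry] = field(default_factory=dict)  # group DN -> group object
    radius_class: Sequence[str] = ()          # Class attribute values from the RADIUS reply


def _match(value: str, wanted: str, mode: str) -> bool:
    if mode == "contains":
        return wanted.lower() in value.lower()
    return value.lower() == wanted.lower()


def group_matches(group: SponsorGroup, login: Login) -> bool:
    if login.method == "ad":
        # Only direct membership counts: the guide does no recursive lookups,
        # so a user in a nested group does not match the parent group.
        return group.ad_group is not None and any(
            _match(dn, group.ad_group, "equals")
            for dn in login.user_entry.get("memberOf", []))
    if login.method == "ldap":
        # Method 1: the user object carries an attribute listing its groups.
        if group.ldap_user_attr and any(
                _match(v, group.ldap_user_match, group.ldap_user_mode)
                for v in login.user_entry.get(group.ldap_user_attr, [])):
            return True
        # Method 2: the group object lists its members; look for the logged-in user.
        if group.ldap_group_dn:
            group_obj = login.directory.get(group.ldap_group_dn, {})
            return any(_match(m, login.username, "equals") or _match(m, login.user_dn, "equals")
                       for m in group_obj.get(group.ldap_member_attr, []))
        return False
    if login.method == "radius":
        return group.radius_class_match is not None and any(
            _match(c, group.radius_class_match, group.radius_mode)
            for c in login.radius_class)
    return False


def resolve_sponsor_group(groups: Sequence[SponsorGroup], login: Login) -> str:
    """First matching group in list order, else DEFAULT (the guide's fallback)."""
    for group in groups:
        if group_matches(group, login):
            return group.name
    return "DEFAULT"


# Constructed configuration and logins. DNs and usernames are made up.
HELPDESK_DN = "CN=HelpDesk,OU=Groups,DC=cca,DC=cisco,DC=com"
MANAGERS_DN = "cn=managers,ou=groups,dc=example,dc=com"
GROUPS = [
    SponsorGroup("HelpDesk", ad_group=HELPDESK_DN,
                 radius_class_match="helpdesk", radius_mode="contains"),
    SponsorGroup("Managers", ldap_group_dn=MANAGERS_DN, ldap_member_attr="member"),
    SponsorGroup("Reception", ldap_user_attr="memberOf",
                 ldap_user_match="reception", ldap_user_mode="contains"),
]
ALICE = Login("ad", "alice", user_entry={"memberOf": [HELPDESK_DN]})
BOB = Login("ad", "bob",   # member of Tier1, which is nested inside HelpDesk
            user_entry={"memberOf": ["CN=Tier1,OU=Groups,DC=cca,DC=cisco,DC=com"]})
CAROL_DN = "uid=carol,ou=people,dc=example,dc=com"
CAROL = Login("ldap", "carol", user_dn=CAROL_DN,
              user_entry={"memberOf": ["cn=reception-staff,ou=groups,dc=example,dc=com"]},
              directory={MANAGERS_DN: {"member": [CAROL_DN]}})
DAVE = Login("ldap", "dave", user_dn="uid=dave,ou=people,dc=example,dc=com",
             user_entry={"memberOf": ["cn=reception-staff,ou=groups,dc=example,dc=com"]},
             directory={MANAGERS_DN: {"member": [CAROL_DN]}})
EVE = Login("radius", "eve", radius_class=["OU=helpdesk;site=sjc"])

if __name__ == "__main__":
    for login in (ALICE, BOB, CAROL, DAVE, EVE):
        print(login.username, "->", resolve_sponsor_group(GROUPS, login))
```

Carol matches both Managers and Reception; reordering GROUPS changes which one she gets, which is the behaviour Specifying the Order of Sponsor User Groups describes.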


Assigning Guest Roles

Guest Roles allow a sponsor to assign different levels of access to a guest account. You can choose which sponsor user groups are allowed to assign certain roles to guests. By default, a sponsor user group has the ability to assign guests to the default role. The administrator can choose the additional roles the sponsor can assign, or can remove the default role from the user group. Each sponsor user group must have the ability to assign guests to at least one role. If only one role is selected for the user group, the sponsor does not get the option to select roles. If more than one role is selected, sponsors get a dropdown menu to select the role to be assigned to the account during account creation. Refer to Configuring Guest Roles, page 6-5 for additional details on roles.

Step 1 From the administration interface, select Authentication > Sponsor User Groups from the left hand menu as shown in Figure 5-1.
Step 2 Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Step 3 Click the Guest Roles tab to bring up the Edit Roles as shown in Figure 5-11.

Figure 5-11 Edit Roles

Step 4 The roles that the sponsor user group has permission to assign are displayed in the Selected Roles list. Move the roles between the Available Roles and Selected Roles lists using the arrow buttons.
Step 5 Click the Save button to assign the permission to create guests in the specified roles to the sponsor user group.


Assigning Time Profiles

Time Profiles allow a sponsor to assign different levels of access time to a guest account. You can choose the sponsor user groups that are allowed to assign certain Time Profiles to guests. By default, a user group has the ability to assign guests to the default time profile. The administrator can choose which additional time profiles the sponsor can assign, or can remove the default time profile from the user group. Each user group must have the ability to assign guests to at least one time profile. If a user group has only one time profile selected, the sponsor does not see an option to select the time profile. If they have the ability to choose more than one time profile, they see a dropdown menu from which they can choose the time profile to be assigned to the account during account creation. Refer to Configuring Time Profiles, page 6-10 for additional details on time profiles.

Step 1 From the administration interface, select Authentication > Sponsor User Groups from the left hand menu as shown in Figure 5-1.
Step 2 Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Step 3 Click the Time Profiles tab to bring up the Edit Time Profiles page as shown in Figure 5-12.

Figure 5-12 Time Profiles

Step 4 The time profiles that the sponsor user group has permission to assign are displayed in the Selected Time Profiles list. Move the time profiles between the Available Time Profiles and Selected Time Profiles lists using the arrow buttons.
Step 5 Click the Save button to assign the permission to create guests in the selected time profiles to the sponsor user group.


CHAPTER 6

Configuring Guest Policies

Organizations commonly have policies in place for creating accounts for their internal users and systems, such as the format or length of the username and/or complexity of password. The Cisco NAC Guest Server allows you to configure guest username and password creation policies to match your organization’s policy or to create a policy specific to guest accounts. You can also use the Guest Details policy to define specific guest user information on the Cisco NAC Guest Server. The Cisco NAC Guest Server allows you to configure different roles for your guests. Guest roles allow you to provide different levels of access to different guest accounts (for example, to map different guest roles to Clean Access Manager roles, to assign different RADIUS attributes, or to only allow access to guests from certain IP address ranges).

This chapter describes the following:
• Setting Username Policy
• Setting Password Policy
• Setting Guest Details Policy
• Configuring Guest Roles
• Configuring Time Profiles
• External Guest Authentication

Setting Username Policy

The Username Policy determines how to create user names for all guest accounts.

Step 1 From the administration interface, select Guest Policy > Username Policy as shown in Figure 6-1.


Figure 6-1 Guest Username Policy

Step 2 Choose one of the username policy options for creating the user name for the guest account:
a. Username Policy 1 - Email address as username
Use the guest’s email address as the username. If an overlapping account with the same email address exists, a random number is added to the end of the email address to make the username unique. Overlapping accounts are accounts that have the same email address and are valid for an overlapping period of time. With the Create Username With Case option, you can determine the case of the guest username created by the sponsor:
– Case entered by sponsor—The username remains in the same case set by the sponsor.
– UPPERCASE—The username is forced into uppercase after being set by the sponsor.
– lowercase—The username is forced into lowercase after being set by the sponsor.
b. Username Policy 2 - Create username based on first and last names
Create a username by combining the first name and last name of the guest. You can set a Minimum username length for this username from 1 to 20 characters (default is 10). User names shorter than the minimum length are padded up to the minimum specified length with a random number. With the Create Username With Case option, you can determine the case of the guest username created by the sponsor:
– Case entered by sponsor—The username remains in the same case set by the sponsor.
– UPPERCASE—The username is forced into uppercase after being set by the sponsor.
– lowercase—The username is forced into lowercase after being set by the sponsor.
c. Username Policy 3 - Create random username
Create a username from a random mixture of Alphabetic, Numeric or Other characters. For each character set, type the characters to draw from and the number of characters to use from that set.

Note The total length of the username is determined by the total number of characters included.

Step 3 When done, click Save to have the username policy take effect.

Setting Password Policy

The Password Policy determines how to create the password for all guest accounts.

Step 1 From the administration interface, select Guest Policy > Password Policy as shown in Figure 6-2.

Figure 6-2 Password Policy

Step 2 In the Alphabetic Characters section, enter the characters to be used in the password and the number to be included.
Step 3 In the Numeric Characters section, enter the numerals to be used in the password and the number to be included.
Step 4 In the Other Characters section, enter the special characters to be used in the password and the number to be included.


Caution For passwords, use only the following characters for the “Other Characters” field: !$^&*()-_=+[]{};:@#~,>? Do not use the following characters in the “Other Characters” field, as they are not supported by the Clean Access Manager API: £ % < ¬ ` ' \ |.

Step 5 Click the Save button to save the settings.

Note The total length of the password is determined by the total number of characters included. You can choose between 0 and 20 characters per type (alphabetic, numeric, or other).
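The username and password policies above are described only in words; the following added example (written for this guide, not Cisco's code) models them: Policy 1 with the random-number suffix for overlapping accounts, Policy 2 with padding to the minimum length, Policy 3 and the password policy as draws from per-type character sets, plus a check that rejects an "Other Characters" set containing characters the Clean Access Manager API does not support. The case names, function names and the `overlapping_usernames` collection are this example's own assumptions.

```python
import random

# Characters the guide allows in the password policy's "Other Characters"
# field, and the ones it says the Clean Access Manager API does not support.
ALLOWED_OTHER = set("!$^&*()-_=+[]{};:@#~,>?")
UNSUPPORTED_OTHER = set("£%<¬`'\\|")


def unsupported_other_characters(other_chars):
    """Return the characters of an 'Other Characters' set that fall outside the
    allowed list, so a misconfigured policy is caught before any guest password
    is generated (the CAM API would reject such passwords later)."""
    return sorted(set(other_chars) - ALLOWED_OTHER)


def apply_case(username, case):
    """Create Username With Case: keep the sponsor's case, or force a case."""
    return {"sponsor": username, "UPPERCASE": username.upper(),
            "lowercase": username.lower()}[case]


def random_from_sets(char_sets, rng):
    """Draw the requested number of characters from each (characters, count)
    set and shuffle them; the total length is the sum of the counts.
    The per-type count is limited to 0..20, as the password policy states."""
    chars = []
    for alphabet, count in char_sets:
        if not 0 <= count <= 20:
            raise ValueError("count per character type must be between 0 and 20")
        if count and not alphabet:
            raise ValueError("cannot draw characters from an empty set")
        chars.extend(rng.choice(alphabet) for _ in range(count))
    rng.shuffle(chars)
    return "".join(chars)


def username_policy_email(email, overlapping_usernames, case, rng):
    """Policy 1: the email address is the username. If an account with the same
    email address already exists for an overlapping period, a random number is
    appended to keep the username unique. `overlapping_usernames` is assumed
    to hold the usernames of accounts whose validity overlaps the new one."""
    name = apply_case(email, case)
    if name in overlapping_usernames:
        name = "%s%d" % (name, rng.randint(1000, 9999))
    return name


def username_policy_names(first, last, case, rng, min_length=10):
    """Policy 2: first name + last name, padded with random digits up to the
    Minimum username length (1..20, default 10)."""
    if not 1 <= min_length <= 20:
        raise ValueError("Minimum username length must be between 1 and 20")
    name = apply_case(first + last, case)
    if len(name) < min_length:
        name += "".join(str(rng.randint(0, 9)) for _ in range(min_length - len(name)))
    return name


def username_policy_random(alpha, n_alpha, numeric, n_num, other, n_other, rng):
    """Policy 3: a random mixture drawn from the three character sets."""
    return random_from_sets([(alpha, n_alpha), (numeric, n_num), (other, n_other)], rng)


def generate_password(alpha, n_alpha, numeric, n_num, other, n_other, rng):
    """Password policy: the same draw as Policy 3, but the 'Other Characters'
    set is rejected if it contains characters the CAM API does not support."""
    bad = unsupported_other_characters(other)
    if bad:
        raise ValueError("unsupported characters in 'Other Characters': %r" % bad)
    return random_from_sets([(alpha, n_alpha), (numeric, n_num), (other, n_other)], rng)


if __name__ == "__main__":
    rng = random.Random()
    print(username_policy_names("Jane", "Doe", "lowercase", rng))
    print(generate_password("abcdefghjkmnpqrstuvwxyz", 6, "23456789", 2, "!$^&", 1, rng))
```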

Setting Guest Details Policy

The Guest Details policy determines the data the sponsor needs to enter to create a guest account.

Step 1 From the administration interface, select Guest Policy > Guest Details as shown in Figure 6-3.

Figure 6-3 Guest Details Policy

Step 2 You can specify one of three settings for each requirement:
• Required—If a field is set to required, it is displayed on the Create Guest Account page and it is mandatory for the sponsor to complete.
• Optional—If a field is set to optional, it is displayed on the Create Guest Account page. However, the sponsor can choose not to complete the field.
• Unused—If a field is set to unused, it is not displayed on the Create Guest Account page and no value is required.


Step 3 Click the Save button to save the guest details policy.

Note There are five Additional Fields that you can use to add any additional information that you require sponsors to fill out when creating guest accounts. These are described on the Guest Details page as Option 1 through Option 5. If you want to use these fields, Cisco recommends customizing the text that is shown to the sponsor by editing the templates as described in User Interface Templates, page 11-1.

Configuring Guest Roles

Guest roles provide a way to give different levels of access to different guest accounts, for example to map different guest roles to Clean Access Manager roles, to assign different RADIUS attributes, or to only allow access to guests from certain IP address ranges. Once guest roles have been created, you must change the sponsor user group to allow sponsors in that group to provision accounts in the appropriate role. See Assigning Guest Roles, page 5-13 for instructions on how to allow sponsors to assign different guest roles.

Adding Guest Roles

You can add a new guest role using the following steps.

Step 1 From the administration interface, select Guest Policy > Guest Roles as shown in Figure 6-4.

Figure 6-4 Guest Roles

Step 2 Click the Add Role button to add a new guest role.
Step 3 From the Add Guest Role page as shown in Figure 6-5, enter the name for a new guest role.


Figure 6-5 Add New Guest Role

Step 4 Enter a Role Name and its Description in the fields provided.
Step 5 Click the Add Role button to add the guest role. You can now edit the settings for the new guest role as described in Editing Guest Roles, page 6-6.

Editing Guest Roles

The following steps describe how to edit guest roles.

Step 1 From the administration interface, select Guest Policy > Guest Roles from the left hand menu.

Figure 6-6 Edit Guest Roles

Step 2 Select the role you wish to edit and click the underlined name of that role as shown in Figure 6-6 to bring up the NAC Roles edit page. You can edit the following attributes:
• Edit NAC Roles
• Edit RADIUS Attributes
• Edit Locations
• Edit Authentication Settings

Edit NAC Roles

For each role, you can specify the Clean Access Managers onto which guest accounts in that role are provisioned, and the role name to use on each Clean Access Manager.


By default, no Clean Access Managers are selected and the role that is shown is copied from the relevant Cisco NAC Appliance setting. Refer to Chapter 7, “Integrating with Cisco NAC Appliance” for additional details.

Step 1 From the administration interface, select Guest Policy > Guest Roles and click the underlined name of the role you want to edit.
Step 2 Select NAC Roles from the top of the page.

Figure 6-7 NAC Role

Step 3 For each Cisco NAC Appliance, check the Enabled box if you want accounts created with this guest role to be provisioned onto that Clean Access Manager.
Step 4 For each Cisco NAC Appliance, enter the role in the Map to NAC Role field that corresponds to the role on the Cisco NAC Appliance in which you want to create the guest account.
Step 5 Click the Save Role button.

Edit RADIUS Attributes

If a guest authenticates with a RADIUS client device such as a Cisco Wireless LAN controller, then for each role you can specify additional RADIUS attributes that are sent upon successful authentication.

Step 1 From the administration interface, select Guest Policy > Guest Roles and click the underlined name of the role you want to edit.
Step 2 Select RADIUS Attributes from the top of the page as shown in Figure 6-8.


Figure 6-8 RADIUS Attributes

Step 3 Enter each Attribute and Value pair and click the Add button.
Step 4 If you need to re-order the attributes that are sent, use the Move up and Move down buttons.
Step 5 Click the Save Role button to save the RADIUS Attributes.

Edit Locations

If a guest authenticates with a RADIUS client device such as a Cisco Wireless LAN Controller, you can specify from which IP address ranges the guest is allowed to authenticate for each role. This enables you to specify roles based upon location so that guests assigned to a specific role can only login from locations that you specify.

Step 1 From the administration interface, select Guest Policy > Guest Roles and click the underlined name of the role you want to edit.
Step 2 Click the Locations tab as shown in Figure 6-9.

Figure 6-9 Locations


Step 3 Enter each Network Address and select the appropriate prefix length from the dropdown menu. Only valid Network Addresses will be accepted—host addresses must be specified using a /32 prefix length.
Step 4 Click the Add Location button to add the Network Address.

Note When you add a role, the location 0.0.0.0/0 is automatically added. This means that the role is valid from any IP address. If you want to restrict to other IP address ranges you must remove this address.

Note Locations only apply to users authenticating through RADIUS clients such as the Cisco Wireless LAN Controller.

Edit Authentication Settings

Step 1 From the administration interface, select Guest Policy > Guest Roles and click the underlined name of the role you want to edit.
Step 2 Click the Authentication Settings tab as shown in Figure 6-10.

Figure 6-10 Authentication Settings

Step 3 Enter a number for the Maximum Concurrent Connections for Guests in this Role. This sets the maximum number of concurrent connections with which a guest account is allowed to be associated. Leave the field blank for an unlimited number of connections and authentications.
Step 4 Enter a number for the Maximum Failed Authentications for Guests in this Role. This sets the maximum number of failed authentication attempts a guest is allowed to have before the account is suspended. Leave the field blank for an unlimited number of connections and authentications.
Step 5 Check the Allow Password Change checkbox to allow the guest to change the password. Check this option to use the Password Change widget.
Step 6 Check the Require Password Change checkbox to force the guest to change the password during first login. This option applies to all widgets that allow guest login (Login, Self Service, Billing), and forces the guest to change the password before logging in to the Guest Server. To include the Password Change in a page, add the following script:

Step 7 Click the Save button to save your changes. Refer to Creating a Password Change Page (WLC and Switch), page 12-26 for further information.
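The Locations and Authentication Settings tabs together decide whether a RADIUS authentication for a guest in a role is accepted. The following added example (a model written for this guide, not the Guest Server's own logic) shows the pieces working together: the strict network-address check that forces hosts to be written as /32, the automatically added 0.0.0.0/0 location that leaves a role open until it is removed, and the concurrent-connection and failed-authentication limits with a blank limit meaning unlimited. Where the guide does not say exactly when suspension happens or whether a successful login clears the failure count, the example's choice is marked as an assumption in the comments.

```python
import ipaddress


def is_valid_network_address(text):
    """True only for a proper network address: the host bits must be zero,
    so a single host has to be written with a /32 prefix length."""
    try:
        ipaddress.ip_network(text, strict=True)
        return True
    except ValueError:
        return False


class GuestRole:
    """Per-role settings from the Locations and Authentication Settings tabs.
    A constructed model for this example. A None limit means the field was
    left blank in the administration interface, that is, unlimited."""

    def __init__(self, name, locations=("0.0.0.0/0",), max_concurrent=None, max_failed=None):
        self.name = name
        # A new role starts with 0.0.0.0/0; the guide says it must be removed
        # before any narrower location actually restricts where guests log in.
        self.locations = [ipaddress.ip_network(loc, strict=True) for loc in locations]
        self.max_concurrent = max_concurrent
        self.max_failed = max_failed

    def is_open_to_any_address(self):
        """True while the automatically added 0.0.0.0/0 entry is still present."""
        return any(net.prefixlen == 0 for net in self.locations)

    def allows_location(self, nas_ip):
        ip = ipaddress.ip_address(nas_ip)
        return any(ip in net for net in self.locations)


class GuestAccount:
    def __init__(self, username, role):
        self.username = username
        self.role = role
        self.active_sessions = 0
        self.failed_auths = 0
        self.suspended = False


def authenticate(account, nas_ip, password_ok):
    """Decide one RADIUS authentication for a guest in a role; returns
    (accepted, reason). Locations apply only to RADIUS clients such as a
    Wireless LAN Controller, so nas_ip is the client the request came from.
    Assumption: the account is suspended once the failed count reaches the
    limit, and a successful login resets that count."""
    role = account.role
    if account.suspended:
        return False, "account suspended"
    if not role.allows_location(nas_ip):
        return False, "role not valid from this location"
    if not password_ok:
        account.failed_auths += 1
        if role.max_failed is not None and account.failed_auths >= role.max_failed:
            account.suspended = True
            return False, "account suspended: too many failed authentications"
        return False, "invalid credentials"
    if role.max_concurrent is not None and account.active_sessions >= role.max_concurrent:
        return False, "maximum concurrent connections reached"
    account.active_sessions += 1
    account.failed_auths = 0
    return True, "accepted"


def session_ended(account):
    """Release a concurrent-connection slot when the RADIUS session stops."""
    account.active_sessions = max(0, account.active_sessions - 1)
```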

Configuring Time Profiles

Time Profiles provide a way to give different levels of time access to different guest accounts. For example, you can assign a time profile that allows a guest access during a working week day and not on a weekend. Once time profiles are created, you must change the sponsor user group to allow sponsors in that group to be able to provision accounts to the appropriate time profiles created. See Assigning Time Profiles, page 5-14 for instructions on how to allow sponsors to assign different time profiles.

Note Cisco NAC Guest Server Version 2.0 and later supports only start/end and from creation profiles when used with Cisco NAC Appliances.

Adding Time Profiles

You can add a new time profile to a guest role using the following steps.

Step 1 From the administration interface, select Guest Policy > Time Profiles as shown in Figure 6-11.

Figure 6-11 Time Profiles

Step 2 Click the Add Time Profile button to add a new Time Profile.
Step 3 From the Add Time Profile page as shown in Figure 6-12, type the Name and Description of the new time profile.


Figure 6-12 Add Time Profile Page

Step 4 From the Timezone dropdown menu, specify the timezone for which any Account Restrictions will apply.

Note The Timezone function is only available starting from version 2.0.1 and later. In version 2.0.0, the account restrictions are determined by the timezone set on the Date/Time settings in the Server configurations.

Step 5 From the Account Type dropdown menu, you can choose one of the predefined options:
• Start End—Allows sponsors to define start and end times for account durations.
• From First Login—Allows sponsors to define a length of time for guest access from their first login.
• From Creation—Allows sponsors to define a length of time for guest access from the moment of account creation.

Note The From Creation option is only available starting from version 2.0.1 and later.

• Time Used—Allows sponsors to create a time period during which the guest can login. For example, an account can be valid for 2 hours and usable at any time within 24 hours from first login.
Step 6 Depending on the Account Type selected, enter the duration in the following fields:
• Start End—Allows sponsors to define start and end times for account durations; therefore, no duration is necessary.
• From First Login—Allows sponsors to define a length of time for guest access from their first login. Duration in days is required.
• From Creation—Allows sponsors to define a length of time for guest access from the moment of account creation.


Note The From Creation option is only available starting from version 2.0.1 and later.

• Time Used—Allows sponsors to create a time period during which the guest can login. For example, an account can be valid for 2 hours and usable at any time within 24 hours from first login. You need to specify how long the sponsor can allocate a guest account for, and the time frame in which it must end.
• Click the Save button to save.
Step 7 Once a Time Profile is created, you can implement Account Restrictions in the Restrictions section. Use the dropdown menus to select the days and the times between which you wish to restrict guest access. Once a time criterion is complete, click Add, then create the next restriction.
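The four account types and the Account Restrictions are easier to reason about as a validity check. The following added example (a model for this guide, not the Guest Server's code) evaluates each account type, including the Time Used case where the allowed usage must fit inside a window from first login, and evaluates the day/time restrictions in the profile's own timezone rather than the server's. It assumes each restriction entry is a window in which access is permitted; the field names and the sample profile are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone
from typing import List, Optional


@dataclass
class Restriction:
    """One Account Restrictions entry: weekdays (Monday=0 .. Sunday=6) and a
    time range in the profile's timezone. Assumption: the entry is a window in
    which access is permitted."""
    days: set
    start: time
    end: time


@dataclass
class TimeProfile:
    name: str
    account_type: str            # "start_end", "from_first_login", "from_creation", "time_used"
    tz: timezone                 # Timezone the restrictions are evaluated in
    duration: Optional[timedelta] = None        # from_first_login / from_creation
    usage_allowed: Optional[timedelta] = None   # time_used: e.g. 2 hours of access
    usage_window: Optional[timedelta] = None    # time_used: e.g. within 24 hours of first login
    restrictions: List[Restriction] = field(default_factory=list)


@dataclass
class GuestAccount:
    profile: TimeProfile
    created: datetime
    start: Optional[datetime] = None       # start_end only
    end: Optional[datetime] = None         # start_end only
    first_login: Optional[datetime] = None
    time_used: timedelta = timedelta(0)    # time_used only


def within_validity(acct, now):
    """Is the account inside the validity period its account type defines?"""
    p = acct.profile
    if p.account_type == "start_end":
        return acct.start <= now < acct.end
    if p.account_type == "from_creation":
        return acct.created <= now < acct.created + p.duration
    if p.account_type == "from_first_login":
        # Until the first login the duration clock has not started.
        return acct.first_login is None or now < acct.first_login + p.duration
    if p.account_type == "time_used":
        if acct.time_used >= p.usage_allowed:
            return False
        return acct.first_login is None or now < acct.first_login + p.usage_window
    raise ValueError("unknown account type: %s" % p.account_type)


def within_restrictions(profile, now):
    """Evaluate the day/time restrictions in the profile's timezone, which is
    the difference the Timezone dropdown makes compared with the server clock."""
    if not profile.restrictions:
        return True
    local = now.astimezone(profile.tz)
    return any(local.weekday() in r.days and r.start <= local.time() < r.end
               for r in profile.restrictions)


def can_login(acct, now):
    return within_validity(acct, now) and within_restrictions(acct.profile, now)


# Constructed sample profile: office hours, Monday to Friday, in a UTC-8 zone.
PACIFIC = timezone(timedelta(hours=-8))
WEEKDAYS = {0, 1, 2, 3, 4}
OFFICE_HOURS = TimeProfile("office_hours", "from_first_login", PACIFIC,
                           duration=timedelta(days=3),
                           restrictions=[Restriction(WEEKDAYS, time(8, 0), time(18, 0))])
```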

Editing Time Profiles

The following steps describe how to edit Time Profiles.

Step 1 From the administration interface, select Guest Policy > Time Profiles from the left hand menu.

Figure 6-13 Editing a Time Profile

Step 2 Select the time profile you wish to edit and click the underlined name of that profile as shown in Figure 6-13.
Step 3 From the Edit Time Profile page as shown in Figure 6-14, you can edit the Name and Description of that profile.


Figure 6-14 Edit Time Profile

Step 4 From the Timezone dropdown menu, specify the timezone for which any Account Restrictions will apply.

Note The Timezone function is only available starting from version 2.0.1 and later. In version 2.0.0, the account restrictions are determined by the timezone set on the Date/Time settings in the Server configurations.

Step 5 From the Account Type dropdown menu, you can choose one of the predefined options:
• Start End—Allows sponsors to define start and end times for account durations.
• From First Login—Allows sponsors to define a length of time for guest access from their first login.
• From Creation—Allows sponsors to define a length of time for guest access from the moment of account creation.

Note The From Creation option is only available starting from version 2.0.1 and later.

• Time Used—Allows sponsors to create a time period during which the guest can login. For example, an account can be valid for 2 hours and usable at any time within 24 hours from first login.
Step 6 Depending on the Account Type selected, enter the duration in the following fields:
• Start End—Allows sponsors to define start and end times for account durations; therefore, no duration is necessary.
• From First Login—Allows sponsors to define a length of time for guest access from their first login. Duration in days is required.
• From Creation—Allows sponsors to define a length of time for guest access from the moment of account creation.


Note The From Creation option is only available starting from version 2.0.1 and later.

• Time Used—Allows sponsors to create a time period during which the guest can login. For example, an account can be valid for 2 hours and usable at any time within 24 hours from first login. You need to specify how long the sponsor can allocate a guest account for, and the time frame in which it must end.
• Click the Save button to save.
Step 7 Once a Time Profile is created, you can implement Account Restrictions in the Restrictions section. Use the dropdown menus to select the days and the times between which you wish to restrict guest access. Once a time criterion is complete, click Add, then create the next restriction.

Deleting Time Profiles

The following steps describe how to delete Time Profiles.

Step 1 From the administration interface, select Guest Policy > Time Profiles from the left hand menu.

Figure 6-15 Deleting a Time Profile

Step 2 From the Time Profiles page as shown in Figure 6-15, choose the profile you wish to delete and click the bin icon.
Step 3 Confirm the deletion when prompted.

Note Only time profiles that have never been used to create guest accounts can be deleted. The used time profiles cannot be deleted as they are required for audit purposes.

External Guest Authentication

RADIUS authentication authenticates guest users to the Cisco NAC Guest Server using their existing RADIUS user accounts. The guests do not need another set of user names and passwords to authenticate to the Guest Server. RADIUS authentication also lets guest access be rolled out quickly, because no sponsor needs to be involved in creating local guest accounts.

Step 1 From the administration interface, select Authentication > External Guests.


Step 2 Click the RADIUS Authentication tab as shown in Figure 6-16.

Figure 6-16 RADIUS Authentication

Step 3 Type the Server IP Address for the Primary RADIUS Server.
Step 4 Type the Port that RADIUS authentication is running on for that server (default is 1645 or 1812).
Step 5 Type the shared secret to be used between the RADIUS Server and the NAC Guest Server in the RADIUS Secret field.
Step 6 Confirm the secret to make sure that it is set correctly.
Step 7 Enter details for a Secondary RADIUS Server. These details are used when the NAC Guest Server does not receive a response from the Primary RADIUS Server. These fields are optional.
Step 8 Click Save to save the Administrator RADIUS settings.

You can now enter the required RADIUS mappings.

Step 1 From the administration interface, select Authentication > External Guests.
Step 2 Click the RADIUS Mappings tab as shown in Figure 6-17.


Figure 6-17 RADIUS Mapping

Step 3 Enter a RADIUS mapping using the blank field and the dropdown menus, which contain pre-defined text. The text in the dropdown menus relates to the time profiles and guest roles that have previously been created by the Administrator on the NAC Guest Server.

Note External Guest Authentication supports only the From First Login time profile.

Step 4 Once a rule has been created, click the Add Rule button to apply it.
Step 5 You can change the order of the rules by selecting and highlighting rules and then clicking the move up and move down buttons. Click the Change Order button to apply the changes.


CHAPTER 7

Integrating with Cisco NAC Appliance

This chapter describes the following:
• Adding Clean Access Manager Entries
• Editing Clean Access Manager Entries
• Deleting Clean Access Manager Entries
• Configuring the CAM for Reporting

Guest users commonly authenticate to networks via a captive portal through which they provide their authentication details using a web browser. Cisco NAC Appliance provides a secure guest user access portal which administrators can customize. The Cisco NAC Guest Server integrates with the Clean Access Manager through the use of the Cisco NAC Appliance API. This is an HTTPS-based API that requires the Guest Server to communicate with the Cisco NAC Appliance Manager, also known as the Clean Access Manager (CAM). The Cisco NAC Guest Server creates the guest user accounts on the CAM as Local User accounts assigned to a specific role that you define for guest users. Every minute, the Guest Server creates the accounts that have become valid and removes the accounts that have expired. When accounts are suspended, the Guest Server removes both the accounts from the CAM and the guest users from the network if they are logged in. The Clean Access Manager can also send accounting information to the Cisco NAC Guest Server via RADIUS accounting. This information is used for reporting and tracking of guests by access time and IP address. You can add multiple Clean Access Managers to the Cisco NAC Guest Server. When accounts are provisioned, they are created on all active Clean Access Managers that are defined.


Adding Clean Access Manager Entries

The following steps describe how to configure the Cisco NAC Guest Server and Cisco NAC Appliance Manager so that they can communicate with one another. You must add API information to the Cisco NAC Guest Server for each Clean Access Manager on which you want the Guest Server to create accounts.

Step 1 From the Guest Server administration interface, select Devices > NAC Appliances from the left hand menu as shown in Figure 7-1.

Figure 7-1 Cisco NAC Appliances

Step 2 Click the Add NAC Appliance button.
Step 3 Enter the following settings in the NAC Appliance Details page as shown in Figure 7-2:

Figure 7-2 Add Clean Access Manager


• Name—Type a descriptive name for the Clean Access Manager.
• Server—Type the DNS name or IP address for the CAM.
• Admin Username—Enter an admin username which has Full-Control API permission to the CAM.
• Password—Type the password for the account.
• Confirm Password—Retype the password to ensure it matches correctly.
• Default Role—Type the name of the User Role on the CAM to which you will assign guest users. This should match exactly with the User Role name configured on the CAM, including correct case.
• Server Active—Check this checkbox to set the Cisco NAC Guest Server to Active status so that it provisions accounts on the CAM. Leaving this field unchecked disables provisioning by the Guest Server.
Step 4 Click the Add NAC Appliance button.
Step 5 Click the Test Connection button to ensure that the settings are working correctly.
Step 6 In the Clean Access Manager admin console, navigate to Monitoring > Event Logs and verify that the account nacguest_test was successfully created and then deleted.

Note Clean Access Managers are automatically added to the Default guest role, and set to provision using the role name specified here. If you do not want the Clean Access Manager to be added to the role, you must manually remove the entry.

Editing Clean Access Manager Entries

The following steps describe how to edit an existing entry for a Clean Access Manager.

Step 1 From the Guest Server administration interface, select Devices > NAC Appliances from the left hand menu as shown in Figure 7-3.

Figure 7-3 List of Cisco NAC Appliances

Step 2 Click the underlined name of the NAC appliance from the list to edit it.
Step 3 In the NAC Appliance Settings page as shown in Figure 7-4, enter the following settings:


Figure 7-4 Edit Clean Access Manager

• Server—Type the DNS name or IP address for the CAM.
• Admin Username—Enter an admin username which has API permission to the CAM.
• Password—Type the password for the account.
• Confirm Password—Retype the password to ensure it matches correctly.
• Default Role—Type the name of the User Role on the CAM to which you will assign guest users. This should match exactly with the User Role name configured on the CAM, including correct case.
• Server Active—Check this checkbox to set the Cisco NAC Guest Server to Active status so that it provisions accounts on the CAM. Leaving this field unchecked disables provisioning by the Guest Server.
Step 4 Click the Save Settings button.
Step 5 Click the Test Connection button to ensure that the settings are working correctly.
Step 6 In the Clean Access Manager admin console, navigate to Monitoring > Event Logs and verify that the account nacguest_test was successfully created and then deleted.

Deleting Clean Access Manager Entries

The following steps describe how to delete NAC Appliance (Clean Access Manager) entries.

Step 1 From the Guest Server administration interface, select Devices > NAC Appliances from the left hand menu as shown in Figure 7-5.

Figure 7-5 List of Cisco NAC Appliances

Step 2 Select the Cisco NAC Appliance that you want to delete from the list and click the bin icon to the right of the active field. Confirm the deletion when prompted.


Step 3 A further message appears asking whether to delete the records of accounts that were created on the NAC Appliance from the NAC Guest Server database. You may need the provisioning records if you are planning to add the NAC Appliance again at a later date.

Warning When deleting a NAC Appliance you need to manually manage any guest accounts created on the Clean Access Manager.

Configuring the CAM for Reporting

In order for the Cisco NAC Guest Server to correctly display details for guest users when reporting is run, you need to configure the CAM to send RADIUS accounting information to the Guest Server. Additionally, the CAM needs to format the information correctly.

Note For detailed instructions on how to access and configure settings on the CAM, refer to the applicable Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide.

Adding RADIUS Accounting Server

Step 1 Log into the CAM web console as an admin user with an appropriate password (default username/password is admin/cisco123).

Note Any CAM admin user with Edit privileges can perform this configuration.

Step 2 Navigate to User Management > Auth Servers > Accounting > Server Config.


Figure 7-6 Configure RADIUS Accounting Server

Step 3 Click the checkbox for Enable RADIUS Accounting and configure the following fields:
• Server Name—Type the IP address of the Cisco NAC Guest Server.
• Server Port—Type 1813 as the port.
• Timeout (sec)—Type a timeout value; 10 seconds is typically sufficient.
• Shared Secret—Type the shared secret used with the Cisco NAC Guest Server. This must match the shared secret configured on the Guest Server when adding the CAM as a RADIUS client to the Guest Server, as described in Adding RADIUS Clients, page 8-2. Make sure both shared secrets are the same.
• NAS-IP-Address—Type the address of the CAM itself as the NAS-IP-Address.
Step 4 Click the Update button.

Configure CAM to Format RADIUS Accounting Data

The CAM can be configured to place many different attributes into the RADIUS accounting packets, and the attributes themselves can be formatted in many different ways. You need to configure the CAM to send attribute information in a specific format so that the Cisco NAC Guest Server can recognize it.

Note Refer to the “RADIUS Accounting” section of the applicable Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide for additional details.

Step 1 Log into the CAM admin console, and navigate to User Management > Auth Servers > Accounting > Shared Events as shown in Figure 7-7.


Figure 7-7 Shared Events

Step 2 On the Shared Events page, click the Edit button to the right of the User_Name attributes entry.
Step 3 In the Edit User_Name attribute page as shown in Figure 7-8, click the Reset Element button to remove the existing sample data format.

Figure 7-8 Edit User Name Attribute

Step 4 Select User Name from the Add Data dropdown menu.
Step 5 Click the Add Data button.
Step 6 Click the Commit Changes button.
Step 7 The main Shared Events list page reappears as shown in Figure 7-9. Verify that the Data column lists “[User_Name]”.


Figure 7-9 Shared Events with Username Changed

Step 8 Click the New Entry... link to the right of the page as shown in Figure 7-9 to add additional attributes.

Figure 7-10 Add Calling Station Id Attribute

Step 9 In the New Shared Events attribute form as shown in Figure 7-10, select Calling_Station_Id from the Send RADIUS Attributes dropdown menu.
Step 10 Click the Change Attribute button.
Step 11 Select User IP from the Add Data dropdown menu.
Step 12 Click the Add Data button.
Step 13 Click Commit Changes.
Step 14 Click the New Entry link to the right of the page as shown in Figure 7-9 to add additional attributes as shown in Figure 7-11.


Figure 7-11 Additional Attributes

Step 15 In the New Shared Events attribute form as shown in Figure 7-11, select Acct_Session_Id from the Send RADIUS Attributes dropdown menu.
Step 16 Click the Change Attribute button.
Step 17 Select User Key from the Add Data dropdown menu.
Step 18 Click the Add Data button.
Step 19 Select Login Time from the Add Data dropdown menu.
Step 20 Click the Add Data button.
Step 21 Click Commit Changes.

Note Remember to add the CAM as a RADIUS client using the instructions in Chapter 8, “Configuring RADIUS Clients.”


CHAPTER 8

Configuring RADIUS Clients

This chapter describes the following:
• Overview
• Adding RADIUS Clients
• Editing RADIUS Clients
• Deleting RADIUS Clients

Overview

Remote Authentication Dial In User Service (RADIUS) is an AAA (authentication, authorization and accounting) protocol. Cisco NAC Guest Server uses the RADIUS protocol to authenticate and audit guests who log in through RADIUS-capable network enforcement devices, such as Cisco Wireless LAN Controllers. Although the Cisco NAC Appliance uses its own API and a different method for creating accounts and authenticating users, as described in Chapter 7, “Integrating with Cisco NAC Appliance,” it still uses RADIUS Accounting to record user activity and therefore still needs to be configured as a RADIUS client. When a guest authenticates against a RADIUS client, such as the Wireless LAN Controller, the RADIUS client uses RADIUS authentication to check with the Cisco NAC Guest Server whether the user authentication is valid. If the guest authentication is valid, the Cisco NAC Guest Server returns a message stating that the user is valid and the duration of time remaining before the user session expires. The RADIUS client must honor the session-timeout attribute to remove the guest when the guest account time expires.

Note The Cisco Wireless LAN Controller needs to be specifically configured to Allow AAA Override. This enables it to honor the session-timeout attribute returned to it by the Cisco NAC Guest Server.

In addition to authentication, the RADIUS client device reports details to the Cisco NAC Guest Server, such as the time the session started, time session ended, user IP address, and so on. This information is transported over the RADIUS Accounting protocol.

Tip If there is a firewall between the Cisco NAC Guest Server and the RADIUS client, you need to allow traffic on UDP port 1812 or 1645 (RADIUS authentication) and UDP port 1813 or 1646 (RADIUS accounting) to pass.


Note Every time you make a change to a RADIUS component on the Cisco NAC Guest Server, you need to Restart the RADIUS service for the changes to become active.

Note The Debug button under Devices > RADIUS Clients turns the RADIUS server on in debugging mode. This enables detailed debug information to be viewed under Server > System Logs > Support Logs. See Support Logs, page 15-8 for additional details.
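The following Python is an added example and is not code from this guide or from the Cisco product. It models the two RADIUS flows described in the Overview above and in the CAM Shared Events procedure of Chapter 7: an Access-Accept that returns the remaining account time as the Session-Timeout attribute, and an Accounting-Request whose attributes are laid out the way the CAM was configured (User-Name, Calling-Station-Id carrying the user IP, Acct-Session-Id carrying the user key followed by the login time). Packet codes, attribute numbers and the two authenticator calculations follow RFC 2865 and RFC 2866; the shared secret, packet identifiers, IP address and guest values are constructed. The verification function is the check that silently fails on the server when the shared secret differs between the Guest Server and the client, which is why the guide insists both secrets match.

```python
"""Added example, not Cisco code: the RADIUS exchange described in this chapter.
Packet codes, attribute types and authenticator rules follow RFC 2865/2866;
secret, identifiers and guest values are constructed."""
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

ACCESS_ACCEPT, ACCOUNTING_REQUEST = 2, 4                    # packet codes
USER_NAME, SESSION_TIMEOUT, CALLING_STATION_ID = 1, 27, 31  # attribute types
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_START = 40, 44, 1

def encode_attrs(attrs):
    """Pack (type, value) pairs as RADIUS TLVs: type(1) length(1) value."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value longer than 253 bytes")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out

def decode_attrs(data):
    """Walk the TLVs, refusing any length that runs past the packet."""
    attrs, pos = [], 0
    while pos < len(data):
        atype, alen = struct.unpack("!BB", data[pos:pos + 2])
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def build_accounting_request(identifier, secret, username, user_ip, user_key, login_time):
    """Accounting-Request (Start) laid out as the CAM Shared Events were configured:
    User-Name=[User_Name], Calling-Station-Id=[User IP], Acct-Session-Id=[User Key][Login Time]."""
    attrs = encode_attrs([
        (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
        (USER_NAME, username.encode()),
        (CALLING_STATION_ID, user_ip.encode()),
        (ACCT_SESSION_ID, (user_key + login_time).encode()),
    ])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(header + 16 zero bytes + attributes + shared secret)
    return header + hashlib.md5(header + bytes(16) + attrs + secret).digest() + attrs

def verify_accounting_request(packet, secret):
    """True only if the authenticator was computed with this shared secret; a secret
    that differs on the two sides is exactly the mismatch that makes records vanish."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_accounting_request(packet):
    """Extract the fields the Guest Server correlates on (run after verification)."""
    attrs = dict(decode_attrs(packet[20:]))
    return {"status": struct.unpack("!I", attrs[ACCT_STATUS_TYPE])[0],
            "username": attrs[USER_NAME].decode(),
            "user_ip": attrs[CALLING_STATION_ID].decode(),
            "acct_session_id": attrs[ACCT_SESSION_ID].decode()}

def remaining_session_timeout(now, account_end):
    """Seconds until the guest account expires, the value sent as Session-Timeout."""
    return max(int((account_end - now).total_seconds()), 0)

def build_access_accept(identifier, request_authenticator, secret, session_timeout):
    """Access-Accept carrying Session-Timeout; Response Authenticator =
    MD5(header + Request Authenticator + attributes + shared secret)."""
    attrs = encode_attrs([(SESSION_TIMEOUT, struct.pack("!I", session_timeout))])
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def session_timeout_from_accept(packet):
    """The value a client that honours the attribute (a WLC with AAA Override) applies."""
    for atype, value in decode_attrs(packet[20:]):
        if atype == SESSION_TIMEOUT:
            return struct.unpack("!I", value)[0]
    return None

def demo():
    """Constructed round trip: an accept with two hours left, then a Start record."""
    secret = b"constructed-shared-secret"
    now = datetime(2012, 11, 1, 9, 0, tzinfo=timezone.utc)
    timeout = remaining_session_timeout(now, now + timedelta(hours=2))
    accept = build_access_accept(3, bytes(range(16)), secret, timeout)
    start = build_accounting_request(7, secret, "guest01", "10.1.2.3", "k123", "20121101090000")
    return {"session_timeout": session_timeout_from_accept(accept),
            "accounting_ok": verify_accounting_request(start, secret),
            "wrong_secret_ok": verify_accounting_request(start, b"wrong-secret"),
            "record": parse_accounting_request(start)}
```

The Acct-Session-Id here is the plain concatenation of user key and login time; the guide does not state the separator or timestamp layout the CAM actually emits, so the example leaves that string unsplit rather than guessing.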

Adding RADIUS Clients

Step 1 From the administration interface, select Devices > RADIUS Clients from the left hand menu.
Step 2 In the RADIUS Clients page as shown in Figure 8-1, click the Add RADIUS Client button to add a RADIUS client.

Figure 8-1 RADIUS Clients

Step 3 In the Add RADIUS Client page as shown in Figure 8-2, type a descriptive Name for the RADIUS client.


Figure 8-2 Add RADIUS Client

Step 4 Type the IP Address of the RADIUS client. This needs to match the IP address from which the RADIUS request originates.
Step 5 Type a shared Secret for the RADIUS client. This must match the shared secret specified in the configuration of the RADIUS client.
Step 6 Retype the shared secret in the Confirm field.
Step 7 Type a Description of the client and any other information needed.
Step 8 If you want the RADIUS client to send any additional attributes upon successful authentication, enter the attribute name and value in the Attribute and Value fields and click the Add button. You can enter as many attributes as you need.
• If you want to remove an attribute, select the attribute from the table and click the Remove button.
• Use the Move up and Move down buttons to change the order of the RADIUS attributes as they are sent in the RADIUS Accept Message.
Step 9 Upon completion, click the Add RADIUS Client button.
Step 10 From the administration interface, select Devices > RADIUS Clients as shown in Figure 8-1.
Step 11 Click the Restart button to restart the RADIUS service to make the changes take effect.

Note NAC Guest Server supports only PAP in RADIUS Authentication.

Editing RADIUS Clients

Step 1 From the administration interface, select Devices > RADIUS Clients from the left hand menu.
Step 2 In the RADIUS Clients page as shown in Figure 8-3, select the RADIUS client you wish to edit from the list and click the underlined name of that client.


Figure 8-3 RADIUS Clients List

Step 3 In the Edit RADIUS Client page as shown in Figure 8-4, edit the IP Address of the RADIUS client.

Figure 8-4 Edit RADIUS Client

Step 4 Edit the shared secret used between the client and the Cisco NAC Guest Server in the Secret and Confirm fields.
Step 5 Make any desired changes to the Description.
Step 6 If you want the NAC Guest Server to send any additional RADIUS attributes upon successful authentication to the RADIUS Client, enter the attribute name and value in the Attribute and Value fields and click the Add button. You can enter as many attributes as you need. If you want to remove an attribute, select the attribute from the table and click the Remove button.


Step 7 Click Save Settings.
Step 8 From the administration interface, select Devices > RADIUS Clients from the left hand menu as shown in Figure 8-1.
Step 9 Click the Restart button to restart the RADIUS service to make the changes take effect.

Deleting RADIUS Clients

Step 1 From the administration interface, select Devices > RADIUS Clients from the left hand menu.

Figure 8-5 List RADIUS Clients

Step 2 In the RADIUS Clients page as shown in Figure 8-5, click the underlined name of the RADIUS client in the list to edit it.
Step 3 Click the bin icon to the right of the entry to delete it, and confirm the action.
Step 4 From the administration interface, select Devices > RADIUS Clients from the left hand menu as shown in Figure 8-1.
Step 5 Click the Restart button to restart the RADIUS service to make the changes take effect.

Note Every time you make a change to a RADIUS component, you need to restart the RADIUS service for the changes to become active.


CHAPTER 9

Guest Activity Logging

Guest Activity Logging provides the ability for the Cisco NAC Guest Server to receive syslog information from network devices such as Firewalls, Proxy Servers and Routers. This information can provide details on all the connections that a guest has made and Layer 7 information such as URLs accessed, depending on the network device. Guest Activity Logging relies on knowing the IP address for each guest as they authenticate to the network. The Cisco NAC Guest Server receives this information from RADIUS accounting, so you need to configure the network device that the user authenticates through to send this information. Commonly, this is the Wireless LAN Controller or Cisco NAC Appliance. Refer to the information in Chapter 8, “Configuring RADIUS Clients” for details on adding these devices as a RADIUS client.

Note Guest Activity Logging relies on correlating the syslog information with the IP Address received from RADIUS accounting. This means that it will not work if you use a deployment method where the guest’s IP address changes after authentication and no additional RADIUS accounting messages are sent.

Once the Cisco NAC Guest Server has the IP Address of each of the guests, then it needs to receive syslog information from the network devices. You should configure each of your network devices to send syslog to UDP port 514 on the Guest Server. The Guest Server then processes the syslog information and correlates it against each guest. This correlation enables you to view the guest’s activity on the guest activity log details page for each guest as described in Reporting on Guest Users, page 17-19. Guest Activity is correlated into individual files that are stored on the disk of the appliance. The appliance can store log files until less than 30% disk space remains; it then either deletes the oldest log files or archives the log files to an external FTP server as described in Configuring Syslog Monitoring Settings, page 9-1.

Note For the report to show the list of URLs visited by guest users, you need to enable HTTP traffic inspection on the NAD. This is not applicable for WLCs.
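The following Python is an added example, not code from this guide or from the Cisco product. It shows the correlation Guest Activity Logging performs: device syslog lines are matched, by source IP address and time, against the guest sessions learned from RADIUS accounting Start and Stop records. The syslog layout (an RFC 3164 style header followed by key=value pairs), the host names, addresses, guests and session windows are all constructed. The same IP address is deliberately reused by two guests in turn, and one line falls in the gap between their sessions: that line is exactly the case the Note above describes, traffic from an address that no accounting record currently covers, so it is reported as unattributed instead of being assigned to the wrong guest.

```python
"""Added example, not Cisco code: correlating device syslog against guest sessions
learned from RADIUS accounting, as Guest Activity Logging does. The log format,
hosts, addresses, guests and session windows below are constructed."""
import re
from datetime import datetime

# Constructed format: "<PRI>Mmm dd hh:mm:ss host key=value key=value ..."
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_syslog(line, year=2012):
    """Return {ts, host, fields} or None for a line that does not match the format."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "fields": dict(KV_RE.findall(m["msg"]))}

def session_for(ip, ts, sessions):
    """Find the guest session that owned `ip` at time `ts`.
    end=None means the session is still open (no accounting Stop received yet)."""
    for s in sessions:
        if s["ip"] == ip and s["start"] <= ts and (s["end"] is None or ts <= s["end"]):
            return s
    return None

def correlate(lines, sessions):
    """Group parsed events by guest; keep unattributed and unparsed lines visible."""
    by_guest, unattributed, unparsed = {}, [], 0
    for line in lines:
        event = parse_syslog(line)
        if event is None:
            unparsed += 1
            continue
        src = event["fields"].get("src")
        session = session_for(src, event["ts"], sessions) if src else None
        if session is None:
            unattributed.append(line)   # no guest held this IP at this time
            continue
        by_guest.setdefault(session["guest"], []).append(
            {"time": event["ts"].isoformat(), "host": event["host"],
             "dst": event["fields"].get("dst"), "url": event["fields"].get("url")})
    return by_guest, unattributed, unparsed

def demo():
    """Constructed sessions (from accounting Start/Stop) and constructed syslog lines.
    10.1.2.3 is held by guest01, released at 10:00, then reused by guest02 from 10:30."""
    def t(hhmm):
        return datetime(2012, 11, 1, int(hhmm[:2]), int(hhmm[2:]))
    sessions = [
        {"guest": "guest01", "ip": "10.1.2.3", "start": t("0900"), "end": t("1000")},
        {"guest": "guest02", "ip": "10.1.2.3", "start": t("1030"), "end": None},
        {"guest": "guest03", "ip": "10.1.2.9", "start": t("0900"), "end": None},
    ]
    lines = [
        "<134>Nov 01 09:15:02 fw1 action=allow src=10.1.2.3 dst=203.0.113.10 dport=443 url=https://example.com/",
        "<134>Nov 01 10:10:00 fw1 action=deny src=10.1.2.3 dst=198.51.100.5 dport=22",
        "<134>Nov 01 10:45:10 proxy1 action=allow src=10.1.2.3 dst=203.0.113.20 dport=80 url=http://example.org/",
        "<134>Nov 01 09:20:00 proxy1 action=allow src=10.1.2.9 dst=203.0.113.30 dport=80 url=http://example.net/",
        "not a syslog line",
    ]
    return correlate(lines, sessions)
```

Keeping the unattributed and unparsed counts in the result, rather than discarding those lines, is what lets an operator notice a device whose syslog format is not being parsed or a deployment in which guest addresses change after authentication.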

Configuring Syslog Monitoring Settings

Archiving of logs to an FTP server provides the ability to store logs for long periods of time, and also provides the ability to back them up. When viewing the logs through the sponsor interface, the NAC Guest Server automatically searches for logs on the archive server and displays them in the report for you.


Step 1 From the administration interface, select Devices > Syslog Monitoring from the left hand menu as shown in Figure 9-1.

Figure 9-1 Syslog Monitoring

Step 2 If you want to configure the NAC Guest Server to archive guest logs, check the Archive to FTP Server checkbox.
Step 3 In the Server field, enter the name or IP address of the FTP server.
Step 4 Enter the Port of the FTP server.
Step 5 Specify the Directory on the FTP server where you want the archive files to be stored.
Step 6 Enter the Username and Password for an account that has the ability to log in to the FTP server and has write permissions to the directory specified.
Step 7 By default, the FTP mode used is Active FTP. If you want to use Passive mode, check the Passive Mode checkbox.

Guest Activity Logging with Replication Enabled

If you have a pair of NAC Guest Servers replicating database information for resilience, then the guest activity logs are not replicated between each box. However, if you view the report in the Sponsor interface, the NAC Guest Server contacts the replication box and retrieves the logs from there. It then displays all logs in a consolidated view. This enables you to have some network devices send syslog to one NAC Guest Server and some to another, but then view all the results through a single interface. Each NAC Guest Server retrieves the logs from the other Guest Server in the replication pair securely over HTTPS. Each NAC Guest Server must trust the certificate of the other NAC Guest Server so that the retrieval can occur properly. To enable this, ensure that the root CA certificate for the other NAC Guest Server is uploaded as described in Uploading Certificate Files, page 3-14.


CHAPTER 10

Guest Account Notification

When a guest account is created, the details of the account need to be passed from the sponsor to the guest. The Cisco NAC Guest Server provides a number of ways to do this:
• Manually reading the details to the guest from the screen.
• Printing the details out on paper.
• Sending the details in an email.
• Sending the details as an SMS text message.
Sponsors always have the option of reading and printing out guest account details to guests. Email and SMS text message notification require email servers to be configured, but can be configured based upon policy.

Note Email and SMS guest account notification policies need to be configured globally, then enabled per user group for individual sponsor permissions.

This chapter describes the following:
• Configuring Email Notification
• Configuring SMS Notification
• Print Notification


Configuring Email Notification

The following steps describe how to configure email settings for the Cisco NAC Guest Server to correctly deliver guest account details via email.

Note Emails sent from Cisco NAC Guest Server v2.0.2 and later are encoded with the quoted-printable mime type.

Step 1 From the administration interface, select Devices > Email Settings from the left hand menu.

Figure 10-1 Email Settings

Step 2 In the Email Settings page as shown in Figure 10-1, check the Enable Email option to enable email functionality globally for the Cisco NAC Guest Server.
Step 3 For SMTP Server, type the IP address of the outbound SMTP server to which you need to deliver email. If you enter localhost, or leave this field empty, the Cisco NAC Guest Server attempts to deliver the email directly to the guest’s SMTP server.
Step 4 In the Sent From field, type the email address from which you want guest notification emails to be sent (for example, [email protected]).
Step 5 Click the Save Settings button.

Note Refer to Editing the Email Template, page 11-7 for additional details.


Configuring SMS Notification

Short Message Service (SMS) is delivered through an SMS gateway service that supports SMTP (Simple Mail Transport Protocol) delivery. You need to have an internal SMS gateway service or subscribe to an external service to be able to deliver guest details via SMS.

Step 1 From the administration interface, select Devices > SMS Settings from the left hand menu.

Figure 10-2 SMS Settings

Step 2 In the SMS Settings page as shown in Figure 10-2, check the Enable SMS checkbox to globally enable SMS on the Cisco NAC Guest Server.
Step 3 SMS requires an SMTP server to deliver the email to the SMS gateway. Go to Devices > Email Settings to configure the SMTP Server as described in Configuring Email Notification, page 10-2.
Step 4 In the Sent From field, type the sending email address for the email to be sent to the SMS gateway.
Step 5 Click Save.

Note Depending on how details are routed to the SMS provider, you need to customize the SMS portion of the User Interface template to include the guest’s mobile phone number in the correct format for your SMS gateway. See Editing the SMS Template, page 11-8 for details.


Print Notification

Print notification is configured as described in Editing the Print Template, page 11-5.


CHAPTER 11

Customizing the Application

This chapter describes the following:
• User Interface Templates
• Adding a User Interface Template
• Editing a User Interface Template
• Deleting a Template
• Setting the Default Interface Mapping
• Setting User Default Redirection

User Interface Templates

Cisco NAC Guest Server allows you to customize the sponsor user interface text and guest notification text using User Interface Templates. You can:
• Change the labels for the sponsor interface.
• Provide different instructions for guest users.
• Change the default Acceptable Use Policy.
• Create a translated template to provide the sponsor interface and guest instructions in another language altogether.

Cisco NAC Guest Server provides a default template (in English) that can be used as is without any further modification. If you want to change the default presentation for sponsors and guests, you can add one or multiple templates that you can store separately on the Guest Server and modify as desired. Typically, you create a customized template when you need to modify the account details and instructions that are provided to the guest, such as the Acceptable Usage Policy. Cisco NAC Guest Server provides Print, Email, and SMS templates that allow you to customize the information that is printed, emailed, or text messaged to guests. If you are customizing the interface for another language, create a new template for the language and edit all pages with the translated text.

Once your user interface template is configured, you need to set the default template mapping so that the Guest Server starts using the correct template. Once a sponsor has authenticated, the sponsor can choose a different template to use and save it under My Settings > Preferences > Language Template in the sponsor interface. This enables each sponsor to have the application displayed in a different template or language.


Note You can set the default user interface template globally for the Cisco NAC Guest Server sponsor and guest interfaces under User Interfaces > User Defaults.

Tip When customizing, it is a good idea to open the sponsor interface in a second browser for reference. This allows you to view how the configuration tabs map to the actual sponsor interface pages. You can bring up the sponsor interface by entering the Guest Server IP address without the “/admin” as the URL, for example, http:// or https://. The sponsor must logout and login again to view the changes.

Adding a User Interface Template

When you add a new template, it is automatically based on the default template to facilitate editing.

Step 1 From the administration interface, select User Interfaces > Templates from the left hand menu.
Step 2 On the User Interface Templates page as shown in Figure 11-1, click the Add Template button.

Figure 11-1 User Interface Templates

Step 3 In the Add New Template page as shown in Figure 11-2, type a Template Name. This can be any descriptive text to identify the template later from the User Interface Templates list as shown in Figure 11-1.


Figure 11-2 Add Template Page

Step 4 Click the Add Template button. The Edit User Interface Template page for the new template is displayed, initially with all details copied from the default template. If you only need to make small changes, this saves you from retyping all the entries.
Step 5 Modify these settings as desired, as described in Editing a User Interface Template, page 11-3.

Editing a User Interface Template

Tip When customizing, it is a good idea to open the sponsor interface in a second browser for reference. This allows you to view how the configuration tabs map to the actual sponsor interface pages. You can bring up the sponsor interface by entering the Guest Server IP address without the “/admin” as the URL, for example, http:// or https://. The sponsor must logout and login again to view the changes.

Step 1 From the administration interface, select User Interfaces > Templates from the left hand menu.


Figure 11-3 User Interface Templates

Step 2 From the User Interface Templates list as shown in Figure 11-3, click the underlined name of the template you wish to edit.
Step 3 The Edit Home Page for the template is displayed as shown in Figure 11-4.

Figure 11-4 Edit Template

Step 4 Click the menu tabs at the top of the page to select any of the sponsor page settings that you want to edit.
Step 5 Make any changes to the fields and click the Save Template button. Some example edits are described in the following sections:


• Editing the Print Template, page 11-5
• Editing the Email Template, page 11-7
• Editing the SMS Template, page 11-8
• Using Time Profiles, page 11-10

Note The Upload Logo feature allows you to upload an image with a maximum height of 75 pixels and a maximum width of 150 pixels. The image can be in .png, .jpg, or .gif format.

Editing the Print Template

The Print Template page contains the guest account details that the sponsor can bring up in a browser to print out for handing to the guest after the account is created. The page is configured in HTML and can be fully customized.

Tip Navigating to Account Management > Manage Accounts on the sponsor interface and clicking the Print button next to the guest account entry brings up the output of the Print Template for printing.

Step 1 Go to User Interfaces > Templates and click the underlined name of the template you wish to edit in the Templates list.
Step 2 Under Edit Home Page, click the Notification tab to bring up the Edit Notification Page as shown in Figure 11-5.
Step 3 From the Select Template for dropdown menu, choose Print Template and click the Show button.


Figure 11-5 Edit Notification Page—Print Template

Step 4 In the Page Body text field, edit the default HTML code for the web page. The Page Body contains all the HTML code that appears between the BODY tags on an HTML page. All HTML code outside these tags is used by the application.
Step 5 In the HTML code you can use the following special variables, which are replaced with the details from the created guest account.
• %USERNAME% = The Username created for the guest.
• %PASSWORD% = The Password created for the guest.
• %STARTTIME% = The time from which the guest account will be valid.
• %ENDTIME% = The time at which the guest account will expire.
• %FIRSTNAME% = The first name of the guest.
• %LASTNAME% = The last name of the guest.
• %TIMEZONE% = The timezone of the user.
• %MOBILENUMBER% = The mobile number of the guest.
• %OPTION1% = Optional field for editing.
• %OPTION2% = Optional field for editing.
• %OPTION3% = Optional field for editing.
• %OPTION4% = Optional field for editing.
• %OPTION5% = Optional field for editing.
• %MOBILENUMBER_ONLY% = Mobile phone number of guest without country code pre-pended.
• %COUNTRYCODE% = Country code of the mobile phone number.
• %DURATION% = Duration of time for which the account will be valid.
• %ALLOWEDWINDOW% = The time window during which the account can be used after first login.
• %TIMEPROFILE% = The name of the time profile assigned.
Step 6 Click the Save button to save your changes.

Editing the Email Template

The Email Template page contains the guest account details that the sponsor can email to the guest after creating the account.

Tip Navigating to Account Management > Manage Accounts on the sponsor interface and clicking the Email button next to the guest account entry brings up the output of the Email Template and also emails the guest.

Step 1 Go to User Interfaces > Templates and click the underlined name of the template you wish to edit in the Templates list. Step 2 Under Edit Home Page, click the Notification tab to bring up the Edit Notification Page as shown in Figure 11-6. Step 3 From the Select Template for dropdown menu, choose Email Template and click the Show button.

Figure 11-6 Edit Notification Page—Email Template


Step 4 Change the Email Subject as desired.
Step 5 In the Email Body text field, edit the default email text to be sent to the guest.
Step 6 In the Email Body you can use the following special variables, which are replaced with the details from the created guest account.
• %USERNAME% = The Username created for the guest.
• %PASSWORD% = The Password created for the guest.
• %STARTTIME% = The time from which the guest account will be valid.
• %ENDTIME% = The time at which the guest account will expire.
• %FIRSTNAME% = The first name of the guest.
• %LASTNAME% = The last name of the guest.
• %TIMEZONE% = The timezone of the user.
• %MOBILENUMBER% = The mobile number of the guest.
• %OPTION1% = Optional field for editing.
• %OPTION2% = Optional field for editing.
• %OPTION3% = Optional field for editing.
• %OPTION4% = Optional field for editing.
• %OPTION5% = Optional field for editing.
• %MOBILENUMBER_ONLY% = Mobile phone number of guest without country code pre-pended.
• %COUNTRYCODE% = Country code of the mobile phone number.
• %DURATION% = Duration of time for which the account will be valid.
• %ALLOWEDWINDOW% = The time window during which the account can be used after first login.
• %TIMEPROFILE% = The name of the time profile assigned.
Step 7 Click the Save button to save your changes.

Editing the SMS Template

The SMS Template page contains the guest account details that the sponsor can text message to the guest after creating the account. The contents of the text message can be fully customized.

Tip Navigating to Account Management > Manage Accounts on the sponsor interface and clicking the SMS button next to the guest account entry brings up the output of the SMS Template and also text messages the guest.

Step 1 Go to User Interfaces > Templates and click the underlined name of the template you wish to edit in the Templates list. Step 2 Under Edit Home Page, click the Notification tab to bring up the Edit Notification Page as shown in Figure 11-7. Step 3 From the Select Template for dropdown menu, choose SMS Template and click the Show button.


Figure 11-7 Edit Notification Page—SMS Template

Step 4 Change the SMS Subject as desired.
Step 5 Change the SMS Destination to be the email address of the SMS gateway that you use. To send the text message to the mobile phone number of the guest, use the variable %MOBILENUMBER%. The %MOBILENUMBER% variable is replaced by the mobile phone number of the guest, including country code, as entered by the sponsor. For example, if the country code selected is the UK (+44) and the guest’s phone number is 055 555-5555, then %MOBILENUMBER% will contain 44555555555.

Note The initial plus symbol (+) is not inserted and the initial 0, any spaces, or hyphens (-) are removed from the phone number. If you need (+) to be inserted, then enter +%MOBILENUMBER%.

Step 6 The SMS Body contains the SMS text to be sent to the guest. In the SMS Body you can use the following special variables, which are replaced with the details from the created guest account.
• %USERNAME% = The Username created for the guest.
• %PASSWORD% = The Password created for the guest.
• %STARTTIME% = The time from which the guest account will be valid.
• %ENDTIME% = The time at which the guest account will expire.
• %FIRSTNAME% = The first name of the guest.
• %LASTNAME% = The last name of the guest.
• %TIMEZONE% = The timezone of the user.
• %MOBILENUMBER% = The mobile number of the guest.
• %OPTION1% = Optional field for editing.
• %OPTION2% = Optional field for editing.
• %OPTION3% = Optional field for editing.
• %OPTION4% = Optional field for editing.
• %OPTION5% = Optional field for editing.
• %MOBILENUMBER_ONLY% = Mobile phone number of guest without country code pre-pended.
• %COUNTRYCODE% = Country code of the mobile phone number.
• %DURATION% = Duration of time for which the account will be valid.
• %ALLOWEDWINDOW% = The time window during which the account can be used after first login.
• %TIMEPROFILE% = The name of the time profile assigned.
Step 7 Click the Save Template button to save your changes.
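The following Python is an added example, not code from this guide or from the Cisco product. It implements the %VARIABLE% substitution that the Print, Email and SMS template sections above all rely on, together with the %MOBILENUMBER% rules stated for the SMS destination: the leading plus sign is not inserted, the initial 0 is dropped, and spaces and hyphens are removed, so +44 with 055 555-5555 yields 44555555555, while +%MOBILENUMBER% puts the plus back. The guest account, country code, gateway domain and template strings are constructed, and only a subset of the variables listed above is populated. Unknown tokens are left in place so that a mistyped variable name is visible in the rendered output. Because the Print template is HTML, the renderer escapes substituted values in that context, a precaution any template that places sponsor-typed text into a web page should take; the guide does not say how the product itself handles this.

```python
"""Added example, not Cisco code: %VARIABLE% substitution for the Print, Email and
SMS templates, plus the %MOBILENUMBER% normalization rules stated in the guide.
Guest details, country code, gateway domain and template text are constructed."""
import html
import re

VAR_RE = re.compile(r"%([A-Z0-9_]+)%")

def normalize_mobile(country_code, number):
    """Stated rules: no leading '+', drop the initial 0, remove spaces and hyphens.
    Returns (country_code_digits, local_digits)."""
    cc = country_code.lstrip("+")
    digits = re.sub(r"[\s-]", "", number)
    if digits.startswith("0"):
        digits = digits[1:]
    if not (cc.isdigit() and digits.isdigit()):
        raise ValueError("country code and number must be digits after normalization")
    return cc, digits

def account_variables(account):
    """Build the substitution map for one guest account (subset of the guide's list)."""
    cc, local = normalize_mobile(account["country_code"], account["mobile"])
    return {
        "USERNAME": account["username"],
        "PASSWORD": account["password"],
        "FIRSTNAME": account["first_name"],
        "LASTNAME": account["last_name"],
        "STARTTIME": account["start_time"],
        "ENDTIME": account["end_time"],
        "COUNTRYCODE": cc,
        "MOBILENUMBER_ONLY": local,
        "MOBILENUMBER": cc + local,
    }

def render(template, variables, html_context=False):
    """Replace %NAME% tokens; unknown tokens stay intact so a typo is visible.
    With html_context=True (the Print template) values are escaped so sponsor-typed
    text such as <b>Ann</b> renders as text rather than markup."""
    def sub(m):
        name = m.group(1)
        if name not in variables:
            return m.group(0)
        value = str(variables[name])
        return html.escape(value) if html_context else value
    return VAR_RE.sub(sub, template)

def demo():
    account = {  # constructed guest account as a sponsor might enter it
        "username": "guest01", "password": "Xy7!pq", "first_name": "Ann <b>",
        "last_name": "Lee", "start_time": "2012-11-01 09:00", "end_time": "2012-11-01 17:00",
        "country_code": "+44", "mobile": "055 555-5555",
    }
    variables = account_variables(account)
    return {
        "vars": variables,
        "sms_dest": render("%MOBILENUMBER%@sms-gateway.example", variables),
        "sms_dest_plus": render("+%MOBILENUMBER%", variables),
        "sms_body": render("User %USERNAME% pass %PASSWORD% valid until %ENDTIME% %NOSUCHVAR%", variables),
        "print_body": render("<p>Welcome %FIRSTNAME% %LASTNAME%, your login is %USERNAME%</p>",
                             variables, html_context=True),
    }
```

The SMS destination and body are rendered without escaping because they are plain text handed to an SMTP gateway; only the HTML Print template gets html.escape applied.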

Using Time Profiles

Account durations are another way the sponsor can specify how long they want the guest account to remain valid. By default, the sponsor must specify start dates, end dates and time from a dropdown menu and popup calendar. By defining preset account durations, you provide the sponsor with the ability to select the duration of time starting from when they click the button to create the account.

Step 1 Go to User Interfaces > Templates and click the underlined name of the template you wish to edit in the Templates list.
Step 2 Under Edit Home Page, click the Accounts tab to bring up the Edit Accounts Page as shown in Figure 11-7.
Step 3 From the Select Template for dropdown menu, choose Time Profiles and click the Show button as shown in Figure 11-8.

Figure 11-8 Edit Accounts Page—Time Profiles


Step 4 The Time Profiles you previously created are displayed. Enter the text for each template that you wish the sponsor to use.

Deleting a Template

Step 1 From the administration interface, select User Interface > Templates from the left hand menu.
Step 2 Select the template you want to delete from the User Interface Templates list and click the bin icon to the right of the template name field.
Step 3 Confirm deletion of the template.

Setting the Default Interface Mapping

Once you have created your template you need to make the template active. This is a global operation for the Cisco NAC Guest Server.

Step 1 From the administration interface, select User Interfaces > User Defaults to bring up the User Defaults page as shown in Figure 11-9.

Figure 11-9 Default User Interface Mapping

Step 2 Select the template from the Template dropdown menu under Default Interface Mapping. This becomes the template used for the sponsor and guest user interface.

Step 3 Click the Save Settings button.

Setting User Default Redirection

There are a number of options that each sponsor may want to customize for their environment to avoid making changes every time they log in to the sponsor interface. The items sponsors can change are the template (for another language), the time zone, and the telephone country code.


Sponsors can change these settings from their User Settings page once they are logged in. However, to make it easy for first time users of the application, you can choose to direct sponsors to their preference page on their first login to the system.

Step 1 From the administration interface, select User Interfaces > User Defaults from the left hand menu to bring up the User Defaults page as shown in Figure 11-10.

Figure 11-10 User Settings Page Redirection

Step 2 Check the Go to User Settings Page on first login checkbox under Settings if you want sponsors to be redirected to the User Settings page upon their first login to the system. If not, make sure to leave this option unchecked.

Step 3 Click the Save Settings button.


Chapter 12

Configuring Hotspots

Hotspots on the Cisco NAC Guest Server are used to allow administrators to create their own portal pages and host them on the Cisco NAC Guest Server. Hotspots created by administrators can be fully customized and used as the captive portal to provide the following:

• Customized authentication pages—Allow guest portal pages to be located on the Guest Server instead of on each captive portal device, providing a centralized location for configuration and display.
• Guest Self Service—Allows guests to self register by entering their details to create their own guest accounts.
• Credit Card Billing support—Enables administrators to allow guests to purchase guest accounts by linking into payment gateways to purchase accounts.

This chapter explains the following:

• Configuring Hotspot Sites
• Configuring Payment Providers
• Creating Hotspot Web Pages

Configuring Hotspot Sites

Administrators can add hotspots by uploading custom pages to the Cisco NAC Guest Server.

Adding Hotspot Sites

Step 1 From the administration interface, select Hotspot > Sites from the menu as shown in Figure 12-1.


Figure 12-1 Hotspot Sites

Step 2 Click the Add Site button and the Add New Site page is displayed as shown in Figure 12-2.

Figure 12-2 Add New Site

Step 3 In the Add New Site page, enter the Site Name and the Site Description into the fields provided and click the Create Site button.

Step 4 You are directed to the Files tab as shown in Figure 12-3. You can upload/download your files into the site you have created.


Figure 12-3 Sites Upload/Download Files

Step 5 You can find the location of the site on the Cisco NAC Guest Server in the Files tab. You must manually upload all your files to this directory on the Guest Server. To upload the files use an SCP or SFTP client and connect to the Guest Server with the root user account. Place all the web pages into the directory as specified.

Note If you have replication between two NAC Guest Servers, then the site files are not automatically replicated. You need to SFTP the files to both boxes.

Step 6 Once you have completed the above steps, click the Settings tab as shown in Figure 12-4.

Figure 12-4 Sites Settings

Step 7 From the Operation mode dropdown menu, you can select one of the following methods of operation:

• Payment Provider—This option allows your page to integrate with a payment provider's billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers, page 12-6 for details.) Select the relevant payment provider and proceed to Step 8.
• Self Service—This option allows guest self service. After selection, proceed to Step 8.
• Authentication—This option allows RADIUS authentication for guests. Proceed to Step 9.

Step 8 In the General Settings section, check or uncheck the boxes to determine whether to allow the following:

• Auto Login—Logs in to the account after the account is created.
• Display account details—Displays the account details after the account is created.


• Send account details by SMS—Sends the account details by SMS.
• Send account details by e-mail—Sends the account details by e-mail.

Leaving the boxes unchecked does not allow any of the above options.

Step 9 Click the Save Settings button once completed.

Step 10 If you selected Payment Provider or Self Service in Step 7, proceed to Step 11. Otherwise, you have completed the configuration of the site.

Step 11 Once you have completed the above steps, click the Access Plans tab as shown in Figure 12-5.

Figure 12-5 Access Plans

Step 12 Click the Add Access Plan button to add an access plan as shown in Figure 12-6, for your site, if you are using the Self Service or Payment Provider operation mode.

Figure 12-6 Adding an Access Plan

Step 13 Enter the relevant information in the following fields for your Access Plan:

• Name—Name of your access plan.
• Description—Description of your access plan.
• Time Profile—From the dropdown menu, select a predefined time profile, created as described in Configuring Time Profiles, page 6-10.

Note Start/End time profiles are not supported within hotspots.

• Price—Enter the Price of your access plan. This value is only used for Payment Provider Sites.


Step 14 Upon completion of the above steps, click the Create Access Plan button to finish.

Edit Existing Hotspot Site

You can edit any of your existing hotspots if needed.

Step 1 From the administration interface, select Hotspot > Sites as shown in Figure 12-7.

Figure 12-7 Editing Hotspots

Step 2 Select the site you want to edit from the list and click the username.

Step 3 You can find the location of the site on the Cisco NAC Guest Server in the Files tab. You must manually upload all of your files to this directory on the Guest Server. To upload the files, use an SCP or SFTP client and connect to the Guest Server with the root user account. Place all the web pages into the directory as specified.

Note If you have replication between two NAC Guest Servers, then site files are not automatically replicated. You need to SFTP the files to both boxes.

Step 4 Once you have completed the above steps, click the Settings tab.

Step 5 In the Operation Mode dropdown menu, you can select one of the following methods of operation:

• Payment Provider—This option allows your page to integrate with a payment provider's billing system. You need to select a predefined Payment Provider from the dropdown. Refer to Configuring Payment Providers, page 12-6 for more details.
• Self Service—This option allows guest self service.
• Authentication—This option allows RADIUS authentication for guests.

Step 6 In the General Settings section, check or uncheck the boxes to determine whether to allow the following:

• Auto Login—Logs in to the account automatically after the account has been created.
• Display account details—Displays the account details after the account has been created.
• Send account details by SMS—Sends the account details by SMS.
• Send account details by e-mail—Sends the account details by e-mail.

Leaving the boxes unchecked does not allow any of the above options.


Step 7 Click the Save Settings button once completed.

Step 8 If you selected Payment Provider or Self Service in Step 5, proceed to Step 9. Otherwise, you have completed the configuration of the site.

Step 9 Once you have completed the above steps, click the Access Plans tab.

Step 10 Enter the relevant information in the following fields for your Access Plan:

• Name—Name of your access plan.
• Description—Description of your access plan.
• Time Profile—From the dropdown menu, select a predefined time profile, created as described in Configuring Time Profiles, page 6-10.

Note Start/End time profiles are not supported within hotspots.

• Price—Enter the Price of your access plan. This value is only used for Payment Provider Sites.

Step 11 Upon completion of the above steps, click the Create Access Plan button to finish editing the hotspot.

Delete Existing Hotspot Site

You can delete an existing hotspot Site from the administration interface.

Step 1 From the administration interface, select Hotspots > Sites as shown in Figure 12-8.

Figure 12-8 Select Hotspot to Delete

Step 2 Select the site you want to delete from the list and click the bin icon next to the Description field.

Step 3 Confirm deletion of the user at the prompt.

Configuring Payment Providers

When using the Cisco NAC Guest Server to allow guests to purchase accounts using credit card billing, you need to add the details of the payment provider. The payment provider details are needed to allow your payment provider to perform credit card billing into your account.


Adding a Payment Provider

The Test Account for payment provider is https://developer.authorize.net/testaccount/.

Step 1 From the administration interface, select Hotspot > Payment Providers as shown in Figure 12-9.

Figure 12-9 Adding Payment Provider

Step 2 Click the Add Account button and enter the relevant details in the fields as shown in Figure 12-10.

Figure 12-10 Adding New Payment Provider

Step 3 Enter the details as follows:


• Account Name—Enter the name of the payment provider account.
• Account Description—Enter the description of the payment provider account.
• Payment Provider—Choose the relevant payment provider from the dropdown menu provided.
• API Login—Enter the API login for the payment provider account.
• Transaction Key—Enter the transaction key for the payment provider account.

Step 4 Once completed, click the Save Payment Provider button.

Editing Payment Provider

Step 1 From the administration interface, select Hotspot > Payment Providers as shown in Figure 12-11.

Figure 12-11 Editing Payment Providers

Step 2 Click the name of the payment provider you want to edit.

Step 3 Enter the details as follows:

• Account Name—Enter the name of the payment provider account.
• Account Description—Enter the description of the payment provider account.
• Payment Provider—Choose the relevant payment provider from the dropdown menu provided.
• API Login—Enter the API login for the payment provider account.
• Transaction Key—Enter the transaction key for the payment provider account.

Step 4 Once completed, click the Save Payment Provider button.


Creating Hotspot Web Pages

The Cisco NAC Guest Server allows you to create your hotspot using standard HTML. This allows you to customize the look and feel of the site. To integrate the HTML pages with the additional features for the website, you need to include some fixed code in your pages. This allows easy integration without any programming involved.

Note To view all variables that can be used in the following examples, see The ngsOptions Configuration Object, page 12-29.

Note You can use only a single component per web page. If you need multiple components such as Self Service component and Login component, they need to be used on individual pages.

Integrating with Wireless LAN Controller

To integrate the Hotspot feature with a Wireless LAN Controller (WLC), ensure that the WLAN is set up as follows:

• Layer 3 Security — Web Authentication
• Pre-Authentication ACL — This field must be configured for Cisco WLC 5500 series devices running firmware version 7.0 and later, in order to permit traffic from the clients to the Guest Server and traffic from the Guest Server back to the clients. For older WLC versions, this field can be left "None."
• Over-ride Global Config — Enable (checked)
• Web Auth type — External (re-direct to external server)
• URL — https:/// (For example: https://192.168.137.20/sites/auth/login.html)

Integrating with Switch

To use the hotspot integrated with a switch, the switch should be configured to redirect to the hotspot HTML pages. Set the configuration parameters as follows:

Note Switch integration is supported only from NAC Guest Server version 2.0.2 and later.

Router(config)# ip admission proxy http login page file flash:login.html
Router(config)# ip admission proxy http success page file flash:success.html
Router(config)# ip admission proxy http fail page file flash:failed.html
Router(config)# ip admission proxy http login expired page file flash:expired.html

Before you set up the configuration parameters, upload the files named in the above commands to the switch. You can find samples of these files in the directory /guest/sites/samples/switch_includes/.

Note Samples are available only from NAC Guest Server version 2.0.2 and later.


You can edit the sample files to suit your needs. The ‘login.html’ file is the one that triggers the initial redirect to the Cisco NAC Guest Server hotspot, and it is the file that must be changed.

Authentication Proxy Login Page

Redirecting ... continue here

There are several references to https://:8443/sites// in the above example. After replacing these placeholders with the correct values, the line should contain the URL for the hotspot page to which you want to redirect the guest user. For example, the URL may look like: https://192.168.137.20:8443/sites/auth/login.html.

Creating a Login Page (WLC)

You can create a Login page by using the following steps. In this example, a site named ‘hotspot’ is used.

Step 1 Start with a blank HTML page as follows:

Step 2 To add the Login widget to a page, add the following script:


Step 3 Save the file as ‘wlc_login.html’ and copy the file to the NAC Guest Server. You can find the right directory from the administration interface: select the site name and click the Files tab as shown in Figure 12-12. Where the widget is rendered on the page depends on where the ngs_wlc_login.js script is included in the HTML.

Figure 12-12 Directory Location

Browse to https:///sites/hotspot/wlc_login.html. A simple Login Form is displayed as shown in Figure 12-13.

Figure 12-13 Simple Login Form

Creating a Login Page (Switch)

You can create a Login page by using the following steps. In this example, a site named ‘hotspot’ is used:

Step 1 Start with a blank HTML page as follows:

Step 2 To add the Login widget to a page, add the following script:


Step 3 Save the file as ‘switch_login.html’ and copy the file to the NAC Guest Server. You can find the right directory from the administration interface: select the site name and click the Files tab as shown in Figure 12-12. Where the widget is rendered on the page depends on where the ngs_switch_login.js script is included in the HTML.

Note The parameter "ngsOptions.actionUrl" is mandatory. It defines whether the widget should use HTTP or HTTPS and where to submit the credentials. To avoid problems with clients using Internet Explorer this parameter should point to an address that is not used but is resolvable.

Browse to https:///sites/hotspot/switch_login.html. A simple Login Form is displayed as shown in Figure 12-13.

Adding Realms Support (Switch)

The switch widgets support Realms. Set the following options to use the realms:

• ngsOptions.realm — Set this option to the realm to be used by the hotspot.
• ngsOptions.realmSeparator — This option defines the character to be used as a separator between realm and username.

If you want to use the realm hotspot for guests authenticating through the hotspot, set the source code for the ‘switch_login.html’ page as follows:

For example if a user enters "username", the widget sends "REALM\username" to the switch so that it is proxied by an upstream RADIUS server.


Note In the above example, ngsOptions.separator has been set to "\\". The backslash (\) is a special character in JavaScript, so you must write a double backslash (\\) to get a single backslash (\) as the separator. If you use the “@” character as the separator, the setting should be given as ngsOptions.separator = "@".
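The following is an added illustration, not the Guest Server's own ngs_switch_login.js: it shows how a login widget would combine the realm, the separator and the typed username into the credential the switch receives, and why the separator must be written as "\\" in the page source. The option names come from this guide; the function name applyRealm and its handling of an empty realm and of a username that already carries the realm are assumptions for this example.

```javascript
// Constructed configuration mirroring the options described in the guide.
// "\\" in JavaScript source is ONE backslash; writing "\" alone would
// escape the closing quote and break the script.
const ngsOptions = {
  realm: "hotspot",
  realmSeparator: "\\",
};

// Returns the username in the form the guide describes, REALM<sep>username.
// Edge cases below are assumed behaviour for this example, not documented
// behaviour of the real widget:
//  - no realm configured: the username is passed through unchanged
//  - the user already typed "realm<sep>": it is not prefixed a second time
//  - a separator that is not exactly one character is rejected, which is
//    what a mis-escaped backslash typically looks like at runtime
function applyRealm(username, opts) {
  const sep = opts.realmSeparator;
  if (typeof sep !== "string" || sep.length !== 1) {
    throw new Error("realmSeparator must be exactly one character");
  }
  const user = String(username).trim();
  if (!opts.realm) {
    return user;
  }
  const prefix = opts.realm + sep;
  if (user.toLowerCase().startsWith(prefix.toLowerCase())) {
    return user;
  }
  return prefix + user;
}

// Usage: a guest types "username" and the switch receives "hotspot\username".
const credential = applyRealm("username", ngsOptions);
console.log(credential, credential.length); // hotspot\username 16
```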

Customizing the Login Page

You can customize the look of the Login widget by using the CSS. You can either add the CSS to the login.html page using the