Cisco NAC Guest Server Installation and Configuration Guide
Release 1.1.0
March 2008

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
About This Guide
March 5, 2008, OL-15986-01

This preface includes the following sections:
• Audience
• Purpose
• Document Conventions
• Product Documentation
• Obtaining Documentation and Submitting a Service Request

Audience
This guide is for network administrators who are implementing Cisco NAC Guest Server to provision guest access on their networks.
Item: Indicates web admin console modules, menus, tabs, links and submenu links.
Convention: Boldface font

Item: Indicates a menu item to be selected.
Convention: Administration > User Pages

Product Documentation
Table 1 lists documents that are available for Cisco NAC Guest Server on Cisco.com at the following URL: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.
CHAPTER 1
Welcome to Cisco NAC Guest Server

Introduction
The Cisco NAC Guest Server is a complete provisioning and reporting system that provides temporary network access for guests, visitors, contractors, consultants or customers. The Guest Server works alongside Cisco NAC Appliance or Cisco Wireless LAN Controller, which provide the captive portal and enforcement point for guest access.
Sponsor
The Sponsor is the person who creates the guest user account. This person is often an employee of the organization that provides the network access. Sponsors can be specific individuals with certain job roles, or can be any employee who can authenticate against a corporate directory such as Microsoft Active Directory (AD).
Figure 1-1 Shipping Box Contents
(Figure labels: Cisco NAC Guest Server, DB-9 serial null modem cable, RJ-45 cable (straight-through), AC power cord, documentation, rack mounting kit.)

Note: Because product software is preloaded onto the Cisco NAC Guest Server appliance, the shipping contents do not include a separate software installat
Additional Information
For late-breaking or additional details for this release, refer to the Release Notes for Cisco NAC Guest Server, Release 1.0.0. For the latest online updates to this guide, visit http://www.cisco.com/en/US/products/ps6128/products_installation_and_configuration_guides_list.html

See Product Documentation for a list of related documentation for Cisco NAC Guest Server.
CHAPTER 2
Installing Cisco NAC Guest Server

This chapter contains the following sections:
• Connecting the Cisco NAC Guest Server
• Command Line Configuration
• Re-Imaging the Appliance

Connecting the Cisco NAC Guest Server
The Cisco NAC Guest Server is based on the Cisco NAC Appliance 3310 (NAC-3310) hardware platform and comes preloaded with a default system image. When you receive the Guest Server, perform the initial configuration described in Command Line Configuration, page 2-3.
Figure 2-1 Cisco NAC Guest Server Front Panel
(Callouts: hard disk drive (HDD) bay; CD-ROM/DVD drive; UID (unit identification) button with LED indicator (blue); system health LED indicator (amber); activity/link status LED indicators for NIC 1 (eth0) and NIC 2 (eth1) (green); HDD activity LED indicator (green); power button with LED indicator (bicolor: green/amber).)

Figure 2-2
Note: The three LAN ports each have their own LED indicators for activity/link status and network speed.

Command Line Configuration
Only a minimal amount of command line configuration is needed on the Cisco NAC Guest Server appliance. It is needed to perform two tasks.
Figure 2-4 Choose eth0 Interface

Step 3 Select the eth0 interface from the list using the up and down arrow keys and press .
Step 4 You can now enter all the correct network settings for the appliance (Figure 2-5).
Figure 2-6 Quit the Utility

Step 6 At the command line, either reboot the appliance by typing reboot and pressing or follow the instructions to Change Root Password, page 2-5 before entering reboot.

Change Root Password
Note: You should change the root password from the default of cisco. Use a complex password for enhanced security.

Step 1 From the command line enter the command passwd and press .
Re-Imaging the Appliance
When the Cisco NAC Guest Server is shipped, the system image is already preloaded on the unit, so imaging is unnecessary. If you need to re-image the appliance to factory defaults, you can download the system image ISO from Cisco Secure Software Downloads on Cisco.com and burn this ISO file to a blank CD-ROM.
Note: If you press by mistake on a serial connection, the imaging process will still run, but there is no display until the appliance reboots at the end of the process.

Step 6 The system image automatically installs on the hard disk (Figure 2-8).

Figure 2-8

Step 7 When the install image is successfully transferred, the system reboots automatically (Figure 2-9).
Step 9 The appliance boots and runs the final setup of the image automatically. The imaging process is complete when the login screen displays (Figure 2-10).

Figure 2-10 Imaging Complete

Step 10 Log in as user root, and continue to the instructions in Command Line Configuration, page 2-3 to complete the installation.
CHAPTER 3
System Setup

Use the web interface to configure the appliance's network settings and other important system settings, such as the time and the SSL certificate. The Cisco NAC Guest Server is administered entirely using a web interface over either HTTP or HTTPS.
Obtain and Install Cisco NAC Guest Server License
Use the following steps to obtain and install your FlexLM product license files for Cisco NAC Guest Server.

Step 1 With FlexLM licensing, you will receive a Product Authorization Key (PAK) for each Guest Server that you purchase. The PAK is affixed as a sticky label on the Software License Claim Certificate card that is included in your package.
Figure 3-1 Guest Server License Form (example)

Step 7 Click Submit to install the license.

Access Cisco NAC Guest Server Administration Interface
Step 8 The Cisco NAC Guest Server Administration interface (Figure 3-2) displays. This is the administrator interface to the appliance.
Step 9 Log in as the admin user. The default user name/password is admin/admin.
Step 10 After the license is installed, the administrator interface is brought up in a web browser as follows:
• For HTTP access, open http:///admin
• For HTTPS access, open https:///admin

Note: Entering the Guest Server IP address without the "/admin" as the URL brings up the sponsor interface. See Chapter 4, "Configuring Sponsor Authentication" for details.
Figure 3-4 Network Settings

You can change the following Network Settings:
• Domain Name—Enter the domain name for your organization (e.g. cisco.
Figure 3-5 Date/Time Settings

Step 2 Select the correct Date and Time for the location of the Guest Server.
Step 3 Click the Set System Date and Time button to apply the time and date.
Step 4 Select the correct Timezone for the location of the Guest Server.
Step 5 Apply the settings by clicking the Set System Timezone button.

Note: If you change the time zone, this action automatically adjusts the date and time on the server.
SSL Certificate
Both sponsors and administrators can access the Cisco NAC Guest Server using either HTTP or HTTPS. For more secure access, Cisco recommends using HTTPS access.
Note: The Main SSL Settings page also provides the Restart Web Server button. You need to restart the Web Server component of the appliance when new certificates are generated or uploaded to the appliance. Clicking the Restart button makes the Guest Server use the new certificates.

Generating Temporary Certificates/CSRs/Private Key
Cisco NAC Guest Server ships with a default certificate installed.
Step 4 To use the new temporary certificate you must restart the web server process. Click the Main tab from the top of the screen, then click the Restart Web Server button (Figure 3-6).

Note: If you want the CSR, you can download it from the download page as described in Downloading Certificate Files, page 3-9.
Upload Certificate Files
The Cisco NAC Guest Server provides a method of importing/uploading certificate files to the appliance. The Upload SSL Certificate page is used to install a CA-signed certificate or to restore files previously backed up.

Note: The certificate files are not backed up as part of any backup process. You must manually back them up as described in Downloading Certificate Files, page 3-9.
Figure 3-10 Admin Accounts

Step 2 In the Admin Accounts page (Figure 3-10), click the Add User button.

Figure 3-11 Add Admin User

Step 3 In the Add Administrator page (Figure 3-11), enter all the admin user credentials.
• First Name—Type the first name of the admin user.
• Surname—Type the last name of the admin user.
Step 1 From the administration interface select Authentication > Administrators from the left hand menu.

Figure 3-12 Admin Users to Edit

Step 2 In the Admin Accounts page (Figure 3-12), select the user from the list and click the Edit User button.
Step 3 In the Edit Administrator page (Figure 3-13), edit the user credentials.
• If successfully changed, a success message displays at the top of the page and you can make additional changes to the same admin account.

Delete Existing Admin Account
You can remove existing admin accounts from the administration interface.

Step 1 From the administration interface select Authentication > Administrators from the left hand menu.
CHAPTER 4
Configuring Sponsor Authentication

Sponsors are the people who use Cisco NAC Guest Server to create guest accounts. Sponsor authentication is the method used to authenticate sponsor users on the Guest Server. There are four options available:
• Local User Authentication—Create sponsor accounts directly on the Cisco NAC Guest Server.
Figure 4-1 Local Users

Step 2 Click the Add User button to bring up the local sponsor configuration page (Figure 4-2).

Figure 4-2 Add Local User

Step 3 In the Add a Local User Account page, enter all the sponsor user credentials:
• First Name—Type the first name of the sponsor.
• Last Name—Type the last name of the sponsor.
• Username—Type the user name for the sponsor account.
• If successfully added, a success message displays at the top of the page and you can add additional user accounts.

Edit Existing User Account
You can modify the settings of local user accounts that are already created.

Step 1 From the administration interface select Authentication > Sponsors > Local User Database from the menu (Figure 4-3).
Note: Leaving the Password and Repeat Password fields empty keeps the existing password.

• Password—Change the password for the sponsor account.
• Repeat Password—Retype the changed password for the sponsor account.
• Groups—Select the group for the sponsor account from the dropdown. Chapter 5, "Configuring User Group Permissions" provides further details on groups.
Configuring Active Directory (AD) Authentication
Active Directory Authentication authenticates sponsor users to the Guest Server using their existing AD user accounts. This keeps sponsors from having to remember another set of user names and passwords just to authenticate to the Guest Server.
Add Active Directory Domain Controller
Step 1 From the administration interface select Authentication > Sponsors > Active Directory Servers from the menu (Figure 4-6).

Figure 4-6 Active Directory Authentication

Step 2 Click the Add DC button.
Step 3 In the Add Active Directory Domain Controller page, enter all the details for authenticating against a specific AD Domain Controller (Figure 4-7).
• Base DN—Type the Base Distinguished Name (DN) of the domain controller. This is the name of the root of the directory tree. It tells the Guest Server where to start when it performs group searches. An example of the base DN for the domain cca.cisco.com is DC=cca,DC=cisco,DC=com.
• AD Username—Type a username that has permissions to search the Active Directory using LDAP.
Figure 4-9 Edit DC Settings

Step 4 Modify settings as needed:
• User Account Suffix—Edit the User Account Suffix and include the leading @, for example: @cca.cisco.com. Every AD user has a full user logon name that appears as "username@domain." So that sponsors do not have to type their full user logon name, type the @domain part (including the @ symbol) in this field.
Delete Existing Domain Controller Entry
Step 1 From the administration interface, select Authentication > Sponsor > Active Directory Servers from the menu.
Step 2 Select the domain controller from the list (Figure 4-10).

Figure 4-10 Delete Domain Controller entries

Step 3 Click the Delete DC button.
Step 4 Confirm deletion of the Domain Controller at the prompt.
• Base DN—This is the Distinguished Name of the container object where an LDAP search to find the user begins, such as OU=Engineering,O=Cisco.
• User Search Filter—The User Search Filter defines how user entries are named in the LDAP server. For example, you can define them as uid (uid=%USERNAME%) or cn (cn=%USERNAME%).
• Group Mapping—There are two main methods that LDAP servers use for assigning users to groups:
1.
Add an LDAP Server
Step 1 From the administration interface select Authentication > Sponsors > LDAP Servers from the menu (Figure 4-11).

Figure 4-11 LDAP Authentication

Step 2 Click the Add LDAP button.
Step 3 In the Add LDAP Server page, enter all the details for authenticating against a specific LDAP server (Figure 4-12).
• LDAP Server Name—Type a text description of the LDAP Server Name. For example: Cisco LDAP - ldap.cisco.com.
• LDAP Server URL—Enter the URL for accessing the LDAP server, such as ldap://ldap.cisco.com or ldaps://ldap.cisco.com.
• Port—Enter the TCP port used to connect to the LDAP server. The common port for LDAP is 389.
• Version—The version of LDAP that the server supports (version 1, 2 or 3).
Figure 4-13 Select LDAP Server to Edit

Step 3 In the LDAP Server page (Figure 4-14), edit the details for authenticating against this LDAP server.

Figure 4-14 Edit LDAP Server Settings

Step 4 Modify settings as needed:
• LDAP Server URL—Enter the URL for accessing the LDAP server, such as ldap://ldap.cisco.com or ldaps://ldap.cisco.com.
• Port—Enter the TCP port used to connect to the LDAP server.
• User Search Filter—The User Search Filter defines how user entries are named in the LDAP server. For example, you can define them to be uid (uid=%USERNAME%) or cn (cn=%USERNAME%). The %USERNAME% should be placed where the username will be inserted in a search.
• Group Mapping—There are two main methods that LDAP servers use for assigning users to groups:
1. Storing the group membership in an attribute of the user object.
Figure 4-15 Delete LDAP Server entries

Step 3 Click the Delete LDAP button.
Step 4 Confirm deletion of the LDAP Server at the prompt.

If there are any errors, the LDAP Server is not changed and an error message displays at the top of the page. If successfully deleted, a success message displays at the top of the page and you can perform additional LDAP Server operations.
Add a RADIUS Server
Step 1 From the administration interface select Authentication > Sponsors > RADIUS Servers from the menu (Figure 4-16).

Figure 4-16 RADIUS Authentication

Step 2 Click the Add Radius button.
Step 3 In the Add RADIUS Server page, enter all the details for authenticating against a specific RADIUS server (Figure 4-17).
Edit an Existing RADIUS Server
Step 1 From the administration interface select Authentication > Sponsor > Radius Servers from the menu.
Step 2 Select the RADIUS server from the list and click the Edit Radius button (Figure 4-18).

Figure 4-18

Step 3 In the RADIUS Server Details page (Figure 4-19), edit the details for authenticating against this RADIUS server.
Step 5 Click the Save Settings button.

Delete an Existing RADIUS Server Entry
Step 1 From the administration interface select Authentication > Sponsor > Radius Servers from the menu.
Step 2 Select the RADIUS server from the list (Figure 4-20).

Figure 4-20 Delete RADIUS Server Entries

Step 3 Click the Delete Radius button.
Step 4 Confirm deletion of the RADIUS server at the prompt.
Figure 4-21 Authentication Order

The first server to be authenticated against is at the top of the list and the last at the bottom.

Step 2 Select the server that you want to re-order from the list and click either the move up or move down button. Perform this action with all the servers until they are in the correct order.
Step 3 To save the authentication order click the Change Order button.
CHAPTER 5
Configuring User Group Permissions

User groups are the means of assigning permissions to sponsors. You can set role-based permissions for sponsors to allow or restrict access to different functions, such as creating accounts, modifying accounts, generating reports, and sending account details to guests by email or SMS.
Figure 5-1 User Groups

Step 2 Click the Add Group button to add a new user group.
Step 3 From the Add a New User Group page (Figure 5-2), enter the name for a new user group.

Figure 5-2

Step 4 Click the Add Group button to add a user group. You can now edit the settings for the new user group (Figure 5-3).
• Allow Login—Select Yes to allow sponsors in this group to access the Cisco NAC Guest Server. Otherwise, select No.
• Create Account—Select Yes to allow sponsors to create guest accounts. Select No otherwise.
• Create Bulk Accounts—Select Yes to allow sponsors to be able to create multiple accounts at a time by pasting in the details. Otherwise, select No.
– Template Options—You can specify a list of preset durations that the sponsor can use when creating accounts, such as 1 hour, 1 day, or 3 days. If this is selected the template options are shown on the Create Guest page. The maximum template option cannot be greater than the value specified in the maximum duration.

Step 6 Click the Save Group button to add the group with the permissions specified.
Figure 5-5 Edit User Group

Step 4 Edit Permissions for the User Group as follows:
• Allow Login—Select Yes to allow sponsors in this group to access the Cisco NAC Guest Server. Otherwise, select No.
• Create Account—Select Yes to allow sponsors to create guest accounts. Otherwise, select No.
• Create Bulk Accounts—Select Yes to allow sponsors to be able to create multiple accounts at a time by pasting in the details.
• Active Accounts—Choose one of the following permissions for viewing reporting details for active accounts:
– No—Sponsors are not allowed to view reporting details on any accounts.
– Own Account—Sponsors are allowed to view reporting details for only the accounts they created.
– All Accounts—Sponsors are allowed to view reporting details on any active guest accounts.
Figure 5-6 List Groups to Delete

Step 2 Select the group you wish to delete and click the Delete Group button (Figure 5-6).
Step 3 Confirm deletion at the prompt.

Note: If any Local Users are part of this group, you must delete the user before deleting the user group. Alternatively, you can move Local Users to another group to "empty" it before deleting the user group.
Mapping to Active Directory Groups
If a sponsor authenticates to the Cisco NAC Guest Server using Active Directory authentication, then the Cisco NAC Guest Server can map them into a user group by their membership in Active Directory groups.
1. Storing the group membership in an attribute of the user object. With this method the user object has one or more attributes that list the groups that the user is a member of. If your LDAP server uses this method of storing group membership then you need to enter the name of the attribute which holds the groups the user is a member of.
2. Storing the user membership in an attribute of the group object.
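The two group-mapping methods above, together with the %USERNAME% User Search Filter described for LDAP servers, worked through over a small constructed directory. This is an added example, not Guest Server code; the attribute names memberOf and member, the group DNs, and the RFC 4515 escaping of the username are assumptions.

```python
# Constructed sample directory: DN -> attributes. In this sample only
# "sponsors" maintains the user-side attribute, so the two methods disagree.
DIRECTORY = {
    "uid=jsmith,OU=Engineering,O=Cisco": {
        "uid": ["jsmith"],
        "memberOf": ["cn=sponsors,OU=Groups,O=Cisco"],
    },
    "uid=adoe,OU=Engineering,O=Cisco": {"uid": ["adoe"]},
    "cn=sponsors,OU=Groups,O=Cisco": {
        "cn": ["sponsors"],
        "member": ["uid=jsmith,OU=Engineering,O=Cisco"],
    },
    "cn=helpdesk,OU=Groups,O=Cisco": {
        "cn": ["helpdesk"],
        "member": ["UID=jsmith,OU=Engineering,O=Cisco",
                   "uid=adoe,OU=Engineering,O=Cisco"],
    },
}

PLACEHOLDER = "%USERNAME%"

# RFC 4515: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28",
                   ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Make a login name safe to place inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_user_filter(template, username):
    """Turn 'uid=%USERNAME%' plus a login name into a search filter string."""
    if PLACEHOLDER not in template:
        raise ValueError("User Search Filter must contain %USERNAME%")
    expanded = template.replace(PLACEHOLDER, escape_filter_value(username))
    return expanded if expanded.startswith("(") else f"({expanded})"


def find_user_dn(directory, template, username):
    """Equality-only stand-in for the LDAP search, run on the sample data."""
    attribute = template.strip("()").split("=", 1)[0].strip()
    wanted = username.lower()
    for dn, attrs in directory.items():
        if wanted in (value.lower() for value in attrs.get(attribute, [])):
            return dn
    return None


def groups_from_user_object(directory, user_dn, attribute):
    """Method 1: the user entry lists the groups it belongs to."""
    return sorted(directory[user_dn].get(attribute, []))


def groups_from_group_objects(directory, user_dn, attribute):
    """Method 2: each group entry lists its members; scan the groups."""
    wanted = user_dn.lower()  # DNs compare case-insensitively
    return sorted(
        dn for dn, attrs in directory.items()
        if any(member.lower() == wanted for member in attrs.get(attribute, []))
    )


if __name__ == "__main__":
    dn = find_user_dn(DIRECTORY, "uid=%USERNAME%", "jsmith")
    print(expand_user_filter("uid=%USERNAME%", "jsmith"), "->", dn)
    print("method 1:", groups_from_user_object(DIRECTORY, dn, "memberOf"))
    print("method 2:", groups_from_group_objects(DIRECTORY, dn, "member"))
```

Configuring the method the directory does not actually maintain returns an incomplete group list, which in turn changes which sponsor user group the login maps to.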
Mapping to RADIUS Groups
If a sponsor authenticates to the Cisco NAC Guest Server using RADIUS authentication, then the Cisco NAC Guest Server can map them into a user group by using information returned to the Cisco NAC Guest Server in the authentication request. The information must be placed into the class attribute on the RADIUS server.
CHAPTER 6
Configuring Guest Policies

Organizations commonly have policies in place for creating accounts for their internal users and systems, such as the format or length of the username and/or complexity of password. The Cisco NAC Guest Server allows you to configure guest username and password creation policies to match your organization's policy or to create a policy specific to guest accounts.
Step 2 Choose one of three options for creating the user name for the guest account.
• Username Policy 1 (email): Use the guest's email address as the username. If an overlapping account with the same email address exists, a random number is added to the end of the email address to make the username unique. Overlapping accounts are accounts that have the same email address and are valid for an overlapping period of time.
Figure 6-2 Password Policy

Step 2 In the Alphabetic Characters section, enter the characters to use in the password and the amount to include.
Step 3 In the Numeric Characters section, enter the numerals to use in the password and the amount to include.
Step 4 In the Other Characters section, enter the special characters to use in the password and the amount to include.
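A policy of this shape (a character set and a count for each of the three sections) can be checked for strength before it is deployed. The following is an added example, not the Guest Server's generator: it builds a password from such a policy with a cryptographic random source and computes the entropy the policy yields. The character sets and counts in GUEST_POLICY are constructed sample values.

```python
import math
import secrets
from typing import NamedTuple


class CharClass(NamedTuple):
    """One section of the password policy: which characters, and how many."""
    name: str
    chars: str
    count: int


# Constructed sample policy (not values taken from the guide).
GUEST_POLICY = [
    CharClass("alphabetic", "abcdefghjkmnpqrs", 4),
    CharClass("numeric", "23456789", 2),
    CharClass("other", "!$#%", 1),
]


def _validated(policy):
    """Deduplicate each set and reject policies that cannot be satisfied."""
    seen = set()
    cleaned = []
    for cls in policy:
        chars = "".join(dict.fromkeys(cls.chars))  # drop repeated characters
        if cls.count < 0:
            raise ValueError(f"{cls.name}: count must not be negative")
        if cls.count > 0 and not chars:
            raise ValueError(f"{cls.name}: count set but no characters given")
        if seen & set(chars):
            raise ValueError(f"{cls.name}: characters overlap another section")
        seen |= set(chars)
        cleaned.append(CharClass(cls.name, chars, cls.count))
    return cleaned


def generate_password(policy):
    """Pick the required number of characters per section, then shuffle."""
    cleaned = _validated(policy)
    picked = [secrets.choice(c.chars) for c in cleaned for _ in range(c.count)]
    # Shuffle with the OS random source so section order is not predictable.
    secrets.SystemRandom().shuffle(picked)
    return "".join(picked)


def entropy_bits(policy):
    """Entropy of generate_password(): every password that fits the policy is
    equally likely, so the bits are log2 of (number of ways to arrange the
    sections across positions) times (choices per character)."""
    cleaned = _validated(policy)
    arrangements = math.factorial(sum(c.count for c in cleaned))
    bits = 0.0
    for c in cleaned:
        arrangements //= math.factorial(c.count)
        if c.count:
            bits += c.count * math.log2(len(c.chars))
    return bits + math.log2(arrangements)


if __name__ == "__main__":
    print(generate_password(GUEST_POLICY))
    print(f"{entropy_bits(GUEST_POLICY):.2f} bits")
```

Fixed per-section counts cost entropy compared with drawing every position from the combined set, so short policies with small character sets are worth measuring this way.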
Figure 6-3 Guest Details Policy

Step 2 You can specify one of three settings for each requirement:
• Required—If a field is set to required, it is displayed on the create guest page and it is mandatory for the sponsor to complete.
• Optional—If a field is set to optional, it is displayed on the create guest page; however, the sponsor can choose not to complete the field.
CHAPTER 7
Integrating with Cisco NAC Appliance

This chapter describes the following:
• Adding Clean Access Manager Entries
• Editing Clean Access Manager Entries
• Deleting Clean Access Manager Entries
• Configuring the CAM for Reporting

Guest users commonly authenticate to networks via a captive portal through which they provide their authentication details using a web browser. Cisco NAC Appliance provides a secure guest user access portal which administrators can customize.
Step 1 From the Guest Server administration interface, select Devices > NAC Appliance from the left hand menu (Figure 7-1).

Figure 7-1 Cisco NAC Appliances

Step 2 Click the Add NAC button (Figure 7-2).

Figure 7-2 Add Clean Access Manager

Step 3 Enter the following settings in the NAC Appliance Details page (Figure 7-2):
• Name—Type a descriptive name for the Clean Access Manager.
Step 6 In the Clean Access Manager admin console, navigate to Monitoring > Event Logs and verify that the account nacguest_test was successfully created and then deleted.

Editing Clean Access Manager Entries
The following steps describe how to edit an existing entry for a Clean Access Manager.

Step 1 From the Guest Server administration interface, select Devices > NAC Appliance from the left hand menu (Figure 7-3).
• Hostname of Address—Type the DNS name or IP address for the CAM.
• Admin Username—Enter an admin username which has API permission to the CAM.
• Password—Type the password for the account.
• Repeat Password—Retype the password to ensure it matches correctly.
• Role—Type the name of the User Role on the CAM to which you will assign guest users.
Note: For detailed instructions on how to access and configure settings on the CAM, refer to the applicable Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide.

Adding a RADIUS Accounting Server
Step 1 Log into the CAM web console as an admin user with an appropriate password (default username/password is admin/cisco123).
Configure the CAM to Format RADIUS Accounting Data
The CAM can be configured to place many different attributes into the RADIUS accounting packets and the attributes themselves can be formatted in many different ways. You need to configure the CAM to send attribute information in a specific format so that the Cisco NAC Guest Server can understand it.
Figure 7-8 Edit User Name Attribute

Step 3 In the Edit User_Name attribute page (Figure 7-8), click the Reset Element button to remove the existing sample data format.
Step 4 Select User Name from the Add Data dropdown menu.
Step 5 Click the Add Data button.
Step 6 Click the Commit Changes button.
Step 7 The main Shared Events lists page reappears (Figure 7-9). Verify that the Data column lists "[User_Name]".
Figure 7-10 Add Calling Station Id Attribute

Step 9 In the New Shared Events attribute form (Figure 7-10), select Calling_Station_Id from the Send RADIUS Attributes dropdown menu.
Step 10 Click the Change Attribute button.
Step 11 Select User IP from the Add Data dropdown menu.
Step 12 Click the Add Data button.
Step 13 Click Commit Changes.
CHAPTER 8 Configuring RADIUS Clients

This chapter describes the following:
• Overview
• Adding RADIUS Clients
• Editing RADIUS Clients
• Deleting RADIUS Clients

Overview

Remote Authentication Dial In User Service (RADIUS) is an AAA (authentication, authorization and accounting) protocol. Cisco NAC Guest Server uses the RADIUS protocol to authenticate and audit guests who log in through RADIUS-capable network enforcement devices, such as Cisco Wireless LAN Controllers.
Note: Any time you make a change to a RADIUS component on the Cisco NAC Guest Server, you will need to Restart the RADIUS service for the changes to become active.

Adding RADIUS Clients

Step 1 From the administration interface select Devices > Radius Clients from the left hand menu.

Figure 8-1 RADIUS Clients

Step 2 In the Radius Clients page (Figure 8-1), click the Add Radius button to add a RADIUS client.
Step 5 Type a shared Secret for the RADIUS client. This must match the shared secret specified in the configuration of the RADIUS client.
Step 6 Retype the shared secret in the Confirm Secret field.
Step 7 Type a Description of the client and any other information needed.
Step 8 If you want the RADIUS client to send any additional attributes upon successful authentication, enter the attribute name and value and click the Add button.
Figure 8-4 Edit RADIUS Client

Step 3 In the Edit Radius Client page (Figure 8-4), edit the IP Address of the RADIUS client.
Step 4 Edit the shared secret used between the client and the Cisco NAC Guest Server in the Secret and Confirm Secret fields.
Step 5 Make any desired changes to the Description.
Figure 8-5 List RADIUS Clients

Step 2 In the Radius Clients page (Figure 8-5), select the RADIUS client from the list.
Step 3 Click the Delete Radius button and confirm the action.
Step 4 From the administration interface select Devices > Radius Clients (Figure 8-1) from the left hand menu.
Step 5 Click the Restart button to restart the RADIUS service to make the changes take effect.
CHAPTER 9 Guest Account Notification

When a guest account is created, the details of the account need to be passed from the sponsor to the guest. The Cisco NAC Guest Server provides a number of ways to do this:
• Manually reading the details to the guest from the screen
• Printing the details out on paper
• Sending the details in an email
• Sending the details as an SMS text message

Sponsors always have the option of reading and printing out guest account details to guests.
Configuring Email Notification

The following steps describe how to configure email settings for the Cisco NAC Guest Server to correctly deliver guest account details via email.

Step 1 From the administration interface, select Devices > Email Settings from the left hand menu.
Configuring SMS Notification

Short Message Service (SMS) is delivered through an SMS gateway service that supports SMTP (Simple Mail Transfer Protocol) delivery. You need to have an internal SMS gateway service or subscribe to an external service to be able to deliver guest details via SMS.

Step 1 From the administration interface select Devices > SMS Settings from the left hand menu.
CHAPTER 10 Customizing the Application

This chapter describes the following:
• User Interface Templates
• Adding a User Interface Template
• Editing a User Interface Template
• Deleting a Template
• Setting the Default Interface Mapping
• Setting User Default Redirection

User Interface Templates

Cisco NAC Guest Server allows you to customize the sponsor user interface text and guest notification text using User Interface Templates.
Adding a User Interface Template

When you add a new template, it is automatically based on the default template to facilitate editing.

Step 1 From the administration interface select User Interface > Templates from the left hand menu.
Step 1 From the administration interface select User Interface > Templates from the left hand menu.

Figure 10-3 User Interface Templates

Step 2 From the Current Templates list (Figure 10-3), select the template that you want to edit.
Step 3 Click the Edit Template button. The Edit User Interface page for the template displays (Figure 10-4).
Editing the Print Template

The Print Template page contains the guest account details that the sponsor can bring up in a browser to print out for handing to the guest after the account is created. The page is configured in HTML and can be fully customized.
Step 6 Click the Save Template button to save your changes.

Editing the Email Template

The Email Template page contains the guest account details that the sponsor can email to the guest after creating the account. The page is configured in HTML and can be fully customized.
Step 7 Click the Save Template button to save your changes.

Editing the SMS Template

The SMS Template page contains the guest account details that the sponsor can text message to the guest after creating the account. The contents of the text message can be fully customized.
Step 5 Step 6 The SMS Body contains the SMS text to be sent to the guest. In the SMS Body you can use the following special variables to replace them with the details from the created guest account.
Figure 10-9 Add Account Duration

Step 4 Enter a description that you want to appear in the sponsor interface, such as “1 Hour.”
Step 5 Select the desired duration from the drop down menu.
Step 6 Click the Add Duration Option button. You are taken back to the account durations list (Figure 10-8).
Step 7 If you want to edit or delete an account option, select the entry from the list and click the appropriate button.
Figure 10-10 Default User Interface Mapping

Step 2 Select the Template from the dropdown list. This will become the template used for the sponsor and guest user interface.
Step 3 Click the Set Template button.

Setting User Default Redirection

There are a number of options that each sponsor may want to customize for their environment so that they don’t need to make changes every time they log in to the sponsor interface.
CHAPTER 11 Backup and Restore

You should back up the Cisco NAC Guest Server on a regular basis so that in the event of a hardware failure you do not lose critical data. The Cisco NAC Guest Server backup process backs up the system setup, account database, and all audit records, enabling you to recover everything you need in the event of a failure.
Configuring Backup Settings

Step 1 From the administration home page select Server > Backup from the left hand menu (Figure 11-1).

Figure 11-1 Backup Settings

Taking a snapshot

You have the option of saving a point in time snapshot which will allow you to download a backup of the Cisco NAC Guest Server at this exact moment.

Step 1 To save a snapshot backup, click the Snapshot button at the bottom of the form (Figure 11-1).
Scheduling a Backup

You can schedule backups to occur every day, week, or month at 1:00 AM. Scheduled backups are stored in either the /guest/backups directory of the Cisco NAC Guest Server or on a remote FTP server.

Step 1 From the administration home page, select Server > Backup from the left hand menu (Figure 11-1).
Step 2 To perform local backups:
• Enter the Maximum number of backups that you want to keep.
Note: You can only restore a backup to the same version of Cisco NAC Guest Server software with which the backup was taken. If you need to determine which version was used to perform the backup, open the backup archive file directory and view the version.html in the backup archive.
CHAPTER 12 Replication and High Availability

To provide high availability, the Cisco NAC Guest Server solution can be configured so that a pair of units synchronize their databases between one another. This provides the ability for the solution to carry on working in the event of loss of connectivity or failure to a single unit. High availability is provided in an active/active scenario, where both Cisco NAC Guest Servers can service requests from sponsors or network devices at the same time.
Step 1 Create a backup of the Cisco NAC Guest Server before starting by following the Taking a snapshot instructions in Configuring Backup Settings, page 11-2.
Step 2 From the administration interface select Authentication > Replication Settings from the left hand menu (Figure 12-1).

Figure 12-1 Replication Settings

Step 3 Enter the Remote Guest Server address.
Configuring Provisioning

When the Cisco NAC Guest Server provisions accounts in other systems, such as the Clean Access Manager, only one of the Guest Servers should be performing the provisioning at any one time. One Cisco NAC Guest Server should be defined as the primary and the other as the secondary. The server set to primary will perform the provisioning by default.
Replication Status

At any moment in time you can check the replication status of the Cisco NAC Guest Servers. This is useful to make sure replication is happening as you want it to.

Step 1 From the administration interface select Authentication > Replication Settings from the left hand menu (Figure 12-3).

Figure 12-3 Replication Status

At the bottom of the page is the Replication Status.
Device Failure

If one of the Cisco NAC Guest Servers in a replication pair fails and needs to be replaced, you should set up replication with the working server and the data will be re-synchronized to the device.

Warning: Do not restore the failed unit from a backup. Restoring from a backup onto one unit in a replication pair will result in not having an exact replica of the data on both servers.

Step 1
Depending on the amount of activity that your Cisco NAC Guest Server performs, you need to make sure that there is enough bandwidth between the servers to enable synchronization to occur as rapidly as possible. You can test connectivity by creating a large number of accounts and watching how quickly the appliances synchronize by watching the status on the replication screen (Figure 12-3).
CHAPTER 13 Logging and Troubleshooting

This chapter describes the following:
• System Logging
• Log Files

System Logging

All actions within the Cisco NAC Guest Server are logged into the database. This enables you to see any action that occurred as part of the normal operating process of the application. To access the system log from the administration interface select Server > System Log from the left hand menu (Figure 13-1).
Log Files

The system records information in different log files depending on the application function:
• Downloading the log files
• Application Logging
• Email Logging
• RADIUS Logging
• CAM Update Logging
• Web Server Logging

Downloading the log files

Step 1 To download the files from the administration interface select Server > Support Logs from the left hand menu (Figure 13-2).
CAM Update Logging

The accounts on the Cisco NAC Appliance Clean Access Manager are created by a process that runs every minute on the Cisco NAC Guest Server. To troubleshoot issues, you need to view the camlog file.

Web Server Logging

The httpd daemon on the appliance runs the application web server. To troubleshoot issues, you need to view the error_log file.
CHAPTER 14 Licensing

The Cisco NAC Guest Server is licensed via a file associated with the MAC address of the appliance. The file can be obtained from cisco.com and instructions are included in the licensing pack. The Cisco NAC Guest Server only supports one license at a time, so any “additional” licenses you import automatically overwrite the previous license on the Guest Server.
CHAPTER 15 Sponsor Documentation

This chapter provides example user documentation for sponsor users who create guest accounts.
Figure 15-1 Authentication Screen

Step 2 In the Cisco Guest Server login page, enter your Username and Password and click the Login button (Figure 15-1). Use the login credentials specified by your network administrator.
Step 4 Step 5 In the default settings you can customize the settings for the following:
• Language Template—If your administrator has added additional templates, you can select the one that you want to use. This may include the application or guest printout/email/sms in a different language.
• Default Timezone—You can specify the default setting for the time zone where guest user accounts are created.
Creating Guest User Accounts

If you are assigned the appropriate permissions, you can create temporary guest user accounts.

Step 1 From the Main page, either click Create a Guest User Account or select User Accounts > Create from the left hand menu.
Step 2 The Create a Guest User Account page appears (Figure 15-4).
Figure 15-5 Guest User Created

Step 12 Step 13 Depending on your permissions, you can perform one or all of the following actions on the same page where the new account details are displayed:
• Print Account Details—Clicking the Print Account button lets you print the account details to your printer to hand to the guest. These details commonly include guest access instructions and usage policies.
Print Account Details

Step 1 Click the Print Account button.

Figure 15-6 Print Account Details

A new Printer window opens and you can print out the guest user details.

Email Account Details

Step 1 Click the Email Account button. The Cisco NAC Guest Server sends an email to the email address specified when you created the account.

Text Message Account Details (SMS)

Step 1 Click the Send SMS Message button.
Multiple Guest Accounts

The Cisco NAC Guest Server allows you to create multiple accounts at the same time. You can create multiple accounts by pasting the details into the interface, importing a Comma Separated Values (CSV) file, or by creating random accounts to be assigned to guest users (with the details recorded on paper) for input at a later time. The options that will be available to you are configured by your administrator.
Step 3 Enter the details in the text field as requested with a comma separating the values.
Step 4 Select the Account Start time, Account End time, and Timezone for the account.
Step 5 Click the Create Bulk Accounts button.

Creating Multiple Accounts from CSV File

Step 1 Select User Accounts > Multiple Accounts from the left hand menu (Figure 15-7).
Step 2 Select Import Accounts from File (Figure 15-9).
Figure 15-10 Create Random Accounts

Step 3 Enter the number of accounts that you want to generate.
Step 4 Specify the Account Start time, Account End time, and Timezone.
Step 5 Click the Submit button.

Printing/Email/SMS Multiple Accounts

When you have created accounts using one of the multiple account creation methods, the screen for the user details is slightly different from the one for a single user.
Figure 15-12 Print for random account creation

When creating accounts with preset details (by either importing text or creating a CSV file), you can print, email, or transmit via SMS the guest account details (Figure 15-11). When you create random accounts, however, you can only use the print option (Figure 15-12).
Figure 15-13 Multiple Account Groups

Step 3 Click the Edit button to edit the bulk accounts.

Finding Multiple Account Groups by username

This option allows you to find the batch of accounts by entering one username of the batch.

Step 1 Select User Accounts > Multiple Accounts from the left hand menu (Figure 15-7 on page 15-7).
Step 2 Enter a username that belongs to a batch of accounts in the username field and click the Submit button.
Editing Guest Accounts

If you create an account for a guest and you need to extend their account access, you can change the expiry date and time of the account.

Step 1 From the Main page, either click the link for Edit Guest User Account end time or select User Accounts > Edit from the left hand menu.
Figure 15-17 Suspend Accounts

Step 2 In the Suspend User Accounts page (Figure 15-17), you can view a list of the accounts that you are able to suspend.
Step 3 Click the Suspend button for the account you want to terminate. The account is removed from the list and the guest will not be able to log in anymore.
Figure 15-19 Full Reporting

Step 2 The Cisco NAC Guest Server Reporting page (Figure 15-19) initially displays the complete report for your user permissions. To shorten or filter the report, modify the dropdown menus at the top of the screen then click the Submit button.
APPENDIX A Open Source License Acknowledgements

Notices

The following notices pertain to this software license.

OpenSSL/Open SSL Project

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

License Issues

The OpenSSL toolkit stays under a dual license, i.e.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”.
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.