Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 5 Configuring User Login Page and Guest Access
User Login Page
Caution: A login page must be added and present in the system in order for both web login and Agent users to
authenticate. If a default login page is not present, Agent users will see an error dialog when attempting
to log in (“Clean Access Server is not properly configured, please report to your administrator.”). To quickly
add a default login page, see Add Default Login Page, page 5-3.
Cisco NAC Appliance detects a number of client operating system types, including Windows,
Mac OS X, Linux, Solaris, Unix, Palm, Windows CE, and others. Cisco NAC Appliance determines the
OS the client is running from the OS identification in the HTTP GET request, the most reliable and
scalable method. When a user makes a web request from a detected operating system, such as Windows
XP, the CAS can respond with the page specifically adapted for the target OS.
When customizing the login page, you can use several styles:
• Frame-based login page (in which the login fields appear in a left-hand frame). This allows logos,
files, or URLs to be referenced in the right frame of the page.
• Frameless login page (shown in Figure 5-6)
• Small screen frameless login page. The small page works well with Palm and Windows CE devices.
The dimensions of the page are about 300 by 430 pixels.
Additionally, you can customize images, text, colors, and most other properties of the page.
This section describes how to add and customize the login page for all Clean Access Servers using the
global forms of the Clean Access Manager. To override the global settings and customize a login page
for a particular Clean Access Server, use the local configuration pages found under
Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Login Page. For further details,
see the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x).
Unauthenticated Role Traffic Policies
If a login page is customized to reference an external URL or server resource, a traffic policy must be
created for the Unauthenticated role to allow users HTTP access to that URL or server. For details on
configuring traffic policies for user roles, see Chapter 8, “User Management: Traffic Control,
Bandwidth, Schedule.”
Note: If Unauthenticated role policies are not configured to allow access to the elements referenced by the
login page, or if a referenced web page becomes unavailable for some reason, you may see errors such
as the login page continuing to redirect to itself after login credentials are submitted.
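The check below is an added example, not part of the Cisco guide or of the product: it lists the external hosts and ports a customized login page references so they can be compared with the traffic policies allowed for the Unauthenticated role. The sample page, the hostnames, and the hand-typed allowed set are constructed assumptions; nothing is read from the CAM or CAS, and HTTPS references are included as well as HTTP.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that carry a URL the client may fetch or follow from the page.
URL_ATTRS = {"src", "href", "action", "background"}


class RefCollector(HTMLParser):
    """Collect (host, port) for every absolute http/https URL in a page."""

    def __init__(self):
        super().__init__()
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            try:
                url = urlsplit(value.strip())
                port = url.port
            except ValueError:
                continue  # malformed URL or port: nothing a policy could match
            if url.scheme not in ("http", "https") or not url.hostname:
                continue  # relative URL: served by the CAS itself
            default = 443 if url.scheme == "https" else 80
            self.refs.add((url.hostname, port or default))


def missing_policies(login_html, cas_host, allowed):
    """Return external (host, port) references that `allowed` does not cover."""
    collector = RefCollector()
    collector.feed(login_html)
    external = {r for r in collector.refs if r[0] != cas_host.lower()}
    return sorted(external - set(allowed))


# Constructed sample: frame-based page with an external right frame and logo.
SAMPLE_PAGE = """
<link rel="stylesheet" href="/style.css">
<frameset cols="30%,70%">
  <frame src="/login-fields.html">
  <frame src="http://intranet.example.edu/welcome.html">
</frameset>
<img src="https://static.example.edu/logo.png">
<a href="http://helpdesk.example.edu:8080/faq">Help</a>
"""
SAMPLE_ALLOWED = {("intranet.example.edu", 80)}  # constructed policy list

for host, port in missing_policies(SAMPLE_PAGE, "cas.example.edu", SAMPLE_ALLOWED):
    print(f"no Unauthenticated-role policy for {host}:{port}")
```

Every entry it reports is a reference that unauthenticated users cannot reach until a matching policy exists, which is the condition the note above associates with the login page redirecting to itself.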
Proxy Settings
By default, the Clean Access Server redirects client traffic on ports 80 and 443 to the login page. If users
on your untrusted network are required to use a proxy server and/or different ports, you can configure
the CAS with corresponding proxy server information in order to appropriately redirect HTTP/HTTPS
client traffic to the login page (for unauthenticated users) or HTTP/HTTPS/FTP traffic to allowed hosts
(for quarantine or Temporary role users). You can specify:
• Proxy server ports only (for example, 8080, 8000)—this is useful in environments where users may
go through a proxy server but not know its IP address (for example, at a university).