Home
Cisco Systems OL-15986-01 User's Manual
Contents
1. Item Convention Indicates command line output Screen font Indicates information you enter Boldface screen font Indicates variables for which you supply values Italic screen font I OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide gy About This Guide Item Convention submenu links Indicates web admin console modules menus tabs links and Boldface font Indicates a menu item to be selected Administration gt User Pages Product Documentation Table 1 lists documents are available for Cisco NAC Guest Server on Cisco com at the following URL pP http www cisco com en US products ps6128 tsd_products_support_series_home html Tip To access external URLs referenced in this document right click the link in Adobe Acrobat and select Open in Weblink in Browser Table 1 Document Title Cisco NAC Appliance Document Set Refer to This Document For Information On Release Notes for Cisco NAC Guest Server Release 1 1 0 Details on the latest Cisco NAC Guest Server release Cisco NAC Guest Server Installation and Configuration Guide this document Hardware information initial installation setup and configuration instructions for Cisco NAC Guest Server Cisco NAC Appliance Service Contract Licensing Support Information on service contract support licensing support and RMA support for Cisco NAC Applianc
2. Rack Mounting The Cisco NAC Guest Server occupies one rack unit 1U A rack mounting kit is included in the shipment For rack mounting information and instructions refer to the JU Rack Hardware Installation Instructions for HP Products document also included in the shipment Cisco NAC Guest Server Licensing You need to obtain and install a FlexLM product license for your Cisco NAC Guest Server via its web interface for your system to work See Accessing the Administration Interface page 3 1 for instructions on how to obtain and install license s for your system For additional details refer to Cisco NAC Appliance Service Contract Licensing Support Upgrading Firmware The Cisco NAC Guest Server is based on the Cisco NAC Appliance 3310 NAC 3310 hardware platform The Cisco NAC Guest Server appliance is subject to any system BIOS Firmware upgrades required for the server model on which it is based NAC 3310 is based on the HP ProLiant DL140 G3 and may require periodic firmware upgrades Note For further details refer to Supported Hardware and System Requirements for Cisco NAC Appliance Cisco Clean Access Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 EN Chapter1 Welcome to Cisco NAC Guest Server HZ Before You Start Additional Information For late breaking or additional details for this release refer to the Release Notes for Cisco NAC Guest Server Release 1 0 0 Fo
3. Default Login Page Home EJ 186782 mi Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 Chapter 15 Sponsor Documentation Step 4 Step 5 Connecting to the Guest Server Ml In the default settings you can customize the settings for the following Language Template If your administrator has added additional templates you can select the one that you want to use This may include the application or guest printout email sms in a different language Default Timezone You can specify the default setting for the time zone where guests user accounts are created You can override this at creation of the guest if you like Default Telephone Country Code Specify the default for the telephone country code This is used when sending the guest details by SMS or for recording the guests phone number Default Location The only option currently available is the Default Location Email Address Enter your email address here This is needed if you want to receive a copy of the guests account details by email Receive Email Confirmation Check this box if you would like the Cisco NAC Guest Server to send a copy of the guests account details by email when you create a guest account Default Login Page Select the page that you would like the Cisco NAC Guest Server to take you to immediately after you login Click the Submit button when you are happy with your default settings
4. Cisco NAC Guest Server Installation and Configuration Guide u cee Chapter4 Configuring Sponsor Authentication Configuring Sponsor Authentication Settings i Figure 4 21 Authentication Order Authentication Order Local Database CCA CISCO COM Cisco LDAP Server Cisco ACS Server TTT Change Order 186737 The first server to be authenticated against is at the top of the list and the last at the bottom Step2 Select the server that you want to re order from the list and click either the move up or move down button Perform this action with all the servers until they are in the correct order Step3 To save the authentication order click the Change Order button Sponsor Timeouts When a sponsor is logged in to the Cisco NAC Guest Server they should be logged out after a period of inactivity You can set the inactivity period through the sponsor settings page Step1 From the administration interface select Authentication gt Sponsor gt Settings from the menu Figure 4 22 Figure 4 22 Session Timeouts Settings Session Timeout 10 Minutes eem Save Settings J 186769 Step2 Enter the session timeout value in minutes When a sponsor has been inactive for this amount of time their session expire and the next action they perform takes them to the login page Step3 Click the Save Settings button to save the session timeout Cisco NAC Guest Server Installation and Configuration Gui
5. THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS AND ANY EXPRESSED OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by Tim Hudson tjh cryptsoft com Original SSLeay License Copyright 1995 1998 Eric Young eay cryptsoft com All rights reserved This package is an SSL implementation written by Eric Young eay cryptsoft com The implementation was written so as to conform with Netscapes SSL This library is free for commercial and non commercial use as long as the following conditions are adhered to The following conditions apply to all code found in this distribution be it the RC4 RSA lhash DES etc code not just the SSL code The SSL documentation included with this distribution is
6. Password The password for the user account that has permissions to search the LDAP server Confirm Password Repeat the password to make sure it matches amp Note If you do not want to change the password leaving both password entries empty preserves the existing password Status Select the status of the LDAP Server If it is set to Active the Guest Server will use it for authenticating sponsors If it is set to Disabled it will not be used Optionally click the Test Connection button to verify the settings are correct for the LDAP server The Test Connection will bind with the username and password specified to the LDAP server to verify that it can bind successfully Click the Save Settings button Delete an Existing LDAP Server Entry Step 1 Step 2 From the administration interface select Authentication gt Sponsor gt LDAP Servers from the menu Select the LDAP Server from the list Figure 4 15 Cisco NAC Guest Server Installation and Configuration Guide ana OL 15986 01 Chapter4 Configuring Sponsor Authentication Step 3 Step 4 Configuring RADIUS Authentication W Figure 4 15 Delete LDAP Server entries LDAP Servers Cisco LDAP Server Add LDAP Edit LDAP Delete LDAP 186754 Click the Delete LDAP button Confirm deletion of the LDAP Server at the prompt If there are any errors the LDAP Server is not changed and an error message displays at the top of the page
7. Ventilation holes 9 UID button with LED indicator blue 2 Thumbscrew for the top cover 10 Rear USB ports black Thumbscrews for the PCI riser board Video port blue 3 assembly 11 4 NIC 3 eth2 and NIC 4 eth3 PCI Express 12 Serial port 5 GbE LAN RJ 45 ports Intel 13 PS 2 keyboard port purple Standard height full length PCI Express 6 x16 PCI X riser board slot cover 14 PS 2 mouse port green Power supply cable socket 10 100 Mbps iLO LAN port for IPMI management RJ 45 NIC 1 eth0 and NIC 2 eth1 integrated GbE 8 ILAN RJ 45 ports Broadcom mi Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 Chapter 2 Installing Cisco NAC Guest Server Command Line Configuration W Note The three LAN ports each have their own LED indicators for activity link status and network speed Command Line Configuration A very minimal amount of command line configuration is needed on the Cisco NAC Guest Server appliance This is to perform two tasks Configure IP Address and Default Gateway page 2 3 so that the appliance can be accessed on the network Change Root Password page 2 5 on the appliance from the default Configure IP Address and Default Gatew ay To allow the appliance to be accessed on the network you need to configure the IP address and default gateway for the first interface on the appliance eth0 or NIC1 To configure these deta
8. If successfully deleted a success message displays at the top of the page and you can perform additional LDAP Server operations Configuring RADIUS Authentication RADIUS Authentication authenticates sponsor users to the Guest Server using their existing RADIUS user accounts This keeps sponsors from having to remember another set of user names and passwords just to authenticate to the Guest Server It also enables the administrator to quickly roll out Guest Access because there is no need to create and manage additional sponsor accounts RADIUS authentication allows you to do the following Adda RADIUS Server Edit an Existing RADIUS Server Delete an Existing RADIUS Server Entry RADIUS authentication supports authentication against multiple RADIUS servers you can A RADIUS server entry consists of multiple items RADIUS Server Name A text description to identify the LDAP Server Server IP Address This is the IP Address of the RADIUS Server Port The UDP port to contact the ldap server commonly either 1645 or 1812 Secret The shared secret used to secure communications between the RADIUS server and the Cisco NAC Guest Server OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter4 Configuring Sponsor Authentication WE Configuring RADIUS Authentication Adda RADIUS Server Step1 From the administration interface select Authentication gt Sponsors gt RADIUS Servers f
9. On successful login or after saving the default settings you will see the Welcome to the Cisco NAC Guest Server page Figure 15 3 Figure 15 3 Main Screen ulli Welcome to the Cisco NAC Guest Server cisco _ me What would you like to do Logout Create a Guest User Account User Accounts Create Multiple Accounts Edit Create Multiple Guest User Accounts Suspend e Edit Guest User Account end time Reporting e Suspend Guest User Accounts Active Accounts Full Reportin n A EEN View Active Guest User Accounts My Settings Preferences Password Report on Guest User accounts 186776 I OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide gy Chapter 15 Sponsor Documentation HI Creating Guest User Accounts Creating Guest User Accounts Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 Step 11 If you are assigned the appropriate permissions you can create temporary guest user accounts From the Main page either click Create a Guest User Account or select User Accounts gt Create from the left hand menu The Create a Guest User Account page appears Figure 15 4 Figure 15 4 Create a Guest User Account Enter the guest users details below and then click Add User First Name Last Name Company Email Address Mobile Phone Number 1 US PA Account Start Time 00 B 00 B Date 14 FP Sep F 2
10. covered by the same copyright terms except that the holder is Tim Hudson tjh cryptsoft com Copyright remains Eric Young s and as such any Copyright notices in the code are not to be removed If this package is used in a product Eric Young should be given attribution as the author of the parts of the library used This can be in the form of a textual message at program startup or in documentation online or textual provided with the package Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgement This product includes cryptographic software written by Eric Young eay cryptsoft com The word cryptographic can be left out if the routines from the library being used are not cryptography related 4 If you include any Windows specific code or a derivative thereof from the apps directory application code you must include an acknowledgement This product includes software written by Tim Hudson t
11. NAC Guest Server Installation and Configuration Guide cee Chapter7 Integrating with Cisco NAC Appliance Configuring the CAM for Reporting W AS Note For detailed instructions on how to access and configure settings on the CAM refer to the applicable Cisco NAC Appliance Clean Access Manager Installation and Configuration Guide Adding a RADIUS Accounting Server Step1 Log into the CAM web console as an admin user with an appropriate password default username password is admin cisco123 amp Note Any CAM admin user with Edit privileges can perform this configuration Step2 Navigate to User Management gt Auth Servers gt Accounting gt Server Config Figure 7 6 Configure RADIUS Accounting Server User Management gt Auth Servers Auth Servers Lookup Servers Mapping Rules Auth Test Accounting Login Event Logout Event Shared Events Enable RADIUS Accounting M Server Name 192 168 137 40 Server Port 1813 Timeout sec 10 Shared Seget _ Sseesenseses NAS Identifier NAS IP Address 192 168 137 4 Either a NAS Identifier or NAS IP Address must be specified NAS Port NAS Port Type Unspecified sy Enable Failover B Failover Peer IP Asterisks indicate required fields Update Reset Events to Factory Default 185318 Step3 Click the checkbox for Enable RADIUS Accounting and configure the following fields Server Name Type the IP address of the Cisco NA
12. add DC EditDC Delete DC Step3 Click the Delete DC button Step4 Confirm deletion of the Domain Controller at the prompt If there are any errors the DC is not changed and an error message displays at the top of the page If successfully deleted a success message displays at the top of the page and you can perform additional Domain Controller operations Configuring LDAP Authentication LDAP Authentication authenticates sponsor users to the Guest Server using their existing LDAP user accounts This keeps sponsors from having to remember another set of user names and passwords just to authenticate to the Guest Server It also enables the administrator to quickly roll out Guest Access because there is no need to create and manage additional sponsor accounts LDAP authentication allows you to do the following Add an LDAP Server Edit an Existing LDAP Server Delete an Existing LDAP Server Entry LDAP authentication supports authentication against multiple LDAP Servers An LDAP server entry consists of multiple items LDAP Server Name A text description to identify the LDAP Server LDAP Server URL This is the URL to access the LDAP server such as Idap Idap cisco com Port The TCP port used to contact the LDAP server such as port 389 Version The LDAP version to use version 1 2 or 3 Cisco NAC Guest Server Installation and Configuration Guide E E Chapter4 Configuring Sponsor Authentication WE C
13. appliances in the event of a failure e Publishing multiple URLs This allows each user to choose which server they would like to use The RADIUS interface on either Cisco NAC Guest Server can take requests at the same time Cisco recommends configuring one Cisco NAC Guest Server to be the primary for some RADIUS clients and the other Cisco NAC Guest Server to be the primary for the other RADIUS clients For failover the RADIUS clients can have secondary RADIUS servers defined as the other Cisco NAC Guest Server if they support configuration of two servers Cisco NAC Guest Server Installation and Configuration Guide Ea OL 15986 01 Chapter12 Replication and High Availability Deployment Considerations W Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 EEN Chapter 12 Replication and High Availability HI Deployment Considerations Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 CHAPTER Logging and Troubleshooting This chapter describes the following System Logging Log Files System Logging All actions within the Cisco NAC Guest Server are logged into the database This enables you to see any action that occurred as part of the normal operating process of the application To access the system log from the administration interface select Server gt System Log from the left hand menu Figure 13 1 Figure 13 1 System Log Actio
14. by username 15 11 Finding Multiple Account Groups on the Active Accounts Report Editing Guest Accounts 15 12 Suspending Guest Accounts 15 12 Viewing Active Accounts and Resending Details 15 13 Reporting on Guest Users 15 13 Open Source License Acknowledgements A 1 Notices A 1 OpenSSL Open SSL Project A 1 License Issues A 1 15 11 Contents OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide gy E Contents Cisco NAC Guest Server Installation and Configuration Guide xin OL 15986 01 Audience Purpose About This Guide March 5 2008 OL 15986 01 This preface includes the following sections Audience Purpose Document Conventions Product Documentation Obtaining Documentation and Submitting a Service Request This guide is for network administrators who are implementing Cisco NAC Guest Server to provision guest access on their networks Cisco NAC Guest Server works alongside Cisco NAC Appliance Cisco Unified Wireless Networks and other Cisco Network Enforcement devices to provide the captive portal and enforcement point for guest access The Cisco NAC Guest Server Installation and Configuration Guide describes how to install and configure the Cisco NAC Guest Server appliance It describes the simple initial installation of the appliance via CLI and the configuration and administration of the Guest Access Portal through the web based interface Document Conventions
15. cca DC cisco DC com AD Username Edit the username that has permissions to search the Active Directory using LDAP This allows the Guest Server find out details about users such as the list of groups to which they belong amp Note If you do not want to change the password leaving both password entries empty preserves the existing password AD Password Edit the password for that AD user account that has search permissions Confirm AD Password Retype the password to make sure it is correct Status Select the status of the Domain Controller If it is set to Active the Guest Server will use it for authenticating sponsors If it is set to Disabled it will not be used Step5 Optionally click the Test Connection button to verify the settings are correct for the domain controller The Test Connection will authenticate with the specified AD Username and Password to verify the settings Step6 Click the Save Settings button Cisco NAC Guest Server Installation and Configuration Guide Pas W OL 15986 01 Chapter4 Configuring Sponsor Authentication Configuring LDAP Authentication Hi Delete Existing Domain Controller Entry Step1 From the administration interface select Authentication gt Sponsor gt Active Directory Servers from the menu Step 2 Select the domain controller from the list Figure 4 10 Figure 4 10 Delete Domain Controller entries Active Directory Domain Controllers
16. click the Restart Radius button to buona apply them Step2 Inthe Radius Clients page Figure 8 3 select the RADIUS client from the list and click the Edit Radius button 185306 Cisco NAC Guest Server Installation and Configuration Guide EE EN Chapter8 Configuring RADIUS Clients HI Deleting RADIUS Clients Figure 8 4 Edit RADIUS Client Edit Radius Client Name Wireless LAN Controller IP Address 10 20 20 3 Secret Confirm Secret Description Wireless LAN Controller If you don t wish to change the Secret please keep the entry empty Attribute Add Value Move up Remove Move down Save Settings Reset Form 186745 Step3 In the Edit Radius Client page Figure 8 4 edit the IP Address of the RADIUS client Step4 Edit the shared secret used between the client and the Cisco NAC Guest Server in the Secret and Confirm Secret fields Step5 Make any desired changes to the Description Step6 Ifyou want the RADIUS client to send any additional attributes upon successful authentication enter the attribute name and value and click the Add button You can enter as many attributes as you need If you want to remove an attribute select the attribute from the table and click the Delete button Step7 Click Save Settings Step8 From the administration interface select Devices gt Radius Clients Figure 8 1 from the left hand menu Ste
17. controller Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 47 Chapter4 Configuring Sponsor Authentication HI Configuring Active Directory AD Authentication Figure 4 9 Edit DC Settings Edit Active Directory Domain Controller Server Name Cisco com User Account Suffix cisco com Domain Controller IP Address 1 1 1 1 Base DN DN cisco DN com AD Username administrator AD Password Confirm Password If you don t wish to change the password please keep the entry empty Save Settings Reset Form 185136 The User Account Suffix should start with such as yourdomain com Step4 Modify settings as needed User Account Suffix Edit the User Account Suffix and include the leading for example cca cisco com Every AD user has a full user logon name that appears as username domain To allow sponsors not to have to type their full user logon name type the domain part including the symbol in this field Domain Controller IP Address Edit the IP address for the domain controller This is the IP address of the DC against which the sponsor authenticates Base DN Edit the Base Distinguished Name DN of the domain controller This is the name of the root of the directory tree It is used so that when group searches are performed the Guest Server knows from where to start An example of the base DN for the domain cca cisco com is DC
18. entered into them These are described on the screen as Option through Option 5 If you want to use these fields Cisco recommends customizing the text that is shown to the sponsor by editing the templates as described in User Interface Templates page 10 1 Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 CHAPTER Integrating with Cisco NAC Appliance This chapter describes the following Adding Clean Access Manager Entries Editing Clean Access Manager Entries Deleting Clean Access Manager Entries Configuring the CAM for Reporting Guest users commonly authenticate to networks via a captive portal through which they provide their authentication details using a web browser Cisco NAC Appliance provides a secure guest user access portal which administrators can customize The Cisco NAC Guest Server integrates with the Clean Access Manager through the use of the Cisco NAC Appliance API This is an HTTPS based API that requires the Guest Server to communicate with the Clean Access Manager also known as the Clean Access Manager CAM Note Refer to the API Support section of the applicable Cisco NAC Appliance Clean Access Manager Installation and Configuration Guide for details on the Cisco NAC Appliance API The Cisco NAC Guest Server creates the guest user accounts on the CAM as Local User accounts assigned to a specific role that you define for guest users The Guest Server cr
19. gt Restart Sendmail After saving settings please click Restart to restart the mail component to apply eae the changes seme Step2 In the Email Settings page Figure 9 1 click Yes for the Enable Email option to enable email functionality globally for the Cisco NAC Guest Server 185297 Step3 For SMTP Server type the IP address of the outbound SMTP server to which you need to deliver email If you enter localhost or leave this field empty the Cisco NAC Guest Server attempts to deliver the email directly to the guest s SMTP server Step4 Inthe Sent From Email Address field type the email address from which you want guest notification emails to be sent for example host company com Step5 Click the Save Settings button Step6 Click the Restart button After any change to email settings you need to Restart the Sendmail service by clicking the Restart button so that the settings take effect Cisco NAC Guest Server Installation and Configuration Guide P32 Bs OL 15986 01 _ Chapter 9 Guest Account Notification Configuring SMS Notification W Configuring SMS Notification Short Message Service SMS is delivered through an SMS gateway service that supports SMTP Simple Mail Transport Protocol delivery You need to have an internal SMS gateway service or subscribe to an external service to be able to deliver guest details via SMS Step1 From the administration interface select Devices gt
20. the pieces of guest access The Guest Server links the sponsor creating the guest account the account details passed to the guest the guest authentication against the network enforcement device and the network enforcement device s verification of the guest with the Guest Server Additionally the Cisco NAC Guest Server consolidates accounting information from network enforcement devices to provide a single point of guest access reporting Before You Start This section describes the following Package Contents e Rack Mounting Cisco NAC Guest Server Licensing Upgrading Firmware Additional Information Package Contents Verify the contents of the packing box Figure 1 1 to ensure that you have received all items necessary to install your Cisco NAC Guest Server Save the packing material in case you need to repack the unit If any item is missing or damaged contact your Cisco representative or reseller for instructions Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 Chapter1 Welcome to Cisco NAC Guest Server Before You Start W Figure 1 1 Shipping Box Contents DB 9 serial null modem cable RJ 45 cable straight through Ce Documentation AC power cord Cisco NAC Guest Server 185434 Rack mounting kit amp Note Because product software is preloaded onto the Cisco NAC Guest Server appliance the shipping contents do not include a separate software installation CD
21. to System Setup page 3 1 to access and configure the admin console Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 25 Chapter 2 Installing Cisco NAC Guest Server W sRe Imaging the Appliance Re Imaging the Appliance A When the Cisco NAC Guest Server is shipped the system image already preloaded on the unit so imaging is unnecessary If you need to re image the appliance to factory defaults you can download the system image ISO from Cisco Secure Software Downloads on Cisco Com and burn this ISO file to a blank CD ROM Once you have the system image on a bootable CD you can perform the following steps to install the system image onto the appliance Refer to the Release Notes for Cisco NAC Guest Server Release 1 1 0 for additional details Caution Step 1 Step 2 Step 3 Step 4 Step 5 Imaging the appliance will delete all data on the appliance there will be no method of recovery of data from the Guest Server after imaging has been started Make sure to backup any data that you need before starting this process Insert the bootable CD into the CD ROM drive of the Cisco NAC Guest Server appliance Decide whether to perform the installation using a connected keyboard and monitor or over a serial console Connect either a keyboard and monitor to the back of the unit or attach a null modem cable to the serial port on the back of the appliance From the computer the serial cable is attac
22. type a Template Name This can be any descriptive text to identify the template later from the Current Templates list Figure 10 1 Step4 Click the Add Template button The Edit User Interface Template page for the new template displays initially with all details copied from the default template If you only need to make small changes this allows you not to have to retype all the entries Step5 Modify these settings as desired as described in Editing a User Interface Template page 10 2 next Editing a User Interface Template pP Tip When customizing it is a good idea to open the sponsor interface in a second browser for reference This allows you to view how the configuration tabs map to the actual sponsor interface pages You can bring up the sponsor interface by entering the Guest Server IP address without the admin as the URL for example http lt guest_server_ip_address gt or https lt guest_server_ip_address gt Cisco NAC Guest Server Installation and Configuration Guide P02 E OL 15986 01 Chapter 10 Customizing the Application Step 1 Step 2 Step 3 Step 4 Step 5 Editing a User Interface Template W From the administration interface select User Interface gt Templates from the left hand menu Figure 10 3 User Interface Templates User Interface Templates are used to customise the text of the sponsor interface You can add additional templates for additional languages Current Templat
23. 0 groups in response to a Cisco NAC Guest Server search If you have more than 1000 groups and have not increased the LDAP search size it is possible that the group you want to match will not appear In this situation you can manually enter the group name in the Active Directory Group combo box Mapping to LDAP Groups If a sponsor authenticates to the Cisco NAC Guest Server using LDAP authentication then the Cisco NAC Guest Server can map them into a user group by their membership of LDAP groups Based on the settings of the LDAP server that you authenticate against the Cisco NAC Guest Server will use one of two methods for mapping the sponsor using group information There are two main methods that LDAP servers use for assigning users to groups Cisco NAC Guest Server Installation and Configuration Guide a OL 15986 01 Chapter5 Configuring User Group Permissions Mapping to LDAP Groups W 1 Storing the group membership in an attribute of the user object With this method the user object has one or more attributes that list the groups that the user is a member of If your LDAP server uses this method of storing group membership then you need to enter the name of the attribute which holds the groups the user is a member of 2 Storing the user membership in an attribute of the group object With this method there is a group object that contains a list of the users who are members of the group If your LDAP
24. 007 je Account End Time 23 B t59 i Date 14 F Sep iy 2007 FA EH Timezone America Los_Angeles i Add User Reset Form 186324 Enter the First Name of your guest Enter the Last Name of your guest Enter the Company or organization of your guest Enter the Email Address of your guest From the Account Start Time and Account Start Date dropdown lists choose the time and date from which you want the account to be valid From the Account End Time and Account End Date dropdown lists choose the time and date you want the account to end Choose the Timezone relevant to the time and date If the Guest Server administrator as configured any additional required account attributes specify the appropriate information for those settings in this form For example the administrator may require the guest user s contact Mobile Phone Number Click the Add User button The account is created and the details are displayed at the top of the page Figure 15 5 Cisco NAC Guest Server Installation and Configuration Guide EI OL 15986 01 Chapter15 Sponsor Documentation Creating Guest User Accounts W Figure 15 5 Guest User Created Username email company com1 Password S9bZFAM6 Print Account Account Start 2008 02 18 00 00 00 Email Account Account End 2008 02 18 23 59 00 Send SMS Message CE Timezone America Los_Angeles Enter the guest users details below
25. 1 Editing User Groups 5 4 Deleting User Groups 5 6 Specifying the Order of User Groups 5 7 Mapping to Active Directory Groups 5 8 Mapping to LDAP Groups 5 8 Mapping to RADIUS Groups 5 10 CHAPTER 6 Configuring Guest Policies 6 1 Setting the Username Policy 6 1 Setting the Password Policy 6 2 Setting the Guest Details Policy 6 3 mi Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 CHAPTER 7 CHAPTER 8 CHAPTER 9 CHAPTER 10 CHAPTER 11 Integrating with Cisco NAC Appliance 7 1 Adding Clean Access Manager Entries 7 1 Editing Clean Access Manager Entries 7 3 Deleting Clean Access Manager Entries 7 4 Configuring the CAM for Reporting 7 4 Adding a RADIUS Accounting Server 7 5 Configure the CAM to Format RADIUS Accounting Data 7 6 Configuring RADIUS Clients 8 1 Overview 81 Adding RADIUS Clients 8 2 Editing RADIUS Clients 8 3 Deleting RADIUS Clients 8 4 GuestAccountNotification 9 1 Configuring Email Notification 9 2 Configuring SMS Notification 9 3 Customizing the Application 10 1 User Interface Templates 10 1 Adding a User Interface Template 10 2 Editing a User Interface Template 10 2 Editing the Print Template 10 4 Editing the Email Template 10 5 Editing the SMS Template 10 6 Using Account Durations 10 7 Deleting a Template 10 8 Setting the Default Interface Mapping 10 8 Setting User Default Redirection 10 9 Backup and Restore 11 1 Configuring Backup Settings 11 2
26. 1 Main F2 Options F3 General F4 Kernel F5 Rescue boot _ 186748 At the Initial Install Screen choose how to run the installation according to how you are connected to the appliance If directly connected using a keyboard and monitor type insta11 and press lt Enter gt If you using a serial connection type serial at the boot prompt then press lt Enter gt Cisco NAC Guest Server Installation and Configuration Guide cecal Chapter 2 Installing Cisco NAC Guest Server Re Imaging the Appliance i amp Note If you press lt Enter gt by mistake on a serial connection the imaging process will still run but there is no display until the appliance reboots at the end of the process Step6 The system image automatically installs on the hard disk Figure 2 8 Figure 2 8 Transfering Install Image Transferring install image to hard drive 185154 lt Tab gt lt Alt Tab gt between elements i lt Space gt selects li SPI2 next Screen Step7 When the install image is successfully transferred the system reboots automatically Figure 2 9 Figure 2 9 Appliance Reboots 185158 Croot localhost 1 reboot_ Step8 The CD ROM automatically ejects from the appliance amp Note Remove the CD and store it safely so that the appliance does not accidentally reboot from it at a later time Cisco NAC Guest Server Installation and Configuration Guide I OL 15986 01 E Chapte
27. 46 Note For additional details on evaluation licenses refer to Cisco NAC Appliance Service Contract Licensing Support This section describes the following Obtain and Install Cisco NAC Guest Server License e Access Cisco NAC Guest Server Administration Interface I OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter3 System Setup HI Accessing the Administration Interface Obtain and Install Cisco NAC Guest Server License Step 1 A Use the following steps to obtain and install your FlexLM product license files for Cisco NAC Guest Server With FlexLM licensing you will receive a Product Authorization Key PAK for each Guest Server that you purchase The PAK is affixed as a sticky label on the Software License Claim Certificate card that is included in your package Warning Step 2 A The PAK is NOT the Cisco NAC Guest Server license The PAK is used to obtain the Cisco NAC Guest Server license as described below Log in as a registered CCO user and fill out the Customer Registration form found at the PAK Cisco Technical Support site http www cisco com go license During customer registration submit each PAK you receive and the ethO MAC address of your Cisco NAC Guest Server Warning Step 3 Step 4 Step 5 Step 6 The eth0 MAC address entered for the Guest Server must be in UPPER CASE i e hexadecimal letters must be capitalized Do not enter
28. 555 5555 then 7 MOBILENUMBER will contain 44555555555 amp Note The initial plus symbol is not inserted and the initial 0 any spaces or hyphens are removed from the phone number If you need to be inserted then enter MOBILENUMBER Cisco NAC Guest Server Installation and Configuration Guide Ea OL 15986 01 Chapter 10 Customizing the Application Step 5 Step 6 Editing a User Interface Template W The SMS Body contains be the SMS text to be sent to the guest In the SMS Body you can use the following special variables to replace them with the details from the created guest account USERNAME The Username created for the guest PASSWORD The Password created for the guest STARTTIME The time from which the guest account will be valid ENDTIME The time the guest account will expire FIRSTNAME The first name of the guest LASTNAME The last name of the guest MOBILENUMBER The mobile number of the guest Click the Save Template button to save your changes Using Account Durations Step 1 Step 2 Step 3 Account durations are another way the sponsor can specify how long they want the guest account to remain valid By default the sponsor must specify start and end dates and times from a drop down box and popup calendar By defining preset account durations you provide the sponsor with the ability to simply select the length of time starting f
29. 8 18th Feb 2008 Edit 07 34 13 00 00 00 23 59 00 America Los_Angeles America Los_Angeles username 18th Feb 2008 1 18th Feb 2008 18th Feb 2008 Edit 07 34 40 00 00 00 23 59 00 America Los_Angeles America Los_Angeles username 18th Feb 2008 2 18th Feb 2008 18th Feb 2008 Edit 07 49 05 00 00 00 23 59 00 America Los_Angeles America Los_Angeles username 18th Feb 2008 5 18th Feb 2008 18th Feb 2008 edie iz 07 51 19 00 00 00 23 59 00 to America Los_Angeles America Los_Angeles bad Click the Edit button to edit the bulk accounts Finding Multiple Account Groups by username Step 1 Step 2 This option allows you to find the batch of accounts by entering one username of the batch Select User Accounts gt Multiple Accounts from the left hand menu Figure 15 7 on page 15 7 Enter a username that belongs to a batch of accounts in the username field and click the Submit button The batch of accounts that were created in the same operation as the username submitted will be shown if found Finding Multiple Account Groups on the Active Accounts Report Step 1 Step 2 This option allows you to jump to the batch of accounts from the Active Accounts Report Select Reports gt Active Accounts from the left hand menu Any user account that is part of a multiple account creation operation will have a Bulk Account link next to the username Click this link to jump to the rest of the accounts for editing Figure 15 14 Bulk Accou
30. AC Guest Server Installation and Configuration Guide OL 15986 01 EN Chapter3 System Setup E Configuring Netw ork Settings Step10 After the license is installed the administrator interface is brought up in web browser as follows For HTTP access open http lt guest_server_ip_address gt admin For HTTPS access open https lt guest_server_ip_address gt admin Note Entering the Guest Server IP address without the admin as the URL brings up the sponsor interface See Chapter 4 Configuring Sponsor Authentication for details Configuring Netw ork Settings Configure remaining network settings before performing any other operation This minimizes the need to restart the appliance later on Step1 From the administration home page select Server gt Network Settings from the left hand menu Figure 3 3 Figure 3 3 Administration Home Page ahali Cisco NAC Guest Server Administration cisco Main s What would you like to do Home Summary iaiia Add Edit Local User Accounts Authentication P cu Sponsors Add Edit Administrator Accounts Administrators User Groups Configure Active Directory Authentication ennet Coll Configure NAC Appliance Settings Password Polic Guest Detsls Configure your Email Server Settings gy ae Select the User Interface Template to use aero Edit the User Interface Templates SMS Settings User Interface Templates Mapping User Defaults Server Network S
31. Ajai CISCO Cisco NAC Guest Server installation and Configuration Guide Release 110 March 2008 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San J ose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Text Part Number OL 15986 01 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE ALL STATEMENTS INFORMATION AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIED USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California Berkeley UCB as part of UCB s public domain version of the UNIX operating system All rights reserved Copyright 1981 Regents of the University of California NOTWITHSTANDING ANY OTHER WARRANTY HEREIN ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS CISCO AND THE ABOVE NAMED SUPPLIERS DISCLAIM ALL WARRANTIES EXPRESSED OR IMPLIED
32. C Guest Server Server Port Type 1813 as the port Timeout sec Type a timeout value 10 seconds is typically sufficient Shared Secret Type the shared secret used with the Cisco NAC Guest Server This must match the shared secret configured on the Guest Server when adding the CAM as a RADIUS client to the Guest Server as described in Adding RADIUS Clients page 8 2 Make sure both shared secrets are the same NAS IP Address Type the address of the CAM itself as the NAS IP Address Step4 Click the Update button Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 Eos Chapter7 Integrating with Cisco NAC Appliance E Configuring the CAM for Reporting Configure the CAM to Format RADIUS Accounting Data The CAM can be configured to place many different attributes into the RADIUS accounting packets and the attributes themselves can be formatted in many different ways You need to configure the CAM to send attribute information in a specific format so that the Cisco NAC Guest Server can understand it Note Refer to the RADIUS Accounting section of the applicable Cisco NAC Appliance Clean Access Manager Installation and Configuration Guide for additional details Step1 Log into the CAM admin console and navigate to User Management gt Auth Servers gt Accounting gt Shared Events Figure 7 7 Figure 7 7 Shared Events User Management gt Auth Servers Auth Servers Looku
33. Chapter4 Configuring Sponsor Authentication E Configuring Sponsor Authentication Settings Step5 Click the Save Settings button Delete an Existing RADIUS Server Entry Step1 From the administration interface select Authentication gt Sponsor gt Radius Servers from the menu Step 2 Select the RADIUS server from the list Figure 4 20 Figure 4 20 Delete RADIUS Server Entries Radius Servers Cisco ACS Server Add Radius Edit Radius Delete Radius Step3 Click the Delete Radius button Step4 Confirm deletion of the RADIUS server at the prompt If there are any errors the RADIUS server is not changed and an error message displays at the top of the page If successfully deleted a success message displays at the top of the page and you can perform additional RADIUS operations Configuring Sponsor Authentication Settings Changing the Order of Authentication Servers When a sponsor authenticates against the Cisco NAC Guest Server it tries each authentication server that has been defined in order until it successfully authenticates a sponsor If none of the authentication servers can authenticate the sponsor an error message is returned As you can define many different authentication servers of different kinds you can order them in any way that you want on a server by server basis Step1 From the administration interface select Authentication gt Sponsor gt Authentication Order from the menu Figure 4 21
34. DAP Version 3 E Base DN OU users O cisco com User Search Filter uid USERNAME e g uid USERNAME or cn USERNAME r Use Username attribute for Group mapping e Use attribute groupMembership m Use Group object membership for Group mapping O Use group object specified under User Groups settings LDAP Username Idapadmin Full administrator DN LDAP Password Confirm Password If you don t wish to change the password please keep the entry empty Status Active E To test the Active Directory connection save the settings and then click the Test Connection button Save Settings Reset Form Test Connection 186742 Step4 Modify settings as needed LDAP Server URL Enter the URL for accessing the LDAP server such as Idap Idap cisco com or Idaps ldap cisco com Port Enter the TCP port used to connect to the LDAP server The common port for LDAP is 389 Version The version of LDAP that the server supports version 1 2 or 3 Base DN This is the Distinguished Name of the container object where an LDAP search to find the user will be started from such as OU Users O Cisco com or OU Engineering O Cisco Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 EE Chapter4 Configuring Sponsor Authentication WE Configuring LDAP Authentication Step 5 Step 6 User Search Filter The User Search Filter def
35. Editing the Print Template The Print Template page contains the guest account details that the sponsor can bring up in a browser to print out for handing to the guest after the account is created The page is configured in HTML and can be fully customized Tip Step 1 Step 2 Step 3 Step 4 Step 5 Navigating to Reporting gt Active Accounts on the sponsor interface and clicking the Print button next to the guest account entry brings up the output of the Print Template for printing Go to User Interface gt Templates and click the Edit Template button for the template you want to edit in the Current Templates list In the Edit User Interface page click the Print Template tab at the top of the page to bring up the Print Template configuration page Figure 10 5 Figure 10 5 Print Template Page Template Name French Print Template Page Title Guest User Details Page Body lt h1 gt Everything within the htm Guest User Details lt h1 gt BODY tags lt P gt To access the network please use the following credentials lt P gt lt table width 508 border 1 gt lt tr gt lt th scope row gt Username lt ith gt lt td gt USERNAME lt td gt Save Template Reset Form 185313 Change the Page Title as desired default is Guest User Details In the Page Body text field edit the default HTML code for the web page The Page Body contains all the HTML that sits be
36. Figure 3 12 select the user from the list and click the Edit User button Step3 Inthe Edit Administrator page Figure 3 13 edit the user credentials Figure 3 13 Edit Admin Account Edit the administrator user account detalls Username admin First Name admin Surname admin Email Address admin localhost Password Repeat Password If you don t wish to change the password please keep the entry empty Save Settings Reset Form 185787 First Name Edit the first name of the admin user Surname Edit the last name of the admin user Email Address Edit the email address of the admin user Username Edit the user name for the admin account Note Leaving the Password and Repeat Password fields empty keeps the existing password Password Edit the password for the admin account Repeat Password Edit the password for the admin account Step4 Click the Save Settings button If there are any errors the account is not changed and an error message displays at the top of the page Cisco NAC Guest Server Installation and Configuration Guide 312 E OL 15986 01 Chapter3 System Setup Configuring Administrator Authentication W If successfully changed a success message displays at the top of the page and you can make additional changes to the same admin account Delete Existing Admin Account You can remove existing admin accounts from the administra
37. Guest User Details Gc Printer _ Home HP Laserjet 3050 Presets Standard agg mT Copies amp Pages Copies 1 M Collated Guest User Details To access the network please use the fi Pages AIl Username email OFrom 1 to 1 Password NVpMt Start Time 2007 9 tte Era O e Timezone 185331 By logging on to the network you are agreeing to the terms and conditions of the acceptable use policy below A new Printer window opens and you can print out the guest user details Email Account Details Step 1 Click the Email Account button The Cisco NAC Guest Server sends an email to the email address specified when you created the account Text Message Account Details SMS Step 1 Click the Send SMS Message button The Cisco NAC Guest Server sends a text message to the phone number specified in the account creation screen Cisco NAC Guest Server Installation and Configuration Guide lt aa Chapter15 Sponsor Documentation Multiple Guest Accounts W Multiple Guest Accounts The Cisco NAC Guest Server allows you to create multiple accounts at the same time You can create multiple accounts by pasting the details into the interface importing a Comma Separated Values CSV file or by creating random accounts to be assigned to guest users with the details recorded on paper for input at a later time The
38. INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES CCDE CCVP Cisco Eos Cisco StadiumVision the Cisco logo DCE and Welcome to the Human Network are trademarks Changing the Way We Work Live Play and Learn is a service mark and Access Registrar Aironet AsyncOS Bringing the Meeting To You Catalyst CCDA CCDP CCIE CCIP CCNA CCNP CCSP Cisco the Cisco Certified Internetwork Expert logo Cisco IOS Cisco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Cisco Unity Collaboration Without Limitation Enterprise Solver EtherChannel EtherFast EtherS witch Event Center Fast Step Follow Me Browsing FormShare GigaDrive HomeLink Internet Quotient IOS iPhone IP TV iQ Expertise the iQ logo iQ Net Readiness Scorecard iQuick Study IronPort the IronPort logo LightStream Linksys MediaTone MeetingPlace MGX Networkers Networking Academy Network Registrar PCNow PIX PowerPanels ProConnect ScriptShare SenderBase SMARTnet Spectrum Expert StackWise The Fastest Way to In
39. Installation and Configuration Guide EEJ OL 15986 01 Licensing CHAPTER Licensing The Cisco NAC Guest is licensed via a file associated with the MAC address of the appliance The file can be obtained from cisco com and instructions are included in the licensing pack The Cisco NAC Guest Server only supports one license at a time so any additional licenses you import automatically overwrite the previous license on the Guest Server Note For detailed information on Cisco NAC Guest Server licenses refer to Cisco NAC Appliance Service Contract Licensing Support To view or upload a license from the administration interface Step1 Select Server gt User Groups from the left hand menu Figure 14 1 Figure 14 1 Licensing Guest Server License This product is licensed for installation on this MAC Address 00 0C 29 04 BF 98 License Expires permanent Replace License Choose File no file selected Submit Step2 Click the Choose File or Browse button depending on which browser you are using and select the license file Step3 Click the Submit button to upload a new license file Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 EN Chapter 14 Licensing E Licensing Cisco NAC Guest Server Installation and Configuration Guide ma OL 15986 01 CHAPTER 1 Sponsor Documentation This chapter provides example user documentation for sponsor users who create gu
40. Remote Guest Server 10 1 60 44 Shared Secret s Confirm Shared Secret Replication Mode On i Save Settings Reset Form Provisioning Provisioning Primary Secondary O Save Settings Reset Form Replication Status This Server Remote Server Current outstanding entries to replicate 19ltem s to replicate Oltem s to replicate Replication Status Database Replication in progress Step2 Select the Provisioning to be Primary if you want this server to perform the provisioning under normal conditions Select Secondary if you want this server to only perform provisioning if the Primary cannot be contacted Step3 Click the Save Settings button Note Only one of the servers should be set to Primary otherwise you may get errors when creating or deleting accounts twice Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 EEN Chapter 12 Replication and High Availability HI Replication Status Replication Status At any moment in time you can check the replication status of the Cisco NAC Guest Servers This is useful to make sure replication is happening as you want it to Step1 From the administration interface select Authentication gt Replication Settings from the left hand menu Figure 12 3 Figure 12 3 Replication Status Replication Settings Remote Guest Server 10 1 60 44 Shared Secret Confirm Sh
41. Reset Download CSV Email IP Address Created By Username Full Email Start Time End Time Status Name username email company com first email company com 18th Feb 2008 18th Feb 2008 Active Details last 00 00 00 23 59 00 S America Los_Angeles America Los_Angeles username email company com1 S9bZFAM6 first email company com 18th Feb 2008 18th Feb 2008 Active Details last 00 00 00 23 59 00 S Amenca Los_Angeles America Los_Angeles 186775 Step2 The Cisco NAC Guest Server Reporting page Figure 15 19 initially displays the complete report for your user permissions To shorten or filter the report modify the dropdown menus at the top of the screen then click the Submit button If you want to search for a specific First Name Last Name Company Email address or by IP Address of the guest then by typing the full or partial text in the corresponding text field and clicking the Submit button you will be able to get a more focuses report Step3 If you want to export the full report for the new query click the Download CSV button to download the report in CSV format Step4 Click the Submit button The report displays the bottom of the screen Figure 15 20 Figure 15 20 Example Details for Guest Account Cisco NAC Guest Server Detailed Report Detailed Login Report for d1 NAS IP Address Logged In Logged Out Duration 10 1 60 86 1st Oct 2007 1st Oct 2007 0 38 19 09 06 48 09 45 06 America Los_Angeles America Los_Angeles oO re
42. SMS Settings from the left hand menu Figure 9 2 SMS Settings Change the settings for sending SMS to guests Enable SMS Yes No SMTP Server Configure SMTP Server under Email settings Sent From guest localhost Save Settings Reset Form le Step2 Inthe SMS Settings page Figure 9 2 change the Enable SMS option to Yes to globally enable SMS on the Cisco NAC Guest Server Step3 SMS requires an SMTP server to deliver the email to the SMS gateway Click the Email Settings link to configure the SMTP Server as described Configuring Email Notification Step4 Inthe Sent From field type the sending email address for the email to be sent to the SMS gateway Step5 Click Save Settings amp Note Depending on how details are routed to the SMS provider you will need to customize the SMS portion of the User Interface template to include the guest s mobile phone number in the correct format for your SMS gateway See Editing the SMS Template page 10 6 for details OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter9 GuestAccountNotification WE Configuring SMS Notification Cisco NAC Guest Server Installation and Configuration Guide oa E OL 15986 01 CHAPTER 1 Customizing the Application This chapter describes the following User Interface Templates Adding a User Interface Template Editing a User Interface Template Deleting a Template Setting the Default Interface Mapp
43. Step4 Once changes are saved you need to restart the Guest Server to ensure all processes use the correct IP address Click the Restart button and the restart process will begin on the Guest Server within 60 seconds Date and Time Settings Correct date and time are critical to the Cisco NAC Guest Server The Guest Server authenticates guest users based upon the time their accounts are valid It is important for the time to be correct so guest accounts are created and removed at the correct time If possible Cisco recommends using a Network Time Protocol NTP server to synchronize the time and date Step1 From the administration interface select Server gt Date Time Settings from the left hand menu Figure 3 5 Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 a Chapter3 System Setup W Date and Time Settings Figure 3 5 Date Time Settings Date and Time Settings Date 12 9 Jan hq 2008 9 Time 00 faq 52 k Set System Date and Time Timezone settings Timezone America Los_Angeles Z i Set System Timezone Network Time Protocol settings NTP Server ntp cisco com Set NTP Server 186739 Step 2 Select the correct Date and Time for the location of the Guest Server Step3 Click the Set System Date and Time button to apply the time and date Step4 Select the correct Timezone for the location of the Guest Server Step5 Apply the setting
44. Step5 To see usage details for a particular account click the Details button next to the account The Detailed Login report opens in the same screen and lists the following details User IP Address for the guest Logged In time date time and timezone Logged Out time date time and timezone Duration of session in hh mm ss format Details of all modifications to the guest account and by which sponsor This information can be useful for auditing purposes Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 APPENDIX A Open Source License Acknow ledgements Notices The following notices pertain to this software license OpenSSL Open SSL Project This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org This product includes cryptographic software written by Eric Young eay cryptsoft com This product includes software written by Tim Hudson tjh cryptsoft com License Issues The OpenSSL toolkit stays under a dual license i e both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit See below for the actual license texts Actually both licenses are BSD style Open Source licenses In case of any license issues related to OpenSSL please contact openssl core openssl org OpenSSL License Copyright 1998 2007 The OpenSSL Project All rights reserved Redistribution and
45. Taking a snapshot 11 2 Scheduling a Backup 11 3 Restoring Backups 11 3 Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 Contents E Contents cHapter 12 Replication and High Availability 12 1 Setting up replication 12 1 Configuring Provisioning 12 3 Replication Status 12 4 Recovering from Failures 12 4 Network Connectivity 12 4 Device Failure 12 5 Deployment Considerations 12 5 Connectivity 12 5 Load Balancing 12 6 Web Interface 12 6 RADIUS Interface 12 6 12 7 cHapter 13 Logging and Troubleshooting 13 1 System Logging 13 1 Log Files 13 2 Downloading the log files 13 2 Application Logging 13 2 Email Logging 13 2 RADIUS Logging 13 2 CAM Update Logging 13 3 Web Server Logging 13 3 CHAPTER 14 Licensing 14 1 Licensing 14 1 cHapter 15 Sponsor Documentation 15 1 Introduction to Cisco NAC Guest Server 15 1 Connecting to the Guest Server 15 1 Creating Guest User Accounts 15 4 Print Account Details 15 6 Email Account Details 15 6 Text Message Account Details SMS 15 6 Multiple Guest Accounts 15 7 Creating Multiple Accounts from Text Entry 15 7 Creating Multiple Accounts from CSV File 15 8 Creating Multiple Random Accounts 15 8 mi Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 APPENDIX A Printing Email SMS Multiple Accounts 15 9 Viewing Multiple Account Groups 15 10 Viewing Multiple Account Groups 15 10 Finding Multiple Account Groups
46. a replication pair will result in not having an exact replica of the data on both servers Step1 From the administration interface select Authentication gt Replication Settings from the left hand menu Figure 12 4 Figure 12 4 Resetting Replication Replication Settings Remote Guest Server Shared Secret Confirm Shared Secret Replication Mode Off Save Settings Reset Form Provisioning Provisioning Primary Secondary O Save Settings Reset Form 186767 Step2 Set Replication Mode to Off on both of the Guest Servers Step3 Follow the instructions in Setting up replication page 12 1 and ensure that you set the working server as the one with the data Deployment Considerations Connectivity The Cisco NAC Guest Servers need to be provided with IP connectivity between the units Cisco recommends making the network path between the devices resilient so that synchronization can always be performed However if the devices become disconnected they will continue to function and store changes until they are connected back together and can re establish communication At that point they will re synchronize databases Cisco NAC Guest Server Installation and Configuration Guide E EZE Chapter 12 Replication and High Availability E Deployment Considerations Depending on the amount of activity that your Cisco NAC Guest Server performs you need to make sur
47. and then click Add User First Name Last Name Company Email Address Mobile Phone Number 1 jay Account Start Time 00 00 Date 18 F Feb fe 2008 ie ES Account End Time 23 iS 59 Date 18 F Feb fed 2008 fe E Timezone America Los_Angeles Add User Reset Form 186771 Step 12 Depending on your permissions you can perform one or all of the following actions on the same page where the new account details are displayed Print Account Details Clicking the Print Account button lets you print the account details to your printer to hand to the guest These details commonly include guest access instructions and usage policies Email Account Details Clicking the Email Account button emails the account details to the email address you entered for the guest Text Message Account Details SMS Clicking the Send SMS Message button sends the account details to the guest s mobile phone via SMS text message Step 13 You can also continue directly to create another account by entering another guests details and clicking the Add User button at the bottom of the page Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 EEN Chapter 15 Sponsor Documentation HI Creating Guest User Accounts Print Account Details Step 1 Click the Print Account button Figure 15 6 Print Account Details
48. apter6 Configuring Guest Policies W Setting the Password Policy Step2 Choose one of three options for creating the user name for the guest account e Username Policy 1 email Use the guest s email address as the username If an overlapping account with the same email address exists a random number is added to the end of the email address to make the username unique Overlapping accounts are accounts that have the same email address and are valid for an overlapping period of time Username Policy 2 FirstLast Create a username based on combining the first name and last name of the guest You can set a Minimum Username Length for this username from 1 to 20 characters default is 10 User names shorter than the minimum length are padded up to the minimum specified length with a random number Username Policy 3 Random Create a username based upon a random mixture of Alphabetic Numeric or Other characters Type the characters to include to generate the random characters and the number to use from each set of characters amp Note The total length of the username is determined by the total number of characters included Step3 When done click Set Policy to have the username policy take effect Setting the Password Policy The password policy determines how to create the password for all guest accounts Step1 From the administration interface select Guest Policy gt Password Policy from the left hand menu Fi
49. ared Secret Replication Mode On Save Settings Reset Form Provisioning Provisioning Primary Secondary O Save Settings Reset Form Replication Status This Server Remote Server Current outstanding entries to replicate 19ltem s to replicate Oltem s to replicate Replication Status Database Replication in progress At the bottom of the page is the Replication Status You can check the status of replication and how many changes need to be replicated between each device Recovering from Failures Netw ork Connectivity When the network connectivity between two Cisco NAC Guest Servers fails the Cisco NAC Guest Servers will store up to 1GB of changes When connectivity is restored if the amount of changes is less than 1GB they will synchronize with each other If more than 1GB of changes are stored the Cisco NAC Guest Server will stop the replication process and you will need to setup replication again Cisco NAC Guest Server Installation and Configuration Guide a OL 15986 01 Chapter12 Replication and High Availability Deployment Considerations i Device Failure If one of the Cisco NAC Guest Servers in a replication pair fails and needs to be replaced you should set up replication with the working server and the data will be re synchronized to the device A Warning Do not restore the failed unit from a backup Restoring from a backup onto one unitin
50. at Password Group DEFAULT Email Address Add User Reset Form Step3 In the Add a Local User Account page enter all the sponsor user credentials First Name Type the first name of the sponsor Last Name Type the last name of the sponsor Username Type the user name for the sponsor account Password Type the password for the sponsor account Repeat Password Retype the password for the sponsor account Groups Select the group for the sponsor account from the dropdown Chapter 5 Configuring User Group Permissions provides further details on groups Email Address Type email address of the sponsor Step4 Click the Add User button Ifthere are any errors the account is not added and an error message displays at the top of the page Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 Chapter4 Configuring Sponsor Authentication Configuring Local Sponsor Authentication Ml If successfully added a success message displays at the top of the page and you can add additional user accounts Edit Existing User Account You can modify the settings of local user accounts that are already created Step1 From the administration interface select Authentication gt Sponsors gt Local User Database from the menu Figure 4 3 Figure 4 3 Local Users to Edit Local Users Add User Edit User Delete User 185145 Step 2 Select the use
51. bute User Management gt Auth Servers Auth Servers Lookup Servers Accounting Server Config Login Event Logout Event Data sent when User Logs in or Logs out Send RADIUS Attribute Calling_Station_Id I Change Attribute RADIUS Attribute type String Data to send thus far User IP Sample of data to be sent 192 168 151 200 Add Data y User IP Add Text Selecting dynamic data from the drop down list and clicking Add Data will cause that data to be sent with the associated RADIUS Attribute Static data can be entered via Add Text Dynamic and static data can be combined to create human readable strings by adding data and text Each added entry will be appended on to the end of the last Commit Changes Reset Element Undo Last Addition 185321 Step9 In the New Shared Events attribute form Figure 7 10 select Calling _Station_Id from the Send RADIUS Attributes dropdown menu Step 10 Click the Change Attribute button Step11 Select User IP from the Add Data dropdown menu Step12 Click the Add Data button Step 13 Click Commit Changes Note Remember to add the CAM as a RADIUS client using the instructions in Chapter 8 Configuring RADIUS Clients Cisco NAC Guest Server Installation and Configuration Guide ae Overview CHAPTER Configuring RADIUS Clients This chapter describes the following Overview Adding RADIUS Clien
52. ccount Choose one of the following permissions for editing the end date time on guest accounts No Sponsors are not allowed to edit any accounts Own Account Sponsors are allowed to edit only the accounts they created All Accounts Sponsors are allowed to edit any guest accounts Suspend Account Choose one of the following options for suspending accounts No Sponsors are not allowed to suspend any accounts Own Account Sponsors are allowed to suspend only the accounts they created All Accounts Sponsors are allowed to suspend any guest accounts Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 EN Chapter5 Configuring User Group Permissions HI Deleting User Groups Active Accounts Choose one of the following permissions for viewing reporting details for active accounts No Sponsors are not allowed to view reporting details on any accounts Own Account Sponsors are allowed to view reporting details for only the accounts they created All Accounts Sponsors are allowed to view reporting details on any active guest accounts Full Reporting Choose one of the following permissions for running full reporting No Sponsors are not allowed to run full reporting on any accounts Own Account Sponsors are allowed to run full reporting for only the accounts they created All Accounts Sponsors are allowed to run full reporting on any active guest accounts Numb
53. ce select Authentication gt Sponsor gt Radius Servers from the menu Step 2 Select the RADIUS server from the list and click the Edit Radius button Figure 4 18 Figure 4 18 Select RADIUS Server to Edit Radius Servers Add Radius Edit Radius Delete Radius 186763 Step3 In the RADIUS Server Details page Figure 4 19 edit the details for authenticating against this RADIUS server Figure 4 19 Edit RADIUS Server Settings Radius Server Details Server Name Cisco ACS Server Server IP Address 192 168 1 1 Port Radius Secret see Confirm Secret s s Status Active iz Save Settings Reset Form 186762 Step4 Modify settings as needed e Server IP Address Enter the IP address or domain name of the RADIUS server Port Enter the UDP port used to connect to the RADIUS server The common ports for RADIUS authentication are ports 1645 or 1812 Radius Secret The shared secret used to secure the communications between the Cisco NAC Guest Server and the RADIUS server amp Note If you do not want to change the shared secret leaving both secret entries empty preserves the existing shared secret Status Select the status of the RADIUS Server If it is set to Active the Guest Server will use it for authenticating sponsors If it is set to Disabled it will not be used Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 E
54. colons in between characters Please follow the instructions on the license web pages carefully to ensure that the correct MAC addresses are entered For each PAK that you submit a license file is generated and sent to you via email Save each license file you receive to disk Open a web browser to the Cisco NAC Guest Server admin interface by entering the IP address that you configured through the command line as the URL For HTTP access open http lt guest_server_ip_address gt admin For HTTPS access open https lt guest_server_ip_address gt admin In the Guest Server License Form Figure 3 1 click the Browse button and locate the license file Cisco NAC Guest Server Installation and Configuration Guide 32 9 cower Chapter3 System Setup Accessing the Administration Interface i Figure 3 1 Guest Server License Form example A cisco Licensing Guest Server License Form The product license for this installation MAC Address 00 0C 29 AC 4E 63 is either invalid expired or not yet set Reason for failure The license appears to be corrupted Please install the correct license Lo Browse Submit Product Evaluation If you are evaluating the Guest Server product please visit the Cisco Technical Support site to register and obtain an evaluation product license Once this is complete you will receive a license key via email which must be saved to a text file Enter the license file name in t
55. crease Your Internet Quotient TransPath WebEx and the WebEx logo are registered trademarks of Cisco Systems Inc and or its affiliates in the United States and certain other countries All other trademarks mentioned in this document or Website are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0801R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content is unintentional and coincidental Cisco NAC Guest Server Installation and Configuration Guide 2008 Cisco Systems Inc All rights reserved About This Guide ix CHAPTER 1 Welcome to Cisco NAC Guest Server 1 1 Introduction 1 1 Guest Access Concepts 1 1 Before You Start 1 2 Package Contents 1 2 Rack Mounting 1 3 Cisco NAC Guest Server Licensing 1 3 Upgrading Firmware 1 3 Additional Information 1 4 CHAPTER 2 Installing Cisco NAC GuestServer 2 1 Connecting the Cisco NAC Guest Server 2 1 Command Line Configuration 2 3 Configure IP Address and Default Gateway 2 3 Change Root Password 2 5 Re Imaging the Appliance 2 6 CHAPTER 3 System Setup 3 1 Accessing the Administration Interface 3 1 Obtain and Install Cisco NAC Guest Server License 3 2 Access Cisco NAC Gu
56. data can be combined to create human readable strings by adding data and text Each added entry will be appended on to the end of the last Commit Changes D Reset Element Undo Last Addition 185319 Step3 In the Edit User_Name attribute page Figure 7 8 click the Reset Element button to remove the existing sample data format Step4 Select User Name from the Add Data dropdown menu Step5 Click the Add Data button Step6 Click the Commit Changes button Step7 The main Shared Events lists page reappears Figure 7 9 Verify that the Data column lists TUser_Name Figure 7 9 Shared Events with Usemame Changed User Management gt Auth Servers O Auth Servers Lookup Servers Mapping Rules Auth Test Accounting Server Config Login Event Logout Event Data sent when User Logs in or Logs out New Entry AttributeName ata Sample Edit Delete User_Name User Name LocalUser x Login_IP_Host CA Server IP 192 168 151 1 X Framed_IP_Address User IP 192 168 151 200 x Event_Timestamp Current Time Unix Seconds 1107558172 x g Calling_Station_Id User 1P 192 168 151 200 pj X 8 Step8 Click the New Entry link to the right of the page Figure 7 9 to add additional attributes Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 E7 Chapter7 Integrating with Cisco NAC Appliance E Configuring the CAM for Reporting Figure 7 10 Add Calling Station Id Attri
57. dd Admin User Administrator Accounts can change the settings of the Guest Access Portal First Name Surname Email Address Username Password Repeat Password Add Administrator Reset Form 185786 Step3 In the Add Administrator page Figure 3 11 enter all the admin user credentials First Name Type the first name of the admin user Surname Type the last name of the admin user Email Address Type the email address of the admin user Username Type the user name for the admin account Password Type the password for the admin account Repeat Password Retype the password for the admin account Step4 Click the Add Administrator button Ifthere are any errors the account is not added and an error message displays at the top of the page If successfully added a success message displays at the top of the page and you can add additional admin accounts Edit Existing Admin Account You can modify the settings of admin accounts that are already created Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 n Chapter3 System Setup WE Configuring Administrator Authentication Step1 From the administration interface select Authentication gt Administrators from the left hand menu Figure 3 12 Admin Users to Edit Admin Accounts Add User Edit User Delete User 185788 Step2 In the Admin Accounts page
58. de OL 15986 01 EN Chapter4 Configuring Sponsor Authentication E Configuring Sponsor Authentication Settings Cisco NAC Guest Server Installation and Configuration Guide a20 i OL 15986 01 CHAPTER Configuring User Group Permissions User groups are the method by which to assign permissions to the sponsors You can set role based permissions for sponsors to allow or restrict access to different functions such as creating accounts modifying accounts generating reports and sending account details to guests by email or SMS Once you have created a user group you should then create mapping rules to map the sponsor to a group based upon information returned from the authentication server such as Active Directory Group LDAP Group membership or RADIUS Class attribute Tip By default all users are assigned to the DEFAULT group I f you only want to have a single classification of sponsors you can edit the DEFAULT group This chapter describes the following Adding User Groups Editing User Groups Deleting User Groups Specifying the Order of User Groups Mapping to Active Directory Groups Mapping to LDAP Groups Mapping to RADIUS Groups Adding User Groups You can create a new sponsor user group using the following steps Step1 From the administration interface select Authentication gt User Groups from the left hand menu Figure 5 1 Cisco NAC Guest Server Installation and Configuration Guid
59. e OL 15986 01 EN Chapter5 Configuring User Group Permissions W Adding User Groups Figure 5 1 User Groups User Groups DEFAULT Change Order Add Group Edit Group Delete Group 186788 Step2 Click the Add Group button to add a new user group Step3 From the Add a New User Group page Figure 5 2 enter the name for a new user group Figure 5 2 Add New User Group Create new User Group Group Name _Add Group Reset Form 186734 Step4 Click the Add Group button to add a user group You can now edit the settings for the new user group Figure 5 3 Figure 5 3 Edit New User Group Edit an existing User Group Group Name Helpdesk Users Permissions Allow Login Yes wy Create Account No H Create Bulk Accounts Create Random Accounts Import CSV Send Email Send SMS No Edit Account Suspend Account Active Accounts Full Reporting Number of days in the future the account 7 can be created Maximum duration of account 7 in days Create Account By Start Date End Date B Save Group Reset Form 186746 Step5 Set Permissions for the new User Group as follows Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 Chapter 5 Configuring User Group Permissions Adding User Groups W Allow Login Select Yes to allow sponsors in this group to access the Cisco NAC Guest Server Otherwise select No Create Accoun
60. e Cisco NAC Profiler and Cisco NAC Guest Server Cisco NAC Appliance Product Literature Online inks to Ordering Guide Bulletins Data Sheets Q amp A and Chalk Talk presentations Cisco NAC Appliance Clean Access Manager Installation and Configuration Guide Cisco NAC Appliance Clean Access Server Installation and Configuration Guide Configuration guides for NAC Appliance Manager and Server Cisco Wireless LAN Controller Configuration Guide Release 4 0 Configuration information for Cisco Wireless LAN Controllers Obtaining Documentation and Submitting a Service Request For information on obtaining documentation submitting a service request and gathering additional information see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to the What s New in Cisco Product Documentation as a Really Simple Syndication RSS feed and set content to be delivered directly to your desktop using a reader application The RSS feeds are a free service and Cisco currently supports RSS version 2 0 mi Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 CHAPTER Welcome to Cisco NAC Guest Server Introduction The Cisco NAC Guest Server is a complete provisioning and reporting system that provides temporary network access for guests vis
61. e that there is enough bandwidth between the server to enable synchronization to occur as rapidly as possible You can test connectivity by creating a large amount of accounts and watching how quickly the appliances synchronize by watching the status on the replication screen Figure 12 3 Load Balancing Web Interface RADIUS Interface Sponsor and Administration sessions can be services by both Cisco NAC Guest Servers when configured for replication The Cisco NAC Guest Server however does not perform any redirection or automatic load balancing of requests To enable requests to both Cisco NAC Guest Servers concurrently you must implement an external load balancing mechanism Options include Network based Load Balancing such as the Cisco CSS GSS CSM or ACE platforms The only requirement for the load balancing is that clients are services by the same Cisco NAC Guest Server for their entire session Individual requests cannot be load balanced between servers as the Cisco NAC Guest Server doesn t replicate sponsor admin session information to reduce bandwidth requirements The most common method of achieving this is sticking connections to the same Cisco NAC Guest Server based upon source IP address DNS Round robin Using your DNS server configure the domain name of the Cisco NAC Guest Server to return both IP addresses for the Cisco NAC Guest Server in a round robin configuration This method does not provide failover between
62. e Main page either click Report on Guest User Accounts or select Reporting gt Active Accounts from the left hand menu Figure 15 18 Active Accounts CreatedBy Username FullName Company Email Start Time End Time username email company com first last company email company com 1st Sep 2007 30th Sep 2007 Print 00 00 00 23 59 00 Email SMS 185323 In the Cisco NAC Guest Server Reporting page Figure 15 18 click the Print Email or SMS button next to the account to bring up the details for that account Clicking the Email button will email the account details to the guest Clicking SMS will send a text message with the account details to the guest Reporting on Guest Users Step 1 If you have the appropriate permissions you can generate full reporting on guest user accounts You can run reports to view who created guest accounts when they were created and access details for the guests themselves such login time logout time and IP address used From the Main page select Reporting gt Full Reporting from the left hand menu OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter 15 Sponsor Documentation E Reporting on Guest Users Figure 15 19 Full Reporting Created By Start Time Between orf foa FA 2007 99 First Name End Time Between 18 fea Feb fied 2008 5 Last Name Locale Show All H Company Submit
63. e Name for the RADIUS client Step4 Type the IP Address of the RADIUS client This needs to match the IP address from which the RADIUS request originates Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 Chapter8 Configuring RADIUS Clients Editing RADIUS Clients Hi Step5 Type a shared Secret for the RADIUS client This must match the shared secret specified in the configuration of the RADIUS client Step6 Retype the shared secret in the Confirm Secret field Step7 Type a Description of the client and any other information needed Step8 If you want the RADIUS client to send any additional attributes upon successful authentication enter the attribute name and value and click the Add button You can enter as many attributes as you need If you want to remove an attribute select the attribute from the table and click the Delete button Step9 Click the Add Radius Client button Step 10 From the administration interface select Devices gt Radius Clients Figure 8 1 from the left hand menu Step 11 Click the Restart button to restart the RADIUS service to make the changes take effect Editing RADIUS Clients Step1 From the administration interface select Devices gt Radius Clients from the left hand menu Figure 8 3 RADIUS Clients List Radius Clients Wireless Lan Controller Add Radius Edit Radius Delete Radius Restart Radius If any changes are made to the radius clients please
64. e administration home page select Server gt Backup gt Restore from the menu Figure 11 2 Figure 11 2 Restore Backup Restore Backup File d File Choose File no file selected Restore 186768 Step2 Click the Choose File or Browse button depending on your particular web browser and select the backup archive you want to restore Step3 Click the Restore button The backup is uploaded to the Cisco NAC Guest Server and the data is restored Cisco NAC Guest Server Installation and Configuration Guide Pais OL 15986 01 CHAPTER 1 Replication and High Availability To provide high availability the Cisco NAC Guest Server solution can be configured so that a pair of units synchronize their databases between one another This provides the ability for the solution to carry on working in the event of loss of connectivity or failure to a single unit High availability is provided in an active active scenario where both Cisco NAC Guest Servers can service requests from sponsors or network devices at the same time This capability also allows you to load balance the requests between the boxes Note For load balancing external load balancers must be used to load balance the web interface RADIUS requests can also be load balanced via external load balancers or by configuration This chapter includes the following sections Setting up replication Configuring Provisioning Replication Status Recovering f
65. e page to bring up the Email Template configuration page Figure 10 6 Figure 10 6 Email Template Page Template Name French Email Template Email Subject Guest User Account Details Email Body The following guest user account has been created a for you v Username USERNAME 0 Password PASSWORD Valid From STARTTIME Valid To ENDTIME Timezone TIMEZONE To access the network you must agree to the AUP below Save Template Reset Form Change the Page Title as desired default is Guest User Account Details Change the Email Subject as desired In the Email Body text field edit the default email text to be sent to the guest page In the Email Body you can use the following special variables to replace them with the details from the created guest account USERNAME The Username created for the guest PASSWORD The Password created for the guest STARTTIME The time from which the guest account will be valid ENDTIME The time the guest account will expire FIRSTNAME The first name of the guest LASTNAME The last name of the guest I OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter 10 Customizing the Application W Editing a User Interface Template Step7 Click the Save Template button to save your changes Editing the SMS Template The SMS Template page contains the guest account details that the sponso
66. eates new accounts that are valid every minute Every minute it also removes accounts that have expired When accounts are suspended the Guest Server removes both the accounts from the CAM and the guest users from the network if they are logged in The Clean Access Manager can also send accounting information to the Cisco NAC Guest Server via RADIUS accounting This information is used for reporting and tracking of guests by access time and IP address You may add multiple Clean Access Managers to the Cisco NAC Guest Server When accounts are provisioned they are created on all active Clean Access Managers that are defined Adding Clean Access Manager Entries The following steps describe how to configure the Cisco NAC Guest Server and Cisco NAC Appliance Manager so that they can communicate with one another You must add API information to the Cisco NAC Guest Server for each Clean Access Manager on which you want the Guest Server to create accounts I OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide gy Chapter7 Integrating with Cisco NAC Appliance W Adding Clean Access Manager Entries Step1 From the Guest Server administration interface select Devices gt NAC Appliance from the left hand menu Figure 7 1 Figure 7 1 Cisco NAC Appliances NAC Appliances Add NAC Edit NAC Delete NAC 186758 Step2 Click the Add NAC button Figure 7 2 Figure 7 2 Add Clean Access Mana
67. er of days in the future This specifies how long in the future that guests can create accounts Specify the maximum number of days that they are allowed to create accounts in the future Maximum duration of account This specifies the maximum length in days that the sponsor can configure for an account Show account dates as This defines the method a sponsor can use to specify when an account is valid There are two options Start Date End Date The sponsor is shown a calendar they can use to specify the time and date an account starts and ends Template Options You can specify a list of preset durations that the sponsor can use when creating accounts such as 1 hour 1 day or 3 days If this is selected the template options are shown on the Create Guest page The maximum template option cannot be greater than the value specified in the maximum duration Step5 Click the Save Group button to save the changes to the group Step6 Follow the instruction in Mapping to Active Directory Groups page 5 8 Mapping to LDAP Groups page 5 8 or Mapping to RADIUS Groups page 5 10 so that you can correctly map users to your group based upon group information from the authentication server Deleting User Groups Step1 From the administration interface select Authentication gt User Groups from the left hand menu Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 Chapter5 Configuring User Group Permiss
68. ersion LDAP Version 3 Base DN User Search Filter uid USERNAME e g uid USERNAME or cn USERNAME r Use Username attribute for Group mapping O Use attribute r Use Group object membership for Group mapping O Use group object specified under User Groups settings Username Full administrator DN Password Confirm Password Status Active 3 To test the LDAP Server connection enter the details into the form and then click the Test Connection button Items marked are required for connection test Add LDAP Server Reset Form Test Connection 186729 Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 EIN Chapter4 Configuring Sponsor Authentication WE Configuring LDAP Authentication LDAP Server Name Type a text description of the LDAP Server Name For example Cisco LDAP Idap cisco com LDAP Server URL Enter the URL for accessing the LDAP server such as Idap ldap cisco com or Idaps Idap cisco com Port Enter the TCP port used to connect to the LDAP server The common port for LDAP is 389 e Version The version of LDAP that the server supports version 1 2 or 3 Base DN This is the Distinguished Name of the container object where an LDAP search to find the user will be started from such as OU Users O Cisco com or OU Engineering O Cisco User Search Filter The User Search Filter defines how u
69. es Add Template J Edit Template Delete Template 186785 From the Current Templates list Figure 10 3 select the template that you want to edit Click the Edit Template button The Edit User Interface page for the template displays Figure 10 4 Figure 10 4 Edit Template Login Home Menu Reporting Notification Sponsor Settings Accounts Upload Logo Template Name default Page Title Guest Server Authentication Page Heading Cisco NAC Guest Server General Text Instruction Enter your Username and Password and then click Login Username Username Password Password Messages Invalid Password Message Your username and password are invalid please try again Login not allowed You do not have permission to log in to the application Session Expired Session has expired Please log back in Buttons Login Button Login Save Settings Save Template Reset Form Click the menu at the top of the page to select any of the sponsor pages that you want to edit 186784 Make any changes to the fields and click the Save Template button Some example edits are described in the following sections Editing the Print Template Editing the Email Template Editing the SMS Template I OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter 10 Customizing the Application W Editing a User Interface Template
70. es Organizations commonly have policies in place for creating accounts for their internal users and systems such as the format or length of the username and or complexity of password The Cisco NAC Guest Server allows you to configure guest username and password creation policies to match your organization s policy or to create a policy specific to guest accounts You can also use the guest details policy to define specific guest user information on the Cisco NAC Guest Server Setting the Username Policy The Username Policy determines how to create user names for all guest accounts Step1 From the administration interface select Guest Policy gt Username Policy from the left hand menu Figure 6 1 Figure 6 1 Guest Usemame Policy Username Policy Option 1 Use email address as username Username Policy Option 2 Create username based upon first and last names Minimum Username Length 10 B Username Policy Option 3 Create random username Alphabetic Characters Characters to include ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijkimnoparstt Number to include 6 5B Numeric Characters Characters to include 1234567890 Number to include f2 B Other Characters Valid Charachers amp _ gt Characters to include S Number to include 0 H 186790 _Set Policy Reset Form Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 EN Ch
71. est Server such as the time the session started time session ended user IP address and so on This information is transported over the RADIUS Accounting protocol Tip If there is a Firewall between the Cisco NAC Guest Server and the RADIUS client you will need to allow traffic from UDP Port 1812 RADIUS authentication and UDP Port 1813 RADIUS accounting to pass I OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter8 Configuring RADIUS Clients W Adding RADIUS Clients D Note Any time you make a change to a RADIUS component on the Cisco NAC Guest Server you will need to Restart the RADIUS service for the changes to become active Adding RADIUS Clients Step1 From the administration interface select Devices gt Radius Clients from the left hand menu Figure 8 1 RADIUS Clients Radius Clients Add Radius Edit Radius Delete Radius Restart Radius If any changes are made to the radius clients please click the Restart Radius button to Restart apply them f Step2 In the Radius Clients page Figure 8 1 click the Add Radius button to add a RADIUS client 185305 Figure 8 2 Add RADIUS Client Radius Client Name IP Address Secret Confirm Secret Description Attribute Value Add Radius Client Reset Form 186732 Step3 In the Add Radius Client page Figure 8 2 type a descriptiv
72. est Server Administration Interface 3 3 Configuring Network Settings 3 4 Date and Time Settings 3 5 SSL Certificate 3 7 Accessing the Guest Server using HTTP or HTTPS 3 7 Generating Temporary Certificates CSRs Private Key 3 8 Downloading Certificate Files 3 9 Downloading the CSR and Certificate 3 9 Downloading the Private Key 3 9 Upload Certificate Files 3 10 Configuring Administrator Authentication 3 10 Add New Admin Account 3 10 CONTENTS Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 ii E Contents Edit Existing Admin Account 3 11 Delete Existing Admin Account 3 13 CHAPTER 4 Configuring Sponsor Authentication 4 1 Configuring Local Sponsor Authentication 4 1 Add New Local User Account 4 1 Edit Existing User Account 4 3 Delete Existing User Account 4 4 Configuring Active Directory AD Authentication 4 5 Add Active Directory Domain Controller 4 6 Edit Existing Domain Controller 4 7 Delete Existing Domain Controller Entry 4 9 Configuring LDAP Authentication 4 9 Add an LDAP Server 4 11 Edit an Existing LDAP Server 4 12 Delete an Existing LDAP Server Entry 4 14 Configuring RADIUS Authentication 4 15 Adda RADIUS Server 4 16 Edit an Existing RADIUS Server 4 17 Delete an Existing RADIUS Server Entry 4 18 Configuring Sponsor Authentication Settings 4 18 Changing the Order of Authentication Servers 4 18 Sponsor Timeouts 4 19 CHAPTER 5 Configuring User Group Permissions 5 1 Adding User Groups 5
73. est accounts It contains the following sections Introduction to Cisco NAC Guest Server Connecting to the Guest Server Creating Guest User Accounts Multiple Guest Accounts Editing Guest Accounts Suspending Guest Accounts Viewing Active Accounts and Resending Details Reporting on Guest Users Introduction to Cisco NAC Guest Server Cisco NAC Guest Server allows you to create temporary network access accounts for your guests visitors contractors or anyone who needs temporary network access You can easily create guest accounts by browsing to the Cisco Guest Server web interface logging in with your corporate credentials and entering the guest s details Cisco NAC Guest Server creates the temporary account and allows you to provide the account details to the guest via printout email or SMS text message In addition to being able to create guest accounts you can also view and amend the accounts to which you have access or run reporting on accounts for auditing purposes Connecting to the Guest Server Step 1 All connections to the Cisco NAC Guest Server are through a web interface To connect to the Cisco NAC Guest Server open a web browser and enter its address into the URL or address field as provided by your network administrator Enter the address of the Cisco NAC Guest Server into the URL fields of a web browser for example http nac guest server Figure 15 1 I OL 15986 01 Cisco NAC Gues
74. ettings Date Time Settings SSL Settings Backup Support Logs System Log Licensing Replication Settings Cisco 2008 Version 1 1 0 186736 Step2 The Network Settings page provides all the network settings that can be changed on the appliance Figure 3 4 Cisco NAC Guest Server Installation and Configuration Guide 34 g OL 15986 01 Chapter3 System Setup Date and Time Settings i Figure 3 4 Network Settings Network Settings Domain Name Hostname localhostlocaldomain IP Address 192 168 137 40 Subnet Mask 255 255 255 0 Default Gateway 192 168 137 2 Nameserver 1 192 168 10 10 Nameserver 2 Save Settings Reset Form Server Restart After changing network settings the server must be restarted for the changes to take PN effect Restart You can change the following Network Settings 185147 Domain Name Enter the domain name for your organization e g cisco com Hostname Enter the name of the appliance as defined in DNS without DNS suffix IP Address Enter the IP address of the ethO interface on the appliance Subnet Mask Enter the corresponding subnet mask Default Gateway The default gateway for the network to which the appliance is connected Nameserver 1 IP address of the primary DNS server Nameserver 2 IP address of the secondary DNS server Step3 Click the Save Settings button to save the changes that you made
75. for the user account and group mapping information Password The password for the user account that has permissions to search the LDAP server To provide resilience in the event of an LDAP server failure you can enter multiple entries for high availability LDAP servers pointing to the same database All that needs to be different in each entry is the Server name and URL The Guest Server attempts to authenticate sponsors against each LDAP server entry in the order specified by Authentication Order detailed in the Configuring Sponsor Authentication Settings section To verify that you have the correct LDAP credentials for connecting to your LDAP server Cisco recommends testing an LDAP browser like the one available at http www ldapbrowser com Cisco NAC Guest Server Installation and Configuration Guide Po i OL 15986 01 Chapter4 Configuring Sponsor Authentication Configuring LDAP Authentication Hi Add an LDAP Server Step1 From the administration interface select Authentication gt Sponsors gt LDAP Servers from the menu Figure 4 11 Figure 4 11 LDAP Authentication LDAP Servers Add LDAP Edit LDAP Delete LDAP 186751 Step2 Click the Add LDAP button Step3 In the Add LDAP Server page enter all the details for authenticating against a specific LDAP server Figure 4 12 Figure 4 12 Add LDAP Server LDAP Server Details LDAP Server Name LDAP Server URL Port V
76. ger NAC Appliance Details Name NAC Manager Hostname or Address 192 168 137 4 Admin Username Password sese Repeat Password Role Guest Access Server Status Active B Add NAC Manager Reset Form Test Connection Step3 Enter the following settings in the NAC Appliance Details page Figure 7 2 Name Type a descriptive name for the Clean Access Manager Hostname of Address Type the DNS name or IP address for the CAM Admin Username Enter an admin username which has API permission to the CAM e Password Type the password for the account Repeat Password Retype the password to ensure it matches correctly Role Type the name of the User Role on the CAM to which you will assign guest users This should match exactly with the User Role name configured on the CAM including correct case Server Status Set the status to be Active for the CAM to have accounts provisioned on it by the Cisco NAC Guest Server Step4 Click the Add NAC Manager button Step5 Optionally click the Test Connection button to ensure that the settings are working correctly Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 Chapter7 Integrating with Cisco NAC Appliance Editing Clean Access Manager Entries W Step6 Inthe Clean Access Manager admin console navigate to Monitoring gt Event Logs and verify that the account nacguest_test was successfu
77. gure 6 2 Cisco NAC Guest Server Installation and Configuration Guide lt cower Chapter6 Configuring Guest Policies Setting the Guest Details Policy Hi Figure 6 2 Password Policy Alphabetic Characters Characters to include ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijkimnoparstt Number to include 6 H Numeric Characters Characters to include 1234567890 Number to include 2 B Other Characters Valid Charachers S amp _ gt Characters to include Characters to include 0 B 186760 Set Policy Reset Form Step2 In the Alphabetic Characters section enter the characters to use in the password and the amount to include Step3 In the Numeric Characters section enter the numerals to use in the password and the amount to include Step4 Inthe Other Characters section enter the special characters to use in the password and the amount to include A Caution For passwords use only the following characters for the Other Characters field amp _ 3 gt Do not use the following characters in the Other Characters field as they are not supported by the Clean Access Manager API lt 7 I Step5 Click Set Policy to save the settings Note The total length of the password is determined by the total number of characters included You can choose between 0 and 20 characters per type alphabetic numer
78. h the new details Suspending Guest Accounts You can terminate an account so that a guest can no longer login To do this you will also need to contact your network administrator to make sure that the user has been removed from the network Depending on the access method this may happen automatically Step1 From the Main page either click Suspend Guest User Accounts or select User Accounts gt Suspend from the left hand menu Cisco NAC Guest Server Installation and Configuration Guide Ea OL 15986 01 Chapter15 Sponsor Documentation Step 2 Step 3 View ing Active Accounts and Resending Details Mil Figure 15 17 Suspend Accounts Username Created By Full Name Company Start Time End Time N ye email company com username first last company ist Sep 2007 30th Sep 2007 Suspend 2 00 00 00 23 59 00 eee 10 In the Suspend User Accounts page Figure 15 17 you can view a list of the accounts that you are able to suspend Click the Suspend button for the account you want to terminate The account is removed from the list and the guest will not be able to login anymore Viewing Active Accounts and Resending Details Step 1 Step 2 Cisco NAC Guest Server provides an Active Accounts page that lets you view the active accounts you created or have permissions to see This page allows you to view print email or text message SMS the account access details to guests if they have lost or forgotten them From th
79. he input box below use the Browse button to navigate to the text file and hit the Install License button Product Authorization Key PAK If you have received a Product Authorization Key PAK with your purchase please visit the Cisco Technical Support site to register and obtain the proper product license Note During the registration process you will be a for the MAC address above please have this information ready Once this is complete you will receive a license key via email which must be saved to a text file Enter the license file name in the input box below use the Browse button to navigate to the text file and hit the Install License button 185507 Step7 Click Submit to install the license Access Cisco NAC Guest Server Administration Interface Step8 The Cisco NAC Guest Server Administration interface Figure 3 2 displays This is the administrator interface to the appliance Step9 Login as the admin user The default user name password is admin admin Figure 3 2 Admin Login apial 2 cisco Cisco NAC Guest Server Administration Please enter your administrator username and password to access the administration interface Password T i i Username Cisco 2007 185842 amp Note Cisco recommends setting up SSL access and change the default admin user password for security Refer to SSL Certificate page 3 7 and Edit Existing Admin Account page 3 11 for details Cisco N
80. hed you will need to run a terminal emulation program with settings set to 9600 baud 8 data bits no parity 1 stop bit no flow control Once you have connected to the appliance and inserted the CD containing the image power on the appliance Switch the appliance on or if already started switch it off and then back on again The appliance should now boot from the CD ROM drive and the initial install screen displays Figure 2 7 Figure 2 7 Initial Install Screen Welcome to the Cisco NAC Guest Server Installation Process To install using keyboard monitor enter install then To install using the console enter serial and press JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE HE JE JE HE WARNING Running this install CD will remove all existing information from the hard disks in the computer Please make sure there is nothing that you need from the hard disk before proceeding There is no x x x x way of retrieving information after this process JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE JE EH Use the function keys listed below for more information C F
81. her create a point in time snapshot or schedule system back ups to be automatically saved on the Cisco NAC Guest Server or a remote FTP server This chapter includes the following sections Configuring Backup Settings Restoring Backups I OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter 11 Backup and Restore WE Configuring Backup Settings Configuring Backup Settings Step 1 From the administration home page select Server gt Backup from the left hand menu Figure 11 1 Figure 11 1 Backup Settings Backup Restore Change the Backup Settings Max number of backups 10 Frequency Monthly B Day Of The Month f E FTP settings Remote Server Address Port Username Password Mode active B Max number of backups 0 Save Settings Reset Form Snapshot Download Snapshot 186738 Taking a snapshot Step 1 You have the option of saving a point in time snapshot which will allow you to download a backup of the Cisco NAC Guest Server at this exact moment To save a snapshot backup click the Snapshot button at the bottom of the form Figure 11 1 You are prompted by your web browser to save the backup file to disk Cisco NAC Guest Server Installation and Configuration Guide n2 g OL 15986 01 Chapter11 Backup and Restore Restoring Backups W Scheduling a Backup Step 1 Step 2 Step 3 Step 4 Y
82. ic or other Setting the Guest Details Policy The guest details policy determines what data the sponsor needs to enter to create a guest account Step1 From the administration interface select Guest Policy gt Guest Details from the left hand menu Figure 6 3 Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 a 63 Chapter6 Configuring Guest Policies E Setting the Guest Details Policy Figure 6 3 Guest Details Policy Requirements for form input First Name Required Last Name Required E3 Email Address Required wy Mobile Phone Unused FA Additional Fields Option 1 Unused Ww Option 2 Unused iz Option 3 Unused a Option 4 Unused FA Note Additional Fields text is defined in the templates section Save Settings Reset Form 186747 Step2 You can specify one of three settings for each requirement Required TIf a field is set to required it is displayed on the create guest page and it is mandatory for the sponsor to complete Optional lIf a field is set to optional it is displayed on the create guest page however the sponsor can choose not to complete the field Unused TIf a field is set to unused then it is not displayed on the create guest page and no value is required Step3 Click the Save Settings button to save the guest details policy Note There are five additional fields that can have any information that you require
83. igure 4 7 Add Active Directory Domain Controller Active Directory Details Server Name User Account Suffix Domain Controller AD Username AD Password Confirm Password Status Active B To test the Active Directory connection enter the details into the form and then click the Test Connection button Add Domain Controller Reset Form Test Connection 186728 The User Account Suffix should start with such as yourdomain com e Server Name Type a text description of the AD Server Name and account suffix for the domain controller for example CCA CISCO COM User Account Suffix Type the User Account Suffix and include the leading for example cca cisco com Every AD user has a full user logon name that appears as username domain To allow sponsors not to have to type their full user logon name type the domain part including the symbol in this field Domain Controller Type the IP address or DNS name for the domain controller This is the IP address of the DC against which the sponsor authenticates Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 Chapter4 Configuring Sponsor Authentication Step 4 Step 5 Configuring Active Directory AD Authentication W Base DN Type the Base Distinguished Name DN of the domain controller This is the name of the root of the directory tree It is used so that when gr
84. ils perform the following steps Step1 Using either keyboard and monitor connection to the appliance or serial console connection authenticate to the command line interface The user name for the console is root and the default password is cisco Figure 2 3 Figure 2 3 Authenticate to the Console Fedora Core release 6 Zod Kernel 2 6 26 1 2962 fc6 on an i686 localhost login root Password HEH JE DE JE DE JE PE E JE HE JE HE JE E JE E JE PE JE PE JE PEJE JE JE JE JE JE JE JE JE JE JE JE JE JEJE JEJE JEJE JE JEJE EJE JEJEJE To configure the network settings please enter system conf ig network lt ENTER gt e when changed enter he reboot lt ENTER gt x KK KK KOK K Croot localhost _ Step2 To configure the network settings type the command system config network and press lt Enter gt The Select A Device menu appears Figure 2 4 Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 x Chapter 2 Installing Cisco NAC Guest Server HE Command Line Configuration Figure 2 4 Choose eth0 Interface Select A Device eth eth Advanced Micro Devices AMD 79c976 PCnet32 LANCE lt New Device gt Cancel 185160 lt Tab gt lt Alt Tab gt between elements i lt Space gt selects i lt Fi2 gt next screen Step3 Select the ethO interface from the list using the up and down arrow keys and press lt Enter gt Step4 You can now enter all the correct network sett
85. ines how user entries are named in the LDAP server For example you can define them to be uid uid 7USERNAME or cn cn USERNAME The 2 USERNAME should be placed where the username will be inserted in a search Group Mapping There are two main methods that LDAP servers use for assigning users to groups 1 Storing the group membership in an attribute of the user object With this method the user object has one or more attributes that list the groups that the user is a member of If your LDAP server uses this method of storing group membership you need to enter the name of the attribute which holds the groups the user is a member of This attribute may be called something like groupMembership memberOf or group 2 Storing the user membership in an attribute of the group object With this method there is a group object that contains a list of the users who are members of the group If your LDAP server uses this method you need to specify the group to check under the LDAP mapping section of a User Group you want to match the user to To determine which method to use Cisco recommends checking the LDAP documentation for your server or using an LDAP browser like the one available at http www ldapbrowser com to check the attributes of the server Username The user account that has permissions to search the LDAP server This is needed so that the Cisco NAC Guest Server can search for the user account and group mapping information
86. ing Setting User Default Redirection User Interface Templates Cisco NAC Guest Server allows you to customize the sponsor user interface text and guest notification text using User Interface Templates You can change the labels for the sponsor interface provide different instructions for guest users or create a translated template to provide the sponsor interface and guest instructions in another language altogether Cisco NAC Guest Server provides a default template in English that can be used as is without any further modification If you want to change the default presentation for sponsors and guests you can add one or multiple templates that you can store separately on the Guest Server and modify as desired Once your user interface template is configured you will need to set the default template mapping so that the Guest Server starts using the correct template Once a sponsor has authenticated they can choose a different template to use and save it in the preferences This enables each sponsor to have the application displayed in a different template or language If you are customizing the interface for another language create a new template for the language and edit all pages with the translated text Typically you create a customized template when you need to modify the account details and instructions that are provided to the guest such as the Acceptable Use Policy Cisco NAC Guest Server provides Print Email and SMS templa
87. ings for the appliance Figure 2 5 Figure 2 5 Change Network Configuration Details Devernet Configuration Name Device Use DHCP Static IP 185161 lt Tab gt lt Alt Tab gt between elements i lt Space gt selects i lt Fi2 gt next screen Enter the following information Static IP The IP Address that you want to assign to the Cisco NAC Guest Server Netmask The corresponding subnet mask Default gateway IP The default gateway for the network You can use the Tab key Arrow keys or lt Enter gt to move between fields When finished tab to the OK button and press lt Enter gt Step5 Exit the system config network by selecting Quit from the network selection screen Figure 2 6 Cisco NAC Guest Server Installation and Configuration Guide P24 E OL 15986 01 Chapter 2 Installing Cisco NAC Guest Server Command Line Configuration W Figure 2 6 Quit the Utility Step6 At the command line either reboot the appliance by typing reboot and pressing lt Enter gt or follow the instructions to Change Root Password page 2 5 before entering reboot Change Root Password amp Note You should change the root password from the default of cisco it is advised to use a complex password for enhanced security Step1 From the command line enter the command passwd and press lt Enter gt Step2 Enter the new password and press lt Enter gt Step3 Repeat the password and press lt Enter gt Continue
88. inistration interface select Authentication gt Replication Settings from the left hand menu Figure 12 1 Figure 12 1 Replication Settings Replication Settings Remote Guest Server 10 1 60 44 Shared Secret Confirm Shared Secret Replication Mode On wy This node contains the data This node will copy data from other node all data on this node will be overwritten Save Settings Reset Form Provisioning Provisioning Primary Secondary O Save Settings Reset Form Enter the Remote Guest Server address This is the address of the Cisco NAC Guest Server that you want to enable replication with Enter a Shared Secret and confirm it The shared secret is used to authenticate with the other Cisco NAC Guest Server The shared secret must be identical on both Guest Servers Set the Replication Mode to be On amp NoteSetting a servers Replication Mode to be Off removes it from the replication process There is no method of re synchronizing a Server without starting the process from the beginning and by doing this you will loose non replicated data on one of the Servers Only turn Replication off if you are making a standalone system Turning on replication enables you to specify whether this server is the one that contains the current data or will copy data from the other server Choose This node contains the data if you want to keep the data from th
89. ions Specifying the Order of User Groups W Figure 5 6 List Groups to Delete User Groups Normal Users Admin Users Helpdesk Users DEFAULT Change Order Add Group Edit Group Delete Group 186789 Step2 Select the group you wish to delete and click the Delete Group button Figure 5 6 Step3 Confirm deletion at the prompt Note If any Local Users are part of this group you must delete the user before deleting the user group Alternatively you can move Local Users to another group to empty it before deleting the user group Specifying the Order of User Groups When a sponsor logs in to the Cisco NAC Guest Server the system checks each group in turn to see if the sponsor should be given the privileges of that group The groups are processed in the order in which they appear in the User Groups list box Figure 5 7 If a user does not match a user group they are given the privileges of the DEFAULT group Step1 From the administration interface select Authentication gt User Groups from the left hand menu Figure 5 7 Order User Groups User Groups Normal Users Admin Users Helpdesk Users DEFAULT Change Order Add Group Edit Group Delete Group 186789 Step2 Select the group you wish to order and click the up or down button until the group is in position Figure 5 7 Step3 Repeat for all groups until they appear in the order you require Step4 Click the Change Orde
90. is server Choose This node will copy data from other node if you want to erase all data on this server and copy the data from the other server Warning Step 7 Step 8 Make sure you set these correctly on each server otherwise you will loose data Itis advised to take a backup before running this procedure Click Save Settings to save the settings and turn on the replication process Repeat Step 1 through Step 7 to set up replication on the other Cisco NAC Guest Server Cisco NAC Guest Server Installation and Configuration Guide P22 E OL 15986 01 Chapter12 Replication and High Availability Configuring Provisioning i Configuring Provisioning When the Cisco NAC Guest Server provisions accounts in other systems such as the Clean Access Manager only one of the Guest Servers should be performing the provisioning at any one time One Cisco NAC Guest Server should be defined as the primary and the other as the secondary The server set to primary will perform the provisioning by default If a server is set to secondary it will check the status of the primary server if it fails to contact the primary server three times then it will perform the provisioning This process happens every minute when the provisioning service runs Step1 From the administration interface select Authentication gt Replication Settings from the left hand menu Figure 12 2 Figure 12 2 Configuring Provisioning Order Replication Settings
91. itors contractors consultants or customers The Guest Server works alongside Cisco NAC Appliance or Cisco Wireless LAN Controller which provide the captive portal and enforcement point for guest access Cisco NAC Guest Server allows any user with privileges to easily create temporary guest accounts and sponsor guests Cisco NAC Guest Server performs full authentication of sponsors the users who create guest accounts and allows sponsors to provide account details to the guest by printout email or SMS The entire experience from user account creation to guest network access is stored for audit and reporting When guest accounts are created they are either provisioned within the Cisco NAC Appliance Manager Clean Access Manager or stored within the built in database on the Cisco NAC Guest Server When using the Guest Server s built in database external network access devices such as the Cisco Wireless LAN Controller can authenticate users against the Guest Server using the RADIUS Remote Authentication Dial In User Service protocol The Cisco NAC Guest Server provisions the guest account for the amount of time specified when the account is created Upon expiry of the account the Guest Server either deletes the account directly from the Cisco NAC Appliance Manager or sends a RADIUS message which notifies the network access device NAD of the amount of valid time remaining for the account before the NAD should remove the user Cisco NAC G
92. jh cryptsoft com Cisco NAC Guest Server Installation and Configuration Guide lt a OL 15986 01 Appendix A Open Source License Acknowledgements Notices W THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The license and distribution terms for any publicly available version or derivative of this code cannot be changed i e this code cannot simply be copied and put under another distribution license including the GNU Public License Cisco NAC Guest Server Installation and Configuration Guide ce Appendix A Open Source License Acknowledgements HI Notices Cisco NAC Guest Server Installation and Configuration Guide PAS es OL 15986 01
93. lly created and then deleted Editing Clean Access Manager Entries The following steps describe how to edit an existing entry for a Clean Access Manager Step1 From the Guest Server administration interface select Devices gt NAC Appliance from the left hand menu Figure 7 3 Figure 7 3 List of Cisco NAC Appliances NAC Appliances NAC Manager Add NAC Edit NAC Delete NAC 186759 Step2 Select the Cisco NAC Appliance that you want to edit from the list and click the Edit NAC button Figure 7 4 Figure 7 4 Edit a Clean Access Manager Change the settings for the Clean Access Manager AP account Name NAC Manager Hostname or Address 192 168 137 4 Admin Username Password sese Repeat Password Role Guest Access Server Status Active B Save Settings Reset Form Test Connection 186743 Step3 In the NAC Appliance Settings page Figure 7 4 enter the following settings Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 EN Chapter7 Integrating with Cisco NAC Appliance HI Deleting Clean Access Manager Entries Hostname of Address Type the DNS name or IP address for the CAM Admin Username Enter an admin username which has API permission to the CAM Password Type the password for the account Repeat Password Retype the password to ensure it matches correctly Role Type the name of the User Role on
94. merica Los_Angeles America Los_Angeles Full Name peter jones 18th Feb 2008 18th Feb 2008 Company cisco 00 00 00 23 59 00 Email Address pjones cisco com Amenca Los_Angeles America Los_Angeles Print Email SMS 1867 I OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter 15 Sponsor Documentation W Multiple Guest Accounts Figure 15 12 Print for random account creation Create Random Accounts Print All CreatedBy Username Password Account Start Account End username gOZJB57Q19 ydCu6yA1 Full Name 18th Feb 2008 18th Feb 2008 Print Company 00 00 00 23 59 00 es Email Address America Los_Angeles America Los_Angeles username DzY7Mieg86 M2fwEBJ4 Full Name 18th Feb 2008 18th Feb 2008 Print Company 00 00 00 23 59 00 Email Address America Los_Angeles America Los_Angeles username b9mizLwoi6 ROgO8pi0 Full Name 18th Feb 2008 18th Feb 2008 Print Company 00 00 00 23 59 00 j Email Address America Los_Angeles America Los_Angeles username A20KtZbk51 mq3kzvh0 Full Name 18th Feb 2008 18th Feb 2008 Print Company 00 00 00 23 59 00 a Email Address America Los_Angeles America Los_Angeles username JOOREJTb10 SA33qJnB Full Name 18th Feb 2008 18th Feb 2008 Print Hes Company 00 00 00 23 59 00 5 Email Address Amernca Los_Angeles America Los_Angeles co When creating accounts with preset details by either importing text or creating a CSV file you can print email o
95. n By Show All B Between 01 F Jan FP 2007 F Category Show All i And 31 FP Dec F 2007 F Submit Reset User Action most recent first Date Time Category admin Template French created 8th Sep 2007 Template 15 57 00 admin Administrator account admin successful login 8th Sep 2007 Login Logout 15 51 00 admin Administrator account admin successful login 8th Sep 2007 Login Logout 13 16 00 admin Radius client 20 20 20 20 added 8th Sep 2007 Server 06 00 00 admin NAC Appliance Settings changed 8th Sep 2007 Server 04 00 00 admin NAC Appliance Settings changed 8th Sep 2007 Server 03 59 00 admin Administrator account admin successful login 8th Sep 2007 Login Logout 03 20 00 admin Active Directory Server test added 6th Sep 2007 Server 07 44 00 admin Active Directory Server test deleted 6th Sep 2007 Server 07 16 00 admin Active Directory Server test added 6th Sep 2007 Server 07 15 00 co oa m First Page E 2 NextPage LastPage Ea I OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter 13 Logging and Troubleshooting E Logfiles Log Files The system records information in different log files depending on the application function Downloading the log files Application Logging Email Logging RADIUS Logging CAM Update Logging Web Server Logging Downloading the log files Step 1 Step 2 To download the files from the administration i
96. new temporary certificate private key When doing this a certificate signing request CSR is also generated that can be used to obtain a CA signed certificate The whole process of generating a temporary certificate CSR and private key is performed on the Create page Entering the correct details on the Create page automatically generates the required files Step1 From the administration interface select Server gt SSL Settings from the left hand menu then select Create from the menu at the top of the page Figure 3 7 Figure 3 7 Create SSL Page Main Create Upload Download Create SSL Certificate Private Key CSR Common Name IP Address Domain Name Organisation j Organisational Unit City State 2 Letter Country Code Create Certificate Reset Form Creating certificate will create a new temporary certificate new private key and a certificate signing request CSR Step2 Enter the details on the screen to provide the details for the temporary certificate and CSR Common Name This is either the IP address of the Cisco NAC Guest Server or the fully qualified domain name FQDN for the Guest Server The FQDN must resolve correctly in DNS Organization The name of your organization or company Organizational Unit The name of the department or business unit that owns the device e City The city where the server is located State The state where the server i
97. nt is created the details of the account need to be passed from the sponsor to the guest The Cisco NAC Guest Server provides a number of ways to do this Manually reading the details to the guest from the screen Printing the details out on paper Sending the details in an email Sending the details as an SMS text message Sponsors always have the option of reading and printing out guest account details to guests Email and SMS text message notification require email servers to be configured but can be configured based upon policy Note Email and SMS guest account notification policies need to be configured globally then enabled per user group for individual sponsor permissions This chapter describes the following Configuring Email Notification Configuring SMS Notification Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 a Chapter9 GuestAccountNotification WE Configuring Email Notification Configuring Email Notification The following steps describe how to configure email settings for the Cisco NAC Guest Server to correctly deliver guest account details via email Step1 From the administration interface select Devices gt Email Settings from the left hand menu Figure 9 1 Email Settings Change the settings for sending email to guests Enable Email Yes No SMTP Server 127 0 0 1 Sent From m Email Address guest jocalhost Save Settings Reset Form
98. nterface select Server gt Support Logs from the left hand menu Figure 13 2 Figure 13 2 Download the log files Download Download support logs download 186783 Click the download button and save the log file on your computer The support logs are contained within the tar file Application Logging All the application error and warning messages are stored in the application log file You may need to view this file to see errors with the main application Email Logging Email is processed by the sendmail daemon on the Guest Server To troubleshoot issues you need to view the email log file called maillog RADIUS Logging RADIUS is processed by the radiusd daemon on the Guest Server To troubleshoot issues you need to view the radius log file Cisco NAC Guest Server Installation and Configuration Guide cower Chapter 13 Logging and Troubleshooting LogFiles W CAM Update Logging The accounts on the Cisco NAC Appliance Clean Access Manager are created by a process that runs every minute on the Cisco NAC Guest Server To troubleshoot issues you need to view the camlog file W eb Server Logging The httpd daemon on the appliance runs the application web server To troubleshoot issues you need to view the error_log file Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 Chapter 13 Logging and Troubleshooting E Log Files Cisco NAC Guest Server
99. nts on the Active Accounts Report username JOOREJTb10 SA33qJnB Bulk Account 186727 I OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter 15 Sponsor Documentation WE Editing Guest Accounts Editing Guest Accounts If you create an account for a guest and you need to extend their account access you can change the expiry date and time of the account Step1 From the Main page either click the link for Edit Guest User Account end time or select User Accounts gt Edit from the left hand menu Step2 Inthe Edit User Accounts page or any of the multiple account reports Figure 15 15 you can view a list of the accounts that you are able to edit Figure 15 15 Edit Guest User Accounts List Username Created By Full Name Company Account Expires email company com username first last company 30th Sep 2007 ait 23 59 00 SS 185327 Step3 Click the Edit button next to the account you want to change Figure 15 16 Edit Guest Account Username email company com First Name first Last Name last Company company Email email company com Mobile Phone Number 1 mh Account Starts Time 00 00 00 Date 18 Feb 2008 Account Expires Time 23 i 59 i Date 18 A Feb 2008 F3 E Timezone America Los_Angeles Submit Reset 186774 Step4 Change the Account details as desired Step5 Click the Submit button to update the account wit
100. om the left hand menu Step2 Select Upload from the menu at the top of the page Figure 3 9 Figure 3 9 Upload Certificate Files Main Create Upload Download Upload SSL Certificate Upload SSL Certificate Choose File no file selected Upload Root CA Certificate Choose File no file selected Upload Private Key Choose File no file selected Upload Reset Form 186786 Step3 In the Upload SSL Certificate page click the Browse button to locate the SSL Certificate file Root CA Certificate or Private Key file you want to upload and click the Upload button Configuring Administrator Authentication Cisco NAC Guest Server has a single default administrator account called admin The Admin Accounts pages under the Authentication menu allow you to create edit and delete additional administrator accounts This section describes the following Add New Admin Account Edit Existing Admin Account Delete Existing Admin Account Add New Admin Account Step1 From the administration interface select Authentication gt Administrators from the left hand menu Cisco NAC Guest Server Installation and Configuration Guide E cower Chapter3 System Setup Configuring Administrator Authentication W Figure 3 10 Admin Accounts Admin Accounts Add User Edit User Delete User 185789 Step2 Inthe Admin Accounts page Figure 3 10 click the Add User button Figure 3 11 A
101. onfiguring LDAP Authentication Base DN This is the Distinguished Name of the container object where an LDAP search to find the user begins such as OU Engineering O Cisco User Search Filter The User Search Filter defines how user entries are named in the LDAP server For example you can define them as uid uid USERNAME or cn cn USERNAME Group Mapping There are two main methods that LDAP servers use for assigning users to groups 1 Storing the group membership in an attribute of the user object With this method the user object has one or more attributes that list the groups that the user is a member of If your LDAP server uses this method of storing group membership you need to enter the name of the attribute which holds the groups the user is a member of 2 Storing the user membership in an attribute of the group object With this method there is a group object that contains a list of the users who are members of the group If your LDAP server uses this method you need to specify the group to check under the LDAP mapping section of a User Group you want to match the user to To determine which method to use Cisco recommends checking the LDAP documentation for your server or using an LDAP browser like the one available at http www ldapbrowser com to check the attributes of the server Username The user account that has permissions to search the LDAP server This is needed so that the Cisco NAC Guest Server can search
102. op of the page and you can make additional changes to the same user account Delete Existing User Account You can delete existing sponsor user accounts from the administration interface Step1 From the administration interface select Authentication gt Sponsors gt Local User Database from the menu Figure 4 5 Figure 4 5 Select User to Delete Local Users username Add User Edit User Delete User 185145 Step2 Select the user from the list and click the Delete User button Step3 Confirm deletion of the user at the prompt If successfully deleted a success message displays at the top of the page and you can perform additional local user account operations Cisco NAC Guest Server Installation and Configuration Guide maa es OL 15986 01 Chapter4 Configuring Sponsor Authentication Configuring Active Directory AD Authentication W Configuring Active Directory AD Authentication Active Directory Authentication authenticates sponsor users to the Guest Server using their existing AD user accounts This keeps sponsors from having to remember another set of user names and passwords just to authenticate to the Guest Server It also enables the administrator to quickly roll out Guest Access because there is no need to create and manage additional sponsor accounts Active Directory authentication allows you to do the following Add Active Directory Domain Controller Edit Existing Domain Cont
103. options that will be available to you are configured by your administrator Figure 15 7 Multiple Accounts Select Multiple Account Option Create Multiple Accounts Create multiple accounts from a comma separated text field Import Accounts from File Import accounts from a CSV file e Create Accounts with Random Username Password Create multiple random Username Password accounts Show Multiple Account Groups List all multiple account groups e Search for multiple account group from Username Enter Username Submit 186779 Creating Multiple Accounts from Text Entry Step1 Select User Accounts gt Multiple Accounts from the left hand menu Figure 15 7 Step2 Select Create Multiple Accounts Figure 15 8 Figure 15 8 Multiple Accounts from text entry Input is comma separated text in the format First Name Last Name Company Email Address Country Code Mobile Phone Number first last company email company com 1 55555555 Account Start Account End Time 00 Z 00 Time 23 We 59 Date 18 b Feb fey 2008 je EH Date 18 F Feb fey 2008 fe E Timezone America Los_Angeles E Note Mobile phone country codes and Account timezone information will be taken from your preferences settings Create Bulk Accounts Reset 186780 Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 EEE Chapter 15 Sponsor Documentation W M
104. or the sponsor is set to Create Account By Template Options See Adding User Groups page 5 1 for more details The only account duration options that appear are the durations within the maximum duration set on the sponsors user group Deleting a Template Step1 From the administration interface select User Interface gt Templates from the left hand menu Step2 Select the template you want to delete from the Current Templates list and click the Delete Template button Step3 Confirm deletion of the template Setting the Default Interface M apping Once you have created your template you need to make the template active This is a global operation for the Cisco NAC Guest Server Step1 From the administration interface select User Interface gt Mapping from the left hand menu Cisco NAC Guest Server Installation and Configuration Guide P08 W OL 15986 01 Chapter 10 Customizing the Application Setting User Default Redirection W Figure 10 10 Default User Interface Mapping Select the default user interface template to use Template default ee Se Set Template 186740 Step2 Select the Template from the dropdown list This will become the template used for the sponsor and guest user interface Step3 Click the Set Template button Setting User Default Redirection There are a number of options that each sponsor may want to customize for their environment so that they don t need to make changes eve
105. ord The password for the user account that has permissions to search the LDAP server Confirm Password Repeat the password to make sure it matches Status Select the status of the LDAP server If it is set to Active the Guest Server will use it for authenticating sponsors If it is set to Disabled it will not be used Step4 Optionally click the Test Connection button to verify the settings are correct for the LDAP server The Test Connection will bind with the username and password specified to the LDAP server to verify that it can bind successfully Step5 Click the Add LDAP Server button Edit an Existing LDAP Server Step1 From the administration interface select Authentication gt Sponsor gt LDAP Servers from the menu Step2 Select the Active Directory Domain Controller from the list and click the Edit DC button Figure 4 13 Cisco NAC Guest Server Installation and Configuration Guide Ca OL 15986 01 Chapter4 Configuring Sponsor Authentication Configuring LDAP Authentication Hi Figure 4 13 Select LDAP Server to Edit LDAP Servers Cisco LDAP Server Add LDAP Edit LDAP Delete LDAP 186754 Step3 In the LDAP Server page Figure 4 14 edit the details for authenticating against this LDAP server Figure 4 14 Edit LDAP Server Settings Edit LDAP Server LDAP Server Name Cisco LDAP Server LDAP Server URL Idap Idap cisco com Port 389 Version L
106. ou can schedule backups to occur every day week or month at 1 00 AM Scheduled backups are stored in either the guest backups directory of the Cisco NAC Guest Server or on a remote FTP server From the administration home page select Server gt Backup from the left hand menu Figure 11 1 To perform local backups Enter the Maximum number of backups that you want to keep The Cisco NAC Guest Server will remove old backups that exceed this amount by discarding the oldest backup s when new ones are created amp Note If you do not want to limit the number of files you can specify a number less than 1 like 0 or 1 for example Specify the Frequency how often you want the Cisco NAC Guest Server to perform backups of when you want to perform the backup You can specify Daily Weekly or Monthly If you select Weekly you must also specify which day of the week If you select Monthly you must also specify which day of the month amp Note Cisco recommends specifying a date between the 1st and 28th day of the month to ensure you automatically back up your system every month of the year To perform the backup to a remote FTP server Enter the Remote Server Address for the FTP server Enter the TCP Port to use usually port 21 Enter a Username and Password that allows access to the FTP server Select either active or passive for the FTP Mode Enter the Maximum number of backups that you want to keep The Cisco NAC Gue
107. oup Edit an existing User Group Group Name Helpdesk Users Permissions Allow Login Create Account Create Bulk Accounts Create Random Accounts Import CSV Send Email Send SMS Edit Account Suspend Account Active Accounts N Full Reporting 1 Number of days in the future the account can be created Maximum duration of account in days Create Account By Start Date End Date iz Save Group Reset Form 8 Step4 Edit Permissions for the User Group as follows Allow Login Select Yes to allow sponsors in this group to access the Cisco NAC Guest Server Otherwise select No Create Account Select Yes to allow sponsors to create guest accounts Otherwise select No Create Bulk Accounts Select Yes to allow sponsors to be able to create multiple accounts at a time by pasting in the details Otherwise select No Create Random Accounts Select Yes to allow sponsors to be able to create multiple random accounts without initially capturing guests details Otherwise select No Import CSV Select Yes to allow sponsors to be able to create multiple accounts at a time by importing the details from a CSV file Otherwise select No Send Email Select Yes to allow sponsors to send account details via email from the Guest Server to the guest user Otherwise select No Send SMS Select Yes to allow sponsors to send account details via SMS from the Guest Server to the guest user Otherwise select No Edit A
108. oup searches are performed the Guest Server knows from where to start An example of the base DN for the domain cca cisco com is DC cca DC cisco DC com AD Username Type a username that has permissions to search the Active Directory using LDAP This allows the Guest Server find out details about users such as the list of groups to which they belong AD Password lIn addition to the AD Username type the password for that account Confirm AD Password Retype the password to make sure it is correct Status Select the status of the Domain Controller If it is set to Active the Guest Server will use it for authenticating sponsors If it is set to Disabled it will not be used Optionally click the Test Connection button to verify the settings are correct for the domain controller The Test Connection will authenticate with the specified AD Username and Password to verify the settings Click the Add Domain Controller button Edit Existing Domain Controller Step1 From the administration interface select Authentication gt Sponsor gt Active Directory Servers from the menu Step2 Select the Active Directory Domain Controller from the list and click the Edit DC button Figure 4 8 Figure 4 8 Select Domain Controller to Edit Active Directory Domain Controllers add DC EditDC Delete DC ko Step3 In the Active Directory Domain Controller page Figure 4 9 edit the details for authenticating against this AD domain
109. p Servers Mapping Rules Auth Test Accounting Server Config Login Event Logout Event Data sent when User Logs in or Logs out New Entry User 5 User_Name Key _ User 192 168 151 200 _XSOQRDGDTANKNVW3_0A 0B DB 1F 05 E1 x MAC Login_IP_Host CA hil 192 168 151 1 X Framed_IP_Address User IP 192 168 151 200 X Current gt Event_Timestamp Time Unix 1107558172 thd x Seconds a Calling Station_Id User IP 192 168 151 200 X 2 Step2 On the Shared Events page click the Edit button to the right of the User_Name attributes entry Cisco NAC Guest Server Installation and Configuration Guide 7e E OL 15986 01 Chapter7 Integrating with Cisco NAC Appliance Configuring the CAM for Reporting W Figure 7 8 Edit User Name Attribute User Management gt Auth Servers Auth Servers Lookup Servers Mapping Rules Auth Test Accounting Server Config Login Event Logout Event Data sent when User Logs in or Logs out Send RADIUS Attribute User Name B Change Attribute RADIUS Attribute type String Data to send thus far User Key _ User MAC Sample of data to be sent 192 168 151 200_XSOQRDGDTANKNVW3_0A 0B DB 1F 05 E1 Add Data Current Time Unix Seconds is Add Text Selecting dynamic data from the drop down list and clicking Add Data will cause that data to be sent with the associated RADIUS Attribute Static data can be entered via Add Text Dynamic and static
110. p9 Click the Restart button to restart the RADIUS service to make the changes take effect Deleting RADIUS Clients Step1 From the administration interface select Devices gt Radius Clients from the left hand menu Cisco NAC Guest Server Installation and Configuration Guide sa E OL 15986 01 Chapter8 Configuring RADIUS Clients Step 2 Step 3 Step 4 Step 5 Deleting RADIUS Clients W Figure 8 5 List RADIUS Clients Radius Clients Wireless Lan Controller Add Radius Edit Radius Delete Radius Restart Radius If any changes are made to the radius clients please click the Restart Radius button to meee apply them Restart In the Radius Clients page Figure 8 5 select the RADIUS client from the list 185306 Click the Delete Radius button and confirm the action From the administration interface select Devices gt Radius Clients Figure 8 1 from the left hand menu Click the Restart button to restart the RADIUS service to make the changes take effect Note Any time you make a change to a RADIUS component you will need to restart the RADIUS service for the changes to become active I OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter8 Configuring RADIUS Clients HZ Deleting RADIUS Clients Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 CHAPTER Guest Account Notification When a guest accou
111. r 2 Installing Cisco NAC Guest Server W sRe Imaging the Appliance Step9 The appliance boots and runs the final setup of the image automatically The imaging process is complete when the login screen displays Figure 2 10 Figure 2 10 Imaging Complete Fedora Core release 6 Zod Kernel 2 6 26 1 2962 fc6 on an i686 localhost login _ 185156 Step 10 Login as user root and continue to the instructions in Command Line Configuration page 2 3 to complete the installation Cisco NAC Guest Server Installation and Configuration Guide CHAPTER System Setup The system can be configured through the web interface to provide the networking configuration for the appliance and other system settings that are important such as time and SSL certificate The Cisco NAC Guest Server is administered entirely using a web interface over either HTTP or HTTPS This chapter includes the following sections Accessing the Administration Interface Configuring Network Settings Date and Time Settings SSL Certificate Configuring Administrator Authentication Accessing the Administration Interface Upon first accessing the web administration interface of the Cisco NAC Guest Server you will need to install a product license You can obtain a license using the instructions in the PAK shipped with the appliance or by registering for a evaluation license at https tools cisco com S WIFT Licensing PrivateRegistrationServlet FormId 1
112. r button to save the order Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 E57 Chapter5 Configuring User Group Permissions W Mapping to Active Directory Groups M apping to Active Directory Groups Step 1 If a sponsor authenticates to the Cisco NAC Guest Server using Active Directory authentication then the Cisco NAC Guest Server can map them into a user group by their membership in Active Directory groups If you have configured AD authentication as described in Configuring Active Directory AD Authentication page 4 5 then the Guest Server automatically retrieves a list of all the groups configured within all the AD servers configured Selecting an Active Directory Group from the dropdown provides all sponsor users who are in this AD group the permissions of this group Select Active Directory Mapping from the top menu when in the add user group or edit user group screen Figure 5 8 Active Directory Group Mapping Map Active Directory group to User Group User Group Name DEFAULT Active Directory Group No Active Directory Mapping DnsUpdateProxy Domain Admins Domain Computers Domain Controllers Domain Guests Domain Users Enterprise Admins Group Policy Creator Owners Schema Admins Assign Group Reset Form 186735 Select the group you wish to match against and click the Assign Group button By default Active Directory only returns a maximum of 100
113. r can text message to the guest after creating the account The contents of the text message can be fully customized p Tip Navigating to Reporting gt Active Accounts on the sponsor interface and clicking the SMS button next to the guest account entry brings up the output of the SMS Template and also text messages the guest Step1 Go to User Interface gt Templates and click the Edit Template button for the template you want to edit in the Current Templates list Step2 In the Edit User Interface page click the SMS Template tab at the top of the page to bring up the SMS Template configuration page Figure 10 7 Figure 10 7 SMS Template Page Template Name French SMS Template SMS Subject SMS Destination OBILENUMBER smsgateway SMS Body The following guest user account has been created for you Username USERNAME Password PASSWORD Valid From STARTTIME Valid To ENDTIME Timezome TIMEZONE Save Template Reset Form 185314 Step3 Change the SMS Subject as desired Step4 Change the SMS Destination to be the email address of the SMS gateway that you use To send the text message to mobile phone number of the guest use the variable 7 MOBILENUMBER The ZMOBILENUMBER variable is replaced by the mobile phone number including country code of the guest as entered by the sponsor For example if the country code selected is the UK 44 and the guest s phone number is 055
114. r from the list and click the Edit User button Step3 In the Edit a Local User Account page edit the user credentials Figure 4 4 Figure 4 4 Edit Local Sponsor Account Edit the local user account details Username username First Name first Last Name last Password Repeat Password If you don t wish to change the password please keep the entry empty Group DEFAULT B Email Address firstlast cisco com Save Settings Reset Form 185143 First Name Edit the first name for the sponsor account Last Name Edit the last name for the sponsor account Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 EN Chapter4 Configuring Sponsor Authentication E Configuring Local Sponsor Authentication amp Note Leaving the Password and Repeat Password fields empty keeps the existing password Password Change the password for the sponsor account Repeat Password Retype the changed password for the sponsor account Groups Select the group for the sponsor account from the dropdown Chapter 5 Configuring User Group Permissions provides further details on groups e Email Address Edit the email address of the sponsor Step4 Click the Save Settings button If there are any errors the account is not changed and an error message displays at the top of the page If successfully changed a success message displays at the t
115. r the latest online updates to this guide visit http www cisco com en US products ps6128 products_installation_and_configuration_guides_list ht ml See Product Documentation for a list of related documentation for Cisco NAC Guest Server For details on how to obtain technical support refer to section Obtaining Documentation and Submitting a Service Request Cisco NAC Guest Server Installation and Configuration Guide lt cower CHAPTER Installing Cisco NAC Guest Server This chapter contains the following sections Connecting the Cisco NAC Guest Server Command Line Configuration Re Imaging the Appliance Connecting the Cisco NAC Guest Server Step 1 Step 2 Step 3 Step 4 The Cisco NAC Guest Server is based on the Cisco NAC Appliance 3310 NAC 3310 hardware platform and comes preloaded with a default system image When you receive the Guest Server perform the initial configuration described in Command Line Configuration page 2 3 If you need to perform CD installation to re image the appliance refer to Re Imaging the Appliance for instructions To perform initial configuration you will need to connect to your appliance and access its command line as described below a You can access the Cisco NAC Guest Server command line in one of two ways a Connect a monitor and keyboard directly to the machine via the keyboard video monitor connectors on the back panel of the machine Figu
116. r transmit via SMS the guest account details Figure 15 11 When you create random accounts however you can only use the print option Figure 15 12 The additional options to both of these is the ability to perform the required action for all accounts at the same time by clicking the lt action gt All button at the top right of the table For the random accounts it is also useful to print the table out so that you can write down the corresponding guests details for later input in to the Cisco NAC Guest Server Viewing Multiple Account Groups When you create multiple accounts you may want to find the batch of accounts that were created at the same time You can accomplish this using one of the following three methods Viewing Multiple Account Groups Finding Multiple Account Groups by username Finding Multiple Account Groups on the Active Accounts Report View ing Multiple Account Groups This option allows you to select the batch of accounts that you created Step1 Select User Accounts gt Multiple Accounts from the left hand menu Figure 15 7 Step2 Select Show Multiple Account Groups Cisco NAC Guest Server Installation and Configuration Guide 15 10 OL 15986 01 Chapter15 Sponsor Documentation Step 3 Multiple GuestAccounts W Figure 15 13 Multiple Account Groups Show Multiple Groups Created By Time Date Created No of Accounts Account Start Account End username 18th Feb 2008 1 18th Feb 200
117. re 2 2 preferred method b Connecta null modem serial cable from a workstation PC laptop to the serial port on the appliance Open a serial connection on the workstation using terminal emulation software such as HyperTerminal or SecureCRT with settings set to 9600 baud 8 data bits no parity 1 stop bit no flow control Connect a straight through Category 5 Ethernet cable to the ethO NIC1 10 100 1000 Ethernet port on the back panel of the appliance and to your local area network Connect the AC power cord to the back panel of the appliance and to a grounded AC outlet and power on the appliance Figure 2 1 Proceed to the instructions in Command Line Configuration page 2 3 I OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter 2 Installing Cisco NAC Guest Server E Connecting the Cisco NAC Guest Server Figure 2 1 Cisco NAC Guest Server Front Panel 1 Hard disk drive HDD bay 6 HDD activity LED indicator green CD ROM DVD drive Power button with LED indicator bicolor 2 7 green amber UID Unit identification button with LED Thumbscrews for the front bezel 3 indicator blue 8 4 System health LED indicator amber 9 Front USB ports Activity link status LED indicators for NIC 1 5 ethO and NIC2 eth1 green Figure 2 2 Cisco NAC Guest Server Rear Panel te et 180957 1
118. reate Upload Download Change the SSL settings C Redirect http to https Allow http access Save Settings Reset Form Restart Web Server Restart Web Server Restart Step2 The Main SSL Settings page provides the following options Redirect http to https When enabled any sponsor or administrator accessing the Guest Server using HTTP is automatically redirected to the HTTPS interface If this setting is not enabled then no redirection occurs Allow http access When enabled allows sponsors and administrators to access the portal with standard HTTP If this is not enabled sponsors and administrators are redirected if the first option is set or if not set are shown a web page explaining that HTTP access is not available Step3 When you have made your changes click the Save Settings button Cisco NAC Guest Server Installation and Configuration Guide E E Chapter3 System Setup HZ SSL Certificate amp Note The Main SSL Settings page also provides the Restart Web Server button You need to restart the Web Server component of the appliance when new certificates are generated or uploaded to the appliance Clicking the Restart button makes the Guest Server use the new certificates Generating Temporary Certificates CSRs Private Key Cisco NAC Guest Server ships with a default certificate installed If you are planning on using HTTPS Cisco highly recommends generating a
119. relation at a later date This is useful when you don t have access to a computer to create accounts when you need to provide guest accounts Step1 Select User Accounts gt Multiple Accounts from the left hand menu Figure 15 7 Step2 Select Create Accounts with Random Username Password Figure 15 10 Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 Chapter 15 Sponsor Documentation Figure 15 10 Create Random Accounts Multiple GuestAccounts W Time 00 fay 00 TA Number of accounts required Account End Time 23 faq 59 Date 18 b Feb be 2008 F39 E Date 18 FA Feb fq 2008 fe E Timezone America Los_Angeles B Submit 186781 Step3 Enter the amount of accounts that you want to generate Step4 Specify the Account Start time Account End time and Timezone Step5 Click the Submit button Printing Email SM S M ultiple Accounts When you have created accounts using one of the multiple account creation methods the screen for the users details is slightly different to the single user Figure 15 11 Bulk User Accounts Print Email SMS for text csv creation methods Print All Email All SMS All Created By Username Full Name Start Time End Time username jdoe cisco com username pjones cisco com D9rp6XPs Full Name john doe 18th Feb 2008 18th Feb 2008 Company cisco 00 00 00 23 59 00 Email Address jdoe cisco com A
120. ributes button to save the LDAP group mapping amp Note You can specify both options for the same group The option that you check depends on the setting on the LDAP server with which the sponsor successfully authenticates Cisco NAC Guest Server Installation and Configuration Guide oL 15986 01 EN Chapter5 Configuring User Group Permissions W Mapping to RADIUS Groups Mapping to RADIUS Groups If a sponsor authenticates to the Cisco NAC Guest Server using RADIUS authentication then the Cisco NAC Guest Server can map them into a user group by using information returned to the Cisco NAC Guest Server in the authentication request The information must be placed into the class attribute on the RADIUS server Step1 Select Radius Mapping from the top menu when in the add user group or edit user group page Figure 5 10 Figure 5 10 RADIUS Group Mapping Map Radius Attribute to User Group User Group Name DEFAULT Class Attribute Contains the string we Assign Group Reset Form wo wo co Step2 Enter the string you want to match against the class attribute that is returned in the RADIUS authentication reply You can specify from the drop down if you want to exactly match the string equals the string or match a substring contains the string Step3 Click the Assign Group button Cisco NAC Guest Server Installation and Configuration Guide u OL 15986 01 CHAPTER Configuring Guest Polici
121. rmissions to search the AD To allow you to authenticate different user account suffixes against the same domain controller you can create multiple domain controller entries with the same IP address and different user Account suffixes All that needs to be different in each entry is the Server Name User Account Suffix and Base DN To provide resilience in the event of a domain controller failure you can enter multiple entries for the same User Account Suffix with different Domain Controller IP Addresses All that needs to be different in each entry is the Server Name The Guest Server attempts to authenticate sponsors against each Domain Controller entry according to the Authentication Order specified in Configuring Sponsor Authentication Settings page 4 18 OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter4 Configuring Sponsor Authentication HI Configuring Active Directory AD Authentication Add Active Directory Domain Controller Step1 From the administration interface select Authentication gt Sponsors gt Active Directory Servers from the menu Figure 4 6 Figure 4 6 Active Directory Authentication Active Directory Domain Controllers Add DC EditDC Delete DC 185137 Step2 Click the Add DC button Step3 In the Add Active Directory Domain Controller page enter all the details for authenticating against a specific AD Domain Controller Figure 4 7 F
122. roller Delete Existing Domain Controller Entry AD authentication supports authentication against multiple domain controllers The domain controllers can be part of the same Active Directory to provide resilience or they can be in different Active Directories so that the Guest Server can authenticate sponsor users from separate domains even where no trust relationship is configured All Active Directory Authentication is performed against individual domain controller entries A domain controller entry consists of 6 items Server Name A text description to identify the domain controller As a best practice Cisco recommends identifying the domain controller and the account suffix in this field although it can be set to anything that you choose User Account Suffix Every user in Active Directory has a full user logon name which appears as username domain Typing the domain suffix including the symbol in this field allows sponsor users not to have to enter their full user logon name Domain Controller IP Address The IP address of the domain controller that the sponsor user authenticates against Base DN The root of the Active Directory This allows an LDAP search to be performed to find the user group of the sponsor AD Username The user account that has permissions to search the AD This allows an LDAP search for the user group of the sponsor AD Password The password for the user account that has pe
123. rom Failures Deployment Considerations Setting up replication A Initial replication is configured by setting one of the Cisco NAC Guest Servers to copy all of the data from the other Guest Server The Guest Server that is configured to copy the data from the other device will be first set to delete all its own data This ensures that no conflicts exist Cisco recommends setting up replication at initial install time of Cisco NAC Guest Server or when adding a new Guest Server to an existing implementation Warning All Data on one of the Guest Servers will be overwritten If you have data that is needed on both Guest Servers then you should not configure replication as you will loose data Once one of the Guest Servers has received a copy of the data from the other device they are synchronized and replication is turned on Any data that is updated on one Guest Server is then automatically replicated to the other Guest Server All communication between the Cisco NAC Guest Servers is encrypted using SSL and runs over TCP destination port 5432 I OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter 12 Replication and High Availability HI Setting up replication Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 A Create a backup of the Cisco NAC Guest Server before starting by following the Taking a snapshot instructions in Configuring Backup Settings page 11 2 From the adm
124. rom the menu Figure 4 16 Figure 4 16 RADIUS Authentication Radius Servers Add Radius Edit Radius Delete Radius Step2 Click the Add Radius button Step3 In the Add RADIUS Server page enter all the details for authenticating against a specific RADIUS server Figure 4 17 Figure 4 17 Add RADIUS Server Radius Server Details Server Name Server IP Address Port Radius Secret Confirm Secret Status Active F Add Radius Server Reset Form 186733 Server Name Type a text description of the RADIUS Server Name for example Cisco RADIUS radius cisco com e Server IP Address Enter the IP address or domain name of the RADIUS server Port Enter the UDP port used to connect to the RADIUS server The common ports for RADIUS authentication are ports 1645 or 1812 Radius Secret The shared secret used to secure the communications between the Cisco NAC Guest Server and the RADIUS server Status Select the status of the RADIUS Server If it is set to Active the Guest Server will use it for authenticating sponsors If it is set to Disabled it will not be used Step4 Click the Add Radius Server button Cisco NAC Guest Server Installation and Configuration Guide Ca OL 15986 01 Chapter4 Configuring Sponsor Authentication Configuring RADIUS Authentication W Edit an Existing RADIUS Server Step1 From the administration interfa
125. rom when they click the button to create the account Select User Interface gt Templates and click the Edit Template button for the template you want to edit in the Current Templates list From the menu at the top of the page select Accounts gt Account Duration The Account Durations screen appears Figure 10 8 Figure 10 8 Account Duration Account Duration Add Duration Edit Duration Delete Duration Click the Add Duration button to add a new account duration Figure 10 9 186940 OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide gy Chapter 10 Customizing the Application W Deleting a Template Figure 10 9 Add Account Duration Duration Option Description Duration 0 Years 7 0Days 0 Hours 0 Minutes Note Account Durations are displayed in the User Account creation pages in accordance with the User Groups policy regarding maximum account duration Add Duration Option Reset Form 186941 Step4 Enter a description that you want to appear in the sponsor interface such as 1 Hour Step5 Select the desired duration from the drop down menu Step6 Click the Add Duration Option button You are taken back to the account durations list Figure 10 8 Step7 If you want to edit or delete an account option select the entry from the list and click the appropriate button Note The Account Durations options only appear on the sponsor s screen if the user group f
126. ry time they log in to the sponsor interface The items you can change are the template for another language the time zone and the telephone country code Sponsors can change these settings from their Preferences page once they are logged in However to ease the situation for first time users of the application you can choose to direct sponsors to their preference page on their first login to the system Step1 From the administration interface select User Interface gt User Defaults from the left hand menu Figure 10 11 User Defaults User Defaults Go to User Settings Page on first login M Save Settings 186787 Step2 Check the check box if you want the sponsors to be redirected to the preferences pages upon their first login to the system If you don t then make sure it is unchecked Step3 Click the Save Settings button Cisco NAC Guest Server Installation and Configuration Guide E E Chapter 10 Customizing the Application HI Setting User Default Redirection Cisco NAC Guest Server Installation and Configuration Guide P1010 fy OL 15986 01 avn AF Backup and Restore You should backup the Cisco NAC Guest Server on a regular basis so that in the event of a hardware failure you do not loose critical data The Cisco NAC Guest Server backup process backs up the system setup account database and all audit records enabling you to recover everything you need in the event of a failure You can eit
127. s by clicking the Set System Timezone button Note If you change the time zone this action automatically adjusts the date and time on the server Step6 If you have an NTP server available on the network enter the address of the NTP server Step7 Click the Set NTP Server button This saves the settings and restarts the NTP process so the new settings take effect Note When setting the NTP server it may take some time for synchronization to occur Synchronization occurs much faster if the time is set to be close to the NTP server and saved with the Set button before clicking the Set NTP Server button Cisco NAC Guest Server Installation and Configuration Guide 36 E OL 15986 01 Chapter3 System Setup SSL Certificate W SSL Certificate Both sponsors and administrators can access the Cisco NAC Guest Server using either HTTP or HTTPS For more secure access Cisco recommends using HTTPS access This section describes the following Accessing the Guest Server using HTTP or HTTPS Generating Temporary Certificates CSRs Private Key Downloading Certificate Files e Upload Certificate Files Accessing the Guest Server using HTTP or HTTPS You can configure whether sponsors and administrators access the portal using HTTP both HTTP and HTTPS or HTTPS only Step1 From the administration interface select Server gt SSL Settings from the left hand menu Figure 3 6 Figure 3 6 SSL Settings Main Page Main C
128. s located 2 Letter Country Code The 2 letter ISO abbreviation for the country where the Guest Server is located such as US for United States GB for Great Britain or United Kingdom Step3 Click Create Certificate This creates a temporary self signed certificate a new private key and also the corresponding CSR which can be used for obtaining a certificate from a Certificate Authority CA Cisco NAC Guest Server Installation and Configuration Guide EN OL 15986 01 Chapter3 System Setup Step 4 SSL Certificate W To use the new temporary certificate you must restart the web server process Click the Main tab from the top of the screen then click the Restart Web Server button Figure 3 6 Note If you want the CSR you can download it from the download page as described in Downloading Certificate Files page 3 9 Downloading Certificate Files Downloading the CSR and Certificate Step 1 Step 2 Step 3 Step 4 You will need to download the CSR from the appliance so that it can be sent to a Certificate Authority to obtain a certificate Cisco strongly recommends backing up the certificate and private key From the administration interface select Server gt SSL Settings from the left hand menu Select Download from the menu at the top of the page Figure 3 8 Figure 3 8 Download Certificate Files Main Create Upload Download Current SSL Certificate CSR Click Here to download CSR SSL Cer
129. ser entries are named in the LDAP server For example you can define them to be uid uid USERNAME or cn cn USERNAME The 2 USERNAME should be placed where the username will be inserted in a search Group Mapping There are two main methods that LDAP servers use for assigning users to groups 1 Storing the group membership in an attribute of the user object With this method the user object has one or more attributes that list the groups that the user is a member of If your LDAP server uses this method of storing group membership you need to enter the name of the attribute which holds the groups the user is a member of This attribute may be called something like groupMembership memberOf or group 2 Storing the user membership in an attribute of the group object With this method there is a group object that contains a list of the users who are members of the group If your LDAP server uses this method you need to specify the group to check under the LDAP mapping section of a User Group you want to match the user to To determine which method to use Cisco recommends checking the LDAP documentation for your server or using an LDAP browser like the one available at http www ldapbrowser com to check the attributes of the server Username The user account that has permissions to search the LDAP server This is needed so that the Cisco NAC Guest Server can search for the user account and group mapping information Passw
130. server uses this method then you need to specify the group to check under the LDAP mapping section of a User Group you want to match the user to When you define the LDAP server you will have specified one of these options If the LDAP server supports the first option then you will have to specify to check the user attribute for a certain string If the LDAP server supports the second option then you will need to enter the full DN of the group you want to check membership of The Cisco NAC Guest Server will then look in the attribute to make sure that it contains the name of the user who has logged in Step1 Select LDAP Mapping from the top menu when in the add user group or edit user group screen Figure 5 9 Figure 5 9 LDAP Group Mapping Map LDAP group to User Group User Group Name Helpdesk Users Check the user attribute contains the string i helpdesk the user attribute to check is specified under the LDAP server Check the group object CN admingroup OU groups O cisco com Membership Attribute membemame contains the username Assign Attributes Reset Form 2 Step2 If your LDAP server uses user attributes to store group membership then enter the group name to check is either contained or equals the specified string Step3 If your LDAP server stores group membership in the group object then specify the full DN of the group you want to check and the name of the attribute that will be checked for the sponsors username Step4 Click the Assign Att
131. sions for viewing reporting details for active accounts No Sponsors are not allowed to view reporting details on any accounts Own Account Sponsors are allowed to view reporting details for only the accounts they created All Accounts Sponsors are allowed to view reporting details on any active guest accounts Full Reporting Choose one of the following permissions for running full reporting No Sponsors are not allowed to run full reporting on any accounts Own Account Sponsors are allowed to run full reporting for only the accounts they created All Accounts Sponsors are allowed to run full reporting on any active guest accounts Number of days in the future This specifies how long in the future that guests can create accounts Specify the maximum number of days that they are allowed to create accounts in the future Maximum duration of account This specifies the maximum length in days that the sponsor can configure for an account Show account dates as This defines the method a sponsor can use to specify when an account is valid There are two options Start Date End Date The sponsor is shown a calendar they can use to specify the time and date an account starts and ends OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide pg Chapter5 Configuring User Group Permissions WE Editing User Groups Step 6 Template Options You can specify a list of preset dura
132. st Server will remove old backups that exceed this amount by discarding the oldest backup s when new ones are created Click the Save Settings button to save the backup settings Note If you choose to only store backups locally on the Cisco NAC Guest Server then they will be placed in the guest backups directory Cisco recommends backing this directory up remotely using SFTP logging in with the root username and password This will make sure you have an external copy if there is a hardware failure to the disk in the appliance Restoring Backups If you need to restore a backup to the Cisco NAC Guest Server then you can do so from the administration interface OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter 11 Backup and Restore W Restoring Backups D Note You can only restore a backup to the same version of Cisco NAC Guest Server software with which the backup was taken If you want need to determine which version was used to perform the backup open the backup archive file directory and view the version html in the backup archive A Warning If you are running a resilient pair of Cisco NAC Guest Servers and want to restore a backup you must turn off replication on both servers and only restore the backup to one of the servers Then you must re synchronize the other server Failure to follow this process may resultin data loss on one of the servers Step1 From th
133. t Select Yes to allow sponsors to create guest accounts Select No otherwise Create Bulk Accounts Select Yes to allow sponsors to be able to create multiple accounts at a time by pasting in the details Otherwise select No Create Random Accounts Select Yes to allow sponsors to be able to create multiple random accounts without initially capturing guests details Otherwise select No Import CSV Select Yes to allow sponsors to be able to create multiple accounts at a time by importing the details from a CSV file Otherwise select No Send Email Select Yes to allow sponsors to send account details via email from the Guest Server to the guest user Otherwise select No Send SMS Select Yes to allow sponsors to send account details via SMS from the Guest Server to the guest user Otherwise select No Edit Account Choose one of the following permissions for editing the end date time on guest accounts No Sponsors are not allowed to edit any accounts Own Account Sponsors are allowed to edit only the accounts they created All Accounts Sponsors are allowed to edit any guest accounts Suspend Account Choose one of the following options for suspending accounts No Sponsors are not allowed to suspend any accounts Own Account Sponsors are allowed to suspend only the accounts they created All Accounts Sponsors are allowed to suspend any guest accounts Active Accounts Choose one of the following permis
134. t Server Installation and Configuration Guide jg Chapter 15 Sponsor Documentation E Connecting to the Guest Server Authentication Screen Guest Server Authentication Cisco Guest Server Enter your Username and Password and then click Login Username Password Login 1Q gt Google Step2 In the Cisco Guest Server login page enter your Username and Password and click the Login button Figure 15 1 Use the login credentials specified by your network administrator Step3 On your first successful login you may see the User Default Setting page Figure 15 2 where you can change default settings like the language template time zone and telephone country code as described in Step 4 Otherwise the Welcome to the Cisco NAC Guest Server page Figure 15 3 likely appears If so and you would like to change the default settings select the My Settings gt Preferences link using the left hand menu and proceed to Step 4 Figure 15 2 stfectte cisco Main Home Logout User Accounts Create Multiple Accounts Edit Suspend Reporting Active Accounts Full Reporting My Settings Preferences Password Default Settings Page User Default Settings Language Template default Default Timezone America Los_Angeles Default Telephone Country Code 1 Default Location default Bese Email Address Receive Email Confirmation
135. tes that allow you to customize the information that is printed emailed or text messaged to guests Note When customizing it is a good idea to open the sponsor interface in a second browser for reference This allows you to view how the configuration tabs map to the actual sponsor interface pages You can bring up the sponsor interface by entering the Guest Server IP address without the admin as the URL for example http lt guest_server_ip_address gt or https lt guest_server_ip_address gt I OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter 10 Customizing the Application W Adding a User Interface Template Adding a User Interface Template When you add a new template it is automatically based on the default template to facilitate editing Step1 From the administration interface select User Interface gt Templates from the left hand menu Figure 10 1 User Interface Templates User Interface Templates are used to customise the text of the sponsor interface You can add additional templates for additional languages Current Templates default Add Template Edit Template Delete Template Step2 On the User Interface Templates page Figure 10 1 click the Add Template button Figure 10 2 Add Template Page Add New Template New Template Name Add Template Reset Form gt Step3 In the Add New Template page Figure 10 2
136. the CAM to which you will assign guest users This should match exactly with the User Role name configured on the CAM including correct case e Server Status Set the status to be Active for the CAM to have accounts provisioned on it by the Cisco NAC Guest Server Step4 Click the Save Settings button Step5 Optionally click the Test Connection button to ensure that the settings are working correctly Step6 Inthe Clean Access Manager admin console navigate to Monitoring gt Event Logs and verify that the account nacguest_test was successfully created and then deleted Deleting Clean Access Manager Entries The following steps describe how to delete Cisco NAC Appliance entries Step1 From the Guest Server administration interface select Devices gt NAC Appliance from the left hand menu Figure 7 5 Figure 7 5 List of Cisco NAC Appliances NAC Appliances NAC Manager Add NAC Edit NAC Delete NAC 186757 Step2 Select the Cisco NAC Appliance that you want to delete from the list and click the Delete NAC button You will receive a warning message which you must agree to for the appliance entry to be deleted Configuring the CAM for Reporting In order for the Cisco NAC Guest Server to correctly display details for guest users when reporting is run you need to configure the CAM to send RADIUS accounting information to the Guest Server Additionally the CAM needs to format the information correctly Cisco
137. tificate Click Here to download SSL Certificate 186741 Click the relevant link to download the CSR or SSL Certificate Save the SSL Certificate to a secure backup location Downloading the Private Key Step 1 Step 2 The private key can only be obtained through an SFTP connection to the Guest Server For windows platforms you can get a free SFTP client from http winscp net Open an SFTP connection to the Cisco NAC Guest Server the authentication credentials are the same as for the command line This is the username of root and the password you have assigned for this account The default password is cisco Cisco recommends you change this as detailed in Command Line Configuration page 2 3 Download the etc pki tls private localhost key file and store it in a secure backup location OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter3 System Setup WE Configuring Administrator Authentication Upload Certificate Files The Cisco NAC Guest Server provides a method of importing uploading certificate files to the appliance The Upload SSL Certificate pages is used to install a CA signed certificate or to restore files previously backed up Note The certificate files are not backed up as part of any backup process You must manually back them up as described in Downloading Certificate Files page 3 9 Step1 From the administration interface select Server gt SSL Settings fr
138. tion interface Step1 From the administration interface select Authentication gt Administrators from the left hand menu Figure 3 14 Select Admin Account to Delete Admin Accounts Add User Edit User Delete User 185788 Step2 Inthe Admin Accounts page Figure 3 14 select the user from the list and click the Delete User button Step3 At the prompt Are you sure you want to delete the user click OK to delete the user or Cancel to cancel the deletion If successfully deleted a success message displays at the top of the page and you can perform additional admin account operations Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 SEE Chapter3 System Setup WE Configuring Administrator Authentication Cisco NAC Guest Server Installation and Configuration Guide Pos OL 15986 01 cuaprer amp Configuring Sponsor Authentication Sponsors are the people who use Cisco NAC Guest Server to create guest accounts Sponsor authentication is the method used to authenticate sponsor users on the Guest Server There are four options available Local User Authentication Create sponsor accounts directly on the Cisco NAC Guest Server See Configuring Local Sponsor Authentication Active Directory Authentication Authenticate sponsors against an existing Active Directory AD implementation See Configuring Active Directory AD Authentication LDAP Authentication A
139. tions that the sponsor can use when creating accounts such as 1 hour 1 day or 3 days If this is selected the template options are shown on the Create Guest page The maximum template option cannot be greater than the value specified in the maximum duration Click the Save Group button to add the group with the permissions specified Note Step 7 Until you click the Save Group button on this screen the group will not be created Follow the instructions in Mapping to Active Directory Groups page 5 8 Mapping to LDAP Groups page 5 8 or Mapping to RADIUS Groups page 5 10 so that you can correctly map users to your group based upon group information from the authentication server Editing User Groups Step 1 Step 2 Step 3 The following steps describe how to edit sponsor user groups From the administration interface select Authentication gt User Groups from the left hand menu Select the group you wish to edit and click the Edit Group button Figure 5 4 Figure 5 4 Select the User group to Edit User Groups Normal Users Admin Users Helpdesk Users DEFAULT Change Order Add Group Edit Group Delete Group 186789 In the Edit an existing User Group page Figure 5 5 change the settings for the group Cisco NAC Guest Server Installation and Configuration Guide a Bs OL 15986 01 Chapter5 Configuring User Group Permissions Editing User Groups W Figure 5 5 Edit User Gr
140. ts Editing RADIUS Clients Deleting RADIUS Clients Remote Authentication Dial In User Service RADIUS is an AAA authentication authorization and accounting protocol Cisco NAC Guest Server uses the RADIUS protocol to authenticate and audit guests who login through RADIUS capable network enforcement devices such as Cisco Wireless LAN Controllers Although the Cisco NAC Appliance uses its own API and a different method for creating accounts and authenticating users as described in Chapter 7 Integrating with Cisco NAC Appliance it still uses RADIUS Accounting to record user activity and therefore still needs to be configured as a RADIUS client When a guest authenticates against a RADIUS client such as the Wireless LAN Controller the RADIUS client uses RADIUS authentication to ask the Cisco NAC Guest Server whether the user authentication is valid If the guest authentication is valid the Cisco NAC Guest Server returns a message stating that the user is valid and the amount of time remaining before the user session expires The RADIUS client must honor the session timeout attribute to remove the guest when the guest account time expires Note The Cisco Wireless LAN Controller needs to be specifically configured to Allow AAA Override This enables it to honor the session timeout attribute returned to it by the Cisco NAC Guest Server In addition to authentication the RADIUS client device reports details to the Cisco NAC Gu
141. tween the BODY tags on a HTML page All HTML outside these tags is used by the application In the HTML code you can use the following special variables to replace them with the details from the created guest account USERNAME The Username created for the guest PASSWORD The Password created for the guest STARTTIME The time from which the guest account will be valid ENDTIME The time the guest account will expire FIRSTNAME The first name of the guest LASTNAME The last name of the guest Cisco NAC Guest Server Installation and Configuration Guide EzE OL 15986 01 Chapter 10 Customizing the Application Step 6 Editing a User Interface Template W Click the Save Template button to save your changes Editing the Email Template p The Email Template page contains the guest account details that the sponsor can email to the guest after creating the account The page is configured in HTML and can be fully customized Tip Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Navigating to Reporting gt Active Accounts on the sponsor interface and clicking the Email button next to the guest account entry brings up the output of the Email Template and also emails the guest Go to User Interface gt Templates and click the Edit Template button for the template you want to edit in the Current Templates list In the Edit User Interface page click the Email Template tab at the top of th
142. uest Server provides vital guest network access accounting by consolidating the entire audit trail from guest account creation to guest use of the account so that reports can be performed through a central management interface Guest Access Concepts Cisco NAC Guest Server makes use of a number of terms to explain the components needed to provide guest access Guest User The Guest User is the person who needs a user account to access the network I OL 15986 01 Cisco NAC Guest Server Installation and Configuration Guide jg Chapter1 Welcome to Cisco NAC Guest Server HZ Before You Start Sponsor The Sponsor is the person who creates the guest user account This person is often an employee of the organization that provides the network access Sponsors can be specific individuals with certain job roles or can be any employee who can authenticate against a corporate directory such as Microsoft Active Directory AD Netw ork Enforcement Device These devices are the network infrastructure components that provide the network access Additionally network enforcement device are responsible for pushing guest users to a captive portal where they can enter their guest account details When a guest enters his or her temporary user name and password the network enforcement device checks those credentials against the guest accounts created by the Guest Server Guest Server This is the Cisco NAC Guest Server which ties together all
143. ultiple Guest Accounts Step3 Enter the details in the text field as requested with a comma separating the values Step4 Select the Account Start time Account End time and Timezone for the account Step5 Click the Create Bulk Accounts button Creating Multiple Accounts from CSV File Step1 Select User Accounts gt Multiple Accounts from the left hand menu Figure 15 7 Step 2 Select Import Accounts from File Figure 15 9 Figure 15 9 Multiple Accounts from CSV File Download CSV Template File Input is comma separated text in the format First Name Last Name Company Email Address Country Code Mobile Phone Number Select CSV File Choose File no file selected Account Start Account End Time 00 fay 00 fey Time 23 F 59 F Date 18 F Feb F 2008 E Date 18 FA Feb fey 2008 fey E Timezone America Los_Angeles B Upload CSV Upload CSV 186778 Step3 Download the CSV Template file Step4 Fill out the CSV Template file using a program such as Microsoft Excel Step5 Save the CSV Template file in CSV format Step6 Click Choose File or Browse and select the CSV file Step7 Select the Account Start time Account End time and Timezone for the account Step8 Click the Upload CSV button Creating Multiple Random Accounts You can create random accounts when you want to hand out details to visitors and then record the details on paper for recording in the system or storing for cor
144. use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 All advertising materials mentioning features or use of this software must display the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org 4 The names OpenSSL Toolkit and OpenSSL Project must not be used to endorse or promote products derived from this software without prior written permission For written permission please contact openssl core openss org Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 EN Appendix A Open Source License Acknowledgements HI Notices 5 Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project 6 Redistributions of any form whatsoever must retain the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org
145. uthenticate sponsors against a Lightweight Directory Access Protocol LDAP server See Configuring LDAP Authentication RADIUS Authentication Authenticate sponsors against a RADIUS server See Configuring RADIUS Authentication You may specify multiple authentication services for authenticating sponsors to the Cisco NAC Guest Server and then specify the order in which you want to authenticate sponsors For details see Configuring Sponsor Authentication Settings Configuring Local Sponsor Authentication Local authentication allows you to set up sponsor user accounts directly on the Cisco NAC Guest Server Local authentication allows you to do the following Add New Local User Account Edit Existing User Account Delete Existing User Account Add New Local User Account Step1 From the administration interface select Authentication gt Sponsors gt Local User Database from the menu Figure 4 1 Cisco NAC Guest Server Installation and Configuration Guide OL 15986 01 EN Chapter4 Configuring Sponsor Authentication E Configuring Local Sponsor Authentication Figure 4 1 Local Users Local Users Add User Edit User Delete User 185144 Step2 Click the Add User button to bring up the local sponsor configuration page Figure 4 2 Figure 4 2 Add Local User Local User Accounts can create guest user accounts First Name Last Name Username Password Repe
Download Pdf Manuals
Related Search
Related Contents
MANUALE ITALIANO DEF. - TAB Siemens D1675 Motherboard ELP-362D90 Underwater Locator Beacon User`s Manual User Manual.Rx Only Advanced 1D and 2D Experiments Guide Ocularis Client Lite Manual PC CHIPS P29G (V1.0) Leaf & Soil Moisture/Temperature Station for Vantage Pro Electrolux EI30BM55HZ User's Manual Copyright © All rights reserved.
Failed to retrieve file