Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. 
The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R) Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

Cisco NAC Guest Server Installation and Configuration Guide
2011 Cisco Systems, Inc. All rights reserved.
CONTENTS

About This Guide
Audience
Purpose
New Features in this Release
Product Documentation
Documentation Updates
Document Conventions

Chapter 1: Welcome to Cisco NAC Guest Server
Introduction 1-1
Guest Access Concepts 1-1
Before You Start 1-2
Package Contents 1-2
Rack Mounting 1-3
Cisco NAC Guest Server Licensing 1-3
Upgrading Firmware 1-3
Additional Information 1-4

Chapter 2: Installing Cisco NAC Guest Server
Connecting the Cisco NAC Guest Server 2-1
Command Line Configuration 2-4
Initial Log In 2-4
Configure IP Address and Default Gateway 2-5
Change Root Password 2-7
Next Steps 2-7
Re-Imaging the Appliance 2-8
Configuring Boot Settings on NAC-3310 / NAC-3315 Based Appliances 2-11

Chapter 3: System Setup
Installing the Product License and Accessing the Administration Interface 3-1
Obtain and Install Cisco NAC Guest Server License 3-2
Access Cisco NAC Guest Server Administration Interface 3-3
Configuring Network Settings 3-4
Date and Time Settings 3-7
Configuring SSL Certificates 3-9
Accessing the Guest Server Using HTTP or HTTPS 3-9
Generating Temporary Certificates/ CSRs/ Private Key 3-11
Downloading Certificate Files 3-12
Downloading the Certificate 3-12
Downloading the Private Key 3-13
Uploading Certificate Files 3-13
Uploading a Private Key 3-14
Configuring Administrator Authentication 3-14
Add New Admin Account 3-15
Edit Existing Admin Account 3-16
Delete Existing Admin Account 3-17
Admin Session Timeout 3-18
Configuring RADIUS for Administrator Authentication 3-18

Chapter 4: Configuring Sponsor Authentication
Configuring Local Sponsor Authentication 4-1
Add New Local User Account 4-1
Edit Existing User Account 4-3
Delete Existing User Account 4-4
Configuring Active Directory (AD) Authentication 4-6
Add Active Directory Domain Controller 4-7
Edit Existing Domain Controller 4-8
Delete Existing Domain Controller Entry 4-10
Configuring LDAP Authentication 4-10
Add an LDAP Server 4-11
Edit an Existing LDAP Server 4-13
Delete an Existing LDAP Server Entry 4-15
Configuring RADIUS Authentication 4-16
Add a RADIUS Server 4-16
Edit an Existing RADIUS Server 4-17
Delete an Existing RADIUS Server Entry 4-18
Configuring Sponsor Authentication Settings 4-19
Changing the Order of Authentication Servers 4-19
Session Timeouts 4-19
Configuring Active Directory Single Sign-On 4-21
Requirements for Active Directory Single Sign-On 4-21

Chapter 5: Configuring Sponsor User Groups 5-1
Adding Sponsor User Groups
Editing Sponsor User Groups
Deleting User Groups
Specifying the Order of Sponsor User Groups
Mapping to Active Directory Groups
Mapping to LDAP Groups
Mapping to RADIUS Groups
Assigning Guest Roles
Assigning Time Profiles

Chapter 6
Configuring Guest Roles 6-5
Adding Guest Roles 6-5
Editing Guest Roles 6-6
Edit NAC Roles 6-6
Edit RADIUS Attributes 6-7
Edit Locations 6-8
Edit Authentication Settings 6-9
Configuring Time Profiles 6-10
Adding Time Profiles 6-10
Editing Time Profiles 6-12
Deleting Time Profiles 6-14
External Guest Authentication 6-14

Chapter 7: Integrating with Cisco NAC Appliance
Adding Clean Access Manager Entries
Editing Clean Access Manager Entries
Deleting Clean Access Manager Entries
Configuring the CAM for Reporting 7-5
Adding RADIUS Accounting Server 7-5
Configure CAM to Format RADIUS Accounting Data 7-6

Chapter 9: Guest Activity Logging 9-1
Configuring Syslog Monitoring Settings 9-1
Guest Activity Logging with Replication Enabled 9-2

Chapter 10: Guest Account Notification 10-1

Chapter 11
Editing a User Interface Template 11-3
Editing the Print Template 11-5
Editing the Email Template 11-7
Editing the SMS Template 11-8
Using Time Profiles 11-10
Deleting a Template 11-11

Chapter 12: Configuring Hotspots 12-1
Configuring Hotspot Sites 12-1
Adding Hotspot Sites 12-1
Edit Existing Hotspot Site 12-5
Delete Existing Hotspot Site 12-6
Configuring Payment Providers 12-6
Adding a Payment Provider 12-7
Creating Hotspot Web Pages 12-9
Integrating with Wireless LAN Controller 12-9
Integrating with Switch 12-9
Creating a Login Page (WLC) 12-10
Creating a Login Page (Switch) 12-11
Adding Realms Support (Switch) 12-12
Customizing the Login Page 12-13
Acceptable Usage Policy (WLC) 12-14
Acceptable Usage Policy (Switch) 12-14
Creating a Self Service Page (WLC) 12-15
Creating a Self Service Page (Switch) 12-17
Customizing the Self Service Page 12-18
Auto Login 12-19
Modifying Additional Fields 12-20
Creating a Billing Page (WLC) 12-21
Create a Billing Page (Switch) 12-24
Customizing the Billing Page 12-25
Creating a Password Change Page (WLC and Switch) 12-26
Authentication Options 12-27
The ngsOptions Configuration Object 12-29
Overriding Error/Status Messages 12-29
Overriding Form Labels 12-29
Default Error/Status Messages 12-30
Default Form Labels 12-32

Chapter 13
Configuring Backup 13-1
Saving Backup Settings 13-2
Taking Snapshots 13-3
Scheduling Backups 13-3
Restoring Backups 13-4

Chapter 14: Replication and High Availability 14-1
Configuring Replication
Configuring Provisioning
Replication Status
Device Failure 14-4
Deployment Considerations 14-5
Connectivity 14-5
Load Balancing 14-5
Web Interface 14-5
RADIUS Interface 14-5
Data Replication 14-6

Chapter 15
SNMP Configuration 15-1
SNMP Agent Configuration 15-1
Configuring SNMP Version 1 15-2
Configuring SNMP Version 2c 15-3
Configuring SNMP Version 3 15-3
Configuring SNMP Allowed Addresses 15-3
SNMP Trap Support 15-3
Configuring SNMP Traps 15-4
SNMP MIB Files 15-4
System Logging 15-5
Audit Logs 15-5
Application Logs 15-7
Support Logs 15-8
Log Settings 15-9

Chapter 16: Licensing 16-1
Licensing 16-1

Chapter 17: Sponsor Documentation
Introduction to Cisco NAC Guest Server
Connecting to the Cisco NAC Guest Server
Change Default Settings 17-3
Change Password 17-4
Report Settings 17-5
Creating Guest User Accounts 17-6
Print Account Details 17-8
Email Account Details 17-8
Text Message Account Details (SMS) 17-8
Multiple Guest Accounts 17-9
Creating Multiple Accounts from Text Entry 17-9
Creating Multiple Accounts from CSV File 17-10
Creating Multiple Random Accounts 17-11
Printing/Email/SMS Multiple Accounts 17-12
Viewing Bulk Account Groups 17-13
Viewing Bulk Account Groups 17-14
Finding Bulk Account Groups by Username 17-14
Finding Bulk Account Groups on the Active Accounts Report 17-14
Managing Guest Accounts 17-15
Editing Guest Accounts 17-16
Advanced Search 17-17
Suspending Guest Accounts 17-18
Reporting on Guest Users 17-19
Sponsor Reporting 17-21
Summary Reports 17-22
Sponsors Activity Report 17-22
Access Reports 17-23

Appendix A
API Operations A-2
XML Response A-2
create A-3
create Example Use A-3
edit A-5
edit Example Use A-6
getDetails A-8
getDetails Example Use A-8
suspend A-9
suspend Example Use A-10
notifyEmail A-10
notifyEmail Example Use A-10
notifySms A-10
notifySms Example Use A-10
getVersion A-11
getVersion Example Use A-11
search A-11
search Example Use A-12
Status Codes A-13
Error Codes A-13
Valid Timezones A-13

Appendix B: Open Source License Acknowledgements B-1
Notices B-1
OpenSSL/Open SSL Project License Issues B-1
About This Guide

This preface covers the following topics:
Audience
Purpose
New Features in this Release
Product Documentation
Documentation Updates
Obtaining Documentation and Submitting a Service Request
Document Conventions
Audience
This guide is for network administrators who are implementing Cisco NAC Guest Server to provision guest access on their networks. Cisco NAC Guest Server works alongside Cisco NAC Appliance, Cisco Unified Wireless Networks and other Cisco Network Enforcement devices which provide the captive portal and enforcement point for guest access.
Purpose
The Cisco NAC Guest Server Installation and Configuration Guide describes how to install and configure the Cisco NAC Guest Server appliance. It describes the simple initial installation of the appliance via CLI and the configuration and administration of the Guest Access Portal through the web-based interface.
Product Documentation
Table 1 lists documents that are available for Cisco NAC Guest Server on Cisco.com at the following URL: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
Tip
To access external URLs referenced in this document, right-click the link in Adobe Acrobat and select Open in Weblink in Browser.
Table 1 Cisco NAC Appliance Document Set

Document Title: Refer to This Document For Information On:

Release Notes for Cisco NAC Guest Server, Release 2.0.3: Details on the latest Cisco NAC Guest Server release.

Cisco NAC Guest Server Installation and Configuration Guide (this document): Hardware information, initial installation, setup and configuration instructions for Cisco NAC Guest Server.

Cisco NAC Appliance Service Contract / Licensing Support: Information on service contract support, licensing support and RMA support for Cisco NAC Appliance, Cisco NAC Profiler and Cisco NAC Guest Server.

Cisco NAC Appliance Product Literature: Online links to Ordering Guide Bulletins, Data Sheets, Q&A and Chalk Talk presentations.

Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide; Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide: Configuration guides for the Clean Access Manager and Clean Access Server.

Cisco Wireless LAN Controller Configuration Guide, Release: Configuration information for Cisco Wireless LAN Controllers (version 4.0.219 and later).
Documentation Updates

Table 2 Updates to Cisco NAC Guest Server Installation and Configuration Guide, Release 2.0.3

Date: Description

11/30/10: Cisco NAC Guest Server Release 2.0.3 document updates and resolved caveats:
Added External Guest Authentication, page 6-14.
CSCtr31879 NGS doc should state that not all time-profiles can be deleted. Added a note in Deleting Time Profiles, page 14.
CSCtj72333 The configuration guide does not mention any restrictions regarding Cisco NAC Guest Server replication. Cisco NAC Guest Server doc should mention replication must be done in same version. Added text under Replication and High Availability, page 14-1.
CSCti65248 Cisco NAC Guest Server Guest Access Report page documentation shows non-existent field. Updated a screenshot in Access Reports, page 17-23.

8/17/10: Updated the NAC-3315 chassis rear panel view: Figure 2-4 on page 3.

5/25/10: Document updates for Cisco NAC Guest Server Release 2.0.2: Added new hardware support and additional screenshots to Chapter 2, Installing Cisco NAC Guest Server.

2/23/10 and 1/12/10: NAC Guest Server Release 2.0.2 document updates and resolved caveats:
Added Uploading a Private Key, page 3-14.
Added Time Format, page A-2.
CSCte99509 Cisco NAC Guest Server: getVersion returns extra <bugFixVersion>. Modified the Example in getVersion Example Use, page A-11.
CSCte99544 Cisco NAC Guest Server: Missing Category dropdown in System Logs > Audit Logs & App Logs. Modified the screenshots and description in Audit Logs, page 15-5.
CSCtb77554 Cisco NAC Guest Server guides do not explain how to install SSL certs with intermediate CA. Added a Tip at the end of Generating Temporary Certificates/ CSRs/ Private Key.
CSCtc19817 Cisco NAC Guest Server doc should explain better how to configure WLC to redirect to portal. Included the Web Auth Type and URL in Integrating with Wireless LAN Controller, page 9.
CSCtc28032 Document how to upload the private key. Added the procedure to upload private key in Uploading a Private Key, page 3-14.
CSCtd60813 Cisco NAC Guest Server Config Guide Wrongly States RADIUS Acco Attr Can be Requested by Cisco NAC Guest Server. Description of RADIUS Attributes has been updated in Step 6 in Editing

9/23/09: NAC Guest Server Release 2.0.1 document updates and resolved caveats:
Added TimeZone, From Creation options to Configuring Time Profiles, page 6-10.
Added Additional Attributes procedure to Configure CAM to Format RADIUS Accounting Data, page 7-6.
Added additional special variables to be used in the HTML code in Editing the Print Template, page 11-5 and Editing the Email Template, page 11-7.
Added the following sections to Chapter 12, Configuring Hotspots: Creating a Login Page (WLC), page 12-10; Creating a Billing Page (WLC), page 12-21; Creating a Password Change Page (WLC and Switch), page 12-26; The ngsOptions Configuration Object, page 12-29; Default Error/Status Messages, page 12-30; Default Form Labels, page 12-32.
Added SNMP MIB Files, page 15-4.
Added Screenshot for Change Password, page 17-4.
Added Report Settings, page 17-5.
Added Managing Guest Accounts, page 17-15.
Added search, page A-11, API for Guest Account Details.
CSCsz54931 Cisco NAC Guest Server: buildNumber & buildOn elements will be removed for getVersion. buildNumber & buildOn elements removed in getVersion Example Use, page 11.
CSCta01186 Install SSL Cert on HA Cisco NAC Guest Server server located behind load balancer. Added the procedure to Configuring SSL Certificates, page 3-9.
CSCtb28473 Cisco NAC Guest Server guide, "Receive Email Confirmation" behavior is wrong. Description updated for Receive Email Confirmation checkbox in Change
Editing the Print Template, page 11-5, Editing the Email Template, page 11-7, and Editing the SMS Template, page 11-8.
CSCsy85684 Cisco NAC Guest Server: Admin Radius Login needs to be administrative. IETF Service-Type attribute set to 6 (admin). The text admin has been changed to administrative in Configuring RADIUS for Administrator Authentication, page 3-18.

2/9/09: Added new section Configuring Boot Settings on NAC-3310 / NAC-3315 Based Appliances, page 2-11. Added additional screenshot to Creating Multiple Random Accounts, page 17-11.
Document Conventions

Convention: Item

Screen: Indicates command line output.
Boldface: Indicates information you enter; also indicates web admin console modules, menus, tabs, links and submenu links.
Italic: Indicates variables for which you supply values.
Also used: a notation that indicates a menu item to be selected.
Chapter 1
Welcome to Cisco NAC Guest Server

Guest Access Concepts

Guest

The guest user is the person who needs a guest user account to access the network.
Sponsor
The sponsor user is the person who creates the guest user account. This person is often an employee of the organization that provides the network access. Sponsors can be specific individuals with certain job roles, or can be any employee who can authenticate against a corporate directory such as Microsoft Active Directory (AD).
Admin
The admin user is the administrator who configures and maintains the Cisco NAC Guest Server appliance.
Network Enforcement Device
These devices are the network infrastructure components that provide the network access. Additionally, network enforcement devices are responsible for pushing guest users to a captive portal where they can enter their guest account details. When a guest enters his or her temporary user name and password, the network enforcement device checks those credentials against the guest accounts created by the Guest Server.
Guest Server
The Cisco NAC Guest Server ties together all the pieces of guest access. The Guest Server links the sponsor creating the guest account, the account details passed to the guest, the guest authentication against the network enforcement device, and the network enforcement devices verification of the guest with the Guest Server. Additionally, the Cisco NAC Guest Server consolidates accounting information from network enforcement devices to provide a single point of guest access reporting.
Before You Start

This section covers:
Package Contents
Rack Mounting
Cisco NAC Guest Server Licensing
Upgrading Firmware
Additional Information
Package Contents
Verify the contents of the packing box as shown in Figure 1-1, to ensure that you have received all items necessary to install your Cisco NAC Guest Server. Save the packing material in case you need to repack the unit. If any item is missing or damaged, contact your Cisco representative or reseller for instructions.
Figure 1-1 (package contents: documentation, AC power cord)
Note
As product software is preloaded onto the Cisco NAC Guest Server appliance, the shipping contents do not include a separate software installation CD.
Rack Mounting
The Cisco NAC Guest Server occupies one rack unit (1U). A rack-mounting kit is included in the shipment. For rack-mounting information and instructions, refer to the 1U Rack Hardware Installation Instructions for HP Products document also included in the shipment.
Upgrading Firmware
The Cisco NAC Guest Server is based on the following:
Cisco NAC Appliance 3310 (NAC-3310) hardware platform. NAC-3310 is based on the HP ProLiant DL140 G3. The Cisco NAC Guest Server appliance is subject to any system BIOS/Firmware upgrades required for the server model on which it is based.
Cisco NAC Appliance 3315 (NAC-3315) hardware platform. The next generation Cisco NAC Appliance (NAC-3315) is based on the IBM System x3250 M2 server platform.
For further details refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access).
Additional Information
For late-breaking or additional details for this release, refer to the Release Notes for Cisco NAC Guest Server, Release 2.0.2. For the latest online updates to this guide, visit http://www.cisco.com/en/US/products/ps6128/products_installation_and_configuration_guides_list.html. See Product Documentation for a list of related documentation for Cisco NAC Guest Server.
Chapter 2
Installing Cisco NAC Guest Server

This chapter includes the following sections:
Connecting the Cisco NAC Guest Server
Command Line Configuration
Re-Imaging the Appliance

Connecting the Cisco NAC Guest Server
Note
Next generation Cisco NAC Appliance platform (NAC-3315) supports fresh installation of Release 2.0.2 and later.

When you receive the Guest Server, perform the initial configuration described in Command Line Configuration, page 2-4. If you need to perform CD installation to re-image the appliance, refer to Re-Imaging the Appliance, page 2-8 for instructions. To perform initial configuration, you need to connect to your appliance and access its command line, as described below.
Step 1
You can access the Cisco NAC Guest Server command line in one of the following methods:
a. Connect a monitor and keyboard directly to the machine via the keyboard/video monitor connectors on the back panel of the machine as shown in Figure 2-2 for NAC-3310 and Figure 2-4 for NAC-3315.
b. Connect a null modem serial cable from a workstation (PC/laptop) to the serial port on the appliance. Open a serial connection on the workstation using terminal emulation software (such as HyperTerminal or SecureCRT) with settings set to 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.
Step 2
Connect a straight-through Category 5 Ethernet cable to the eth0 (NIC1) 10/100/1000 Ethernet port on the back panel of the appliance and to your local area network.
Step 3
Connect the AC power cord to the back panel of the appliance and to a grounded AC outlet, and power on the appliance as shown in Figure 2-1 for NAC-3310 and Figure 2-3 for NAC-3315.

Step 4
Proceed to the instructions in Command Line Configuration, page 2-4.
Figure 2-1 Cisco NAC Guest Server Front Panel (NAC-3310). Callouts: UID (unit identification) button with LED indicator (blue); system health LED indicator (amber); activity/link status LED indicators for NIC 1 (eth0) and NIC 2 (eth1) (green); front USB ports; HDD activity LED indicator (green); power button with LED indicator (bicolor: green/amber); thumbscrews for the front bezel.

Figure 2-2 Cisco NAC Guest Server Rear Panel (NAC-3310). Callouts: ventilation holes; thumbscrew for the top cover; thumbscrews for the PCI riser board assembly; NIC 3 (eth2) and NIC 4 (eth3) PCI Express GbE LAN (RJ-45) ports (Intel); standard height/full-length PCI Express x16/PCI-X riser board slot cover; power supply cable socket; NIC 1 (eth0) and NIC 2 (eth1) integrated GbE LAN (RJ-45) ports (Broadcom); rear USB ports (black); serial port; PS/2 keyboard port (purple); PS/2 mouse port (green); 10/100 Mbps iLO LAN port for IPMI management (RJ-45).

Note
The three LAN ports each have their own LED indicators for activity/link status and network speed.

Figure 2-3 Cisco NAC Guest Server Front Panel (NAC-3315). Callouts: front USB port 1; front USB port 2; hard disk drive (HDD) bay 0.

Figure 2-4 Cisco NAC Guest Server Rear Panel (NAC-3315). Callouts: power supply cable socket; NIC 3 (eth2) add-on card; NIC 4 (eth3) add-on card; serial port; video port; NIC 2 (eth1) GbE interface; NIC 1 (eth0) GbE interface; rear USB port 4; rear USB port 3; console port.

Command Line Configuration

This section describes:
Initial Log In, page 2-4.
Configure IP Address and Default Gateway, page 2-5, so that the appliance can be accessed on the network.
Change Root Password, page 2-7.
Initial Log In
When logging in for the first time after initial installation, or after re-imaging the appliance, you need to set up a password for the root user.
Step 1
Connect to the command line interface using either a keyboard and monitor connection to the appliance, or a serial console connection.

Step 2
Log in as the root user. The login user name for the console is root as shown in Figure 2-5.
Figure 2-5 Login as Root
Step 3
Change the password at the root prompt. Type a password and then confirm the password by re-entering it at the prompt, as shown in Figure 2-6.
Note
Cisco recommends using a strong password that is not based on a dictionary word, has a minimum of 6 characters, and contains at least 5 different characters.
Figure 2-6 (changing the root password)

Configure IP Address and Default Gateway

Step 1
Using either a keyboard and monitor connection to the appliance, or a serial console connection, authenticate to the command line interface, as shown in Figure 2-7. The user name for the console is root and the password is the one you configured as described in Initial Log In, page 2-4.
Figure 2-7 Authenticating to the Console
Step 2
To configure the network settings, type the command system-config-network and press <Enter>. The Select A Device menu appears as shown in Figure 2-8.
Figure 2-8 (Select A Device menu)

Step 3
Select the eth0 interface from the list using the up and down arrow keys and press <Enter>.

Step 4
You can now enter all the correct network settings for the appliance as shown in Figure 2-9.
Figure 2-9 Change Network Configuration Details
Static IP: The IP address that you want to assign to the Cisco NAC Guest Server.
Netmask: The corresponding subnet mask.
Default gateway IP: The default gateway for the network.
You can use the Tab key, Arrow keys or <Enter> to move between fields. When finished, move to the OK button and press <Enter>.
Step 5
Exit the system-config-network by selecting Quit from the Select A Device as shown in Figure 2-10.
Figure 2-10 (quitting system-config-network)
Step 6
At the command line, either reboot the appliance by typing reboot and pressing <Enter>, or follow the instructions to Change Root Password, page 2-7 before entering reboot.
Change Root Password

Note
Cisco recommends using a strong password that is not based on a dictionary word, has a minimum of 6 characters, and contains at least 5 different characters.

Step 1
From the command line, enter the command passwd and press <Enter>.

Step 2
Enter the new password and press <Enter>.

Step 3
Repeat the password and press <Enter>.
Next Steps
Continue to Chapter 3, System Setup to access and configure the admin console.
Re-Imaging the Appliance

Caution
Imaging the appliance deletes all data on the appliance. There is no method of recovering data from the Guest Server after imaging has started. Make sure to back up any data that you need before starting this process.

Step 1
Download the ISO image file from the Cisco NAC Guest Server download page. Log in with your Cisco.com user credentials to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml and navigate to Security > Network Admission Control > Cisco NAC Guest Server > Cisco NAC Guest Server 2.0.

Step 2
Burn this ISO file to a blank CD-ROM to create a bootable disk.

Step 3
Decide whether to perform the installation using a keyboard and monitor connection or over a serial console:
a. Connect a keyboard and monitor to the back of the unit, or
b. Attach a null modem cable to the serial port on the back of the appliance. From the computer to which the serial cable is attached, run a terminal emulation program with settings set to: 9600 baud, 8 data bits, no parity, 1 stop bit, no flow control.

Step 4
Once you have connected to the appliance, insert the bootable CD into the CD-ROM drive of the appliance.

Step 5
Power on the appliance. If the appliance is already started, switch it off and then switch it on again.

Step 6
The appliance should now boot from the CD-ROM drive and the initial install is displayed as shown in Figure 2-11.
Caution
If your Cisco NAC Guest Server does not read the software on the CD ROM drive and instead attempts to boot from the hard disk, you need to change the appliance settings to boot from CD ROM as described in Configuring Boot Settings on NAC-3310 / NAC-3315 Based Appliances, page 2-11.
Figure 2-11 Initial Install
Step 7
At the Initial Installation, run the installation according to the method you are connected to the appliance:
If directly connected using a keyboard and monitor, type install and press <Enter>. If you are using a serial connection, type installserial at the boot prompt, then press <Enter>.
Step 8
The system image is automatically installed on the hard disk as shown in Figure 2-12.
Figure 2-12 Transferring Install Image
Step 9
When the install image is successfully transferred, the system reboots automatically as shown in Figure 2-13.
Figure 2-13 Appliance Reboots
Step 10
Note
Remove the CD and store it safely so that the appliance does not accidentally reboot from it at a later time.
Step 11
The Cisco NAC Guest Server appliance boots and runs the final setup of the image automatically. The imaging process is complete when the login is displayed as shown in Figure 2-14.
Figure 2-14 Imaging Complete
Step 12
Continue to the instructions in Initial Log In, page 2-4 to complete the installation.
Configuring Boot Settings on NAC-3310 / NAC-3315 Based Appliances

Step 1
Press the F10 key while the system is booting.

Step 2
Go to the Boot menu as shown in Figure 2-15.
Figure 2-15 Boot Menu
Step 3
Change the setting to boot from CD ROM by selecting CD-ROM Drive from the menu and pressing the plus (+) key as shown in Figure 2-16.
Figure 2-16 (Boot menu with CD-ROM Drive selected)

Step 4
Chapter 3
System Setup
The Cisco NAC Guest Server is administered entirely using a web interface over either HTTP or HTTPS. After initial installation, the system can be configured through the web interface to provide the networking configuration for the appliance and other system settings that are important such as time and the SSL certificate. This chapter includes the following sections:
Installing the Product License and Accessing the Administration Interface Configuring Network Settings Date and Time Settings Configuring SSL Certificates Configuring Administrator Authentication
Note
For additional details on evaluation licenses refer to Cisco NAC Appliance Service Contract / Licensing Support.

Installing the Product License and Accessing the Administration Interface

This section describes the following:
Obtain and Install Cisco NAC Guest Server License
Access Cisco NAC Guest Server Administration Interface

Obtain and Install Cisco NAC Guest Server License

Step 1
With FlexLM licensing, you receive a Product Authorization Key (PAK) for each Guest Server that you purchase. The PAK is affixed as a sticky label on the Software License Claim Certificate card that is included in your package.
Warning
The PAK is NOT the Cisco NAC Guest Server license. The PAK is used to obtain the Cisco NAC Guest Server license, as described below.
Step 2
Log in as a registered CCO user and fill out the Customer Registration form found at the PAK Cisco Technical Support site: http://www.cisco.com/go/license. During customer registration, submit each PAK you received and the eth0 MAC address of your Cisco NAC Guest Server.
Note
For convenience, the top part of the Cisco NAC Guest Server License Form as shown in Figure 3-1, lists the MAC address of the Guest Server appliance.
Warning
The eth0 MAC address entered in the customer registration form for the Guest Server must be in UPPER CASE (i.e. hexadecimal letters must be capitalized). Do not enter colons (:) in between characters.
Please follow the instructions on the license web pages carefully to ensure that the correct MAC addresses are entered.
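A license generated for a mistyped MAC address will not install on the appliance, so it is worth normalizing and checking the eth0 MAC before submitting the registration form. The following Python helper is an added example, not code from the guide or from Cisco; the sysfs path it reads by default is an assumption about the appliance's Linux layout, and the sample MAC values are constructed.

```python
import re

# Separators commonly seen in MAC address output: colons (Linux "ip link"),
# hyphens (Windows "ipconfig"), Cisco dotted triplets, or whitespace.
_SEPARATORS = re.compile(r"[:\-.\s]")
_HEX12_UPPER = re.compile(r"^[0-9A-F]{12}$")
_HEX12_ANY = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac_for_license_form(raw: str) -> str:
    """Return the MAC in the form the PAK registration form requires:
    12 upper-case hexadecimal digits with no separators.

    Raises ValueError for anything that is not a 48-bit MAC address, so a
    truncated or mistyped value is refused rather than silently submitted.
    """
    candidate = _SEPARATORS.sub("", raw.strip()).upper()
    if not _HEX12_UPPER.match(candidate):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return candidate


def license_form_problems(entered: str) -> list:
    """Describe why a value, as typed into the form, would be rejected or
    would yield a license bound to the wrong address.

    Returns an empty list when the value already meets the form's rules.
    """
    problems = []
    if any(sep in entered for sep in ":-."):
        problems.append("contains separators")
    if any(ch.islower() for ch in entered):
        problems.append("contains lower-case hex digits")
    stripped = _SEPARATORS.sub("", entered.strip())
    if len(stripped) != 12:
        problems.append(f"expected 12 hex digits, got {len(stripped)}")
    elif not _HEX12_ANY.match(stripped):
        problems.append("contains non-hexadecimal characters")
    return problems


def read_eth0_mac(path: str = "/sys/class/net/eth0/address") -> str:
    """Read eth0's MAC on the appliance and normalize it for the form.

    The sysfs path is an assumption about the appliance's Linux layout; it
    is not documented in the guide.
    """
    with open(path, encoding="ascii") as fh:
        return normalize_mac_for_license_form(fh.read())


if __name__ == "__main__":
    # Constructed sample value, as "cat /sys/class/net/eth0/address" would show it.
    sample = "00:1a:2b:3c:4d:5e"
    print(license_form_problems(sample))            # what is wrong as typed
    print(normalize_mac_for_license_form(sample))   # what to enter instead
```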
Step 3
For each PAK that you submit, a license file is generated and sent to you by email.

Step 4
Save each license file you receive to disk.

Step 5
Open a web browser to the Cisco NAC Guest Server Administration interface by entering the IP address that you configured through the command line as the URL, followed by /admin:
For HTTP access, open http://<guest_server_ip_address>/admin
For HTTPS access, open https://<guest_server_ip_address>/admin
Step 6
In the Cisco NAC Guest Server License Form as shown in Figure 3-1, click the Browse button and locate the license file.
Figure 3-1 Cisco NAC Guest Server License Form
Step 7
Access Cisco NAC Guest Server Administration Interface
Step 1
If you have installed a license, the admin login is automatically displayed. Otherwise, open a web browser to the Cisco NAC Guest Server Administration interface by entering the IP address that you configured through the command line as the URL, followed by /admin:
• For HTTP access, open http://<guest_server_ip_address>/admin
• For HTTPS access, open https://<guest_server_ip_address>/admin
Step 2
The Cisco NAC Guest Server Administration interface is displayed as shown in Figure 3-2. This is the administrator interface to the appliance.
Step 3
Log in as the admin user. The default user name/password for the admin console is admin/admin.
Figure 3-2 Admin Login
Note
Cisco recommends setting up SSL access and changing the default admin user password for security. Refer to Configuring SSL Certificates, page 3-9, and Edit Existing Admin Account, page 3-16, for details.
Note
Entering the Guest Server IP address without the /admin as the URL brings up the sponsor interface. See Chapter 4, Configuring Sponsor Authentication for details.
Upon logging into the administration interface, by default, the home page displays the Authentication > Sponsors > Authentication Order page as shown in Figure 3-3.
Figure 3-3 Authentication Order
Configuring Network Settings
Step 1
From the administration home page, select Server > Network Settings from the left panel to go to the Network Settings page. This page provides all the network settings that can be changed on the Cisco NAC Guest Server appliance as shown in Figure 3-4.
Figure 3-4 Network Settings
Step 2
Modify the network settings as required:
• Hostname: Assign the name of the appliance as defined in DNS (without DNS suffix).
• IP Address: Modify the IP address of the eth0 interface on the appliance.
• Subnet Mask: Enter the corresponding subnet mask.
• Gateway: Modify the default gateway for the network to which the appliance is connected.
• Domain: Enter the domain name for your organization (e.g. cisco.com).
• Primary DNS: Enter the IP address of the primary DNS server.
• Secondary DNS: Enter the IP address of the secondary DNS server.
Step 3
Click the Save Settings button to save the changes that you made.
Step 4
Once changes are saved, you need to restart the Guest Server to ensure all processes use the correct IP address. Click the Reboot Server button, and the restart process will begin on the Guest Server within 60 seconds.
Note
Modifications to Server settings require a reboot. You can modify and save multiple Server settings at a time before a reboot, but you must click Reboot Server for the changes to be applied.
Date and Time Settings
Step 1
From the administration interface, select Server > Date/Time Settings to display the Date/Time Settings page as shown in Figure 3-5.
Figure 3-5 Date/Time Settings
Step 2
Select the correct System Date and System Time for the location of the Guest Server.
Step 3
Select the correct System Timezone for the location of the Guest Server.
Step 4
Click the Save Settings button to apply the System Timezone.
Note
Changing the System Timezone automatically adjusts the date and time on the server.
Step 5
If you have one, two or three NTP servers available on the network, click the Use NTP to set System Date & Time checkbox.
Step 6
Enter the IP address of each NTP server available into the fields provided.
Step 7
Click the Save Settings button to apply the changes.
Note
When setting the NTP server, it may take some time for synchronization. Synchronization occurs much faster if the time is set close to the NTP server time (and saved by clicking the Save Settings button) before saving the NTP Server settings.
Step 8
Click the Reboot Server button to restart the NTP process so the new settings take effect.
Note
If you modify the Server settings, you need to reboot the system. You can modify and save multiple Server settings at a time, but you must click Reboot Server for the changes to be applied.
Access Restrictions
You can configure Cisco NAC Guest Server to restrict access to only certain IP address ranges for the administration interface and the sponsor interface at any one time.
Administration Access
Step 1
From the administration interface, select Server > Access Restrictions and click the Administration tab as shown in Figure 3-6.
Figure 3-6 Administration Access Restrictions
Step 2
In the Allowed IP Addresses field, type a range of IP addresses that are allowed access to the Guest Server Administration interface, and apply a CIDR subnet range using the dropdown menu. Click Add to add addresses to the list.
Step 3
Click Save to make the changes permanent.
Note
Leaving the IP Range field blank allows all IP addresses to access the Administration interface, if users have the required admin account permissions.
Sponsor Access
Step 1
From the administration interface, select Server > Access Restrictions and click the Sponsor tab as shown in Figure 3-7.
Figure 3-7 Sponsor Access Restrictions
Step 2
Type the range of IP addresses that are allowed to access the Sponsor interface, and apply a CIDR subnet range using the dropdown menu.
Step 3
Click Save to continue.
Note
Leaving the IP Range field blank allows all IP addresses to access the Sponsor interface, if users have the required sponsor account permissions.
Note
If you modify the Server settings, you need to reboot the system. You can modify and save multiple Server settings at a time, but you must click Reboot Server for the changes to be applied.
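The Access Restrictions pages above hold a list of "range + CIDR prefix" entries per interface, and the notes say a blank list admits every address. The following is an added example, not code from this guide or from the appliance, that models that behaviour with the Python standard library so the semantics can be checked before relying on them: entry parsing that rejects typos, the blank-list-allows-all rule, and an audit that flags entries wide enough to defeat the purpose of the restriction. The list format, the function names and the sample entries are assumptions.

```python
"""Added example (not Cisco's code): an IP allowlist with the same semantics
as the Guest Server's Access Restrictions pages, standard library only.

Assumptions (not from the page): entries are stored as "address/prefix"
strings, one list per interface, and a client is identified by the source
address of its TCP connection.
"""
import ipaddress


def parse_allowlist(entries):
    """Parse "IP range + CIDR prefix" entries into network objects.

    A malformed entry raises ValueError, so a typo cannot silently widen or
    narrow the list. strict=False lets "10.1.2.3/24" mean the /24 that
    contains 10.1.2.3, which is how a range plus a dropdown prefix reads.
    """
    networks = []
    for raw in entries:
        raw = raw.strip()
        if not raw:
            continue
        networks.append(ipaddress.ip_network(raw, strict=False))
    return networks


def is_allowed(client_ip, allowlist):
    """Return True if client_ip may reach the interface.

    An empty allowlist allows every address, exactly as the page's note says
    for a blank IP Range field; account authentication still applies after.
    """
    if not allowlist:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowlist)


def audit_allowlist(allowlist):
    """Flag entries that admit far more than an administration network."""
    findings = []
    for net in allowlist:
        if net.prefixlen == 0:
            findings.append(f"{net} admits every address")
        elif net.num_addresses > 65536:
            findings.append(f"{net} is larger than a /16")
    return findings


if __name__ == "__main__":
    admin_entries = ["10.10.0.0/24", "192.0.2.5/32"]  # constructed sample list
    nets = parse_allowlist(admin_entries)
    for ip in ("10.10.0.44", "10.11.0.44", "192.0.2.5"):
        print(ip, "allowed" if is_allowed(ip, nets) else "denied")
    print("blank list allows all:", is_allowed("203.0.113.9", parse_allowlist([])))
    print("audit:", audit_allowlist(parse_allowlist(["0.0.0.0/0", "10.0.0.0/8"])))
```

The audit is the check worth running after any change: a 0.0.0.0/0 entry is indistinguishable in effect from leaving the field blank, and either one means the interface is protected by the admin or sponsor password alone.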
Configuring SSL Certificates
This section describes the following:
• Accessing the Guest Server Using HTTP or HTTPS
• Generating Temporary Certificates/CSRs/Private Key
• Downloading Certificate Files
• Uploading Certificate Files
Accessing the Guest Server Using HTTP or HTTPS
Step 1
From the administration interface, select Server > SSL Settings from the left panel to display the SSL Settings page as shown in Figure 3-8.
Figure 3-8 SSL Settings
Step 2
Select one of the following access modes:
• Allow Only HTTPS: When selected, only allows HTTPS access to the sponsor or administration interfaces of the Guest Server.
• Allow Only HTTP: When selected, only allows HTTP access to the sponsor or administration interfaces of the Guest Server.
• Allow HTTPS and HTTP: When selected, allows both HTTPS and HTTP access to the sponsor or administration interfaces of the Guest Server.
• Allow Only HTTPS (with HTTP Redirected to HTTPS): When selected, allows sponsors and administrators to access the portal with HTTPS and standard HTTP; however, sponsors and administrators are redirected to HTTPS if they use a standard HTTP connection.
Step 3
When you have made your selection, click the Save Settings button.
Note
Modifications to Server settings require a reboot. You can modify and save multiple Server settings at a time before a reboot, but you must click Reboot Server for the changes to be applied.
Generating Temporary Certificates/CSRs/Private Key
Step 1
From the administration interface, select Server > SSL Settings from the left hand menu and click the Create CSR link from the center section of the page as shown in Figure 3-9 to bring up the Create CSR form as shown in Figure 3-10.
Figure 3-9 Certificate Signing Request
Figure 3-10 Create a CSR
Step 2
Provide the details for the temporary certificate and CSR in the Create CSR form:
• Common Name (FQDN or IP Address): This is either the IP address of the Cisco NAC Guest Server, or the fully qualified domain name (FQDN) for the Guest Server. The FQDN must resolve correctly in DNS.
• Organization: The name of your organization or company.
• Organizational Unit (Section): The name of the department or business unit that owns the device.
• Locality (e.g. City): The city where the server is located.
• State or Province: The state where the server is located.
• Country: Select the relevant country from the dropdown menu.
Step 3
The Regenerate Private Key checkbox is optional and should be used if you think your existing private key has been compromised. If you regenerate your private key, the current certificate is invalidated and a new self-signed temporary certificate is generated using the new private key and CSR. Select this option to regenerate a private key.
Step 4
Click Create. The Certificate Signing Request page is displayed again as shown in Figure 3-9. If you chose to regenerate the private key, you are prompted to restart the server; you must restart the server to use the new certificate and private key. The Create Temporary Certificate from CSR and Download CSR options are now available as shown in Figure 3-11.
Figure 3-11 Create CSR and Download CSR
Step 5
Selecting Create Temporary Certificate from CSR generates a temporary certificate from the Certificate Signing Request that you created in Steps 1 to 4.
Step 6
You can download the CSR by clicking the Download CSR option in Figure 3-11.
Step 7
Once you have sent the CSR to a Certificate Authority and obtained the CA-signed certificate in return, you can upload it by following the instructions in Uploading Certificate Files, page 3-13.
Step 8
To use the new temporary certificate, you must restart the web server process.
Step 9
Click the Reboot Server button as shown in Figure 3-8.
Note
Modifications to Server settings require a reboot. You can modify and save multiple Server settings at a time before a reboot, but you must click Reboot Server for the changes to be applied.
Tip
If you want to install SSL certificates issued by an intermediate CA, you need to perform a CLI procedure. Contact Cisco TAC to receive guidance about this procedure.
Downloading Certificate Files
Step 1
From the administration interface, select Server > SSL Settings from the left hand menu.
Step 2
Select Download Current SSL Certificate from the Download Certificate section of the page as shown in Figure 3-12.
Figure 3-12 Download Certificate File
Step 3
Open an SFTP connection to the Cisco NAC Guest Server. The authentication credentials are the same as for the command line. Log in with the root username and password you assigned for this account in the initial setup. Download the /etc/pki/tls/private/localhost.key file and store it in a secure backup location.
Uploading Certificate Files
Note
You must upload certificate files in Base 64 PEM format. The certificate files are not backed up as part of any backup process; you must manually back them up as described in Downloading Certificate Files, page 3-12. Wildcard certificates are not supported.
Step 1
From the administration interface, select Server > SSL Settings from the left hand menu.
Step 2
View the Upload Certificates section at the bottom of the page as shown in Figure 3-13.
Figure 3-13 Upload Certificate Files
Step 3
Click the Browse button to locate the SSL Certificate file or Root CA Certificate file you want to upload and click the Upload button.
Step 4
If uploading a new Server SSL Certificate, you are prompted to restart the server for the certificate to take effect.
Note
Modifications to Server settings require a reboot. You can modify and save multiple Server settings at a time before a reboot, but you must click Reboot Server for the changes to be applied.
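The note above requires Base 64 PEM files, and the most common upload failures are a DER or PKCS#12 file saved under a .pem name, a paste that lost its last lines, or a key file offered where a certificate is expected. The following is an added example, not code from this guide or from the appliance, that runs those checks locally with the Python standard library before anything is uploaded: it validates the PEM framing and Base 64 body, confirms the decoded payload is a complete DER SEQUENCE (every certificate and key begins with one), and reports how many CERTIFICATE blocks the file carries, which also tells you when you are holding a chain that the Tip above says needs the CLI procedure. The function names, the message texts and the sample blocks are assumptions; the sample inputs are constructed.

```python
"""Added example (not Cisco's code): pre-upload checks for Base 64 PEM
certificate files, standard library only. Sample inputs are constructed.
"""
import base64
import binascii
import re

# One PEM block: label in BEGIN/END lines, Base 64 body in between.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_sequence_length(der):
    """Total length of the DER SEQUENCE at the start of der, or None if absent."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                            # short-form length
        return 2 + first
    n = first & 0x7F                            # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_pem(data):
    """Return [(label, der_bytes)] for every well-formed block, else ValueError."""
    if isinstance(data, bytes):
        if data[:1] == b"\x30":
            raise ValueError("file is binary DER, not Base 64 PEM")
        data = data.decode("ascii", errors="replace")
    blocks = []
    for match in PEM_BLOCK.finditer(data):
        label, body = match.group(1), match.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            raise ValueError(f"{label}: body is not valid Base 64")
        expected = der_sequence_length(der)
        if expected is None:
            raise ValueError(f"{label}: decoded data is not a DER SEQUENCE")
        if expected != len(der):
            raise ValueError(f"{label}: DER length {expected} != {len(der)} bytes (truncated or padded)")
        blocks.append((label, der))
    if not blocks:
        raise ValueError("no -----BEGIN ...----- / -----END ...----- block found")
    return blocks


def check_upload(data):
    """Return (ok, summary) for a file about to go into the Upload Certificates form."""
    try:
        labels = [label for label, _ in inspect_pem(data)]
    except ValueError as exc:
        return False, str(exc)
    if any("PRIVATE KEY" in label for label in labels):
        return False, "file contains a private key; keys are placed over SFTP, not uploaded here"
    certs = labels.count("CERTIFICATE")
    if certs == 0:
        return False, f"no CERTIFICATE block (found: {', '.join(labels)})"
    if certs > 1:
        return True, f"{certs} CERTIFICATE blocks: a chain; intermediate CA certificates need the CLI procedure"
    return True, "1 CERTIFICATE block, well-formed PEM"


# Constructed sample: SEQUENCE { INTEGER 5 } encoded as DER, then as PEM.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(check_upload(SAMPLE_PEM))
    print(check_upload(SAMPLE_DER))
    print(check_upload(SAMPLE_PEM.replace("MAMCAQU=", "MAMCAQ==")))
```

The DER length check is what catches a truncated paste: a file whose Base 64 still decodes but whose outer SEQUENCE claims more bytes than are present will be rejected by the appliance with a far less specific error.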
Step 1
Open an SFTP connection to the Cisco NAC Guest Server. The authentication credentials are the same as for the command line. Log in with the root username and password you assigned for this account in the initial setup.
Step 2
Upload the key to the /etc/pki/tls/private/localhost.key file.
Step 3
Change the ownership and file permissions so that the file is owned by root and has permissions of 644:
chown root:root /etc/pki/tls/private/localhost.key
chmod 644 /etc/pki/tls/private/localhost.key
Step 4
Step 5
Change the ownership and file permissions so that the file is owned by postgres and has permissions of 700:
chown postgres:postgres /var/lib/pgsql/data/server.key
chmod 700 /var/lib/pgsql/data/server.key
Warning
As it is possible to disable the server or invalidate a server certificate, Cisco strongly recommends that you have a strong knowledge of PKI before working with the server private key directly as described in this method.
Configuring Administrator Authentication
This section describes the following:
• Add New Admin Account
• Edit Existing Admin Account
• Delete Existing Admin Account
Add New Admin Account
Step 1
From the administration interface, select Authentication > Administrators from the left hand menu.
Step 2
In the Local Database tab of the Administrators page as shown in Figure 3-14, click the Add Administrator button.
Figure 3-14 Administrator Accounts
Step 3
In the Add Administrator page as shown in Figure 3-15, enter all the admin user credentials:
Figure 3-15 Add Admin User
• First Name: Type the first name of the admin user.
• Surname: Type the last name of the admin user.
• Email Address: Type the email address of the admin user.
• Username: Type the user name for the admin account.
• Password: Type the password for the admin account.
• Confirm: Retype the password for the admin account.
Step 4
If there are any errors, the account is not added and an error message is displayed at the top of the page. If successfully added, a success message is displayed at the top of the page and you can add additional admin accounts.
Edit Existing Admin Account
Step 1
From the administration interface, select Authentication > Administrators from the left hand menu.
Step 2
In the Local Database tab of the Administrators page as shown in Figure 3-16, click the username from the list.
Figure 3-16 Admin Users to Edit
Step 3
In the Edit Administrator page as shown in Figure 3-17, edit the user credentials:
Figure 3-17 Edit Administrator
• First Name: Edit the first name of the admin user.
• Surname: Edit the last name of the admin user.
• Email Address: Edit the email address of the admin user.
• Password: Edit the password for the admin account.
• Confirm: Retype the password for the admin account.
Note
Cisco recommends using a strong password that is not based on a dictionary word, has a minimum of 6 characters, and contains at least 5 different characters.
Note
Leaving the Password and Repeat Password fields empty keeps the existing password.
Step 4
If there are any errors, the account is not changed and an error message is displayed at the top of the page. If successfully changed, a success message is displayed at the top of the page and you can make additional changes to the same admin account.
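The note above gives three rules for an admin password: not based on a dictionary word, at least 6 characters, and at least 5 different characters. The following is an added example, not code from this guide or from the appliance, that turns those rules into a checker you can run against candidate passwords before setting them. The appliance's own validation is not documented here, so the helper names and the handling of "based on a dictionary word" (trailing digits or symbols stripped and common letter substitutions undone before the lookup) are assumptions, and the word list is a constructed stand-in for a real dictionary file.

```python
"""Added example (not Cisco's code): a checker for the admin password
guidance on this page. Thresholds are the page's; the dictionary handling
and word list are assumptions, standard library only.
"""
import string

MIN_LENGTH = 6       # "a minimum of 6 characters"
MIN_DISTINCT = 5     # "contains at least 5 different characters"

# Constructed stand-in for a dictionary such as /usr/share/dict/words.
DICTIONARY = {"admin", "password", "cisco", "guest", "welcome", "server", "sponsor"}

# Common substitutions undone before the dictionary lookup (assumption).
_SUBSTITUTIONS = str.maketrans("0134$@!", "oleasai")
_TRIM = string.digits + string.punctuation + " "


def dictionary_based(password, words=DICTIONARY):
    """True if the password is a dictionary word once digits or symbols at
    either end are removed and substitutions like @ for a are undone."""
    core = password.strip(_TRIM).lower().translate(_SUBSTITUTIONS)
    return core in words


def check_password(password, words=DICTIONARY):
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) < MIN_DISTINCT:
        problems.append(f"fewer than {MIN_DISTINCT} different characters")
    if dictionary_based(password, words):
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("admin", "aaaaaa", "P@ssw0rd1", "correct horse 42"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The default admin/admin pair from the login step fails two of the three rules, which is the practical reason the earlier note tells you to change it before exposing the interface.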
Delete Existing Admin Account
Step 1
From the administration interface, select Authentication > Administrators from the left hand menu.
Figure 3-18 Admin Accounts
Step 2
In the Admin Accounts page as shown in Figure 3-18, click the bin icon at the end of the user entry that you want to delete.
Step 3
When prompted, click OK to delete the user or click Cancel to cancel the deletion. If successfully deleted, a success message is displayed at the top of the page.
As an alternative to configuring local administrator accounts, you can configure admin users to be authenticated over RADIUS to a RADIUS server. Cisco NAC Guest Server only allows access to admin users who are successfully authenticated, and the RADIUS server must return the IETF Service-Type attribute set to 6 (administrative). To configure RADIUS authentication for Administrator Authentication, perform the following steps:
Step 1
From the administration interface, select Authentication > Administrators.
Step 2
Click the RADIUS Authentication tab as shown in Figure 3-19.
Figure 3-19 RADIUS Authentication
Step 3
Type the Server IP Address for the Primary RADIUS Server.
Step 4
Type the Port that RADIUS authentication is running on for that server (default is 1645 or 1812).
Step 5
In the RADIUS Secret field, type the shared secret to be used between the RADIUS Server and the NAC Guest Server.
Step 6
Confirm the secret to make sure that it is set correctly.
Step 7
Enter details for a Secondary RADIUS Server. These details are used when the NAC Guest Server does not receive a response from the Primary RADIUS Server. These fields are optional.
Step 8
Check the Authentication Mode checkbox so that the Local Admin account is allowed if both RADIUS Servers cannot be contacted. If this option is unchecked, the Local Admin account is allowed if authentication is denied by any one of the RADIUS Servers.
Step 9
Click the Save button to save the Administrator RADIUS settings.
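Two things in the procedure above are worth seeing concretely: what "the RADIUS server must return Service-Type 6" means in the reply packet, and how the shared secret from Step 5 is what lets the appliance tell a genuine Access-Accept from a forged one. The following is an added example, not code from this guide or from the appliance, that builds and checks RADIUS replies with the Python standard library per RFC 2865 (Code, Identifier, Length, 16-byte Authenticator, then type-length-value attributes; the reply's Response Authenticator is MD5 over Code, ID, Length, the request's authenticator, the attributes and the secret). It also encodes the Step 8 fallback rule. The shared secret, request authenticator and packets are constructed samples; the function names, and treating an unconfigured secondary server as unreachable, are assumptions.

```python
"""Added example (not Cisco's code): RADIUS Access-Accept validation and the
Service-Type = 6 check the page requires, plus the local-account fallback
rule from the Authentication Mode checkbox. Standard library only; all
packets, secrets and authenticators below are constructed samples.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_SERVICE_TYPE = 6        # attribute type number for Service-Type
SERVICE_ADMINISTRATIVE = 6   # Service-Type value "Administrative-User"


def build_reply(code, ident, request_auth, secret, attrs):
    """Build a reply the way a RADIUS server does; used here to make samples."""
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def parse_reply(packet, request_auth, secret):
    """Check a reply against the request it answers; return (code, attrs)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field inconsistent with packet")
    body = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    attrs, pos = [], 0
    while pos < len(body):                      # walk type-length-value attributes
        if pos + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[pos], body[pos + 1]
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def reply_is_authentic(packet, request_auth, secret):
    try:
        parse_reply(packet, request_auth, secret)
        return True
    except ValueError:
        return False


def admin_login_permitted(packet, request_auth, secret):
    """True only for an authentic Access-Accept carrying Service-Type = 6."""
    code, attrs = parse_reply(packet, request_auth, secret)
    if code != ACCESS_ACCEPT:
        return False
    return any(t == ATTR_SERVICE_TYPE and len(v) == 4
               and struct.unpack("!I", v)[0] == SERVICE_ADMINISTRATIVE
               for t, v in attrs)


def local_admin_fallback(primary, secondary, only_when_unreachable):
    """Whether the local admin account may be used, per Step 8.

    primary/secondary are "accept", "reject" or "unreachable"; a secondary of
    None (not configured) is treated as unreachable (assumption).
    only_when_unreachable=True models the Authentication Mode box checked.
    """
    outcomes = [primary, secondary if secondary is not None else "unreachable"]
    if only_when_unreachable:
        return all(o == "unreachable" for o in outcomes)
    return any(o == "reject" for o in outcomes)


if __name__ == "__main__":
    secret, req_auth = b"s3cret-sample", bytes(range(16))  # constructed
    accept = build_reply(ACCESS_ACCEPT, 7, req_auth, secret,
                         [(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_ADMINISTRATIVE))])
    print("admin permitted:", admin_login_permitted(accept, req_auth, secret))
    print("authentic with wrong secret:", reply_is_authentic(accept, req_auth, b"wrong"))
    print("local fallback, both down, box checked:", local_admin_fallback("unreachable", None, True))
```

An Access-Accept without Service-Type, or with Service-Type 1 (Login-User), is a valid login for some other service but not for this interface, which is the condition the page's "set to 6" sentence is guarding.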
Chapter 4 Configuring Sponsor Authentication
Sponsors can be authenticated by the following methods:
• Local User Authentication: Create local sponsor accounts directly on the Cisco NAC Guest Server. See Configuring Local Sponsor Authentication, page 4-1.
• Active Directory Authentication: Authenticate sponsors against an existing Active Directory (AD) implementation. See Configuring Active Directory (AD) Authentication, page 4-6.
• LDAP Authentication: Authenticate sponsors against a Lightweight Directory Access Protocol (LDAP) server. See Configuring LDAP Authentication, page 4-10.
• RADIUS Authentication: Authenticate sponsors against a RADIUS server. See Configuring RADIUS Authentication, page 4-16.
• Active Directory Single Sign-On: This option uses Kerberos between the client's web browser and the Cisco NAC Guest Server to automatically authenticate a sponsor against an Active Directory Domain Controller. See Configuring Active Directory Single Sign-On, page 4-21.
You can configure multiple authentication servers in the Cisco NAC Guest Server as well as the order in which the authentication servers are used to authenticate sponsors. For details, see Configuring Sponsor Authentication Settings, page 4-19.
Configuring Local Sponsor Authentication
This section describes the following:
• Add New Local User Account
• Edit Existing User Account
• Delete Existing User Account
Add New Local User Account
Step 1
From the administration interface, select Authentication > Sponsors > Local User Database from the menu as shown in Figure 4-1.
Figure 4-1 Local Users
Step 2
Click the Add User button to bring up the local sponsor configuration page as shown in Figure 4-2.
Figure 4-2 Add Local User
Step 3
In the Add a Local User Account page, enter all the sponsor user credentials:
• First Name: Type the first name of the sponsor.
• Last Name: Type the last name of the sponsor.
• Email: Type the email address of the sponsor.
• Group: Select the group for the sponsor account from the dropdown. Chapter 5, Configuring Sponsor User Groups, provides further details on groups.
• Username: Type the user name for the sponsor account.
• Password: Type the password for the sponsor account.
• Confirm: Retype the password for the sponsor account.
Step 4
If there are any errors, the account is not added and an error message is displayed at the top of the page. If successfully added, a success message is displayed at the top of the page and you can add additional user accounts.
Edit Existing User Account
Step 1
From the administration interface, select Authentication > Sponsors and click the Local User Database tab as shown in Figure 4-3.
Figure 4-3 Local Users to Edit
Step 2
Select the user from the list and click the underlined username.
Step 3
In the Edit a Local User Account page, edit the user credentials as shown in Figure 4-4:
Figure 4-4 Edit Local User
• First Name: Edit the first name for the sponsor account.
• Last Name: Edit the last name for the sponsor account.
• Email: Edit the email address of the sponsor.
• Group: Select the group for the sponsor account from the dropdown. Chapter 5, Configuring Sponsor User Groups, provides further details on groups.
Note
Leaving the Password and Repeat Password fields empty retains the existing password.
• Password: Change the password for the sponsor account.
• Confirm: Retype the changed password for the sponsor account.
Step 4
If there are any errors, the account is not changed and an error message is displayed at the top of the page. If successfully changed, a success message is displayed at the top of the page and you can make additional changes to the same user account.
Delete Existing User Account
Step 1
From the administration interface, select Authentication > Sponsors and then click the Local User Database tab as shown in Figure 4-5.
Figure 4-5 Local User Database
Step 2
A list of local users appears on the page. Choose the user you wish to delete by clicking the bin icon to the right of the Group Name field.
Step 3
Confirm deletion of the user at the prompt. If successfully deleted, a success message is displayed at the top of the page and you can perform additional local user account operations.
Configuring Active Directory (AD) Authentication
This section describes the following:
• Add Active Directory Domain Controller
• Edit Existing Domain Controller
• Delete Existing Domain Controller Entry
AD authentication supports authentication against multiple domain controllers. The domain controllers can be part of the same Active Directory to provide resilience, or they can be in different Active Directories. The Guest Server can authenticate sponsor users from separate domains, even where no trust relationship is configured. All Active Directory authentication is performed against individual domain controller entries. A domain controller entry consists of 6 items:
• Server Name: A text description to identify the domain controller. As a best practice, Cisco recommends identifying the domain controller and the account suffix in this field (although it can be set to anything that you choose).
• User Account Suffix: Every user in Active Directory has a full user logon name which appears as username@domain. Typing the @domain suffix (including the @ symbol) in this field means sponsor users do not have to enter their full user logon name.
• Domain Controller IP Address: The IP address of the domain controller against which the sponsor user is authenticated.
• Base DN: The root of the Active Directory. This allows an LDAP search to be performed to find the user group of the sponsor.
• AD Username: The user account that has permissions to search the AD. This allows an LDAP search for the user group of the sponsor.
• AD Password: The password for the user account that has permissions to search the AD.
To allow you to authenticate different user account suffixes against the same domain controller, you can create multiple domain controller entries with the same IP address and different user Account suffixes. The Server Name, User Account Suffix, and Base DN need to be different in each entry. To provide resilience in the event of a domain controller failure, you can enter multiple entries for the same User Account Suffix with different Domain Controller IP Addresses. The Server Name needs to be different in each entry. The Guest Server attempts to authenticate sponsors against each Domain Controller entry according to the Authentication Order specified in Configuring Sponsor Authentication Settings, page 4-19.
Add Active Directory Domain Controller
Step 1
From the administration interface, select Authentication > Sponsors > Active Directory Servers from the menu as shown in Figure 4-6.
Figure 4-6 Active Directory Authentication
Step 2
Click the Add Domain Controller button.
Step 3
In the Add Active Directory Domain Controller page, enter all the details for authenticating against a specific AD Domain Controller as shown in Figure 4-7:
Figure 4-7 Add Active Directory Domain Controller
• Server Name: Type a text description of the AD Server Name and account suffix for the domain controller. For example: CCA.CISCO.COM.
• User Account Suffix: Type the User Account Suffix and include the leading @. For example: @cca.cisco.com. Every AD user has a full user logon name that appears as username@domain. To allow sponsors to type their user logon name alone, type the @domain part (including the @ symbol) in this field.
• Domain Controller: Type the IP address or DNS name for the domain controller. This is the DC against which the sponsor is authenticated.
• Base DN: Type the Base Distinguished Name (DN) of the domain controller. This is the name of the root of the directory tree. It is used so that when group searches are performed, the Guest Server knows where to start. An example of the base DN for the domain cca.cisco.com is DC=cca,DC=cisco,DC=com.
• Username: Type a username that has permissions to search the Active Directory using LDAP. This allows the Guest Server to find out details about users such as the list of groups to which they belong.
• Password: In addition to the AD Username, type the password for that account.
• Confirm: Retype the password for confirmation.
• Enabled: Check the checkbox to enable the Guest Server to use this AD server to authenticate sponsors. If not checked, the AD server will not be used.
Step 4
Click the Test Connection button to verify that the settings are correct for the domain controller. Test Connection authenticates with the specified AD Username and Password to verify the settings. Success or failure status is returned by Active Directory Connection Successful or Active Directory Connection Failed messages.
Step 5
Click the Add Domain Controller button to add the domain controller. If successfully added, a confirmation message is displayed at the top of the page.
Edit Existing Domain Controller
Step 1
From the administration interface, select Authentication > Sponsor > Active Directory Servers from the menu as shown in Figure 4-6.
Step 2
Select the Active Directory Domain Controller from the list and click the underlined domain name to select and edit the domain controller as shown in Figure 4-8.
Figure 4-8 Select Domain Controller to Edit
Step 3
In the Edit Active Directory Domain Controller page as shown in Figure 4-9, edit the details for authenticating against this AD domain controller:
Figure 4-9 Edit Active Directory Domain Controller
Step 4
Edit the following fields as required:
• User Account Suffix: Edit the User Account Suffix and include the leading @, for example: @cca.cisco.com. Every AD user has a full user logon name that appears as username@domain. To allow sponsors to type their user logon name alone, type the @domain part (including the @ symbol) in this field.
• Domain Controller: Edit the IP address for the domain controller. This is the IP address of the DC against which the sponsor authenticates.
• Base DN: Edit the Base Distinguished Name (DN) of the domain controller. This is the name of the root of the directory tree. It is used so that when group searches are performed, the Guest Server knows where to start. An example of the base DN for the domain cca.cisco.com is DC=cca,DC=cisco,DC=com.
• AD Username: Edit the username that has permissions to search the Active Directory using LDAP. This allows the Guest Server to find out details about users such as the list of groups to which they belong.
Note
If you do not want to change the password, leave the Password and Confirm fields empty to retain the existing password.
• Password: Edit the password for the AD user account that has search permissions.
• Confirm: Retype the password to make sure it is correct.
• Enabled: Check this checkbox to enable the Guest Server to use this AD server to authenticate sponsors. If not checked, the AD server will not be used.
Step 5
Click the Test Connection button to verify that the settings are correct for the domain controller. Test Connection authenticates with the specified AD Username and Password to verify the settings. Success or failure status is returned by Active Directory Connection Successful or Active Directory Connection Failed messages.
Step 6
Delete Existing Domain Controller Entry
Step 1
From the administration interface, select Authentication > Sponsor > Active Directory Servers from the menu.
Step 2
Click the underlined name of the domain controller from the list as shown in Figure 4-10.
Figure 4-10 Delete Domain Controller Entries
Step 3
Delete the domain controller by clicking the bin icon to the right of the Status field.
Step 4
Confirm deletion of the Domain Controller at the prompt. If there are any errors, the DC is not changed and an error message is displayed at the top of the page. If successfully deleted, a success message is displayed at the top of the page and you can perform additional Domain Controller operations.
Configuring LDAP Authentication
This section describes the following:
• Add an LDAP Server
• Edit an Existing LDAP Server
• Delete an Existing LDAP Server Entry
LDAP authentication supports authentication against multiple LDAP Servers. An LDAP server entry consists of multiple items:
• LDAP Server Name: A text description to identify the LDAP Server.
• LDAP Server URL: This is the URL to access the LDAP server, such as ldap://ldap.cisco.com.
• Version: The LDAP version to use (version 1, 2 or 3).
• Base DN: This is the Distinguished Name of the container object where an LDAP search to find the user begins, such as OU=Engineering,O=Cisco.
• User Search Filter: The User Search Filter defines how user entries are named in the LDAP server. For example, you can define them as uid (uid=%USERNAME%) or cn (cn=%USERNAME%).
• Group Mapping: There are two main methods that LDAP servers use for assigning users to groups:
1. Storing the group membership in an attribute of the user object. With this method, the user object has one or more attributes that list the groups to which the user belongs. If your LDAP server uses this method of storing group membership, you need to enter the name of the attribute which holds the groups of which the user is a member.
2. Storing the user membership in an attribute of the group object. With this method, there is a group object that contains a list of the users who are members of the group. If your LDAP server uses this method, you need to specify the group to check under the LDAP mapping section of the User Group to which you want to match the user.
To determine the method to be used, Cisco recommends checking the LDAP documentation for your server or using an LDAP browser available at http://www.ldapbrowser.com/ to check the attributes of the server.
• Username: The user account that has permissions to search the LDAP server. This is needed so that the Cisco NAC Guest Server can search for the user account and group mapping information.
• Password: The password for the user account that has permissions to search the LDAP server.
To provide resilience in the event of an LDAP server failure, you can enter multiple entries for high availability LDAP servers pointing to the same database. The Server Name and URL need to be different in each entry. The Guest Server attempts to authenticate sponsors against each LDAP server entry in the order specified by Authentication Order, as detailed in Configuring Sponsor Authentication Settings, page 4-19. To verify that you have the correct LDAP credentials for connecting to your LDAP server, Cisco recommends testing them with an LDAP browser such as the one available at http://www.ldapbrowser.com/.
Add an LDAP Server
Step 1
From the administration interface, select Authentication > Sponsors > LDAP Servers from the menu as shown in Figure 4-11.
Figure 4-11 LDAP Authentication
Step 2
Click the Add LDAP Server button.
Step 3
In the Add LDAP Server page, enter all the details for authenticating against a specific LDAP server as shown in Figure 4-12:
Figure 4-12 Add LDAP Server
• LDAP Server Name: Type a text description of the LDAP Server Name. For example: Cisco LDAP - ldap.cisco.com.
• LDAP Server URL: Enter the URL for accessing the LDAP server, such as ldap://ldap.cisco.com or ldaps://ldap.cisco.com.
• Version: The version of LDAP supported by the server (version 1, 2 or 3).
• Base DN: This is the Distinguished Name of the container object from which an LDAP search to find the user is started, such as OU=Users,O=Cisco.com or OU=Engineering,O=Cisco.
• User Search Filter: The User Search Filter defines how user entries are named in the LDAP server. For example, you can define them to be uid (uid=%USERNAME%) or cn (cn=%USERNAME%). The %USERNAME% should be placed where the username will be inserted in a search.
• Group Mapping: There are two main methods that LDAP servers use for assigning users to groups:
1. Storing the group membership in an attribute of the user object. With this method, the user object has one or more attributes that list the groups of which the user is a member. If your LDAP server uses this method of storing group membership, you need to enter the name of the attribute which holds the groups of which the user is a member. This attribute may be called something like groupMembership, memberOf, or group.
2. Storing the user membership in an attribute of the group object. With this method, there is a group object that contains a list of the users who are members of the group. If your LDAP server uses this method, you need to specify the group to check under the LDAP mapping section of the User Group to which you want to match the user.
To determine the method to be used, Cisco recommends checking the LDAP documentation for your server or using an LDAP browser like the one available at http://www.ldapbrowser.com/ to check the attributes of the server.
OL-18371-01
Username: The user account that has permissions to search the LDAP server. This is needed so that the Cisco NAC Guest Server can search for the user account and group mapping information.
Password: The password for the user account that has permissions to search the LDAP server.
Confirm: Repeat the password for confirmation.
Enabled: Check the checkbox to enable the Guest Server to use this LDAP server to authenticate sponsors. If not checked, the LDAP server will not be used.
Step 4
Click the Add LDAP Server button to save the settings.
Step 1
From the administration interface, select Authentication > Sponsor > LDAP Servers from the menu.
Step 2
Select the LDAP Server you wish to edit from the list and click the underlined domain of that server as shown in Figure 4-13.
Figure 4-13 Select LDAP Server to Edit
Step 3
In the LDAP Server page as shown in Figure 4-14, edit the details for authenticating against this LDAP server.
Figure 4-14
Step 4
LDAP Server URL: Enter the URL for accessing the LDAP server, such as ldap://ldap.cisco.com or ldaps://ldap.cisco.com.
Version: The version of LDAP supported by the server (version 1, 2 or 3).
Base DN: This is the Distinguished Name of the container object from which an LDAP search to find the user is started, such as OU=Users,O=Cisco.com or OU=Engineering,O=Cisco.
User Search Filter: The User Search Filter defines how user entries are named in the LDAP server. For example, you can define them to be uid (uid=%USERNAME%) or cn (cn=%USERNAME%). The %USERNAME% should be placed where the username will be inserted in a search.
Group Mapping: There are two main methods that LDAP servers use for assigning users to groups:
1. Storing the group membership in an attribute of the user object. With this method the user object has one or more attributes that list the groups of which the user is a member. If your LDAP server uses this method of storing group membership, you need to enter the name of the attribute which holds the groups of which the user is a member. This attribute may be called something like groupMembership, memberOf, or group.
2. Storing the user membership in an attribute of the group object. With this method there is a group object that contains a list of the users who are members of the group. If your LDAP server uses this method, you need to specify the group to check under the LDAP mapping section of a User Group to which you want to match the user.
To determine the method to be used, Cisco recommends checking the LDAP documentation for your server or using an LDAP browser like the one available at http://www.ldapbrowser.com/ to check the attributes of the server.
Username: The user account that has permissions to search the LDAP server. This is needed so that the Cisco NAC Guest Server can search for the user account and group mapping information.
Password: The password for the user account that has permissions to search the LDAP server.
Confirm: Repeat the password for confirmation.
Note
If you do not want to change the password, leave the Password and Confirm fields empty to retain the existing password.
Enabled: Check the checkbox to enable the Guest Server to use this LDAP server to authenticate sponsors. If not checked, the LDAP server will not be used.
Step 5
Click the Test Connection button to verify that the settings are correct for the LDAP server. The Test Connection will bind to the LDAP server with the username and password specified to verify that it can bind successfully. Success or failure status is returned by LDAP Connection Successful or LDAP Connection Failed messages.
Step 6
Click the Save Settings button.
Step 1
From the administration interface, select Authentication > Sponsor > LDAP Servers from the menu.
Step 2
Select the LDAP Server from the list as shown in Figure 4-15.
Figure 4-15 Delete LDAP Server entries
Step 3
A list of LDAP Servers appears on the page. Choose the server you wish to delete by clicking the bin icon to the right of the Status field.
Step 4
Confirm deletion of the LDAP Server at the prompt. If there are any errors, the LDAP Server is not changed and an error message is displayed at the top of the page. If successfully deleted, a success message is displayed at the top of the page and you can perform additional LDAP Server operations.
Add a RADIUS Server
Edit an Existing RADIUS Server
Delete an Existing RADIUS Server Entry
Add a RADIUS Server
Step 1
From the administration interface, select Authentication > Sponsors > RADIUS Servers from the menu as shown in Figure 4-16.
Figure 4-16 RADIUS Authentication
Step 2
Click the Add RADIUS Server button.
Step 3
In the Add RADIUS Server page, enter all the details for authenticating against a specific RADIUS server as shown in Figure 4-17.
Figure 4-17 Add RADIUS Server
Server Name: Type a text description of the RADIUS Server Name. For example: Cisco RADIUS - radius.cisco.com.
Step 4
Server IP Address: Enter the IP address or domain name of the RADIUS server.
Port: Enter the UDP port used to connect to the RADIUS server. The common ports for RADIUS authentication are ports 1645 or 1812.
RADIUS Secret: The shared secret used to secure the communications between the Cisco NAC Guest Server and the RADIUS server.
Confirm: Repeat the shared secret for confirmation.
Enabled: Check the checkbox to enable the Guest Server to use this RADIUS server to authenticate sponsors. If not checked, the RADIUS server will not be used.
Edit an Existing RADIUS Server
Step 1
From the administration interface, select Authentication > Sponsor > RADIUS Servers from the menu.
Step 2
Select the RADIUS server from the list and click the underlined name of the server you wish to edit as shown in Figure 4-18.
Figure 4-18 Select RADIUS Server to Edit
Step 3
In the Edit RADIUS Server Details page as shown in Figure 4-19, edit the details for authenticating against this RADIUS server.
Figure 4-19 Edit RADIUS Server Settings
Step 4
Server IP Address: Enter the IP address or domain name of the RADIUS server.
Port: Enter the UDP port used to connect to the RADIUS server. The common ports for RADIUS authentication are ports 1645 or 1812.
RADIUS Secret: The shared secret used to secure the communications between the Cisco NAC Guest Server and the RADIUS server.
Note
If you do not want to change the shared secret, leave the Secret and Confirm fields empty to retain the existing shared secret.
Enabled: Check the checkbox to enable the Guest Server to use this RADIUS server to authenticate sponsors. If not checked, the RADIUS server will not be used.
Step 5
Delete an Existing RADIUS Server Entry
Step 1
From the administration interface, select Authentication > Sponsor > RADIUS Servers from the menu.
Step 2
Select the RADIUS server from the list as shown in Figure 4-20.
Figure 4-20 Delete RADIUS Server Entries
Step 3
A list of RADIUS Servers appears on the page. Click the bin icon to the right of the Status field to delete the server.
Step 4
Confirm deletion of the RADIUS server at the prompt. If there are any errors, the RADIUS server is not changed and an error message is displayed at the top of the page. If successfully deleted, a success message is displayed at the top of the page and you can perform additional RADIUS operations.
Step 1
From the administration interface, select Authentication > Sponsor > Authentication Order from the menu as shown in Figure 4-21.
Figure 4-21 Authentication Order
The first server to be authenticated against is at the top of the list and the last one at the bottom.
Step 2
Select the server that you want to re-order from the list and click either the move up or move down button. Perform this action with all the servers until they are in the correct order.
Step 3
To save the authentication order, click the Change Order button.
Session Timeouts
A sponsor that logs in to the Cisco NAC Guest Server is logged out after a period of inactivity. You can set the inactivity period through the Session Timeout Settings page.
Note
The Session Timeout defined here applies to both the Sponsor and Administration interfaces. See Admin Session Timeout, page 3-18.
Step 1
From the administration interface, select Authentication > Sponsor > Settings from the menu as shown in Figure 4-22.
Figure 4-22 Session Timeout
Step 2
Enter the Session Timeout value in minutes (default is 10 minutes). When sponsors are inactive for this amount of time, their sessions expire and the next action they perform takes them to the login page.
Step 3
Click the Save Settings button to save the session timeout.
DNS must be configured and working on the Cisco NAC Guest Server.
DNS must be configured and working on the Domain Controller.
Both of the following DNS entries for the Cisco NAC Guest Server must be defined:
A record
PTR record
Both of the following DNS entries for the Domain Controller must be defined:
A record
PTR record
Cisco NAC Guest Server time settings must be synchronized with the Active Directory Domain.
If any of these requirements are not met, then AD SSO configuration will fail.
Note
Cisco strongly recommends configuring NTP so that time is synchronized with the Active Directory Domain. Single Sign-On will fail if the time on the Cisco NAC Guest Server differs by more than 5 minutes from the client or the domain.
Step 1
Configure an Active Directory Server as described in Configuring Active Directory (AD) Authentication, page 4-6. An Active Directory Server is needed so that users performing Single Sign-On can be correctly mapped against a sponsor group. The Active Directory Server must be in the same domain as the Single Sign-On configuration.
Step 2
From the administration interface, select Authentication > AD Single Sign-On from the left menu as shown in Figure 4-23.
Figure 4-23
Check the Enable AD Single Sign On checkbox to enable AD SSO.
Type the Active Directory Domain Name for the domain for which you want to enable SSO.
Type the Fully Qualified Domain Name of the Active Directory Domain Controller. The Cisco NAC Guest Server needs to be able to resolve both A and PTR records for the Domain Controller.
Type the Fully Qualified Domain Name of the NAC Guest Server. The NAC Guest Server needs to be able to resolve both A and PTR records for itself with DNS.
Type an AD Administrator Username for the Domain. This account is used for adding the NAC Guest Server to the domain and creating its computer account.
Type the Password for the AD Administrator and retype it in the Confirm field.
Click Save. The NAC Guest Server will join the domain, create a computer account and turn on Active Directory Single Sign-On.
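The prerequisites above (A and PTR records for both hosts, clock within 5 minutes of the domain) are easy to verify before clicking Save. The following pre-flight check is an added example and is not Cisco's code; the host names and addresses are constructed, and the two DNS lookups are injected callables so it runs offline here (substitute real resolver queries in use).

```python
"""Pre-flight checks for the AD Single Sign-On prerequisites: A and PTR records
for the NAC Guest Server and the Domain Controller, and clock skew within the
5-minute limit. DNS lookups are injected so the check runs offline here."""
import time
from typing import Callable, List, Optional

MAX_SKEW_SECONDS = 5 * 60   # more than 5 minutes of skew breaks SSO

# Constructed sample records (hypothetical names, documentation addresses).
FORWARD = {"nacgs.example.com": "192.0.2.10", "dc1.example.com": "192.0.2.5"}
REVERSE = {"192.0.2.10": "nacgs.example.com", "192.0.2.5": "dc1.example.com"}


def _norm(name: str) -> str:
    """Compare DNS names case-insensitively and without a trailing dot."""
    return name.rstrip(".").lower()


def lookup_a(fqdn: str) -> Optional[str]:
    """Stand-in for an A record query against the constructed records."""
    return FORWARD.get(_norm(fqdn))


def lookup_ptr(ip: str) -> Optional[str]:
    """Stand-in for a PTR record query against the constructed records."""
    return REVERSE.get(ip)


def check_dns_pair(fqdn: str, a_lookup: Callable[[str], Optional[str]],
                   ptr_lookup: Callable[[str], Optional[str]]) -> List[str]:
    """Both records must exist and the PTR must point back at the same FQDN."""
    ip = a_lookup(fqdn)
    if ip is None:
        return [f"{fqdn}: no A record"]
    name = ptr_lookup(ip)
    if name is None:
        return [f"{fqdn}: no PTR record for {ip}"]
    if _norm(name) != _norm(fqdn):
        return [f"{fqdn}: PTR for {ip} resolves to {name}, not {fqdn}"]
    return []


def check_clock_skew(local_epoch: float, domain_epoch: float) -> List[str]:
    """Guest Server clock versus the domain's clock, both as epoch seconds."""
    skew = abs(local_epoch - domain_epoch)
    if skew > MAX_SKEW_SECONDS:
        return [f"clock skew {skew:.0f}s exceeds {MAX_SKEW_SECONDS}s; configure NTP"]
    return []


def check_sso_prerequisites(guest_fqdn: str, dc_fqdn: str, local_epoch: float,
                            domain_epoch: float, a_lookup=lookup_a,
                            ptr_lookup=lookup_ptr) -> List[str]:
    """Empty list when every prerequisite holds, otherwise one line per problem."""
    problems = check_dns_pair(guest_fqdn, a_lookup, ptr_lookup)
    problems += check_dns_pair(dc_fqdn, a_lookup, ptr_lookup)
    problems += check_clock_skew(local_epoch, domain_epoch)
    return problems


if __name__ == "__main__":
    now = time.time()
    result = check_sso_prerequisites("nacgs.example.com", "dc1.example.com", now, now)
    for line in result or ["all AD SSO prerequisites met"]:
        print(line)
```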
Chapter 5 Configuring Sponsor User Groups
Tip
By default, all users are assigned to the DEFAULT group. If you only want to have a single classification of sponsors, you can edit the DEFAULT group. This chapter describes the following:
Adding Sponsor User Groups
Editing Sponsor User Groups
Deleting User Groups
Specifying the Order of Sponsor User Groups
Mapping to Active Directory Groups
Mapping to LDAP Groups
Mapping to RADIUS Groups
Assigning Guest Roles
Assigning Time Profiles
Adding Sponsor User Groups
Step 1
From the administration interface, select Authentication > Sponsor User Groups as shown in Figure 5-1.
Figure 5-1 Sponsor User Groups
Step 2
Click the Add Sponsor Group button to add a new user group.
Step 3
From the Add a New Sponsor Group page as shown in Figure 5-2, type the name for a new user group in the Sponsor Group Name field.
Figure 5-2 Add New Sponsor Group
Step 4
Click the Add Sponsor Group button to add a user group. You can now edit the settings for the new user group by clicking the Edit Group button as shown in Figure 5-3.
Figure 5-3
Step 5
Edit and set the permissions for the new User Group as follows:
Allow Login: Select Yes to allow sponsors in this group to access the Cisco NAC Guest Server.
Create Account: Select Yes to allow sponsors to create guest accounts.
Create Bulk Accounts: Select Yes to allow sponsors to create multiple accounts at a time by pasting in the details.
Create Random Accounts: Select Yes to allow sponsors to create multiple random accounts without initially capturing the guests' details.
Import CSV: Select Yes to allow sponsors to create multiple accounts at a time by importing the details from a CSV file.
Send Email: Select Yes to allow sponsors to send account details via email from the Guest Server to the guest user.
Send SMS: Select Yes to allow sponsors to send account details via SMS from the Guest Server to the guest user.
View Guest Password: Select Yes to allow sponsors to view the password that has been created for the guest.
Allow Printing Guest Details: Select Yes to allow sponsors to print out the guests' details.
Note
Select No if you want to disable any of the above permissions.
Edit Account: Choose one of the following permissions for editing the end date/time on guest accounts:
No: Sponsors are not allowed to edit any guest accounts.
Own Account: Sponsors are allowed to edit only the guest accounts they created.
Group Accounts: Sponsors are allowed to edit guest accounts created by anyone in the same
Full Reporting: Choose one of the following permissions for viewing reporting details for full reporting. See Reporting on Guest Users, page 17-19 for additional details.
No: Sponsors are not allowed to view reporting details on any guest accounts.
Own Account: Sponsors are allowed to view reporting details for only the guest accounts they created.
Group Accounts: Sponsors are allowed to view active guest accounts created by anyone in the
Detailed Reports - Accounting Log: Choose one of the following permissions for running a full report on accounting logs:
No: Sponsors are not allowed to run accounting log reporting on any guest accounts.
Own Account: Sponsors are allowed to run full accounting log reporting for only the guest accounts.
Detailed Reports - Audit Log: Choose one of the following permissions for running a full report on audit logs:
No: Sponsors are not allowed to run an audit log report on logs on any accounts.
Own Account: Sponsors are allowed to run an audit log report on logs for only the guest accounts.
Detailed Reports - Activity Log: Choose one of the following permissions for running a full report on activity logs:
No: Sponsors are not allowed to run detailed reports on activity logs on any guest accounts.
Own Account: Sponsors are allowed to run detailed reports on activity logs for only the guest accounts.
Management Reports: Select Yes to allow the sponsors to run the management reports. If you select No, the sponsors are not allowed to run the reports.
Number of days in the future the account can be created: This specifies the period in the future for which the guests can create accounts. Specify the maximum number of days, hours, or minutes that they are allowed to create accounts in the future.
Maximum duration of account: This specifies the maximum duration for which the sponsor can configure an account. Specify the duration in days, hours, or minutes.
Step 6
Click the Save button to add the group with the permissions specified.
Note
Until you click the Save button, the group is not created.
Step 7
Execute one of the following sets of instructions to correctly map sponsor users to your group based upon group information from the authentication server:
Mapping to Active Directory Groups, page 5-10
Mapping to LDAP Groups, page 5-11
Mapping to RADIUS Groups, page 5-12
Editing Sponsor User Groups
Step 1
From the administration interface, select Authentication > Sponsor User Groups from the left hand menu.
Step 2
Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Figure 5-4
Step 3
In the Edit Permissions page as shown in Figure 5-5, change the settings for the group.
Figure 5-5 Edit User Group
Step 4
Allow Login: Select Yes to allow sponsors in this group to access the Cisco NAC Guest Server.
Create Account: Select Yes to allow sponsors to create guest accounts.
Create Bulk Accounts: Select Yes to allow sponsors to create multiple accounts at a time by pasting in the details.
Create Random Accounts: Select Yes to allow sponsors to create multiple random accounts without initially capturing the guests' details.
Import CSV: Select Yes to allow sponsors to create multiple accounts at a time by importing the details from a CSV file.
Send Email: Select Yes to allow sponsors to send account details via email from the Guest Server to the guest user.
Send SMS: Select Yes to allow sponsors to send account details via SMS from the Guest Server to the guest user.
View Guest Password: Select Yes to allow sponsors to view the password that has been created for the guest.
Allow Printing Guest Details: Select Yes to allow sponsors to print out the guests' details. Otherwise, select No.
Note
Select No if you want to disable any of the above permissions.
Edit Account: Choose one of the following permissions for editing the end date/time on guest accounts:
No: Sponsors are not allowed to edit any guest accounts.
Own Account: Sponsors are allowed to edit only the guest accounts they created.
Group Accounts: Sponsors are allowed to edit guest accounts created by anyone in the same
Full Reporting: Choose one of the following permissions for viewing reporting details for full reporting. See Reporting on Guest Users, page 17-19 for additional details.
No: Sponsors are not allowed to view reporting details on any guest accounts.
Own Account: Sponsors are allowed to view reporting details for only the guest accounts they created.
Group Accounts: Sponsors are allowed to view active guest accounts created by anyone in the
Detailed Reports - Accounting Log: Choose one of the following permissions for running a full report on accounting logs:
No: Sponsors are not allowed to run accounting log reporting on any guest accounts.
Own Account: Sponsors are allowed to run full accounting log reporting for only the guest
All Accounts: Sponsors are allowed to run full accounting log reporting on any active guest accounts.
Detailed Reports - Audit Log: Choose one of the following permissions for running a full report on audit logs:
No: Sponsors are not allowed to run an audit log report on logs on any accounts.
Own Account: Sponsors are allowed to run an audit log report on logs for only the guest accounts.
Detailed Reports - Activity Log: Choose one of the following permissions for running a full report on activity logs:
No: Sponsors are not allowed to run detailed reports on activity logs on any guest accounts.
Own Account: Sponsors are allowed to run detailed reports on activity logs for only the guest accounts.
Management Reports: Select Yes to allow the sponsors to run the management reports. If you select No, the sponsors are not allowed to run the reports.
Number of days in the future the account can be created: This specifies the period in the future for which the guests can create accounts. Specify the maximum number of days, hours, or minutes that they are allowed to create accounts in the future.
Maximum duration of account: This specifies the maximum duration for which the sponsor can configure an account. Specify the duration in days, hours, or minutes.
Step 5
Click the Save button to add the group with the permissions specified.
Note
Until you click the Save button, the changes are not saved.
Step 6
Execute one of the following sets of instructions to correctly map sponsor users to your group based upon group information from the authentication server:
Mapping to Active Directory Groups, page 5-10
Mapping to LDAP Groups, page 5-11
Mapping to RADIUS Groups, page 5-12
Deleting User Groups
Step 1
From the administration interface, select Authentication > Sponsor User Groups from the left hand menu.
Figure 5-6
Step 2
Select and highlight the group you wish to delete and click the Delete Group button as shown in Figure 5-6.
Step 3
Confirm deletion at the prompt.
Note
If any Local Users are part of this group, you must delete the user before deleting the user group. Alternatively, you can move Local Users to another group to empty the user group before deleting it.
Specifying the Order of Sponsor User Groups
Step 1
From the administration interface, select Authentication > Sponsor User Groups from the left hand menu.
Figure 5-7 Order User Groups
Step 2
Select the group you wish to order.
Step 3
Each group can be ordered by clicking the move up or move down arrow icon button until the group is in position as shown in Figure 5-7. Repeat for all groups until they appear in the required order.
Step 4
Mapping to Active Directory Groups
Note
Cisco NAC Guest Server does not support recursive group lookups. You must specify a group of which the user is directly a member.
If you have configured AD authentication (as described in Configuring Active Directory (AD) Authentication, page 4-6), then the Guest Server automatically retrieves a list of all the groups configured within all the AD servers. Selecting an Active Directory Group from the dropdown gives all sponsor users in this AD group the permissions of this sponsor group.
Step 1
From the administration interface, select Authentication > Sponsor User Groups from the left hand menu as shown in Figure 5-1.
Step 2
Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Step 3
Click the Active Directory Mapping tab to bring up the Edit Active Directory Mapping as shown in Figure 5-8.
Figure 5-8 Active Directory Group Mapping
Step 4
Select the group you wish to match from the dropdown menu and then click the Save button.
Note
By default, Active Directory only returns a maximum of 1000 groups in response to a Cisco NAC Guest Server search. If you have more than 1000 groups and have not increased the LDAP search size, it is possible that the group you want to match does not appear. In this situation, you can manually enter the group name in the Active Directory Group combo box.
Mapping to LDAP Groups
Note
Cisco NAC Guest Server does not support recursive group lookups. You must specify a group of which the user is directly a member.
Based on the settings of the LDAP server that you authenticate against, the Cisco NAC Guest Server uses one of the following methods for mapping the sponsor using group information. There are two main methods that LDAP servers use for assigning users to groups:
1. Storing the group membership in an attribute of the user object. With this method, the user object has one or more attributes that list the groups to which the user belongs. If your LDAP server uses this method of storing group membership, you need to enter the name of the attribute which holds the groups of which the user is a member.
2. Storing the user membership in an attribute of the group object. With this method, there is a group object that contains a list of the users who are members of the group. If your LDAP server uses this method, you need to specify the group to check under the LDAP mapping section of the User Group to which you want to match the user.
When you define the LDAP server, you will have specified one of these two options. If the LDAP server supports the first option, you need to specify to check the user attribute for a certain string. If the LDAP server supports the second option, you need to enter the full DN of the group whose membership you want to check. The Cisco NAC Guest Server will then check the attribute to make sure that it contains the name of the user who has logged in.
Step 1
From the administration interface, select Authentication > Sponsor User Groups from the left hand menu as shown in Figure 5-1.
Step 2
Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Step 3
Click the LDAP Mapping tab in the top menu of the page to bring up the Edit LDAP Mapping as shown in Figure 5-9.
Figure 5-9 LDAP Group Mapping
Step 4
If your LDAP server uses user attributes to store group membership, type the group name to check in the Check the user attribute field and specify either contains the string or equals the string from the dropdown menu.
Note
If using contains the string, then the LDAP server must have wildcard searches enabled.
Step 5
If your LDAP server stores group membership in the group object, then specify the full DN of the group you want to check in the Check the group object (group DN) field and type the name of the attribute to be checked for the sponsor's username in the Membership Attribute field.
Step 6
Click the Save button to save the LDAP group mapping.
Note
You can specify both options for the same group. The option that you check depends on the setting on the LDAP server with which the sponsor successfully authenticates.
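The User Search Filter with its %USERNAME% placeholder (described under the LDAP server settings) and the two group-mapping methods above can be modelled end to end. The following is an added example, not Cisco's code: the directory entries, DNs, attribute names and logins are constructed, and the login name is escaped per RFC 4515 before it replaces %USERNAME%, so a sponsor login containing filter metacharacters stays a literal value rather than widening the search.

```python
"""Models the sponsor lookup and the two LDAP group-mapping methods. The
directory below is constructed for the example; a real deployment queries the
LDAP server configured under Authentication > Sponsors > LDAP Servers."""
import re
from typing import Dict, List, Optional

Directory = Dict[str, Dict[str, List[str]]]   # DN -> attribute -> values

# Constructed directory: alice's membership is recorded both ways (memberOf on
# the user object and member on the group object); bob belongs to no group.
DIRECTORY: Directory = {
    "uid=alice,ou=Users,o=Example": {
        "uid": ["alice"], "cn": ["Alice Example"],
        "memberOf": ["cn=Sponsors,ou=Groups,o=Example"],
    },
    "uid=bob,ou=Users,o=Example": {"uid": ["bob"], "cn": ["Bob Example"]},
    "cn=Sponsors,ou=Groups,o=Example": {
        "cn": ["Sponsors"], "member": ["uid=alice,ou=Users,o=Example"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515: encode * ( ) backslash and NUL as \\XX inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_user_filter(template: str, username: str) -> str:
    """Substitute the escaped login for %USERNAME%, e.g. in (uid=%USERNAME%)."""
    return template.replace("%USERNAME%", escape_filter_value(username))


_SIMPLE_FILTER = re.compile(r"^\((\w+)=([^()]*)\)$")


def _unescape(value: str) -> str:
    """Decode \\XX sequences the way a server does before comparing values."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def find_user_dn(directory: Directory, base_dn: str, search_filter: str) -> Optional[str]:
    """Search below Base DN with a simple (attr=value) equality filter, the form
    the guide's uid= and cn= examples use; return the matching entry's DN."""
    match = _SIMPLE_FILTER.match(search_filter)
    if not match:
        raise ValueError("only simple equality filters are modelled here")
    attr, value = match.group(1), _unescape(match.group(2))
    for dn, attrs in directory.items():
        if dn.lower().endswith(base_dn.lower()) and value in attrs.get(attr, []):
            return dn
    return None


def user_attribute_matches(directory: Directory, user_dn: str, attribute: str,
                           text: str, mode: str = "equals") -> bool:
    """Method 1: the user object's attribute (memberOf, groupMembership, ...)
    equals or contains the configured string."""
    values = [v.lower() for v in directory.get(user_dn, {}).get(attribute, [])]
    if mode == "equals":
        return text.lower() in values
    if mode == "contains":   # needs wildcard searches enabled on a real server
        return any(text.lower() in v for v in values)
    raise ValueError(f"unknown mode {mode!r}")


def group_object_matches(directory: Directory, group_dn: str, membership_attribute: str,
                         user_dn: str, username: str) -> bool:
    """Method 2: the group object's membership attribute lists the sponsor,
    either by full DN or by login name."""
    members = [m.lower() for m in directory.get(group_dn, {}).get(membership_attribute, [])]
    return user_dn.lower() in members or username.lower() in members


def sponsor_in_group(directory: Directory, user_dn: str, username: str, mapping: dict) -> bool:
    """Apply one sponsor group's LDAP mapping. Both options may be configured
    for the same group; either one matching is enough."""
    if mapping.get("user_attribute") and user_attribute_matches(
            directory, user_dn, mapping["user_attribute"],
            mapping["user_attribute_value"], mapping.get("mode", "equals")):
        return True
    if mapping.get("group_dn") and group_object_matches(
            directory, mapping["group_dn"], mapping.get("membership_attribute", "member"),
            user_dn, username):
        return True
    return False
```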
Mapping to RADIUS Groups
Step 1
From the administration interface, select Authentication > Sponsor User Groups from the left hand menu as shown in Figure 5-1.
Step 2
Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Step 3
Click the RADIUS Mapping tab to bring up the Edit RADIUS Mapping as shown in Figure 5-10.
Figure 5-10 RADIUS Group Mapping
Step 4
Enter the string you want to match against the Class Attribute that is returned in the RADIUS authentication reply. Use the dropdown to specify if you want to exactly match the string (equals the string) or match a substring (contains the string).
Step 5
Click the Save button.
Assigning Guest Roles
Step 1
From the administration interface, select Authentication > Sponsor User Groups from the left hand menu as shown in Figure 5-1.
Step 2
Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Step 3
Click the Guest Roles tab to bring up the Edit Roles as shown in Figure 5-11.
Figure 5-11 Edit Roles
Step 4
The roles that the sponsor user group has permission to assign are displayed in the Selected Roles list. Move the roles between the Available Roles and Selected Roles lists using the arrow buttons.
Step 5
Click the Save button to assign the permission to create guests in the specified roles to the sponsor user group.
Assigning Time Profiles
Step 1
From the administration interface, select Authentication > Sponsor User Groups from the left hand menu as shown in Figure 5-1.
Step 2
Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Step 3
Click the Time Profiles tab to bring up the Edit Time Profiles as shown in Figure 5-12.
Figure 5-12 Time Profiles
Step 4
The time profiles that the sponsor user group has permission to assign are displayed in the Selected Time Profiles list. Move the time profiles between the Available Time Profiles and Selected Time Profiles lists using the arrow buttons.
Step 5
Click the Save button to assign the permission to create guests in the selected time profiles to the sponsor user group.
Chapter 6
Setting Username Policy
Setting Password Policy
Setting Guest Details Policy
Configuring Guest Roles
Configuring Time Profiles
External Guest Authentication
Setting Username Policy
Step 1
From the administration interface, select Guest Policy > Username Policy as shown in Figure 6-1.
Figure 6-1
Step 2
Choose one of the username policy options for creating the user name for the guest account:
a. Username Policy 1 - Email address as username: Use the guest's email address as the username. If an overlapping account with the same email address exists, a random number is added to the end of the email address to make the username unique. Overlapping accounts are accounts that have the same email address and are valid for an overlapping period of time. With the Create Username With Case option, you can determine the case of the guest username created by the sponsor:
Case entered by sponsor: The username remains in the same case set by the sponsor.
UPPERCASE: The username is forced into uppercase after being set by the sponsor.
lowercase: The username is forced into lowercase after being set by the sponsor.
b. Username Policy 2 - Create username based on first and last names: Create a username based on combining the first name and last name of the guest. You can set a Minimum username length for this username from 1 to 20 characters (default is 10). User names shorter than the minimum length are padded up to the minimum specified length with a random number. With the Create Username With Case option, you can determine the case of the guest username created by the sponsor:
Case entered by sponsor: The username remains in the same case set by the sponsor.
UPPERCASE: The username is forced into uppercase after being set by the sponsor.
lowercase: The username is forced into lowercase after being set by the sponsor.
c. Username Policy 3 - Create random username: Create a username based upon a random mixture of Alphabetic, Numeric or Other characters. Type the characters to include to generate the random characters and the number to use from each set of characters.
Note
The total length of the username is determined by the total number of characters included.
Step 3
When done, click Save to have the username policy take effect.
Setting Password Policy
Step 1
From the administration interface, select Guest Policy > Password Policy as shown in Figure 6-2.
Figure 6-2 Password Policy
In the Alphabetic Characters section, enter the characters to be used in the password and the number to be included. In the Numeric Characters section, enter the numerals to be used in the password and the number to be included. In the Other Characters section, enter the special characters to be used in the password and the number to be included.
Caution
For passwords, use only the following characters for the Other Characters field: !$^&*()-_=+[]{};:@#~,>? Do not use the following characters in the Other Characters field, as they are not supported by the Clean Access Manager API: % < ` ' \ |.
Step 5
Click the Save button to save the settings.
Note
The total length of the password is determined by the total number of characters included. You can choose between 0 and 20 characters per type (alphabetic, numeric, or other).
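The three username policies above and this password policy share one mechanism: draw a chosen number of characters from each configured set, the total length being the sum of the counts. The following is an added example, not Cisco's code, implementing both; the names, character sets, counts and validity periods are constructed, and it draws characters with the secrets module so that generated guest credentials are not predictable.

```python
"""Guest username policies 1 to 3 and the character-set password policy, with
the Caution's restriction on the Other Characters field enforced."""
import secrets
from typing import Iterable, List, Tuple

# Characters the Caution lists as usable in the Other Characters field.
SUPPORTED_OTHER = set("!$^&*()-_=+[]{};:@#~,>?")

Period = Tuple[float, float]   # (valid_from, valid_to) as epoch seconds


def apply_case(username: str, case_option: str) -> str:
    """Create Username With Case: 'UPPERCASE', 'lowercase', or 'sponsor' (as entered)."""
    if case_option == "UPPERCASE":
        return username.upper()
    if case_option == "lowercase":
        return username.lower()
    return username


def periods_overlap(a: Period, b: Period) -> bool:
    """Two validity periods overlap when each starts before the other ends."""
    return a[0] < b[1] and b[0] < a[1]


def username_from_email(email: str, validity: Period,
                        existing: Iterable[Tuple[str, Period]],
                        case_option: str = "sponsor") -> str:
    """Policy 1: the e-mail address, with a random number appended only when an
    existing account has the same e-mail and is valid at an overlapping time."""
    name = apply_case(email, case_option)
    overlapping = any(other.lower() == email.lower() and periods_overlap(validity, p)
                      for other, p in existing)
    if overlapping:
        name += str(secrets.randbelow(10_000))
    return name


def username_from_names(first: str, last: str, minimum_length: int = 10,
                        case_option: str = "sponsor") -> str:
    """Policy 2: first + last name, padded with random digits up to the
    Minimum username length (1 to 20, default 10)."""
    if not 1 <= minimum_length <= 20:
        raise ValueError("Minimum username length must be between 1 and 20")
    name = first + last
    while len(name) < minimum_length:
        name += str(secrets.randbelow(10))
    return apply_case(name, case_option)


def random_from_sets(sets: Iterable[Tuple[str, int]]) -> str:
    """Draw `count` characters from each set and shuffle them; the total
    length is the sum of the counts."""
    chars: List[str] = []
    for alphabet, count in sets:
        if count < 0 or (count and not alphabet):
            raise ValueError("each set needs a non-negative count and, if used, characters")
        chars.extend(secrets.choice(alphabet) for _ in range(count))
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def random_username(alphabetic: str, alpha_count: int, numeric: str, num_count: int,
                    other: str = "", other_count: int = 0) -> str:
    """Policy 3: random mixture of Alphabetic, Numeric and Other characters."""
    return random_from_sets([(alphabetic, alpha_count), (numeric, num_count),
                             (other, other_count)])


def other_characters_supported(other: str) -> bool:
    """True when every configured Other Character is one the Caution allows."""
    return set(other) <= SUPPORTED_OTHER


def guest_password(alphabetic: str, alpha_count: int, numeric: str, num_count: int,
                   other: str, other_count: int) -> str:
    """Password policy: 0 to 20 characters per type; Other Characters must be supported."""
    for count in (alpha_count, num_count, other_count):
        if not 0 <= count <= 20:
            raise ValueError("choose between 0 and 20 characters per type")
    if not other_characters_supported(other):
        raise ValueError("Other Characters contains characters the Clean Access Manager API does not support")
    return random_from_sets([(alphabetic, alpha_count), (numeric, num_count),
                             (other, other_count)])
```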
Setting Guest Details Policy
Step 1
From the administration interface, select Guest Policy > Guest Details as shown in Figure 6-3.
Figure 6-3 Guest Details Policy
Step 2
Required: If a field is set to required, it is displayed on the Create Guest Account page and it is mandatory for the sponsor to complete.
Optional: If a field is set to optional, it is displayed on the Create Guest Account page. However, the sponsor can choose not to complete the field.
Unused: If a field is set to unused, then it is not displayed on the Create Guest Account page and no value is required.
Step 3
Note
There are five Additional Fields that you can use to add any additional information that you require sponsors to fill out when creating guest accounts. These are described on the Guest Details page as Option 1 through Option 5. If you want to use these fields, Cisco recommends customizing the text that is shown to the sponsor by editing the templates as described in User Interface Templates, page 11-1.
Configuring Guest Roles
Step 1
From the administration interface, select Guest Policy > Guest Roles as shown in Figure 6-4.
Figure 6-4 Guest Roles
Step 2
Click the Add Role button to add a new guest role.
Step 3
From the Add Guest Role page as shown in Figure 6-5, enter the name for a new guest role.
Figure 6-5
Step 4
Enter a Role Name and its Description in the fields provided.
Step 5
Click the Add Role button to add the guest role. You can now edit the settings for the new guest role as described in Editing Guest Roles, page 6-6.
Editing Guest Roles
Step 1
From the administration interface, select Guest Policy > Guest Roles from the left hand menu.
Figure 6-6 Edit Guest Roles
Step 2
Select the role you wish to edit and click the underlined name of that role as shown in Figure 6-6 to bring up the NAC Roles edit page. You can edit the following attributes:
Edit NAC Roles
Edit RADIUS Attributes
Edit Locations
Edit Authentication Settings
By default, no Clean Access Managers are selected and the role that is shown is copied from the relevant Cisco NAC Appliance setting. Refer to Chapter 7, Integrating with Cisco NAC Appliance for additional details.
Step 1
From the administration interface, select Guest Policy > Guest Roles and click the underlined name of the role you want to edit.
Step 2
Select NAC Roles from the top of the page.
Figure 6-7 NAC Role
For each Cisco NAC Appliance, check the Enabled box if you want accounts created with this guest role to be provisioned onto that Clean Access Manager. For each Cisco NAC Appliance, enter the role in the Map to NAC Role field that corresponds to the role on the Cisco NAC Appliance in which you want to create the guest account. Click the Save Role button.
From the administration interface, select Guest Policy > Guest Roles and click the underlined name of the role you want to edit. Select RADIUS Attributes from the top of the page as shown in Figure 6-8.
Figure 6-8 RADIUS Attributes
Enter each Attribute and Value pair and click the Add button. If you need to re-order the attributes that are sent, use the Move up and Move down buttons. Click the Save Role button to save the RADIUS Attributes.
Edit Locations
If a guest authenticates with a RADIUS client device such as a Cisco Wireless LAN Controller, you can specify for each role the IP address ranges from which the guest is allowed to authenticate. This enables you to assign roles based upon location, so that guests in a specific role can only log in from the locations you specify.
Step 1
From the administration interface, select Guest Policy > Guest Roles and click the underlined name of the role you want to edit.
Step 2
Click the Locations tab as shown in Figure 6-9.
Figure 6-9 Locations
Step 3
Enter each Network Address and select the appropriate prefix length from the dropdown menu. Only valid Network Addresses will be accepted; host addresses must be specified using a /32 prefix length.
Step 4
Click the Add Location button to add the Network Address.
Note
When you add a role, the location 0.0.0.0/0 is automatically added. This means that the role is valid from any IP address. If you want to restrict to other IP address ranges you must remove this address.
Note
Locations only apply to users authenticating through RADIUS clients such as the Cisco Wireless LAN Controller.
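The Locations check described above, as an added example that is not Cisco NAC Guest Server code: it validates entries the way the Locations tab does (network addresses only, hosts as /32), tests whether a RADIUS client address falls inside a role's locations, and flags the automatically added 0.0.0.0/0 entry. Function names are this example's own.

```python
import ipaddress
from typing import Iterable, List

# Added example, not Cisco NAC Guest Server code: it models the Locations
# check for a single guest role. Names are this example's own.


def parse_location(text: str) -> ipaddress.IPv4Network:
    """Validate one 'Network Address/prefix' entry the way the Locations tab
    requires: only true network addresses are accepted, so a host address such
    as 10.1.2.3 is valid only with a /32 prefix length."""
    try:
        # strict=True rejects addresses with host bits set (e.g. 10.1.2.3/24).
        return ipaddress.IPv4Network(text, strict=True)
    except ValueError as exc:
        raise ValueError(f"invalid location {text!r}: {exc}") from None


def role_allows_client(locations: Iterable[str], client_ip: str) -> bool:
    """True if the RADIUS client (e.g. a Wireless LAN Controller) the guest
    authenticated through lies inside any location configured for the role."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in parse_location(loc) for loc in locations)


def audit_role_locations(locations: Iterable[str]) -> List[str]:
    """Return the findings to review before trusting the role's locations:
    invalid entries, and the automatically added 0.0.0.0/0 that keeps the role
    valid from any IP address until it is removed."""
    findings = []
    for loc in locations:
        try:
            net = parse_location(loc)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if net.prefixlen == 0:
            findings.append(
                f"{loc} still present: role is valid from any address; "
                "remove it if the other locations are meant to restrict access")
    return findings
```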
From the administration interface, select Guest Policy > Guest Roles and click the underlined name of the role you want to edit. Click the Authentication Settings tab as shown in Figure 6-10.
Figure 6-10 Authentication Settings
Step 3
Enter a number for the Maximum Concurrent Connections and a number for the Maximum Failed Authentications that Guests in this Role are allowed to make in the fields provided. Leave the fields blank for an unlimited number of connections and authentications. If you wish to allow the Guest to change the password, check the Allow Password Change checkbox. If you wish to force the Guest to change their password, check the Require Password Change checkbox. Click the Save button to save your changes.
Note
Cisco NAC Guest Server Version 2.0 supports only start/end and from creation profiles when used with Cisco NAC Appliances.
From the administration interface, select Guest Policy > Time Profiles as shown in Figure 6-11.
Figure 6-11 Time Profiles
Step 2
Click the Add Time Profile button to add a new Time Profile.
Step 3
From the Add Time Profile page as shown in Figure 6-12, type the Name and Description of the new time profile.
Figure 6-12
Step 4
From the Timezone dropdown menu, specify the timezone for which any Account Restrictions will apply.
Note
The Timezone function is only available starting from version 2.0.1 and later. In version 2.0.0, the account restrictions are determined by the timezone set on the Date/Time settings in the Server configurations.
Step 5
From the Account Type dropdown menu, you can choose one of the predefined options:
Start End - Allows sponsors to define start and end times for account durations.
From First Login - Allows sponsors to define a length of time for guest access from their first login.
From Creation - Allows sponsors to define a length of time for guest access from the moment of account creation.
Note
The From Creation option is only available starting from version 2.0.1 and later.
Time Used - Allows sponsors to create a time period during which the guest can log in. For example, an account can be valid for 2 hours and usable for any time within 24 hours from first login.
Step 6
Depending on the Account Type selected, enter the duration in the following fields:
Start End - Allows sponsors to define start and end times for account durations; therefore, no duration is necessary.
From First Login - Allows sponsors to define a length of time for guest access from their first login. Duration in days is required.
From Creation - Allows sponsors to define a length of time for guest access from the moment of account creation.
Note
The From Creation option is only available starting from version 2.0.1 and later.
Time Used - Allows sponsors to create a time period during which the guest can log in. For example, an account can be valid for 2 hours and usable for any time within 24 hours from first login. You need to specify how long the sponsor can allocate a guest account for, and the time frame in which it must end.
Click the Save button to save.
Step 7
Once a Time Profile is created, you can implement Account Restrictions in the Restrictions section. Use the dropdown menus to select the days and times you wish to restrict guest access to and from. Once a time criterion is complete, click Add, then create the next restriction.
From the administration interface, select Guest Policy > Time Profiles from the left hand menu.
Figure 6-13 Editing a Time Profile
Step 2
Select the time profile you wish to edit and click the underlined name of that profile as shown in Figure 6-13.
Step 3
From the Edit Time Profile page as shown in Figure 6-14, you can edit the Name and Description of that profile.
Figure 6-14
Step 4
From the Timezone dropdown menu, specify the timezone for which any Account Restrictions will apply.
Note
The Timezone function is only available starting from version 2.0.1 and later. In version 2.0.0, the account restrictions are determined by the timezone set on the Date/Time settings in the Server configurations.
Step 5
From the Account Type dropdown menu, you can choose one of three predefined options:
Start End - Allows sponsors to define start and end times for account durations.
From First Login - Allows sponsors to define a length of time for guest access from their first login.
From Creation - Allows sponsors to define a length of time for guest access from the moment of account creation.
Note
The From Creation option is only available starting from version 2.0.1 and later.
Time Used - Allows sponsors to create a time period during which the guest can log in. For example, an account can be valid for 2 hours and usable for any time within 24 hours from first login.
Step 6
Depending on the Account Type selected, enter the duration in the following fields:
Start End - Allows sponsors to define start and end times for account durations; therefore, no duration is necessary.
From First Login - Allows sponsors to define a length of time for guest access from their first login. Duration in days is required.
From Creation - Allows sponsors to define a length of time for guest access from the moment of account creation.
Note
The From Creation option is only available starting from version 2.0.1 and later.
Time Used - Allows sponsors to create a time period during which the guest can log in. For example, an account can be valid for 2 hours and usable for any time within 24 hours from first login. You need to specify how long the sponsor can allocate a guest account for, and the time frame in which it must end.
Click the Save button to save.
Step 7
Once a Time Profile is created, you can implement Account Restrictions in the Restrictions section. Use the dropdown menus to select the days and times you wish to restrict guest access to and from. Once a time criterion is complete, click Add, then create the next restriction.
From the administration interface, select Guest Policy > Time Profiles from the left hand menu.
Figure 6-15 Deleting a Time Profile
Step 2
From the Time Profiles page as shown in Figure 6-15, choose the profile you wish to delete and click the bin icon.
Step 3
Confirm the deletion when prompted.
Note
Only time profiles that have never been used to create guest accounts can be deleted. The used time profiles cannot be deleted as they are required for audit purposes.
Step 2
Figure 6-16 RADIUS Authentication
Type the Server IP Address for the Primary RADIUS Server. Type the Port that RADIUS authentication is running on for that server (default is 1645 or 1812). Type the shared secret to be used between the RADIUS Server and the NAC Guest Server in the RADIUS Secret field. Confirm the secret to make sure that it is set correctly. Enter details for a Secondary RADIUS Server. These details are used when the NAC Guest Server does not receive a response from the Primary RADIUS Server. These fields are optional. Click Save to save the Administrator RADIUS settings.
From the administration interface, select Authentication > External Guests. Click the RADIUS Mappings tab as shown in Figure 6-17.
Figure 6-17 RADIUS Mapping
Step 3
You can enter a RADIUS mapping in the blank field and by using the dropdown menus that contain pre-defined text. The text within the dropdown menus relates to the time profiles and guest roles that have been previously created by the Administrator on the NAC Guest Server.
External Guest Authentication supports only the From First Login time profile. Once a rule has been created, click the Add Rule button to apply it. You can change the order of the rules by selecting and highlighting rules and then clicking the move up and move down buttons. Click the Change Order button to apply the changes.
Chapter 7 Integrating with Cisco NAC Appliance
Adding Clean Access Manager Entries
Editing Clean Access Manager Entries
Deleting Clean Access Manager Entries
Configuring the CAM for Reporting
Guest users commonly authenticate to networks via a captive portal through which they provide their authentication details using a web browser. Cisco NAC Appliance provides a secure guest user access portal which administrators can customize.
The Cisco NAC Guest Server integrates with the Clean Access Manager through the use of the Cisco NAC Appliance API. This is an HTTPS-based API that requires the Guest Server to communicate with the Cisco NAC Appliance Manager, also known as the Clean Access Manager (CAM). The Cisco NAC Guest Server creates the guest user accounts on the CAM as Local User accounts assigned to a specific role that you define for guest users. Every minute, the Guest Server creates the new accounts that have become valid and removes the accounts that have expired. When accounts are suspended, the Guest Server removes both the accounts from the CAM and the guest users from the network if they are logged in.
The Clean Access Manager can also send accounting information to the Cisco NAC Guest Server via RADIUS accounting. This information is used for reporting and tracking of guests by access time and IP address.
You can add multiple Clean Access Managers to the Cisco NAC Guest Server. When accounts are provisioned they are created on all active Clean Access Managers that are defined.
From the Guest Server administration interface, select Devices > NAC Appliances from the left hand menu as shown in Figure 7-1.
Figure 7-1 Cisco NAC Appliances
Step 2
Click the Add NAC Appliance button.
Step 3
Enter the following settings in the NAC Appliance Details page as shown in Figure 7-2:
Figure 7-2 Add Clean Access Manager
Name - Type a descriptive name for the Clean Access Manager.
Server - Type the DNS name or IP address for the CAM.
Admin Username - Enter an admin username which has Full-Control API permission to the CAM.
Password - Type the password for the account.
Confirm Password - Retype the password to ensure it matches correctly.
Default Role - Type the name of the User Role on the CAM to which you will assign guest users. This should match exactly with the User Role name configured on the CAM, including correct case.
Server Active - Check this checkbox to set the Cisco NAC Guest Server to Active status so that it provisions accounts on the CAM. Leaving this field unchecked disables provisioning by the Guest Server.
Click the Add NAC Appliance button. Click the Test Connection button to ensure that the settings are working correctly. In the Clean Access Manager admin console, navigate to Monitoring > Event Logs and verify that the account nacguest_test was successfully created and then deleted.
Note
Clean Access Managers are automatically added to the Default guest role, and set to provision using the role name specified here. If you do not want the Clean Access Manager to be added to the role, you must manually remove the entry.
From the Guest Server administration interface, select Devices > NAC Appliances from the left hand menu as shown in Figure 7-3.
Figure 7-3 List of Cisco NAC Appliances
Step 2
Click the underlined name of the NAC appliance from the list to edit it.
Step 3
In the NAC Appliance Settings page as shown in Figure 7-4, enter the following settings:
Figure 7-4
Server - Type the DNS name or IP address for the CAM.
Admin Username - Enter an admin username which has API permission to the CAM.
Password - Type the password for the account.
Confirm Password - Retype the password to ensure it matches correctly.
Default Role - Type the name of the User Role on the CAM to which you will assign guest users. This should match exactly with the User Role name configured on the CAM, including correct case.
Server Active - Check this checkbox to set the Cisco NAC Guest Server to Active status so that it provisions accounts on the CAM. Leaving this field unchecked disables provisioning by the Guest Server.
Click the Save Settings button. Click the Test Connection button to ensure that the settings are working correctly. In the Clean Access Manager admin console, navigate to Monitoring > Event Logs and verify that the account nacguest_test was successfully created and then deleted.
From the Guest Server administration interface, select Devices > NAC Appliances from the left hand menu as shown in Figure 7-5.
Figure 7-5 List of Cisco NAC Appliances
Step 2
Select the Cisco NAC Appliance that you want to delete from the list and click the bin icon to the right of the active field. Confirm the deletion when prompted.
Step 3
A further message appears prompting you whether to delete the records of accounts that were created on the NAC Appliance from the NAC Guest Server database. You may need the provisioning records if you are planning to add the NAC Appliance at a later date.
Warning
When deleting a NAC Appliance you need to manually manage any guest accounts created on the Clean Access Manager.
Note
For detailed instructions on how to access and configure settings on the CAM, refer to the applicable Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide.
Log into the CAM web console as an admin user with an appropriate password (default username/password is admin/cisco123).
Note
Any CAM admin user with Edit privileges can perform this configuration.
Step 2
Navigate to User Management > Auth Servers > Accounting > Server Config.
Figure 7-6
Step 3
Click the checkbox for Enable RADIUS Accounting and configure the following fields:
Server Name - Type the IP address of the Cisco NAC Guest Server.
Server Port - Type 1813 as the port.
Timeout (sec) - Type a timeout value; 10 seconds is typically sufficient.
Shared Secret - Type the shared secret used with the Cisco NAC Guest Server. This must match the shared secret configured on the Guest Server when adding the CAM as a RADIUS client to the Guest Server, as described in Adding RADIUS Clients, page 8-2. Make sure both shared secrets are the same.
NAS-IP-Address - Type the address of the CAM itself as the NAS-IP-Address.
Step 4
Note
Refer to the RADIUS Accounting section of the applicable Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide for additional details.
Step 1
Log into the CAM admin console, and navigate to User Management > Auth Servers > Accounting > Shared Events as shown in Figure 7-7.
Figure 7-7 Shared Events
Step 2
On the Shared Events page, click the Edit button to the right of the User_Name attributes entry.
Step 3
In the Edit User_Name attribute page as shown in Figure 7-8, click the Reset Element button to remove the existing sample data format.
Figure 7-8 Edit User Name Attribute
Select User Name from the Add Data dropdown menu. Click the Add Data button. Click the Commit Changes button. The main Shared Events lists page reappears as shown in Figure 7-9. Verify that the Data column lists [User_Name].
Figure 7-9
Step 8
Click the New Entry... link to the right of the page as shown in Figure 7-9 to add additional attributes.
Figure 7-10 Add Calling Station Id Attribute
In the New Shared Events attribute form as shown in Figure 7-10, select Calling_Station_Id from the Send RADIUS Attributes dropdown menu. Click the Change Attribute button. Select User IP from the Add Data dropdown menu. Click the Add Data button. Click Commit Changes. Click the New Entry link to the right of the page as shown in Figure 7-9 to add additional attributes as shown in Figure 7-11.
Figure 7-11 Additional Attributes
In the New Shared Events attribute form as shown in Figure 7-11, select Acct_Session_Id from the Send RADIUS Attributes dropdown menu. Click the Change Attribute button. Select User Key from the Add Data dropdown menu. Click the Add Data button. Select Login Time from the Add Data dropdown menu. Click the Add Data button. Click Commit Changes.
Note
Remember to add the CAM as a RADIUS client using the instructions in Chapter 8, Configuring RADIUS Clients.
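The accounting exchange this section configures, as an added example that is not Cisco code: it encodes a minimal RADIUS Accounting-Request (RFC 2866) carrying the User-Name, Calling-Station-Id and Acct-Session-Id attributes the Shared Events settings above make the CAM send, verifies the Request Authenticator with the shared secret so a CAM/Guest Server secret mismatch is detected, and decodes the attributes. All sample values are constructed.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Added example, not Cisco code: a minimal RFC 2866 Accounting-Request encoder,
# authenticator check and attribute decoder. Sample values are constructed.

ACCOUNTING_REQUEST = 4
ATTR = {"User-Name": 1, "NAS-IP-Address": 4, "Calling-Station-Id": 31,
        "Acct-Status-Type": 40, "Acct-Session-Id": 44}
ATTR_NAMES = {v: k for k, v in ATTR.items()}
ACCT_START = 1


def _tlv(atype: int, value: bytes) -> bytes:
    """One attribute: Type, Length (including the 2 header octets), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 octets")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_accounting_request(identifier: int, secret: bytes, nas_ip: str,
                             username: str, user_ip: str, session_id: str) -> bytes:
    """Accounting-Request Start as the CAM would send it after the Shared Events
    configuration: User_Name, Calling_Station_Id carrying the user IP, and
    Acct_Session_Id carrying the CAM's session identifier."""
    attrs = (_tlv(ATTR["Acct-Status-Type"], struct.pack("!I", ACCT_START))
             + _tlv(ATTR["NAS-IP-Address"], IPv4Address(nas_ip).packed)
             + _tlv(ATTR["User-Name"], username.encode())
             + _tlv(ATTR["Calling-Station-Id"], user_ip.encode())
             + _tlv(ATTR["Acct-Session-Id"], session_id.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # RFC 2866 Request Authenticator: MD5 over the packet with the 16-octet
    # authenticator field zeroed, followed by the shared secret.
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def verify_request_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if the sender used the same shared secret and the packet is
    intact; RFC 2866 requires packets failing this check to be discarded."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> dict:
    """Decode the attributes the Guest Server uses to tie a session to a guest."""
    out, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        name = ATTR_NAMES.get(atype, f"Attr-{atype}")
        if atype == ATTR["Acct-Status-Type"]:
            out[name] = struct.unpack("!I", value)[0]
        elif atype == ATTR["NAS-IP-Address"]:
            out[name] = str(IPv4Address(value))
        else:
            out[name] = value.decode("utf-8", "replace")
        pos += alen
    return out
```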
Chapter 8 Configuring RADIUS Clients
Overview
Adding RADIUS Clients
Editing RADIUS Clients
Deleting RADIUS Clients
Overview
Remote Authentication Dial In User Service (RADIUS) is an AAA (authentication, authorization and accounting) protocol. Cisco NAC Guest Server uses the RADIUS protocol to authenticate and audit guests who log in through RADIUS-capable network enforcement devices, such as Cisco Wireless LAN Controllers.
Although the Cisco NAC Appliance uses its own API and a different method for creating accounts and authenticating users, as described in Chapter 7, Integrating with Cisco NAC Appliance, it still uses RADIUS Accounting to record user activity and therefore still needs to be configured as a RADIUS client.
When a guest authenticates against a RADIUS client, such as the Wireless LAN Controller, the RADIUS client uses RADIUS authentication to check with the Cisco NAC Guest Server whether the user authentication is valid. If the guest authentication is valid, the Cisco NAC Guest Server returns a message stating that the user is valid and the duration of time remaining before the user session expires. The RADIUS client must honor the session-timeout attribute to remove the guest when the guest account time expires.
Note
The Cisco Wireless LAN Controller needs to be specifically configured to Allow AAA Override. This enables it to honor the session-timeout attribute returned to it by the Cisco NAC Guest Server.
In addition to authentication, the RADIUS client device reports details to the Cisco NAC Guest Server, such as the time the session started, the time the session ended, the user IP address, and so on. This information is transported over the RADIUS Accounting protocol.
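An added example (not Cisco NAC Guest Server code) tying the Time Profile account types and timezone-scoped Account Restrictions from Chapter 6 to the session-timeout described here: it computes the validity window for each account type and derives the remaining seconds a RADIUS reply would carry as Session-Timeout, returning 0 when access must be rejected. Class and field names are this example's own, and a restriction is taken to be a window in which access is denied.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import List, Optional, Tuple

# Added example, not Cisco NAC Guest Server code. Models the four Time Profile
# account types plus Account Restrictions evaluated in the profile timezone, and
# derives the Session-Timeout the RADIUS client must honor. Names are this
# example's own; a restriction here denies access during its window.


@dataclass
class Restriction:
    weekdays: frozenset        # 0 = Monday ... 6 = Sunday, in the profile timezone
    start: time
    end: time


@dataclass
class TimeProfile:
    account_type: str          # "start_end", "from_first_login", "from_creation", "time_used"
    tz: tzinfo                 # timezone in which the Account Restrictions apply
    restrictions: List[Restriction] = field(default_factory=list)


@dataclass
class GuestAccount:
    profile: TimeProfile
    created: datetime                       # timezone-aware
    start: Optional[datetime] = None        # start_end: sponsor-chosen start
    end: Optional[datetime] = None          # start_end: sponsor-chosen end
    duration: Optional[timedelta] = None    # other types: allocated length of access
    window: Optional[timedelta] = None      # time_used: frame after first login in which it must end
    first_login: Optional[datetime] = None  # None until the guest first logs in
    used: timedelta = timedelta(0)          # time_used: connected time consumed so far


def validity_window(acct: GuestAccount, now: datetime) -> Tuple[datetime, datetime]:
    """(valid_from, valid_to) for the account as of `now`. For the login-anchored
    types a guest who has never logged in is treated as logging in now."""
    kind = acct.profile.account_type
    if kind == "start_end":
        return acct.start, acct.end
    if kind == "from_creation":
        return acct.created, acct.created + acct.duration
    anchor = acct.first_login or now
    if kind == "from_first_login":
        return anchor, anchor + acct.duration
    if kind == "time_used":
        # e.g. 2 hours of use, anywhere within 24 hours of first login:
        # whichever limit is reached first ends the account.
        hard_end = anchor + acct.window
        soft_end = now + (acct.duration - acct.used)
        return anchor, min(hard_end, soft_end)
    raise ValueError(f"unknown account type {kind!r}")


def restricted_now(profile: TimeProfile, now: datetime) -> bool:
    """Evaluate Account Restrictions in the profile's timezone, not the server's."""
    local = now.astimezone(profile.tz)
    return any(local.weekday() in r.weekdays and r.start <= local.time() < r.end
               for r in profile.restrictions)


def session_timeout(acct: GuestAccount, now: datetime) -> int:
    """Seconds of access to grant (Session-Timeout); 0 means reject the request."""
    if restricted_now(acct.profile, now):
        return 0
    valid_from, valid_to = validity_window(acct, now)
    if now < valid_from or now >= valid_to:
        return 0
    return int((valid_to - now).total_seconds())


def nac_appliance_compatible(profile: TimeProfile) -> bool:
    """Version 2.0 supports only Start End and From Creation with NAC Appliances."""
    return profile.account_type in ("start_end", "from_creation")
```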
Tip
If there is a Firewall between the Cisco NAC Guest Server and the RADIUS client, you need to allow traffic from UDP Port 1812 or 1645 (RADIUS authentication) and UDP Port 1813 or 1646 (RADIUS accounting) to pass.
Note
Every time you make a change to a RADIUS component on the Cisco NAC Guest Server, you need to Restart the RADIUS service for the changes to become active.
Note
The Debug button under Devices > RADIUS Clients turns the RADIUS server on in debugging mode. This enables detailed debug information to be viewed under Server > System Logs > Support Logs. See Support Logs, page 15-8 for additional details.
From the administration interface, select Devices > RADIUS Clients from the left hand menu. In the RADIUS Clients page as shown in Figure 8-1, click the Add RADIUS Client button to add a RADIUS client.
Figure 8-1 RADIUS Clients
Step 3
In the Add RADIUS Client page as shown in Figure 8-2, type a descriptive Name for the RADIUS client.
Figure 8-2
Type the IP Address of the RADIUS client. This needs to match the IP address from which the RADIUS request is originated. Type a shared Secret for the RADIUS client. This must match the shared secret specified in the configuration of the RADIUS client. Retype the shared secret in the Confirm field. Type a Description of the client and any other information needed. If you want the RADIUS client to send any additional attributes upon successful authentication, enter the attribute name and value in the Attribute and Value fields and click the Add button. You can enter as many attributes as you need.
If you want to remove an attribute, select the attribute from the table and click the Remove button. Use the Move up and Move down buttons to change the order of the RADIUS attributes as they are sent in the RADIUS Accept Message.
Upon completion, click the Add RADIUS Client button. From the administration interface, select Devices > RADIUS Clients as shown in Figure 8-1. Click the Restart button to restart the RADIUS service to make the changes take effect.
From the administration interface, select Devices > RADIUS Clients from the left hand menu. In the RADIUS Clients page as shown in Figure 8-3, select the RADIUS client from the list you wish to edit and click the underlined name of that client.
Figure 8-3
Step 3
In the Edit RADIUS Client page as shown in Figure 8-4, edit the IP Address of the RADIUS client.
Figure 8-4 Edit RADIUS Client
Edit the shared secret used between the client and the Cisco NAC Guest Server in the Secret and Confirm fields. Make any desired changes to the Description. If you want the NAC Guest Server to send any additional RADIUS attributes upon successful authentication to the RADIUS Client, enter the attribute name and value in the Attribute and Value fields and click the Add button. You can enter as many attributes as you need. If you want to remove an attribute, select the attribute from the table and click the Remove button.
Click Save Settings. From the administration interface, select Devices > RADIUS Clients from the left hand menu as shown in Figure 8-1. Click the Restart button to restart the RADIUS service to make the changes take effect.
From the administration interface, select Devices > RADIUS Clients from the left hand menu.
Figure 8-5 List RADIUS Clients
In the RADIUS Clients page as shown in Figure 8-5, click the underlined name of the RADIUS client in the list to edit it. Click the bin icon to the right of the entry to delete it, and confirm the action. From the administration interface, select Devices > RADIUS Clients as shown in Figure 8-1 from the left hand menu. Click the Restart button to restart the RADIUS service to make the changes take effect.
Note
Every time you make a change to a RADIUS component, you need to restart the RADIUS service for the changes to become active.
Chapter 9
Note
Guest Activity Logging relies on correlating the syslog information with the IP Address received from RADIUS accounting. This means that it will not work if you use a deployment method where the guest's IP address changes after authentication and no additional RADIUS accounting messages are sent.
Once the Cisco NAC Guest Server has the IP Address of each of the guests, it needs to receive syslog information from the network devices. You should configure each of your network devices to send syslog to UDP port 514 on the Guest Server. The Guest Server then processes the syslog information and correlates it against each guest. This correlation enables you to view the guest's activity on the guest activity log details page for each guest as described in Reporting on Guest Users, page 17-19.
Guest Activity is correlated into individual files that are stored on the disk of the appliance. The appliance can store log files until less than 30% disk space remains; it then either deletes the oldest log files or archives the log files to an external FTP server as described in Configuring Syslog Monitoring Settings, page 9-1.
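The correlation step described above, as an added example that is not Guest Server code: syslog lines are attributed to guests through the IP address and session times learned from RADIUS accounting, and a line whose source IP no accounting session explains (for instance a guest whose address changed after authentication with no further accounting message) is left unattributed. The syslog format, the sessions and the lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Added example, not Guest Server code: joins syslog lines to guests using the
# IP address and session times learned from RADIUS accounting. The syslog
# format, sessions and sample lines below are constructed.


@dataclass
class Session:
    username: str
    ip: str
    start: datetime
    stop: Optional[datetime] = None       # None while the guest is still logged in


# Constructed sessions as they would be learned from Accounting Start/Stop messages.
SESSIONS = [
    Session("guest1", "198.51.100.23", datetime(2009, 6, 1, 12, 0, tzinfo=timezone.utc)),
    Session("guest2", "198.51.100.40", datetime(2009, 6, 1, 11, 0, tzinfo=timezone.utc),
            datetime(2009, 6, 1, 11, 30, tzinfo=timezone.utc)),
]

# Constructed syslog lines: ISO timestamp, reporting host, message with a src= field.
SAMPLE_LINES = [
    "2009-06-01T12:00:05+00:00 fw1 TCP allowed src=198.51.100.23 dst=203.0.113.5 dport=443",
    "2009-06-01T11:10:00+00:00 fw1 TCP allowed src=198.51.100.40 dst=203.0.113.9 dport=80",
    "2009-06-01T12:05:00+00:00 fw1 TCP allowed src=198.51.100.40 dst=203.0.113.9 dport=80",
    "2009-06-01T12:06:00+00:00 fw1 TCP allowed src=198.51.100.77 dst=203.0.113.5 dport=443",
    "2009-06-01T12:07:00+00:00 fw1 link state change on eth1",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) .*?\bsrc=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_syslog_line(line: str) -> Optional[Tuple[datetime, str]]:
    """Extract (timestamp, source IP); None when the line carries no source IP."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
    return ts, m["src"]


def owner_of(sessions: List[Session], ip: str, ts: datetime) -> Optional[str]:
    """The guest holding `ip` at time `ts` according to accounting, if any."""
    for s in sessions:
        if s.ip == ip and s.start <= ts and (s.stop is None or ts < s.stop):
            return s.username
    return None


def correlate(sessions: List[Session],
              lines: List[str]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split lines into per-guest activity and lines no accounting session explains.
    Line 3 falls after guest2's Stop, line 4 is an IP accounting never reported
    (the IP-change failure mode), and line 5 has no source IP at all."""
    per_guest: Dict[str, List[str]] = {}
    unattributed: List[str] = []
    for line in lines:
        parsed = parse_syslog_line(line)
        user = owner_of(sessions, parsed[1], parsed[0]) if parsed else None
        if user is None:
            unattributed.append(line)
        else:
            per_guest.setdefault(user, []).append(line)
    return per_guest, unattributed
```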
From the administration interface, select Devices > Syslog Monitoring from the left hand menu as shown in Figure 9-1.
Figure 9-1 Syslog Monitoring
If you want to configure the NAC Guest Server to archive guest logs, check the Archive to FTP Server checkbox.
In the Server field, enter the name or IP address of the FTP server.
Enter the Port of the FTP server.
Specify the Directory on the FTP server where you want the archive files to be stored.
Enter the Username and Password for an account that has the ability to log in to the FTP server and has write permissions to the directory specified.
By default, the FTP mode used is Active FTP. If you want to use Passive mode, check the Passive Mode checkbox.
Chapter 10
Manually reading the details to the guest from the screen.
Printing the details out on paper.
Sending the details in an email.
Sending the details as an SMS text message.
Sponsors always have the option of reading and printing out guest account details to guests. Email and SMS text message notification require email servers to be configured, but can be configured based upon policy.
Note
Email and SMS guest account notification policies need to be configured globally, then enabled per user group for individual sponsor permissions. This chapter describes the following:
Note
Emails sent from Cisco NAC Guest Server v2.0.2 and later are encoded with the quoted-printable mime type.
Step 1
From the administration interface, select Devices > Email Settings from the left hand menu.
Figure 10-1 Email Settings
Step 2
In the Email Settings page as shown in Figure 10-1, check the Enable Email option to enable email functionality globally for the Cisco NAC Guest Server.
Step 3
For SMTP Server, type the IP address of the outbound SMTP server to which you need to deliver email. If you enter localhost, or leave this field empty, the Cisco NAC Guest Server attempts to deliver the email directly to the guest's SMTP server.
Step 4
In the Sent From field, type the email address from which you want guest notification emails to be sent (for example, host@company.com).
Step 5
Click the Save Settings button.
Note
Refer to Editing the Email Template, page 11-7 for additional details.
From the administration interface, select Devices > SMS Settings from the left hand menu.
Figure 10-2 SMS Settings
In the SMS Settings page as shown in Figure 10-2, check the Enable SMS checkbox to globally enable SMS on the Cisco NAC Guest Server. SMS requires an SMTP server to deliver the email to the SMS gateway. Go to Devices > Email Settings to configure the SMTP Server as described in Configuring Email Notification, page 10-2. In the Sent From field, type the sending email address for the email to be sent to the SMS gateway. Click Save.
Note
Depending on how details are routed to the SMS provider, you need to customize the SMS portion of the User Interface template to include the guest's mobile phone number in the correct format for your SMS gateway. See Editing the SMS Template, page 11-8 for details.
Print Notification
Print notification is configured as described in Editing the Print Template, page 11-5.
Chapter 11 User Interface Templates
User Interface Templates
Adding a User Interface Template
Editing a User Interface Template
Deleting a Template
Setting the Default Interface Mapping
Setting User Default Redirection
Change the labels for the sponsor interface.
Provide different instructions for guest users.
Change the default Acceptable Use Policy.
Create a translated template to provide the sponsor interface and guest instructions in another language altogether.
Cisco NAC Guest Server provides a default template (in English) that can be used as is without any further modification. If you want to change the default presentation for sponsors and guests, you can add one or multiple templates that you can store separately on the Guest Server and modify as desired. Typically, you create a customized template when you need to modify the account details and instructions that are provided to the guest, such as the Acceptable Usage Policy. Cisco NAC Guest Server provides Print, Email, and SMS templates that allow you to customize the information that is printed, emailed, or text messaged to guests. If you are customizing the interface for another language, create a new template for the language and edit all pages with the translated text. Once your user interface template is configured, you need to set the default template mapping so that the Guest Server starts using the correct template. Once a sponsor has authenticated, the sponsor can choose a different template to use and save it under My Settings > Preferences > Language Template in the sponsor interface. This enables each sponsor to have the application displayed in a different template or language.
Note
You can set the default user interface template globally for the Cisco NAC Guest Server sponsor and guest interfaces under User Interfaces > User Defaults.
Tip
When customizing, it is a good idea to open the sponsor interface in a second browser for reference. This allows you to view how the configuration tabs map to the actual sponsor interface pages. You can bring up the sponsor interface by entering the Guest Server IP address without the /admin as the URL, for example, http://<guest_server_ip_address> or https://<guest_server_ip_address>. The sponsor must logout and login again to view the changes.
From the administration interface, select User Interfaces > Templates from the left hand menu. On the User Interface Templates page as shown in Figure 11-1, click the Add Template button.
Figure 11-1 User Interface Templates
Step 3
In the Add New Template page as shown in Figure 11-2, type a Template Name. This can be any descriptive text to identify the template later from the User Interface Templates list as shown in Figure 11-1.
Figure 11-2
Step 4
Click the Add Template button. The Edit User Interface Template page for the new template is displayed, initially, with all details copied from the default template. If you only need to make small changes, this allows you not to have to retype all the entries.
Step 5
Modify these settings as desired, as described in Editing a User Interface Template, page 11-3.
Tip
When customizing, it is a good idea to open the sponsor interface in a second browser for reference. This allows you to view how the configuration tabs map to the actual sponsor interface pages. You can bring up the sponsor interface by entering the Guest Server IP address without the /admin as the URL, for example, http://<guest_server_ip_address> or https://<guest_server_ip_address>. The sponsor must logout and login again to view the changes.
Step 1
From the administration interface, select User Interfaces > Templates from the left hand menu.
Figure 11-3
Step 2
From the User Interface Templates list as shown in Figure 11-3, click the underlined name of the template you wish to edit.
Step 3
The Edit Home Page for the template is displayed as shown in Figure 11-4.
Figure 11-4 Edit Template
Step 4
Click the menu tabs at the top of the page to select any of the sponsor page settings that you want to edit.
Step 5
Make any changes to the fields and click the Save Template button. Some example edits are described in the following sections:
Editing the Print Template, page 11-5
Editing the Email Template, page 11-7
Editing the SMS Template, page 11-8
Using Time Profiles, page 11-10
Note
The Upload Logo feature allows you to upload an image with a maximum height of 75 pixels and a maximum width of 150 pixels. The image can be in .png, .jpg, or .gif format.
Tip
Navigating to Account Management > Manage Accounts on the sponsor interface and clicking the Print button next to the guest account entry brings up the output of the Print Template for printing.
Step 1
Go to User Interfaces > Templates and click the underlined name of the template you wish to edit in the Templates list.
Step 2
Under Edit Home Page, click the Notification tab to bring up the Edit Notification Page as shown in Figure 11-5.
Step 3
From the Select Template for dropdown menu, choose Print Template and click the Show button.
Figure 11-5
Step 4
In the Page Body text field, edit the default HTML code for the web page. The Page Body contains all the HTML code that appears between the BODY tags of an HTML page; all HTML code outside these tags is supplied by the application. In the HTML code you can use the following special variables, which are replaced with the details from the created guest account:
%USERNAME% = The Username created for the guest.
%PASSWORD% = The Password created for the guest.
%STARTTIME% = The time from which the guest account will be valid.
%ENDTIME% = The time at which the guest account will expire.
%FIRSTNAME% = The first name of the guest.
%LASTNAME% = The last name of the guest.
%TIMEZONE% = The timezone of the user.
%MOBILENUMBER% = The mobile number of the guest.
%OPTION1% = Optional field for editing.
%OPTION2% = Optional field for editing.
%OPTION3% = Optional field for editing.
%OPTION4% = Optional field for editing.
%OPTION5% = Optional field for editing.
%MOBILENUMBER_ONLY% = Mobile phone number of the guest without the country code prepended.
%COUNTRYCODE% = Country code of the mobile phone number.
%DURATION% = Duration of time for which the account will be valid.
%ALLOWEDWINDOW% = The time window during which the account can be used after first login.
%TIMEPROFILE% = The name of the time profile assigned.
Tip
Navigating to Account Management > Manage Accounts on the sponsor interface and clicking the Email button next to the guest account entry brings up the output of the Email Template and also emails the guest.
Step 1
Go to User Interfaces > Templates and click the underlined name of the template you wish to edit in the Templates list.
Step 2
Under Edit Home Page, click the Notification tab to bring up the Edit Notification Page as shown in Figure 11-6.
Step 3
From the Select Template for dropdown menu, choose Email Template and click the Show button.
Figure 11-6 Edit Notification Page: Email Template
Step 4
Change the Email Subject as desired.
Step 5
In the Email Body text field, edit the default email text to be sent to the guest. In the Email Body you can use the following special variables, which are replaced with the details from the created guest account:
%USERNAME% = The Username created for the guest.
%PASSWORD% = The Password created for the guest.
%STARTTIME% = The time from which the guest account will be valid.
%ENDTIME% = The time at which the guest account will expire.
%FIRSTNAME% = The first name of the guest.
%LASTNAME% = The last name of the guest.
%TIMEZONE% = The timezone of the user.
%MOBILENUMBER% = The mobile number of the guest.
%OPTION1% = Optional field for editing.
%OPTION2% = Optional field for editing.
%OPTION3% = Optional field for editing.
%OPTION4% = Optional field for editing.
%OPTION5% = Optional field for editing.
%MOBILENUMBER_ONLY% = Mobile phone number of the guest without the country code prepended.
%COUNTRYCODE% = Country code of the mobile phone number.
%DURATION% = Duration of time for which the account will be valid.
%ALLOWEDWINDOW% = The time window during which the account can be used after first login.
%TIMEPROFILE% = The name of the time profile assigned.
Tip
Navigating to Account Management > Manage Accounts on the sponsor interface and clicking the SMS button next to the guest account entry brings up the output of the SMS Template and also text messages the guest.
Step 1
Go to User Interfaces > Templates and click the underlined name of the template you wish to edit in the Templates list.
Step 2
Under Edit Home Page, click the Notification tab to bring up the Edit Notification Page as shown in Figure 11-7.
Step 3
From the Select Template for dropdown menu, choose SMS Template and click the Show button.
Figure 11-7
Step 4
Change the SMS Subject as desired.
Step 5
Change the SMS Destination to be the email address of the SMS gateway that you use. To send the text message to the mobile phone number of the guest, use the variable %MOBILENUMBER%. The %MOBILENUMBER% variable is replaced by the mobile phone number of the guest, including the country code, as entered by the sponsor. For example, if the country code selected is the UK (+44) and the guest's phone number is 055 555-5555, then %MOBILENUMBER% will contain 44555555555.
Note
The initial plus symbol (+) is not inserted and the initial 0, any spaces, or hyphens (-) are removed from the phone number. If you need (+) to be inserted, then enter +%MOBILENUMBER%.
Step 6
The SMS Body contains the SMS text to be sent to the guest. In the SMS Body you can use the following special variables, which are replaced with the details from the created guest account:
%USERNAME% = The Username created for the guest.
%PASSWORD% = The Password created for the guest.
%STARTTIME% = The time from which the guest account will be valid.
%ENDTIME% = The time at which the guest account will expire.
%FIRSTNAME% = The first name of the guest.
%LASTNAME% = The last name of the guest.
%TIMEZONE% = The timezone of the user.
%MOBILENUMBER% = The mobile number of the guest.
%OPTION1% = Optional field for editing.
%OPTION2% = Optional field for editing.
%OPTION3% = Optional field for editing.
%OPTION4% = Optional field for editing.
%OPTION5% = Optional field for editing.
%MOBILENUMBER_ONLY% = Mobile phone number of the guest without the country code prepended.
%COUNTRYCODE% = Country code of the mobile phone number.
%DURATION% = Duration of time for which the account will be valid.
%ALLOWEDWINDOW% = The time window during which the account can be used after first login.
%TIMEPROFILE% = The name of the time profile assigned.
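The following is an added example, not Cisco's code: it models how the Print, Email and SMS notification templates fill their %VARIABLE% placeholders from a guest account, including the %MOBILENUMBER% normalisation the SMS Destination note describes (leading 0, spaces and hyphens removed, no + inserted). The account field names, the gateway domain and the HTML escaping applied when a value lands in the Print Template's HTML body are assumptions made for this illustration.

```javascript
// Added example, not Cisco's code: models the %VARIABLE% substitution used by
// the Print, Email and SMS templates. Account field names are assumptions.

// Normalise a mobile number as the SMS section describes: no "+" is inserted,
// and the leading 0, spaces and hyphens are removed before the country code
// is prepended. "+44" / "055 555-5555" therefore becomes "44555555555".
function normalizeMobile(countryCode, localNumber) {
  const digits = String(localNumber)
    .replace(/[\s-]/g, "") // drop spaces and hyphens
    .replace(/^\+/, "")    // drop a leading +
    .replace(/^0/, "");    // drop the leading (trunk) 0
  const cc = String(countryCode).replace(/^\+/, "");
  return { countryCode: cc, mobileOnly: digits, mobile: cc + digits };
}

// Build the variable map listed in the chapter from an account object.
function templateVariables(account) {
  const phone = normalizeMobile(account.countryCode, account.mobileNumber);
  return {
    USERNAME: account.username,
    PASSWORD: account.password,
    STARTTIME: account.startTime,
    ENDTIME: account.endTime,
    FIRSTNAME: account.firstName,
    LASTNAME: account.lastName,
    TIMEZONE: account.timezone,
    MOBILENUMBER: phone.mobile,
    MOBILENUMBER_ONLY: phone.mobileOnly,
    COUNTRYCODE: phone.countryCode,
    OPTION1: account.option1, OPTION2: account.option2, OPTION3: account.option3,
    OPTION4: account.option4, OPTION5: account.option5,
    DURATION: account.duration,
    ALLOWEDWINDOW: account.allowedWindow,
    TIMEPROFILE: account.timeProfile,
  };
}

// Minimal HTML escaping for values rendered into the Print Template's HTML
// body, so a guest name containing markup is shown as text, not interpreted.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Replace every %KEY% present in the variable map. Unknown placeholders are
// left untouched so a typo such as %USRNAME% stays visible in the output.
function renderTemplate(body, vars, { html = false } = {}) {
  return body.replace(/%([A-Z0-9_]+)%/g, (match, key) => {
    if (!Object.prototype.hasOwnProperty.call(vars, key)) return match;
    const value = vars[key] == null ? "" : String(vars[key]);
    return html ? escapeHtml(value) : value;
  });
}

// Constructed sample account (not real data), using the chapter's UK example.
const SAMPLE_ACCOUNT = {
  username: "guest4821", password: "Tq7!pLm2", firstName: "Ada", lastName: "<Lovelace>",
  startTime: "2024-01-01 09:00", endTime: "2024-01-01 17:00", timezone: "Europe/London",
  countryCode: "+44", mobileNumber: "055 555-5555", duration: "8 hours",
  allowedWindow: "8 hours", timeProfile: "One Day",
  option1: "", option2: "", option3: "", option4: "", option5: "",
};

// SMS Destination written the way the Note suggests when the gateway needs a "+".
function smsDestination(account, gatewayDomain) {
  return renderTemplate("+%MOBILENUMBER%@" + gatewayDomain, templateVariables(account));
}

// Print Template body: HTML context, so guest-entered values are escaped.
function printBody(account) {
  return renderTemplate(
    "<p>Welcome %FIRSTNAME% %LASTNAME%, your username is %USERNAME%</p>",
    templateVariables(account), { html: true });
}
```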
Step 1
Go to User Interfaces > Templates and click the underlined name of the template you wish to edit in the Templates list.
Step 2
Under Edit Home Page, click the Accounts tab to bring up the Edit Accounts Page as shown in Figure 11-7.
Step 3
From the Select Template for dropdown menu, choose Time Profiles and click the Show button as shown in Figure 11-8.
Figure 11-8 Edit Accounts Page: Time Profiles
Step 4
The Time Profiles you previously created are displayed. Enter the text for each template that you wish the sponsor to use.
Deleting a Template
Step 1
From the administration interface, select User Interfaces > Templates from the left hand menu.
Step 2
Select the template you want to delete from the User Interface Templates list and click the bin icon to the right of the template name field.
Step 3
Confirm deletion of the template.
Step 1
From the administration interface, select User Interfaces > User Defaults to bring up the User Defaults page as shown in Figure 11-9.
Figure 11-9 Default User Interface Mapping
Step 2
Select the template from the Template dropdown menu under Default Interface Mapping. This becomes the template used for the sponsor and guest user interfaces.
Step 3
Click the Save Settings button.
Sponsors can change these settings from their User Settings page once they are logged in. However, to make it easy for first time users of the application, you can choose to direct sponsors to their preference page on their first login to the system.
Step 1
From the administration interface, select User Interfaces > User Defaults from the left hand menu to bring up the User Defaults page as shown in Figure 11-10.
Figure 11-10 User Settings Page Redirection
Step 2
Check the Go to User Settings Page on first login checkbox under Settings if you want sponsors to be redirected to the User Settings pages upon their first login to the system. If not, make sure to leave this option unchecked.
Step 3
Click the Save Settings button.
Chapter 12
Configuring Hotspots
Hotspots on the Cisco NAC Guest Server let administrators create their own portal pages and host them on the Cisco NAC Guest Server. Hotspots created by administrators can be fully customized and used as the captive portal to provide the following:
Customized authentication pages: Allow guest portal pages to be located on the Guest Server instead of on each captive portal device, providing a centralized location for configuration and display.
Guest Self Service: Allows guests to self register by entering their details to create their own guest accounts.
Credit Card Billing support: Enables administrators to allow guests to purchase guest accounts by linking into payment gateways.
This chapter covers:
Configuring Hotspot Sites
Configuring Payment Providers
Creating Hotspot Web Pages
Step 1
From the administration interface, select Hotspot > Sites from the menu as shown in Figure 12-1.
Figure 12-1 Hotspot Sites
Step 2
Click the Add Site button and the Add New Site page is displayed as shown in Figure 12-2.
Figure 12-2 Add New Site
Step 3
In the Add New Site Page, enter the Site Name and the Site Description into the fields provided and click the Create Site button.
Step 4
You are directed to the Files tab as shown in Figure 12-3. You can upload or download your files into the site you have created.
Figure 12-3
Step 5
You can find the location of the site on the Cisco NAC Guest Server in the Files tab. You must manually upload all your files to this directory on the Guest Server. To upload the files, use an SCP or SFTP client and connect to the Guest Server with the root user account. Place all the web pages into the directory as specified.
Note
If you have replication between two NAC Guest Servers, then the site files are not automatically replicated. You need to SFTP the files to both boxes.
Step 6
Once you have completed the above steps, click the Settings tab as shown in Figure 12-4.
Figure 12-4 Sites Settings
Step 7
From the Operation mode dropdown menu, you can select one of the following methods of operation:
Payment Provider: This option allows your page to integrate with a payment provider's billing system. You need to select a predefined Payment Provider from the dropdown. (Refer to Configuring Payment Providers, page 12-6 for details.) Select the relevant payment provider and proceed to Step 8.
Self Service: This option allows guest self service. After selection, proceed to Step 8.
Authentication: This option allows RADIUS authentication for guests. Proceed to Step 9.
Step 8
In the General Settings section, check or uncheck the boxes to determine whether to allow the following:
Auto Login: Logs in to the account after the account is created.
Display account details: Displays the account details after the account is created.
Send account details by SMS: Sends the account details by SMS.
Send account details by e-mail: Sends the account details by e-mail.
Leaving the boxes unchecked does not allow any of the above options.
Step 9
Click the Save Settings button once completed.
Step 10
If you have selected Payment Provider or Self Service in Step 7, proceed to Step 11. Otherwise, you have completed the configuration of the site.
Step 11
Once you have completed the above steps, click the Access Plans tab as shown in Figure 12-5.
Figure 12-5 Access Plans
Step 12
If you are using the Self Service or Payment Provider operation mode, click the Add Access Plan button to add an access plan for your site, as shown in Figure 12-6.
Figure 12-6 Adding an Access Plan
Step 13
Enter the relevant information in the following fields for your Access Plan:
Name: Name of your access plan.
Description: Description of your access plan.
Time Profile: From the dropdown menu, select a predefined time profile, created as described in Configuring Time Profiles, page 6-10.
Price: Enter the Price of your access plan.
Note
This value is only used for Payment Provider Sites.
Step 14
Upon completion of the above steps, click the Create Access Plan button to finish.
Step 1
From the administration interface, select Hotspot > Sites as shown in Figure 12-7.
Figure 12-7 Editing Hotspots
Step 2
Select the site you want to edit from the list and click its name.
Step 3
You can find the location of the site on the Cisco NAC Guest Server in the Files tab. You must manually upload all of your files to this directory on the Guest Server. To upload the files, use an SCP or SFTP client and connect to the Guest Server with the root user account. Place all the web pages into the directory as specified.
Note
If you have replication between two NAC Guest Servers, then site files are not automatically replicated. You need to SFTP the files to both boxes.
Step 4
Once you have completed the above steps, click the Settings tab.
Step 5
In the Operation Mode dropdown menu, you can select one of the following methods of operation:
Payment Provider: This option allows your page to integrate with a payment provider's billing system. You need to select a predefined Payment Provider from the dropdown. Refer to Configuring Payment Providers, page 12-6 for more details.
Self Service: This option allows guest self service.
Authentication: This option allows RADIUS authentication for guests.
Step 6
In the General Settings section, check or uncheck the boxes to determine whether to allow the following:
Auto Login: Logs in to the account automatically after the account has been created.
Display account details: Displays the account details after the account has been created.
Send account details by SMS: Sends the account details by SMS.
Send account details by e-mail: Sends the account details by e-mail.
Leaving the boxes unchecked does not allow any of the above options.
Click the Save Settings button once completed. If you have selected Payment Provider or Self Service in Step 5, proceed to Step 9. Otherwise, you have completed the configuration of the site. Once you have completed the above steps, click the Access Plans tab. Enter the relevant information in the following fields for your Access Plan:
Name: Name of your access plan.
Description: Description of your access plan.
Time Profile: From the dropdown menu, select a predefined time profile, created as described in Configuring Time Profiles, page 6-10.
Price: Enter the Price of your access plan.
Note
This value is only used for Payment Provider Sites.
Step 11
Upon completion of the above steps, click the Create Access Plan button to finish editing the hotspot.
Step 1
From the administration interface, select Hotspots > Sites as shown in Figure 12-8.
Figure 12-8 Select Hotspot to Delete
Step 2
Select the site you want to delete from the list and click the bin icon next to the Description field.
Step 3
Confirm the deletion at the prompt.
Step 1
From the administration interface, select Hotspot > Payment Providers as shown in Figure 12-9.
Figure 12-9 Adding Payment Provider
Step 2
Click the Add Account button and enter the relevant details in the fields as shown in Figure 12-10.
Figure 12-10 Adding New Payment Provider
Step 3
Account Description: Enter the description of the payment provider account.
Payment Provider: Choose the relevant payment provider from the dropdown menu provided.
API Login: Enter the API login for the payment provider account.
Transaction Key: Enter the transaction key for the payment provider account.
Step 1
From the administration interface, select Hotspot > Payment Providers as shown in Figure 12-11.
Figure 12-11 Editing Payment Providers
Step 2
Click the name of the payment provider you want to edit.
Step 3
Enter the details as follows:
Account Name: Enter the name of the payment provider account.
Account Description: Enter the description of the payment provider account.
Payment Provider: Choose the relevant payment provider from the dropdown menu provided.
API Login: Enter the API login for the payment provider account.
Transaction Key: Enter the transaction key for the payment provider account.
Note
To view all variables that can be used in the following examples, see The ngsOptions Configuration Object, page 12-29.
Note
You can use only a single component per web page. If you need multiple components, such as a Self Service component and a Login component, they must be placed on individual pages.
Layer 3 Security: Web Authentication
Pre-Authentication ACL: This field must be configured for Cisco WLC 5500 series devices running firmware version 7.0 and later, in order to permit traffic from the clients to the Guest Server and traffic from the Guest Server back to the clients. For older WLC versions, this field can be left "None."
Over-ride Global Config: Enable (checked)
Web Auth type: External (re-direct to external server)
URL: https://<ngs IP address>/sites/<site name>/<html file> (for example: https://192.168.137.20/sites/auth/login.html)
Note
Switch integration is supported only from NAC Guest Server version 2.0.2 and later.
Router(config)# ip admission proxy http login page file flash:login.html
Router(config)# ip admission proxy http success page file flash:success.html
Router(config)# ip admission proxy http fail page file flash:failed.html
Router(config)# ip admission proxy http login expired page file flash:expired.html
Before you set up the configuration parameters, upload the files mentioned in the above commands to the switch. You can find samples of these files in the directory /guest/sites/samples/switch_includes/.
Note
Samples are available only from NAC Guest Server version 2.0.2 and later.
You can edit the sample files to suit your needs. The login.html file triggers the initial redirect to the Cisco NAC Guest Server hotspot and is the one that must be changed.
<html>
<head>
<meta Http-Equiv="Cache-Control" Content="no-cache">
<meta Http-Equiv="Pragma" Content="no-cache">
<meta Http-Equiv="Expires" Content="0">
<meta HTTP-EQUIV="REFRESH" content="2; url=https://<ngs ip address>:8443/sites/<site name>/<html file>">
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
<title>Authentication Proxy Login Page</title>
<script type="text/javascript">
location.href="https://<ngs ip address>:8443/sites/<site name>/<html file>?redirect_url="+location.href;
</script>
<noscript>
<meta HTTP-EQUIV="REFRESH" content="0; url=https://<ngs ip address>:8443/sites/<site name>/<html file>">
</noscript>
</head>
<body>
Redirecting ... continue <a href="https://<ngs ip address>:8443/sites/<site name>/<html file>">here</a>
</body>
</html>
There are several references to https://<ngs ip address>:8443/sites/<site name>/<html file> in the above example. After replacing these placeholders with the correct values, the line should contain the URL for the hotspot page to which you want to redirect the guest user. For example, the URL may look like: https://192.168.137.20:8443/sites/auth/login.html.
</body> </html>
Step 3
Save the file as wlc_login.html and copy the file to the NAC Guest Server. You can find the right directory from the administration interface: select the site name and click the Files tab as shown in Figure 12-12. Where the widget is rendered on the page depends on where the ngs_wlc_login.js script is included in the HTML.
Figure 12-12 Directory Location
Step 2
<html>
<head>
<script type="text/javascript">
ngsOptions = {};
ngsOptions.actionUrl = "https://1.1.1.1/";
</script>
</head>
<body>
<script type="text/javascript" src="/sites/js/ngs_switch_login.js"></script>
</body>
</html>
Step 3
Save the file as switch_login.html and copy the file to the NAC Guest Server. You can find the right directory from the administration interface: select the site name and click the Files tab as shown in Figure 12-12. Where the widget is rendered on the page depends on where the ngs_switch_login.js script is included in the HTML.
Note
The parameter "ngsOptions.actionUrl" is mandatory. It defines whether the widget should use HTTP or HTTPS and where to submit the credentials. To avoid problems with clients using Internet Explorer, this parameter should point to an address that is not used but is resolvable.
Step 4
Browse to https://<ngsip>/sites/hotspot/switch_login.html. A simple Login Form is displayed as shown in Figure 12-13.
ngsOptions.realm: Set this option to the realm to be used by the hotspot.
ngsOptions.realmSeparator: This option defines the character to be used as a separator between the realm and the username.
If you want to use the realm hotspot for guests authenticating through the hotspot, set the source code for the switch_login.html page as follows:
<html>
<head>
<script type="text/javascript">
ngsOptions = {};
ngsOptions.actionUrl = "https://1.1.1.1/";
ngsOptions.realm = "hotspot";
ngsOptions.separator = "\\";
</script>
</head>
<body>
<script type="text/javascript" src="/sites/js/ngs_switch_login.js"></script>
</body>
</html>
For example if a user enters "username", the widget sends "REALM\username" to the switch so that it is proxied by an upstream RADIUS server.
Note
In the above example, ngsOptions.separator has been set to "\\". The backslash (\) is a special character in JavaScript, so you need to write a double backslash (\\) to produce a single backslash (\) as the separator. If you use the @ character as the separator, then the line should read ngsOptions.separator = "@".
Step 1
Create a CSS file, and save it as style.css. In the CSS file, define the following styles:
.ngs_Form{
  font-family:Arial, Helvetica, sans-serif;
  font-size:10px;
  margin:50px;
  max-width:500px;
}
.ngs_FormRow{
  line-height: 20px;
  vertical-align:middle;
  text-align:right;
  margin: 5px 5px;
}
.ngs_Label{
  font-size:12px;
  padding:5px;
  margin-right:10px;
}
.ngs_Input,.ngs_TextArea,.ngs_Select{
  width:200px;
  border-color:#666666;
  border-width:1px;
  border-style:solid;
}
.ngs_Input:focus{
  background-color: #eef;
}
Step 2
Save the file in your site directory and include it in your login.html page using the <link> tag. The contents of wlc_login.html appear as follows:
<html>
<head>
<link rel="stylesheet" type="text/css" href="/sites/hotspot/style.css"/>
</head>
<body>
<script type="text/javascript" src="/sites/js/ngs_wlc_login.js"></script>
</body>
</html>
Step 3
Refresh the page and the controls appear as shown in Figure 12-14.
Figure 12-14
Step 2
Create a file named wlc_aup.html. This page must contain the AUP text and the AUP widget as follows:
<html>
<head>
</head>
<body>
<div>
<p>Acceptable Usage Policy</p>
</div>
<script type="text/javascript" src="/sites/js/ngs_wlc_aup.js"></script>
</body>
</html>
Step 2
Create a file named switch_aup.html. This page must contain the AUP text and the AUP widget as follows:
<html>
<head>
</head>
<body>
<div>
<p>Acceptable Usage Policy</p>
</div>
<script type="text/javascript" src="/sites/js/ngs_switch_aup.js"></script>
</body>
</html>
Step 1
To use the Self Service widget, the site should be configured using the Self Service Operation mode as shown in Figure 12-15.
Figure 12-15 Operation Mode
Step 2
Add one or more access plans to the hotspot as shown in Figure 12-16. When guests create their account, they choose from these access plans.
Figure 12-16 Access Plans
Step 4
To include the Self Service widget on a page, add the following script:
<html>
<head>
</head>
<body>
Step 5
Save the file as wlc_selfservice.html and copy it to the NAC Guest Server.
Step 6
Browse to https://<ngsip>/sites/hotspot/wlc_selfservice.html and the Self Service form is displayed as shown in Figure 12-17.
Figure 12-17 Self Service Form
Step 1
To use the Self Service widget, the site should be configured using the Self Service Operation mode as shown in Figure 12-15.
Step 2
Add one or more access plans to the hotspot as shown in Figure 12-16. When guests create their account, they choose from these access plans.
Step 3
Start with a blank HTML page as follows:
<html>
<head>
</head>
<body>
</body>
</html>
Step 4
To include the Self Service widget on a page, add the following script:
<html>
<head>
<script type="text/javascript">
ngsOptions = {};
ngsOptions.actionUrl = "https://1.1.1.1/";
</script>
</head>
<body>
<script type="text/javascript" src="/sites/js/ngs_switch_self_service.js"></script>
</body>
</html>
Step 5
Save the file as switch_selfservice.html and copy it to the NAC Guest Server.
Step 6
Browse to https://<ngsip>/sites/hotspot/switch_selfservice.html and the Self Service form is displayed as shown in Figure 12-17.
Step 1
You can re-use the CSS created for the Login page. To re-use it, include the CSS file in the HTML page. The script appears as follows:
<html>
<head>
<link rel="stylesheet" type="text/css" href="/sites/hotspot/style.css"/>
</head>
<body>
<script type="text/javascript" src="/sites/js/ngs_self_service.js"></script>
</body>
</html>
Step 2
The Self Service page appears as shown in Figure 12-18 with alignment issues. You need to make minor changes in the CSS file to fix the alignment.
Figure 12-18 Alignment Issues
Step 3
To fix the alignment, add the following code to the style.css file:
#mobile{
  width:125px;
  margin-left:0px;
  padding-left:0px;
}
#phoneCode{
  width:55px;
  margin-right:0px;
  padding-right:0px;
}
Step 4
After adding the above code, the Self Service page appears as shown in Figure 12-19.
Figure 12-19 Alignment Resolved
Note
The text for this component is available in the default user interface template. For more details on editing the default user interface template, see User Interface Templates, page 11-1.
Note
The details that are required for the guest to enter are determined by the Guest Details Policy (Guest Policy > Guest Details). See Setting Guest Details Policy, page 6-4 for more details.
Auto Login
You can configure a hotspot site to allow guests to log in immediately after they create the account. They can click a button to log in without entering the guest account credentials.
Note
If you use auto login, then you should make sure the accounts are created with "From First Login" or "Time Used" time profiles. Other time profiles do not work with Auto Login.
Step 1
To activate this feature, check the Auto Login checkbox in the Site Settings tab as shown in Figure 12-20.
Figure 12-20 Auto Login
Step 2
Display account details - If checked, the guest account details are displayed on the screen.
Send account details by SMS - If checked, the guest account details are sent to the mobile number provided. If you check this option, ensure that the mobile phone number field is set as required.
Send account details by Email - If checked, the guest account details are sent to the email address provided. If you check this option, ensure that the email address field is set as required.
Figure 12-21
Step 1
To use the billing widget, you need to configure a payment account as shown in Figure 12-22. Authorize.net is the only payment provider supported currently. You need to have a merchant account with this provider.
Figure 12-22
Step 2
You need to add one or more access plans to the hotspot as shown in Figure 12-23. These access plans are available to the guests when they create the account.
Figure 12-23 Adding Access Plans
Step 3
Set the site Operation Mode to Payment Provider as shown in Figure 12-24.
Figure 12-24 Operation Mode
Step 6
Save the file as wlc_payment.html and copy the file to the NAC Guest Server.
Step 7
Browse to https://<ngsip>/sites/hotspot/wlc_payment.html and the payment form is displayed as shown in Figure 12-25.
Figure 12-25 Payment Form
Step 1
To use the billing widget, you need to configure a payment account as shown in Figure 12-22. Authorize.net is the only payment provider supported currently. You need to have a merchant account with this provider.
Step 2
You need to add one or more access plans to the hotspot as shown in Figure 12-23. These access plans are available to the guests when they create the account.
Step 3
Set the site Operation Mode to Payment Provider as shown in Figure 12-24.
Step 4
Start with a blank HTML page:
<html>
<head>
</head>
<body>
</body>
</html>
Step 6
Save the file as switch_payment.html and copy the file to the NAC Guest Server.
Step 7
Browse to https://<ngsip>/sites/hotspot/switch_payment.html and the payment form is displayed as shown in Figure 12-25.
Step 1
Re-use the CSS created for the login page. To re-use it, include the CSS file in the HTML page. The script appears as follows:
<html>
<head>
<link rel="stylesheet" type="text/css" href="/sites/hotspot/style.css"/>
</head>
<body>
<script type="text/javascript" src="/sites/js/ngs_self_service.js"></script>
</body>
</html>
Step 2
The Billing page appears as shown in Figure 12-26 with alignment issues. You need to make minor changes in the CSS file to fix the alignment.
Figure 12-26 Alignment Issues
Step 3
To fix the alignment, add the following code to the style.css file:
#holderMobilePhone{
  width:125px;
  margin-left:0px;
  padding-left:0px;
}
#holderPhoneCode{
  width:55px;
  margin-right:0px;
  padding-right:0px;
}
#expirationYear, #expirationMonth{
  width:90px;
}
Step 4
After adding the above code, the Billing page appears as shown in Figure 12-27.
Figure 12-27 Alignment Resolved
Step 1
The Password Change widget can be used in any operation mode. The ability to change the password depends on the guest role to which the account is connected, as shown in Figure 12-28.
Figure 12-28 Allow Password Change
Step 2
The Require Password Change option applies to all widgets that allow guest login (Login, Self Service, Billing), and forces the guest to change the password before logging in to the Guest Server. To create the Password Change widget, start with a blank HTML page as follows:
<html>
<head>
</head>
Step 4
Save the file as password.html and copy the file to the NAC Guest Server.
Step 5
Browse to https://<ngsip>/sites/hotspot/password.html and the Password Change form appears as shown in Figure 12-29.
Figure 12-29 Password Change Form
Step 6
You can use the CSS file created for the Login page to customize the Password Change form.
Note
Password changes are not supported on the Clean Access Manager and are supported only when accessed through RADIUS.
Authentication Options
You can set various authentication options through the guest role.
Step 1
Click Guest Policy > Guest Roles and then the Authentication Settings tab as shown in Figure 12-28.
Step 2
You can set the following options:
Maximum Concurrent Connections - Sets the maximum number of concurrent connections with which a guest account is allowed to be associated.
Maximum Failed Authentications - Sets the maximum number of failed authentication attempts a guest is allowed before the account is suspended.
Allow Password Change - If checked, the guest is allowed to change the password. Check this option to use the Password Change widget.
Require Password Change - If checked, the guest is forced to change the password when logging in for the first time.
Note
Password changes are not supported on the Clean Access Manager and are supported only when accessed through RADIUS.
Step 3
For example, if you want to force a password change for all users with credentials purchased through a site, you can create a new guest role named Password Change as shown in Figure 12-30.
Figure 12-30 Password Change
Step 4
After creating the guest role, check the Require Password Change option under the Authentication Settings tab as shown in Figure 12-31.
Figure 12-31 Require Password Change
Step 5
Associate the newly created guest role to the access plans available for the site as shown in Figure 12-32.
Figure 12-32
For each message you want to override, add a line with the following syntax:
ngsOptions.messages[<key>] = <custom text>;
For each form element you want to override, add a line with the following syntax:
ngsOptions.formElements[<key>] = <custom text>;
Chapter 13 Configuring Backup
This section describes the following
Step 1
From the administration home page, select Server > Backup as shown in Figure 13-1.
Figure 13-1 Backup Settings
Step 2
To perform the backup to a remote FTP server, click the Backup Settings tab:
Enter the Remote Server Address for the FTP server.
Enter the TCP Port to be used (usually port 21).
Enter the Directory to store the backup.
Enter a Username and Password (confirming the password) that allows access to the FTP server.
Checking the Mode is Passive box enables passive FTP mode. Leaving it unchecked keeps passive mode inactive.
Step 3
Note
If you choose to store backups only locally on the Cisco NAC Guest Server, they are placed in the /guest/backups directory. Cisco recommends backing up this directory remotely using SFTP, logging in with the root username and password. This ensures that you have an external copy if the disk in the appliance fails.
Taking Snapshots
You can save a point-in-time snapshot to allow you to download a backup of the Cisco NAC Guest Server at an exact moment.
Step 1
From the administration home page, select Server > Backup and select the Backup Settings tab as shown in Figure 13-1.
Step 2
To save a snapshot backup, click the Snapshot button at the bottom of the form.
Step 3
You are prompted by your web browser to save the backup file to disk.
Scheduling Backups
You can schedule backups to occur every day, week, or month at 1:00 AM. Scheduled backups are stored in either the /guest/backup directory of the Cisco NAC Guest Server or on a remote FTP server.
Step 1
From the administration home page, select Server > Backup and select the Backup Schedule tab as shown in Figure 13-2.
Figure 13-2 Backup Schedule
Step 2
Enter the Maximum number of backups that you want to save. The Cisco NAC Guest Server removes old backups that exceed this amount by discarding the oldest backup when new ones are created.
Note
If you do not want to limit the number of files, you can specify a number less than 1, for example, 0 or -1.
Step 3
Specify how often you want the Cisco NAC Guest Server to perform backups in the Frequency dropdown menu. You can specify Daily, Weekly, or Monthly. If you select Weekly, you must also specify which day of the week. If you select Monthly, you must specify which day of the month.
Note
Cisco recommends specifying a date between the 1st and 28th day of the month to ensure that you automatically back up your system every month of the year.
Restoring Backups
You can restore a backup to the Cisco NAC Guest Server from the administration interface.
Note
You can only restore a backup to the same version of Cisco NAC Guest Server software with which the backup was performed. If you need to determine which version was used to perform the backup, open the backup archive file directory and view the version.html file in the backup archive.
Warning
If you are running a resilient pair of Cisco NAC Guest Servers and want to restore a backup, you must turn off replication on both servers and only restore the backup to one of the servers. Then you must re-synchronize the other server. Failure to follow this procedure may result in data loss on one of the servers. Refer to Chapter 14, Replication and High Availability for details.
Step 1
From the administration home page, select Server > Backup and click the Restore a Backup File tab as shown in Figure 13-3.
Figure 13-3 Restore Backup
Step 2
Click the Browse button and select the backup archive you want to restore.
Step 3
Click the Restore button. The backup is uploaded to the Cisco NAC Guest Server and the data is restored. Once the data has been restored, the server reboots so that the database is correctly loaded.
Chapter 14 Replication and High Availability
Note
Not all system settings are replicated. Refer to Data Replication, page 14-6 to review which settings are not replicated.
Note
For load balancing, external load balancers must be used to load balance the web interface. RADIUS requests can also be load balanced via external load balancers or by configuration. This chapter includes the following sections:
Configuring Replication
Configuring Provisioning
Replication Status
Recovering from Failures
Deployment Considerations
Configuring Replication
Initial replication is configured by setting one of the Cisco NAC Guest Servers to copy all of the data from the other Guest Server. The Guest Server that is configured to copy the data from the other device is first set to delete all of its own data. This ensures that no conflicts exist. Cisco recommends setting up replication at initial installation of Cisco NAC Guest Server, or when adding a new Guest Server to an existing implementation.
Note
If one of the Guest Servers is not active, the replication configuration pages can take up to 60 seconds to load. This is because the Guest Server checks the other box multiple times to verify that it can be reached.
Warning
During initial replication, all data on one of the Guest Servers is overwritten. If you have data that is needed on both of the Guest Servers, then do not configure replication as data will be lost.
Once one of the Guest Servers has received a copy of the data from the other device, they are synchronized and replication is turned on. Any data that is updated on one Guest Server is then automatically replicated to the other Guest Server. All communication between the Cisco NAC Guest Servers is encrypted using SSL and runs over TCP destination port 5432.
Step 1
Before starting, create a backup of the Cisco NAC Guest Server by following the instructions in Configuring Backup, page 13-1 and Taking Snapshots, page 13-3.
Step 2
From the administration interface, select Server > Replication Settings as shown in Figure 14-1.
Figure 14-1 Replication Settings
Step 3
Enter the Remote Guest Server address. This is the address of the Cisco NAC Guest Server with which you want to enable replication.
Step 4
Enter a Shared Secret and confirm it. The shared secret is used to authenticate with the other Cisco NAC Guest Server. The shared secret must be identical on both Guest Servers.
Step 5
Note
Setting a server's Replication Mode to Off removes it from the replication process. There is no method of re-synchronizing a server without starting the process from the beginning, and doing so loses the non-replicated data on one of the servers. Only turn Replication off if you are making a standalone system.
Step 6
Turning on replication enables you to specify whether this server is the one that contains the current data or copies data from the other server:
a. Choose This node contains the data if you want to keep the data from this server.
b. Choose This node will copy data from other node if you want to erase all data on this server and copy the data from the other server.
Warning
Make sure you set these correctly on each server, otherwise you will lose data. Cisco strongly recommends creating a backup before running this procedure.
Step 7
Click Save Settings to save the settings and turn on the replication process.
Step 8
Access the administration interface of the other Guest Server, and repeat Step 1 through Step 7 to set up replication on the other server.
Configuring Provisioning
When the Cisco NAC Guest Server provisions accounts in other systems, such as the Clean Access Manager, only one of the Guest Servers should be performing the provisioning at a time. One Cisco NAC Guest Server should be defined as the primary and the other as the secondary. The server set to primary performs the provisioning by default. If a server is set to secondary, it checks the status of the primary server. If it fails to contact the primary server three times, then it performs the provisioning. This process happens every minute when the provisioning service runs.
Step 1
From the administration interface, select Server > Replication Settings as shown in Figure 14-1.
Step 2
Select the Provisioning to be Primary if you want this server to perform the provisioning under normal conditions. Select Secondary if you want this server to perform provisioning only if the primary server cannot be contacted.
Step 3
Click the Save button.
Note
Only one of the servers should be set to Primary, otherwise you may get errors when creating or deleting accounts twice.
Replication Status
At any time, you can check the replication status of the Cisco NAC Guest Servers. This is useful to make sure replication is happening as set.
Step 1
From the administration interface, select Server > Replication Settings as shown in Figure 14-1. At the bottom of the page is the Replication Status, where you can check the status of replication and the number of changes that still need to be replicated between the devices.
Device Failure
If one of the Cisco NAC Guest Servers in a replication pair fails and needs to be replaced, you should set up replication with the working server and the data will be re-synchronized to the device.
Warning
Do not restore the failed unit from a backup. Restoring from a backup onto one unit in a replication pair will result in not having an exact replica of the data on both servers. Refer to Restoring Backups, page 13-4 for additional details.
Step 1
From the administration interface, select Server > Replication Settings as shown in Figure 14-2.
Figure 14-2 Resetting Replication
Step 2
Step 3
Follow the instructions in Configuring Replication, page 14-1 and ensure that you set the working server as the one with the data.
Deployment Considerations
Connectivity
The Cisco NAC Guest Servers need to be provided with IP connectivity between the units. Cisco recommends making the network path between the devices resilient so that synchronization can always be performed. However, if the devices are disconnected, they will continue to function and store changes until they are connected back together and can re-establish communication. At this point, they will re-synchronize databases. Depending on the amount of activity that your Cisco NAC Guest Server performs, you need to make sure that there is enough bandwidth between the servers to enable synchronization to occur as rapidly as possible. You can test connectivity by creating a large number of accounts and watching how quickly the appliances synchronize by watching the status on the replication as shown in Figure 14-1.
Load Balancing
Web Interface
Sponsor and Administration sessions can be serviced by both Cisco NAC Guest Servers when configured for replication. However, the Cisco NAC Guest Server does not perform any redirection or automatic load balancing of requests. To enable requests to both Cisco NAC Guest Servers concurrently, you must implement an external load balancing mechanism. Options include:
Network based Load Balancing - Such as the Cisco CSS, GSS, CSM or ACE platforms. The only requirement for the load balancing is that clients are serviced by the same Cisco NAC Guest Server for their entire session. Individual requests cannot be load balanced between servers, as the Cisco NAC Guest Server does not replicate sponsor/admin session information, to reduce bandwidth requirements. The most common method of achieving this is sticking connections to the same Cisco NAC Guest Server based upon source IP address.
DNS Round robin - Using your DNS server, configure the domain name of the Cisco NAC Guest Server to return both IP addresses for the Cisco NAC Guest Server in a round-robin configuration. This method does not provide failover between appliances in the event of a failure.
Publishing multiple URLs - This allows each user to choose the server they want to use.
RADIUS Interface
The RADIUS interface on either Cisco NAC Guest Server can take requests at the same time.
Cisco recommends configuring one Cisco NAC Guest Server to be the primary for some RADIUS clients and the other Cisco NAC Guest Server to be the primary for the other RADIUS clients. For failover, the RADIUS clients can have secondary RADIUS servers defined as the other Cisco NAC Guest Server, if they support configuration of two servers.
Data Replication
NAC Guest Server Replication replicates data that is stored in the database between replication pairs. The following information is not replicated and is locally defined on each NAC Guest Server.
Date/Time settings
Date
Time
Locale
NTP server 1
NTP server 2
SSL settings
SSL Certificate
Root CA Certificate
Private key
Chapter 15
SNMP Configuration
Cisco NAC Guest Server supports management applications monitoring the system over SNMP (Simple Network Management Protocol). SNMP Versions 1, 2c and 3 are supported. The appliance can also send SNMP traps and informs when certain settings exceed a defined value.
Figure 15-1 SNMP Configuration
Configuring SNMP Version 1
Configuring SNMP Version 2c
Configuring SNMP Version 3
Configuring SNMP Allowed Addresses
Configuring SNMP Version 1
Step 1
To enable SNMP Version 1, check the Enable V1 checkbox.
Step 2
Enter an SNMP Read Community name to be used for read access.
Step 3
Configure the Allowed IP Addresses allowed to access the appliance using SNMP by following the instructions in Configuring SNMP Allowed Addresses, page 15-3.
Step 4
Click Save.
Configuring SNMP Version 2c
Step 1
To enable SNMP Version 2c, check the Enable V2c checkbox.
Step 2
Enter an SNMP Read Community name to be used for read access.
Step 3
Configure the Allowed IP Addresses allowed to access the appliance using SNMP by following the instructions in Configuring SNMP Allowed Addresses, page 15-3.
Step 4
Click Save.
Configuring SNMP Version 3
Step 1
To enable SNMP Version 3, check the Enable V3 checkbox.
Step 2
Enter a Username to be used for read access.
Step 3
Enter the Password and confirm it to make sure it has been entered correctly.
Step 4
Select an Authentication Protocol from the dropdown menu: MD5 (HMAC-MD5-96) or SHA (HMAC-SHA-96).
Step 5
Select a Privacy Protocol from the dropdown menu: DES or AES.
Step 6
Select the Security Type to use from the dropdown menu: Authentication or Encryption.
Step 7
Configure the Allowed IP Addresses allowed to access the appliance using SNMP by following the instructions in Configuring SNMP Allowed Addresses, page 15-3.
Step 8
Click Save.
Configuring SNMP Allowed Addresses
Step 1
Enter an IP Address Range made up of an IP Address and a prefix length. For example:
0.0.0.0/0 to allow any address to access the appliance by SNMP.
192.168.1.0/24 to allow any address from 192.168.1.0-255 to access the appliance.
172.16.45.2/32 to allow only the host 172.16.45.2 to access the appliance.
Step 2
Click the Add button. You can repeat Step 1 and Step 2 for as many addresses as you like.
Step 3
Click Save.
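The Allowed IP Addresses entries above are ordinary address/prefix-length ranges, so the way the appliance decides whether an SNMP request source is admitted can be reproduced and reviewed offline. The following is an added example, not code from the guide or from the Cisco NAC Guest Server; it uses Python's standard ipaddress module, takes the three ranges from the guide as its constructed sample, and adds a small audit that flags entries such as 0.0.0.0/0, which admit every address and leave read access gated by the community string or v3 credentials alone.

```python
import ipaddress

# Constructed Allowed IP Addresses list using the two restrictive example
# ranges from the guide. 0.0.0.0/0 is only used below to show how to flag it.
EXAMPLE_ALLOWED = ["192.168.1.0/24", "172.16.45.2/32"]


def parse_allowed(ranges):
    """Turn 'address/prefix-length' entries into network objects.

    strict=False tolerates host bits set in the address part, so an entry
    such as 192.168.1.5/24 is read as the 192.168.1.0/24 network instead of
    being rejected. Both IPv4 and IPv6 entries are accepted.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in ranges]


def is_allowed(source, ranges):
    """True if the SNMP request source address falls inside any entry."""
    addr = ipaddress.ip_address(source)
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(addr in net for net in parse_allowed(ranges))


def unrestricted_entries(ranges):
    """Entries with a zero-length prefix (0.0.0.0/0 or ::/0) admit any address."""
    return [str(net) for net in parse_allowed(ranges) if net.prefixlen == 0]


def most_permissive(ranges):
    """The entry with the shortest prefix, i.e. the widest allowed range."""
    return str(min(parse_allowed(ranges), key=lambda net: net.prefixlen))


if __name__ == "__main__":
    for src in ("192.168.1.77", "192.168.2.1", "172.16.45.2", "172.16.45.3"):
        verdict = "allowed" if is_allowed(src, EXAMPLE_ALLOWED) else "denied"
        print(src, verdict)
    print("widest entry:", most_permissive(EXAMPLE_ALLOWED))
    print("unrestricted:", unrestricted_entries(["0.0.0.0/0", "192.168.1.0/24"]))
```

Running the list you actually configured through unrestricted_entries is a quick way to confirm, before clicking Save, that no catch-all range was left in place from initial testing.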
SNMP Traps are sent with the community string set to "traps". Cisco NAC Guest Server does not support authentication or warmstart traps.
Step 1
From the administration interface, select Server > SNMP > Traps as shown in Figure 15-2.
Figure 15-2 SNMP Trap Configuration
Step 2
Check the Enable Traps checkbox if you want to enable traps.
Step 3
Select the Trap Version from the dropdown: Version 1, Version 2c or Informs.
Step 4
The NAC Guest Server sends a trap if the disk space goes below a specified value. Enter the value at which you want the trap to be sent in the Disk Space dropdown field.
Step 5
Specify the Load Average above which you want a trap to be sent, measured over 1 minute, 5 minutes or 15 minutes. Load Average is calculated using the standard Linux formula and can be seen from the command line with the uptime command.
Step 6
Enter each IP Address that you want to send an SNMP trap to and click the Add button.
Step 7
Click the Save button to save the changes.
Step 1
Open an SFTP connection to the Cisco NAC Guest Server. The authentication credentials are the same as for the command line. Log in with the root username and password you assigned for this account in the initial setup.
Step 2
Change to the /usr/share/snmp/mibs directory and download the files.
System Logging
All actions within the Cisco NAC Guest Server are logged into the database. This enables you to:
View any action that occurred as part of the normal operating process of the application
Log administrator and sponsor actions
Create system logs
Note
It is important to create and constantly maintain logging levels. Refer to Log Settings, page 15-9 for details.
Audit Logs
Audit logs create a record of administrator and sponsor actions and can be created using four different methods.
Step 1
To access the audit log functions from the administration interface, select Server > System Logs as shown in Figure 15-3 and click the Audit Logs tab.
Figure 15-3 System Log
Step 2
Audit log reports can be run using four different categories as shown in Figure 15-4:
Action by - Displays logs using the admin/sponsor user name as the search criteria.
Client IP - Displays logs using the Client IP address as the search criteria.
Server IP - Displays logs using the Server IP as the search criteria.
You can run log reports for a single category, multiple categories, or all categories at the same time.
Step 3
Select a time duration for your search criteria using the date pickers provided, then click the Run button.
Figure 15-4 Audit Logs
Application Logs
Application Logs shows the application log containing application debugs.
Step 1
To access the Application Logs function from the administration interface, select Server > System Logs and click the Application Logs tab as shown in Figure 15-5.
Figure 15-5 Application Logs
Step 2
Action by - Displays logs using the admin/sponsor user name as the search criteria.
Client IP - Displays logs using the Client IP address as the search criteria.
Server IP - Displays logs using the Server IP as the search criteria.
You can run log reports for a single category, multiple categories, or all categories at the same time.
Step 3
Select a time duration for your search criteria using the date pickers provided then click the Run button.
Note
Cisco recommends disabling debugging immediately after use so as not to potentially disrupt any other NAC Guest Server functionality.
Support Logs
Support Logs provide an area that stores:
HTTP error logs
RADIUS logs
Mail logs
Twin (Replication) logs, only applicable if running replication between NAC Guest Servers
Debug logs
Audit logs
Application logs
An XML file
Step 1
To access the Support Logs function from the administration interface, select Server > System Logs and click the Support Logs tab as shown in Figure 15-6.
Figure 15-6 Support Logs
Step 2
You can view or download the logs listed by clicking the underlined Action links.
Note
The Support Logs page only displays the latest details of each available log. However, clicking View or Download retrieves and displays ALL logs for that category.
Log Settings
The Log Settings page allows an administrator to set the level of logging and administer syslog settings.
Step 1
To access the Log Settings page from the administration interface, select Server > System Logs and click the Log Settings tab as shown in Figure 15-7.
Figure 15-7 Log Settings Page
Step 2
Logging Levels allow an administrator to choose the level of logging for multiple criteria:
General - Allows an administrator to set logging of Errors and Notices only; Errors, Notices and Info; or Errors, Notices, Info and Debugs.
Sponsor Authentication - Allows an administrator to set logging of Errors and Notices only; Errors, Notices and Info; or Errors, Notices, Info and Debugs.
Admin Authentication - Allows an administrator to set logging of Errors and Notices only; Errors, Notices and Info; or Errors, Notices, Info and Debugs.
Account Creation - Allows an administrator to set logging of Errors and Notices only; Errors, Notices and Info; or Errors, Notices, Info and Debugs.
Account Management - Allows an administrator to set logging of Errors and Notices only; Errors, Notices and Info; or Errors, Notices, Info and Debugs.
Admin Operations - Allows an administrator to set logging of Errors and Notices only; Errors, Notices and Info; or Errors, Notices, Info and Debugs.
Radius User Authentication - Allows an administrator to set logging of Errors and Notices only; Errors, Notices and Info; or Errors, Notices, Info and Debugs.
NAC Manager - Allows an administrator to set logging of Errors and Notices only; Errors, Notices and Info; or Errors, Notices, Info and Debugs.
Step 3
Syslog Settings allows an administrator to determine what log events are sent to a predefined syslog server.
Send Application Log Events to Remote Server - Determines what type of application events are logged and sent to the server. The administrator can choose none, Audit, Errors, or Audit and Errors.
Send System Log Events to Remote Server - Determines what type of system events are logged and sent to the server. The administrator can choose Emergency; Emergency and Alerts; Emergency, Alerts and Critical; or Emergency, Alerts, Critical and Errors.
Syslog Server - Enter the DNS name or IP Address of the syslog server to which the logs are to be sent.
Syslog Protocol - Choose between UDP and TCP protocols.
Syslog Port - Define a port for your syslog server.
Step 4
Note
To test basic syslog functionality, go to the Log Settings page and click Save. This sends a test message to the syslog server with priority info (6).
Chapter 16 Licensing
The Cisco NAC Guest Server is licensed via a file associated with the MAC address of the appliance. The file can be obtained from Cisco.com, and instructions are included in the licensing pack. The Cisco NAC Guest Server only supports one license at a time, so any additional license you import automatically overwrites the previous license on the Guest Server.
Note
For detailed information on Cisco NAC Guest Server licenses, refer to Cisco NAC Appliance Service Contract/Licensing Support.
Licensing
To view or upload a license from the administration interface:
Step 1
Step 2
Step 3
Note
If you have uploaded an evaluation license, the Guest Server License Status will indicate the license expiration date.
Chapter 17 Sponsor Documentation
This chapter provides user documentation for sponsor users who create guest accounts. It contains the following sections:
Introduction to Cisco NAC Guest Server
Connecting to the Cisco NAC Guest Server
Creating Guest User Accounts
Multiple Guest Accounts
Suspending Guest Accounts
Viewing Active Accounts and Resending Details
Reporting on Guest Users
Sponsor Reporting
Step 1
Enter the address of the Cisco NAC Guest Server into the URL or Address field of a web browser, for example, http://<nac-guest-server>.
Step 2
In the Cisco NAC Guest Server login page (Figure 17-1), enter your Username and Password, and click the Login button. Use the login credentials specified by your network administrator.
Figure 17-1
Step 3
When you first log in, the Getting Started page is displayed as shown in Figure 17-2.
Figure 17-2 Sponsor Dashboard
Step 4
From this page, you can navigate to Home > My Settings to:
Step 1
Navigate to Home > My Settings.
Step 2
Click the Preferences tab as shown in Figure 17-3 to modify the following Preferences:
Language Template - If your administrator has added additional templates, you can select a language template from this dropdown menu to change the language of the application interface or the guest printout/email/SMS notification.
Default Timezone - This timezone is the default selected in the list on the account creation pages.
Default Telephone Country Code - Specify the default for the telephone country code. This is used when sending the guest details by SMS, or for recording the guest's phone number.
Default Location - Specify the default guest role you want to use for creating accounts.
Email Address - Enter your email address here. This is required if you want to receive a copy of the guest's account details by email.
Receive Email Confirmation - Check this checkbox if you want the Cisco NAC Guest Server to send you a copy of the guest's account details by email when you click the Send Email Notification button to notify the users of their guest account details.
Default Login Page - Using the dropdown menu, select the page that you want the Cisco NAC Guest Server to display immediately after you log in.
Figure 17-3 Preferences Page
Step 3
Change Password
The Change Password option is enabled if your account is locally defined on the NAC Guest Server by your administrator. If you authenticate with a username/password from an external server such as Active Directory, you cannot view this option.
Step 1
Navigate to Home > My Settings.
Step 2
Click the Password tab as shown in Figure 17-4.
Figure 17-4 Change Password
Step 3
Enter your new password in the Change Password and Confirm fields.
Step 4
Click the Save button to save your new password.
Report Settings
Note
The Report Settings function is only available starting from version 2.0.1 and later. You can select and deselect options you want to view in the Manage Accounts page or when exporting details from the Manage Accounts page.
Step 1
Navigate to Home > My Settings.
Step 2
Click the Reports tab as shown in Figure 17-5.
Figure 17-5 Reports
Step 3
Check or uncheck the check boxes based on the options to be displayed in the Manage Accounts page or when downloading a report.
Step 4
Click the Save button when finished.
Creating Guest User Accounts
Step 1
Log into the Cisco NAC Guest Server as described in Connecting to the Cisco NAC Guest Server, page 17-1.
Step 2
Navigate to Create Accounts > Create Guest Account. The Create Guest Account page appears as shown in Figure 17-6.
Note
Figure 17-6 shows the default template for creating a Guest User Account. Your administrator has the option to add or remove other fields.
Figure 17-6 Create a Guest User Account
Enter the First Name of your guest.
Enter the Last Name of your guest.
Enter the Company or organization of your guest.
Enter the Email Address of your guest.
Enter the Mobile Phone Number of your guest.
Select the Guest Role from the dropdown menu. This dropdown appears automatically if your administrator has defined guest roles and more than one role is available.
Choose the Timezone relevant to the time and date.
From the Account Start field, choose the Time and Date from which you want the account to be valid.
From the Account End field, choose the Time and Date at which you want the account to end.
If the administrator for Cisco NAC Guest Server has configured any additional required account attributes, specify the appropriate information for those settings in this form.
Click the Add User button. The account is created and the details are displayed as shown in Figure 17-7.
Figure 17-7 Guest User Created
Step 15
Depending on your permissions, you can perform one or all of the following actions on the same page where the new account details are displayed:
Clicking the Print Account button allows you to print the account details to your printer to hand to the guest. These details commonly include guest access instructions and usage policies. See Print Account Details, page 17-8.
Clicking the Email Account button sends the account details to the email address you entered for the guest. See Email Account Details, page 17-8.
Clicking the Send SMS Message button sends the account details to the guest's mobile phone via SMS text message. See Text Message Account Details (SMS), page 17-8.
Step 16
You can also create another account immediately by clicking the Create another Guest account button.
Print Account Details
Step 1
Click the Print Account button from the Create Guest Account page shown in Figure 17-7.
Figure 17-8 Print Account Details
Step 2
A new Printer window opens and you can print out the guest user details.
Note
After a guest account is created, you can also access this feature by navigating to Account Management > Manage Accounts and clicking the Print icon at the right of the guest user entry in the list.
Email Account Details
Step 1
Click the Email Account button from the Create Guest Account page shown in Figure 17-7. The Cisco NAC Guest Server sends an email to the email address specified when you created the account.
Note
After a guest account is created, you can also access this feature by navigating to Account Management > Manage Accounts and clicking the Envelope icon to the far right of the guest user entry in the list.
Text Message Account Details (SMS)
Step 1
Click the Send SMS Message button from the Create Guest Account page shown in Figure 17-7. The Cisco NAC Guest Server sends a text message to the phone number specified when you created the account.
Note
After a guest account is created, you can also access this feature by navigating to Account Management > Manage Accounts and clicking the Phone icon to the far right of the guest user entry in the list.
Multiple Guest Accounts
Creating Multiple Accounts from Text Entry
Creating Multiple Accounts from CSV File
Creating Multiple Random Accounts
You can create multiple accounts by pasting the details into the interface, importing a Comma Separated Values (CSV) file, or creating random accounts to be assigned to guest users (with the details recorded on paper) for input at a later time.
Creating Multiple Accounts from Text Entry
Step 2
Enter the details in the text field as required, with a comma separating the values.
Step 3
Select the Guest Role from the dropdown menu. This dropdown appears automatically if your administrator has defined guest roles and more than one role is available.
Step 4
Select the relevant Timezone for the account.
Step 5
Choose the Account Start time, and then the Account End time.
Step 6
Click the Create Bulk Accounts button.
Creating Multiple Accounts from CSV File
Step 2
Download the CSV file by clicking the Download CSV Template File button and save this file locally.
Step 3
Fill out the fields in the CSV Template file using a program such as Microsoft Excel:
First Name - The guest's first name.
Last Name - The guest's last name.
Company - The guest's company.
Email Address - The guest's email address.
Country Code - The country code of the mobile phone number, for example 1 for the US, 44 for the UK.
Mobile Phone Number - The guest's mobile phone number.
Note
Do not enter hyphens in the number.
Other details - Other details may be configured by your administrator; their names and descriptions are decided by them.
Step 4
Click the Browse button to select your edited CSV file.
Step 5
Select the Guest Role from the dropdown menu. This dropdown appears automatically if your administrator has defined guest roles and more than one role is available.
Step 6
Select the relevant Timezone for the account.
Step 7
Choose the Account Start time, and then the Account End time.
Step 8
Click the Upload CSV button.
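A spreadsheet edited by hand tends to pick up exactly the defects the CSV procedure warns about: hyphenated phone numbers, a missing country code, a mistyped address. Checking the file before uploading it keeps bad records from becoming live guest accounts that then have to be found and suspended. The following is an added example, not code from the guide or the Cisco NAC Guest Server: it reads a template-shaped CSV with Python's csv module, applies the field rules stated above, and separates clean records from rows that need fixing. The column headings are assumed to match the field names in the guide; the template you download from the appliance may label them differently, so compare against its header row. The sample CSV is constructed.

```python
import csv
import io
import re

# Column headings assumed to match the field list in the guide; check them
# against the header row of the template actually downloaded from the server.
TEMPLATE_COLUMNS = [
    "First Name", "Last Name", "Company", "Email Address",
    "Country Code", "Mobile Phone Number",
]

# Deliberately simple: one '@', something on each side, a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: line 2 is clean, line 3 has a hyphenated number,
# line 4 has a malformed address and an empty country code.
SAMPLE_CSV = """First Name,Last Name,Company,Email Address,Country Code,Mobile Phone Number
Alice,Example,Example Corp,alice@example.com,1,5551234567
Bob,Sample,Sample Ltd,bob@example.co.uk,44,7700-900123
Carol,Test,Test Inc,carol.example.com,,5557654321
"""


def check_row(row):
    """Return a list of problems with one CSV record (empty if it is clean)."""
    errors = []
    for col in ("First Name", "Last Name"):
        if not row[col].strip():
            errors.append("%s is empty" % col)
    if not EMAIL_RE.match(row["Email Address"].strip()):
        errors.append("Email Address is not a valid address")
    country = row["Country Code"].strip()
    if not country.isdigit():
        errors.append("Country Code must be digits only, for example 1 or 44")
    phone = row["Mobile Phone Number"].strip()
    if "-" in phone:
        errors.append("Mobile Phone Number must not contain hyphens")
    elif not phone.isdigit():
        errors.append("Mobile Phone Number must be digits only")
    return errors


def validate_csv(text):
    """Validate template CSV text.

    Returns (problems, clean_rows): problems is a list of (line number,
    [messages]) with line 1 being the header; clean_rows holds the records
    that passed, whitespace-stripped. Extra columns added by the
    administrator ("Other details") are carried through untouched.
    """
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []
    missing = [col for col in TEMPLATE_COLUMNS if col not in header]
    if missing:
        raise ValueError("template columns missing: %s" % ", ".join(missing))
    problems, clean_rows = [], []
    for line_no, row in enumerate(reader, start=2):
        errors = check_row(row)
        if errors:
            problems.append((line_no, errors))
        else:
            clean_rows.append({key: value.strip() for key, value in row.items()})
    return problems, clean_rows


if __name__ == "__main__":
    found, ok = validate_csv(SAMPLE_CSV)
    for line_no, messages in found:
        print("line %d: %s" % (line_no, "; ".join(messages)))
    print("%d record(s) ready to upload" % len(ok))
```

Fix the reported lines in the spreadsheet, re-run the check, and upload only once it returns no problems; the random-account path below needs no such step because the server generates the details itself.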
Creating Multiple Random Accounts
Enter the number of accounts that you want to generate.
Select the Guest Role from the dropdown menu. This dropdown appears automatically if your administrator has defined guest roles and more than one role is available.
Select the relevant Timezone for the account.
Choose the Account Start time, and then the Account End time.
Click the Submit button. The random accounts are created and displayed as shown in Figure 17-12.
Figure 17-12
Note
For random accounts, it is useful to print out the table that is displayed so that you can write down the corresponding guest's details for later input into the Cisco NAC Guest Server.
Navigate to Account Management > Manage Bulk Accounts as shown in Figure 17-13.
Figure 17-13 Manage Bulk Accounts (Text/CSV Creation Methods)
Step 2
Determine the batch of accounts you have created by the Time/Date Created column or by checking the Created By column. Click the bulk account ID link you have created to view the Bulk Details page as shown in Figure 17-14.
Figure 17-14
Step 3
Print All - Click to print out the account details created for each guest.
Email All - Click to email the account details created to each guest.
SMS All - Click to SMS the account details created to all guests.
Suspend All - Click to suspend all the bulk accounts you have created.
Download CSV - Click to download a CSV file of the bulk accounts created.
Suspend an account - Click the hazard icon.
Edit an account - Click the pencil icon to edit the individual account selected.
View an account in detail - Click the notepad icon to view the individual account details.
Print account details - Click the printer icon to print the individual account details.
Note
When creating accounts with preset details (by either importing text or creating a CSV file), you can print, email, or transmit via SMS the guest account details. However, when you create random accounts, you can only use the print option.
Viewing Bulk Account Groups
Finding Bulk Account Groups by Username
Finding Bulk Account Groups on the Active Accounts Report
Navigate to Account Management > Manage Bulk Accounts as shown in Figure 17-13. Click the underlined link of the Bulk account ID you have created to bring up the Bulk Details page as shown in Figure 17-15.
Figure 17-15 Bulk Account Groups
Step 3
Navigate to Account Management > Manage Bulk Accounts as shown in Figure 17-13. Enter a username that belongs to a batch of accounts in the Username field and click the Submit button. If found, the batch of accounts that was created in the same operation as the submitted username is displayed.
Step 2
Click the underlined link of the Bulk account ID you have created to go to the Manage Accounts page for the bulk-created accounts as shown in Figure 17-16. You can edit individual accounts in this page.
Figure 17-16 Bulk Accounts on the Active Accounts Report
From the Main page select Account Management > Manage Accounts. On the Manage Accounts page, you can view the list of accounts that have been created as shown in Figure 17-17. The fields displayed on this page can be customized using Report Settings as shown in Figure 17-5.
Figure 17-17 Manage Accounts
From the Main page select Account Management > Manage Accounts. In the Account Management page you can view a list of the accounts that you can edit as shown in Figure 17-18.
Figure 17-18 Edit Guest User Accounts in Account Management
Step 3
Click the pencil icon next to the account you want to change to go to the Edit User Accounts page as shown in Figure 17-19.
Figure 17-19
Step 4 Change the Account details.
Step 5 Click the Submit button to update the account with the new details.
Advanced Search
Step 1
If your Account Management page returns a large number of users, you can perform an advanced search by clicking the Advanced Search button as shown in Figure 17-16.
Figure 17-20 Advanced Search
Step 2
In the Advanced Search page that is displayed as shown in Figure 17-20, you can enter the following criteria to make your search:
Created by - Sponsor who created the account.
First Name - First name of guest.
Last Name - Last name of guest.
Company - Company or organization of guest.
Email - Email address of guest.
IP Address - IP address of the guest user's workstation.
Start Time Between - Start time from which the search begins.
End Time Between - End time at which the search ends.
Locale - From the dropdown menu, select a timezone to be searched.
Inactive - Select this option to include Inactive accounts in the search.
Active - Select this option to include Active accounts in the search.
Expired - Select this option to include Expired accounts in the search.
Suspended - Select this option to include Suspended accounts in the search.
Step 3
Click the Submit button to search based on the given criteria. If your search criteria matches any accounts in the database, they are displayed.
Step 2
Click the suspend icon next to the account you want to terminate. The account is removed from the list and the guest will no longer be able to log in.
Select Account Management > Manage Accounts to display a list of active accounts as shown in Figure 17-18. Click the username of the guest to which you wish to resend details as shown in Figure 17-22.
Figure 17-22 Guest Account Details
Step 3
Print Account - Prints the account.
Email Account - Emails the account details to the guest.
Send SMS Message - Sends an SMS message of the account details to the guest.
Create another Guest account - Creates another guest account.
From the Main page, select Account Management > Manage Accounts to display a list of active accounts as shown in Figure 17-18. Select the user for which you wish to view reporting, and click the notepad icon to view the detailed report for that user. Click the Accounting Log tab as shown in Figure 17-23 for the RADIUS accounting information for that guest including:
NAS IP Address - IP address of the NAS specified for the guest user.
Users IP Address - IP address assigned to the guest.
Logged In - Time at which the guest logged in.
Logged Out - Time at which the guest logged out.
Duration - Length of time the guest remained logged in to the account.
Figure 17-23 Accounting Log
Step 4
Click the Audit Log tab as shown in Figure 17-24 to view the audit entries for that guest account including:
Sponsor - Sponsor ID.
Action - Audit entry action.
Date/Time - Date and time of the audit entry action.
Figure 17-24 Audit Log
Step 5
Click the Activity Log tab as shown in Figure 17-25 to view the activities performed by the guest for that account, including firewall information if your administrator has allowed that functionality.
Figure 17-25 Activity Log
Network Device IP - IP address of any network device you wish to search.
Message Contains - Enter any text you wish to search for within the logs.
Use regular expression - Check this checkbox to match the specified text as a regular expression. You can use Perl compatible regular expressions in the search.
Between - Enter the date and time from which you want to start your search.
And - Enter the date and time at which you want to end your search.
Click the Run button once you have completed selecting your criteria. Once the search is completed, you can click the Download button to save your results to a file. Returned information includes:
Date/Time field - Displays the date and time of the guest's actions.
Device - The device on which the guest's actions took place.
Message - Displays the guest's actions.
Sponsor Reporting
Sponsors can view reports under the Account Management section to view the summary, activity and access details for their own account and other sponsor accounts.
Summary Reports
Step 1
From the main page select Account Management > Summary Reports to bring up the summary reports page as shown in Figure 17-26.
Figure 17-26 Summary Report
Step 2 Select search criteria using the date pickers provided.
Step 3 Click the Show button. The screen displays:
Total Guest Accounts Created.
Total Authenticated Guests.
Total Cumulative Connect Time.
From the main page, select Account Management > Sponsors Activity Report to display the Sponsors Activity Report page as shown in Figure 17-27.
Figure 17-27 Sponsors Activity Report
Step 2 Select search criteria using the date pickers provided. You can also select a minimum number of guests created by sponsor.
Step 3 When completed, click the Show button. The screen displays:
Username - Username of sponsor.
Total Accounts Created - Accounts created by sponsor.
Email - Email address of sponsor.
Phone - Phone number of sponsor.
A pie chart of the top ten sponsors by number of accounts created is also displayed.
Access Reports
Step 1
Navigate to Account Management > Access Report to go to the Access Report page as shown in Figure 17-28.
Figure 17-28 Access Report
Step 2 Select search criteria using the date pickers provided.
Step 3 Click the Show button. The screen displays the number of logins made by sponsors.
APPENDIX A
API Support
This appendix discusses API support for the Cisco NAC Guest Server. It describes the following:
Overview, page A-1
Authentication Requirements, page A-1
Time Format, page A-2
API Operations, page A-2
Status Codes, page A-13
Error Codes, page A-13
Valid Timezones, page A-13
Overview
Cisco NAC Guest Server provides an API that allows you to perform certain operations using HTTP or HTTPS via POST or GET operations. The NAC Guest Server API is accessed via https://serveripaddress/sponsor/api/GuestAccount.php or http://serveripaddress/sponsor/api/GuestAccount.php. To use this API, note the following:
Competency with a programming language (e.g. C, Java, Perl, PHP) is required and you must install the relevant software on the machine that runs these programs to call this API. Cisco TAC does not support debugging of custom programs using the API. It only supports running API calls.
Authentication Requirements
Access over HTTP or HTTPS for the API is based upon the SSL settings for the web Administration interface as defined in Accessing the Guest Server Using HTTP or HTTPS, page 3-9. A valid username and password is also required to authenticate as a sponsor against the following components:
A-1
API Support
For example, the following call uses the username sponsor with password mypass:
http://1.1.1.1/sponsor/api/GuestAccount.php?username=sponsor&password=mypass&method=create&firstName=John&surname=Carter&email=test@cisco.com&role=DEFAULT&company=Cisco&mobileNumber=1234548434532&phoneCode=123&startTime=20100210T10%3A45%3A00&endTime=20100211T13%3A15%3A00&timezone=Europe%2FLondon&timeProfile=default
Note
All fields must be URL encoded. For example, date/time fields have been encoded so that the colon is replaced with %3A.
Time Format
All dates/times must be specified in a particular ISO 8601 format: YYYYMMDDTHH:MM:SS where:
YYYY is the 4-digit year
MM is the 2-digit month
DD is the 2-digit day of the month
T is a literal T
HH is the 2-digit hour (24 hour format)
MM is the 2-digit minute
SS is the 2-digit second
API Operations
You can use the API by passing the details either through a POST or GET operation to the Cisco NAC Guest Server API. The following example shows a GET operation to obtain the version of the API and Cisco NAC Guest Server.
https://1.1.1.1/sponsor/api/GuestAccount.php?username=sponsor&password=mypass&method=getVersion
XML Response
All responses are provided in the following XML format:
<?xml version="1.0"?>
<response>
  <status>
    <code>0</code>
Appendix A
In the case of an error, the code and message elements are set with the error code and error text. Internal errors also return a <details> element that contains developer information to help address the issue.
create
The create method creates a guest user account in accordance with the sponsors permissions.
Required In Parameters
method (required): create
username (required): Sponsor account username
password (required): Sponsor account password
firstName (based on policy): Guest user first name
surname (based on policy): Guest user surname
email (based on policy): Guest user email address
role (required): The role in which the guest user is created
company (based on policy): Guest user company name
phonecode (based on policy): Telephone code for the Guest user mobile telephone (e.g. +44)
mobilenumber (based on policy): Mobile telephone number for the Guest user
timezone (required): The timezone in which the guest account is created (as detailed in Valid Timezones, page A-13)
option1 (based on policy): Optional data field 1
option2 (based on policy): Optional data field 2
option3 (based on policy): Optional data field 3
option4 (based on policy): Optional data field 4
option5 (based on policy): Optional data field 5
startTime (required): The time the account is due to start
endTime (required): The time the account should end
timeProfile (required): The time profile to use when creating the account
The following example creates an account with the following guest details:
First Name: John
Surname: Carter
Email: johncart@cisco.com
Role: DEFAULT (as created in the user role interface)
Company: Cisco
Mobile Number (cellphone): 12345 48434532
Phone Code: 123
Start Time: 29th November 2008 (midnight)
End Time: 30th November 2008 (midnight)
Timezone: Europe/London
Time Profile: StartEnd (as created in the time profile user interface)
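An added example (not Cisco's code) that builds the create call described above in Python: it renders the start and end times in the API's YYYYMMDDTHH:MM:SS form, percent-encodes every field with urllib (the colons become %3A and the timezone slash %2F), and also shows the same fields sent as a POST body over HTTPS, so that the sponsor password is not part of a URL that proxies and web-server access logs retain. Parameter spelling follows the worked create URL earlier in this appendix; the host 1.1.1.1 and the guest details are the manual's sample values.

```python
"""Build Cisco NAC Guest Server API calls (added example, not Cisco code)."""
from datetime import datetime
from urllib.parse import urlencode
from urllib.request import Request

API_PATH = "/sponsor/api/GuestAccount.php"
OPTION_FIELDS = {"option1", "option2", "option3", "option4", "option5"}


def api_time(dt):
    """Render a datetime in the API's ISO 8601 profile: YYYYMMDDTHH:MM:SS."""
    return dt.strftime("%Y%m%dT%H:%M:%S")


def create_params(username, password, *, first_name, surname, email, role,
                  company, phone_code, mobile_number, start, end, timezone,
                  time_profile, **options):
    """Assemble the fields of a create call as a plain dict.

    Key spelling follows the worked create URL in this appendix (firstName,
    mobileNumber, phoneCode, ...); option1..option5 may be given as keywords.
    """
    unknown = set(options) - OPTION_FIELDS
    if unknown:
        raise ValueError(f"unsupported fields: {sorted(unknown)}")
    if end <= start:
        raise ValueError("endTime must be later than startTime")
    params = {
        "username": username, "password": password, "method": "create",
        "firstName": first_name, "surname": surname, "email": email,
        "role": role, "company": company, "phoneCode": phone_code,
        "mobileNumber": mobile_number,
        "startTime": api_time(start), "endTime": api_time(end),
        "timezone": timezone, "timeProfile": time_profile,
    }
    params.update(options)
    return params


def get_url(host, params):
    """GET form of the call. urlencode percent-encodes every value, so the
    colons in the times become %3A and the slash in the timezone %2F, as the
    manual requires. The sponsor password is part of this URL and is kept by
    any proxy or web-server access log that records request lines."""
    return f"https://{host}{API_PATH}?{urlencode(params)}"


def post_request(host, params):
    """Equivalent POST over HTTPS: identical encoding, but the fields travel
    in the body, so the logged request line shows only the path."""
    body = urlencode(params).encode("ascii")
    return Request(f"https://{host}{API_PATH}", data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def sample_create_params():
    """The guest details from the worked create URL in this appendix
    (constructed sample; the password is the manual's placeholder)."""
    return create_params(
        "sponsor", "mypass", first_name="John", surname="Carter",
        email="test@cisco.com", role="DEFAULT", company="Cisco",
        phone_code="123", mobile_number="1234548434532",
        start=datetime(2010, 2, 10, 10, 45), end=datetime(2010, 2, 11, 13, 15),
        timezone="Europe/London", time_profile="default")


if __name__ == "__main__":
    params = sample_create_params()
    print(get_url("1.1.1.1", params))
    print(post_request("1.1.1.1", params).full_url)
```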
Step 2
Step 3
      </restriction>
      <restriction><id>45</id><weekDay>3</weekDay><startTime>00:00</startTime><endTime>08:59</endTime></restriction>
      <restriction><id>50</id><weekDay>3</weekDay><startTime>17:00</startTime><endTime>23:59</endTime></restriction>
      <restriction><id>51</id><weekDay>4</weekDay><startTime>17:00</startTime><endTime>23:59</endTime></restriction>
      <restriction><id>47</id><weekDay>5</weekDay><startTime>00:00</startTime><endTime>08:59</endTime></restriction>
      <restriction><id>54</id><weekDay>7</weekDay><startTime>00:00</startTime><endTime>23:59</endTime></restriction>
    </timeProfile>
  </account>
</response>
edit
The edit method edits an existing user account in accordance with the sponsor's permissions. You may edit any of the fields associated with an existing account with the following exceptions:
To edit an account, you must supply the account ID as returned by the create, page A-3 method.
Required In Parameters
method (required): edit
id (required): The database ID of the account to be edited
username (required): Sponsor account username
password (required): Sponsor account password
firstName (optional): Guest user first name
surname (optional): Guest user surname
email (optional): Guest user email address
group (optional): The role in which the guest user is created
company (optional): Guest user company name
phonecode (optional): Telephone code for the Guest user mobile telephone (e.g. +44)
cellnumber (optional): Cell telephone number for the Guest user
timezone (optional): The timezone in which the guest account is created (as detailed in Valid Timezones, page A-13)
option1 (optional): Optional data field 1
option2 (optional): Optional data field 2
option3 (optional): Optional data field 3
option4 (optional): Optional data field 4
option5 (optional): Optional data field 5
startTime (optional): The time the account is due to start
endTime (optional): The time the account should end
timeProfile (optional): The time profile to use when creating the account
The full account detail is returned as with the getDetails, page A-8 method.
<?xml version="1.0"?>
<response>
  <status>
    <code>0</code>
    <message>Success</message>
  </status>
  <account/>
  <account>
    <id>794</id>
    <firstName>John</firstName>
    <surname>Carter</surname>
    <company>Cisco</company>
    <email>johncart@cisco.com</email>
    <mobileNumber>12345678</mobileNumber>
    <phoneCode>123</phoneCode>
    <option1>1</option1>
    <option2>1</option2>
    <option3>1</option3>
    <option4>1</option4>
    <option5>1</option5>
    <username>jcarter</username>
    <password>cisco</password>
    <status>1</status>
    <bulkId/>
    <timezone>Europe/London</timezone>
    <startTimeT>2008-10-28T00:00:00+00:00</startTimeT>
    <endTimeT>2008-10-29T00:00:00+00:00</endTimeT>
    <role/>
    <createdTime/>
    <modifiedUsername/>
    <usage>
      <startTime>2008-08-07T04:06:32+01:00</startTime>
      <endTime>2008-08-07T04:06:33+01:00</endTime>
      <ipAddress>4.5.6.7</ipAddress>
    </usage>
    <usage>
      <startTime>2008-10-02T22:00:00+01:00</startTime>
      <endTime>2008-10-03T00:30:00+01:00</endTime>
      <ipAddress>4.5.6.7</ipAddress>
    </usage>
    <timeProfile>
      <id>2</id>
      <name>StartEnd</name>
      <description/>
      <duration>0</duration>
      <accountType>1</accountType>
      <durationUnit>Days</durationUnit>
      <durationInUnits>0</durationInUnits>
      <restriction><id>43</id><weekDay>1</weekDay><startTime>00:00</startTime><endTime>08:59</endTime></restriction>
      <restriction><id>45</id><weekDay>3</weekDay><startTime>00:00</startTime><endTime>08:59</endTime></restriction>
      <restriction><id>50</id><weekDay>3</weekDay><startTime>17:00</startTime><endTime>23:59</endTime></restriction>
      <restriction><id>51</id><weekDay>4</weekDay><startTime>17:00</startTime><endTime>23:59</endTime></restriction>
      <restriction><id>47</id><weekDay>5</weekDay><startTime>00:00</startTime><endTime>08:59</endTime></restriction>
      <restriction><id>54</id><weekDay>7</weekDay><startTime>00:00</startTime><endTime>23:59</endTime></restriction>
    </timeProfile>
  </account>
</response>
getDetails
The getDetails API gets a user's account details in accordance with the sponsor's permissions.
Required In Parameters
method (required): getDetails
username (required): Sponsor account username
password (required): Sponsor account password
id (one required): ID of the account to be retrieved
To get details for an existing account, use the getDetails API call, passing in the ID of the account as returned by the create, page A-3 method:
http://x.x.x.x/sponsor/api/GuestAccount.php?username=local&password=local&method=getDetails&id=815
Step 2
      <ipAddress>4.5.6.7</ipAddress>
    </usage>
    <timeProfile>
      <id>2</id>
      <name>StartEnd</name>
      <description/>
      <duration>0</duration>
      <accountType>1</accountType>
      <durationUnit>Days</durationUnit>
      <durationInUnits>0</durationInUnits>
      <restriction><id>43</id><weekDay>1</weekDay><startTime>00:00</startTime><endTime>08:59</endTime></restriction>
      <restriction><id>45</id><weekDay>3</weekDay><startTime>00:00</startTime><endTime>08:59</endTime></restriction>
      <restriction><id>50</id><weekDay>3</weekDay><startTime>17:00</startTime><endTime>23:59</endTime></restriction>
      <restriction><id>51</id><weekDay>4</weekDay><startTime>17:00</startTime><endTime>23:59</endTime></restriction>
      <restriction><id>47</id><weekDay>5</weekDay><startTime>00:00</startTime><endTime>08:59</endTime></restriction>
      <restriction><id>54</id><weekDay>7</weekDay><startTime>00:00</startTime><endTime>23:59</endTime></restriction>
    </timeProfile>
  </account>
</response>
suspend
The suspend method suspends a user account in accordance with the sponsor's permissions.
Required In Parameters
password (required): Sponsor account password
id (required): The database ID of the account to be suspended
notifyEmail
The notifyEmail method sends an email message to the guest's email account. It returns the same XML as getDetails, page A-8.
Required In Parameters
method (required): notifyEmail
username (required): Sponsor account username
password (required): Sponsor account password
id (required): The database ID of the account to be emailed
from (required): The email address from which to send the email
to (required): The email address to send the email to
notifySms
The notifySms method sends an SMS message to the guest's mobile (cell) phone. It returns the same XML as getDetails, page A-8.
Required In Parameters
method (required): notifySms
username (required): Sponsor account username
password (required): Sponsor account password
id (required): The database ID of the account to be emailed
getVersion
The getVersion method shows the current API version.
Required In Parameters
method (required): getVersion
username (required): Sponsor account username
password (required): Sponsor account password
search
The search API returns guest account details for reporting purposes according to the sponsor's permissions and configuration, as described in Managing Guest Accounts, page 17-15 of the sponsor interface.
Note
The search API is only available from version 2.0.1 and later.
Required In Parameters
username (required): sponsor account username
password (required): sponsor account password
method (required): search
sponsor (optional): sponsor username
firstName (optional): guest user first name
surname (optional): guest user surname
company (optional): guest user company name
email (optional): guest user email address
ipAddress (optional)
startTime (optional): YYYY-MM-DD
endTime (optional): YYYY-MM-DD
timezone (optional): Timezone in which the account is created
option1 (optional):
option2 (optional):
option3 (optional):
option4 (optional):
option5 (optional):
statusInactive (optional):
statusActive (optional):
stautsExpired (optional):
statusSuspended (optional):
    further account details meeting the request criteria
  </item>
  <item>
    further account details meeting the request criteria
  </item>
  <item>
    further account details meeting the request criteria
  </item>
</response>
Status Codes
The account status is returned via XML and contains the following values:
Error Codes
The following error codes are returned in the <code> element of the response (Value - Description):
0 - No error
1 - Internal application error
100 - Incorrect sponsor username and/or password
101 - Cannot access API via HTTPS (controlled by administrator)
102 - Cannot access API via HTTP (controlled by administrator)
1000 - Some required fields are missing (listed in the message)
1001 - Sending SMS messages disabled by administrator
1002 - Sending Emails disabled by administrator
1003 - The passed account ID does not exist
1004 - Some fields are incorrect (listed in the message)
1005 - Some fields cannot be changed using the edit method
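An added example (not Cisco's code) that consumes the XML response format used by every method in this appendix: it reads the <status><code> and maps it to the error codes listed above, raises on a non-zero code (keeping the <message> and any <details> element), and summarises the <account> block, its <usage> sessions and the time-profile <restriction> entries while deliberately leaving out the clear-text <password> the API returns, so the summary can be written to a log. Both sample responses below are constructed from the fields shown in the getDetails and edit examples; the error message text is invented.

```python
"""Parse Cisco NAC Guest Server API responses (added example, not Cisco code)."""
import xml.etree.ElementTree as ET

# Error codes as listed in this appendix, keyed by the <code> value.
ERROR_CODES = {
    0: "No error",
    1: "Internal application error",
    100: "Incorrect sponsor username and/or password",
    101: "Cannot access API via HTTPS (controlled by administrator)",
    102: "Cannot access API via HTTP (controlled by administrator)",
    1000: "Some required fields are missing (listed in the message)",
    1001: "Sending SMS messages disabled by administrator",
    1002: "Sending Emails disabled by administrator",
    1003: "The passed account ID does not exist",
    1004: "Some fields are incorrect (listed in the message)",
    1005: "Some fields cannot be changed using the edit method",
}

# Account fields kept in a summary; <password> is deliberately absent because
# the API returns the guest password in clear text.
SUMMARY_FIELDS = ("id", "username", "firstName", "surname", "company", "email",
                  "status", "timezone", "startTimeT", "endTimeT")


class GuestApiError(Exception):
    """Raised for a non-zero <code>; carries the server's message and details."""

    def __init__(self, code, message, details=None):
        text = ERROR_CODES.get(code, "Unknown error code")
        super().__init__(f"API error {code} ({text}): {message}")
        self.code, self.message, self.details = code, message, details


def describe_status(xml_text):
    """Return (code, description) from the <status> block without raising."""
    status = ET.fromstring(xml_text).find("status")
    if status is None or status.findtext("code") is None:
        raise ValueError("response has no <status><code>")
    code = int(status.findtext("code"))
    return code, ERROR_CODES.get(code, "Unknown error code")


def parse_response(xml_text):
    """Return the <response> element, or raise GuestApiError on failure."""
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError(f"unexpected root element <{root.tag}>")
    code, _ = describe_status(xml_text)
    if code != 0:
        status = root.find("status")
        raise GuestApiError(code, status.findtext("message", ""),
                            status.findtext("details"))
    return root


def account_summary(root):
    """Summarise the first populated <account>: identity fields, usage
    sessions and the time-profile restrictions as (weekDay, start, end)."""
    accounts = [a for a in root.findall("account") if len(a)]  # skip <account/>
    if not accounts:
        raise ValueError("no populated <account> element in response")
    acct = accounts[0]
    summary = {field: acct.findtext(field) for field in SUMMARY_FIELDS}
    summary["sessions"] = [
        (u.findtext("startTime"), u.findtext("endTime"), u.findtext("ipAddress"))
        for u in acct.findall("usage")]
    summary["restrictions"] = [
        (int(r.findtext("weekDay")), r.findtext("startTime"), r.findtext("endTime"))
        for r in acct.iter("restriction")]
    return summary


# Constructed sample responses, trimmed from the getDetails example fields.
SAMPLE_OK = """<?xml version="1.0"?>
<response>
  <status><code>0</code><message>Success</message></status>
  <account/>
  <account>
    <id>794</id><firstName>John</firstName><surname>Carter</surname>
    <company>Cisco</company><email>johncart@cisco.com</email>
    <username>jcarter</username><password>cisco</password><status>1</status>
    <timezone>Europe/London</timezone>
    <startTimeT>2008-10-28T00:00:00+00:00</startTimeT>
    <endTimeT>2008-10-29T00:00:00+00:00</endTimeT>
    <usage><startTime>2008-10-02T22:00:00+01:00</startTime>
      <endTime>2008-10-03T00:30:00+01:00</endTime><ipAddress>4.5.6.7</ipAddress></usage>
    <timeProfile><id>2</id><name>StartEnd</name>
      <restriction><id>43</id><weekDay>1</weekDay><startTime>00:00</startTime><endTime>08:59</endTime></restriction>
      <restriction><id>54</id><weekDay>7</weekDay><startTime>00:00</startTime><endTime>23:59</endTime></restriction>
    </timeProfile>
  </account>
</response>"""

# Constructed failure response; the message wording is invented.
SAMPLE_ERR = """<?xml version="1.0"?>
<response><status><code>1003</code><message>id 815 not found</message></status></response>"""

if __name__ == "__main__":
    print(account_summary(parse_response(SAMPLE_OK)))
    print(describe_status(SAMPLE_ERR))
```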
Valid Timezones
Africa/Abidjan Africa/Accra Africa/Addis_Ababa Africa/Algiers Africa/Asmara Africa/Bamako Africa/Bangui Africa/Banjul Africa/Bissau Africa/Blantyre Africa/Brazzaville Africa/Bujumbura Africa/Cairo Africa/Casablanca Africa/Ceuta Africa/Conakry Africa/Dakar Africa/Dar_es_Salaam Africa/Djibouti Africa/Douala Africa/El_Aaiun Africa/Freetown Africa/Gaborone Africa/Harare Africa/Johannesburg Africa/Kampala Africa/Khartoum Africa/Kigali Africa/Kinshasa Africa/Lagos Africa/Libreville Africa/Lome Africa/Luanda Africa/Lubumbashi Africa/Lusaka Africa/Malabo Africa/Maputo Africa/Maseru Africa/Mbabane Africa/Mogadishu Africa/Monrovia Africa/Nairobi
Africa/Ndjamena Africa/Niamey Africa/Nouakchott Africa/Ouagadougou Africa/Porto-Novo Africa/Sao_Tome Africa/Tripoli Africa/Tunis Africa/Windhoek America/Adak America/Anchorage America/Anguilla America/Antigua America/Araguaina America/Argentina/Buenos_Aires America/Argentina/Catamarca America/Argentina/Cordoba America/Argentina/Jujuy America/Argentina/La_Rioja America/Argentina/Mendoza America/Argentina/Rio_Gallegos America/Argentina/San_Juan America/Argentina/Tucuman America/Argentina/Ushuaia America/Aruba America/Asuncion America/Atikokan America/Bahia America/Barbados America/Belem America/Belize America/Blanc-Sablon America/Boa_Vista America/Bogota America/Boise America/Cambridge_Bay America/Campo_Grande America/Cancun America/Caracas America/Cayenne America/Cayman America/Chicago America/Chihuahua America/Costa_Rica America/Cuiaba America/Curacao America/Danmarkshavn America/Dawson America/Dawson_Creek America/Denver America/Detroit America/Dominica America/Edmonton America/Eirunepe America/El_Salvador America/Fortaleza America/Glace_Bay America/Godthab America/Goose_Bay America/Grand_Turk America/Grenada America/Guadeloupe America/Guatemala America/Guayaquil America/Guyana America/Halifax America/Havana America/Hermosillo America/Indiana/Indianapolis America/Indiana/Knox America/Indiana/Marengo America/Indiana/Petersburg America/Indiana/Tell_City America/Indiana/Vevay America/Indiana/Vincennes America/Indiana/Winamac America/Inuvik America/Iqaluit America/Jamaica America/Juneau America/Kentucky/Louisville America/Kentucky/Monticello America/La_Paz America/Lima America/Los_Angeles America/Maceio America/Managua America/Manaus America/Martinique America/Mazatlan America/Menominee America/Merida America/Mexico_City America/Miquelon America/Moncton America/Monterrey America/Montevideo America/Montreal America/Montserrat America/Nassau America/New_York America/Nipigon America/Nome America/Noronha America/North_Dakota/Center America/North_Dakota/New_Salem 
America/Panama America/Pangnirtung America/Paramaribo America/Phoenix America/Port-au-Prince America/Port_of_Spain America/Porto_Velho America/Puerto_Rico America/Rainy_River America/Rankin_Inlet America/Recife America/Regina America/Resolute America/Rio_Branco America/Santiago America/Santo_Domingo America/Sao_Paulo America/Scoresbysund America/Shiprock America/St_Johns America/St_Kitts America/St_Lucia America/St_Thomas America/St_Vincent America/Swift_Current America/Tegucigalpa America/Thule America/Thunder_Bay America/Tijuana America/Toronto America/Tortola America/Vancouver America/Whitehorse America/Winnipeg America/Yakutat America/Yellowknife Antarctica/Casey Antarctica/Davis Antarctica/DumontDUrville Antarctica/Mawson Antarctica/McMurdo Antarctica/Palmer Antarctica/Rothera Antarctica/South_Pole Antarctica/Syowa Antarctica/Vostok Arctic/Longyearbyen Asia/Aden Asia/Almaty Asia/Amman Asia/Anadyr Asia/Aqtau Asia/Aqtobe Asia/Ashgabat Asia/Baghdad Asia/Bahrain Asia/Baku Asia/Bangkok Asia/Beirut Asia/Bishkek Asia/Brunei Asia/Calcutta Asia/Choibalsan Asia/Chongqing Asia/Colombo Asia/Damascus Asia/Dhaka Asia/Dili Asia/Dubai Asia/Dushanbe Asia/Gaza Asia/Harbin Asia/Hong_Kong Asia/Hovd Asia/Irkutsk Asia/Jakarta Asia/Jayapura Asia/Jerusalem Asia/Kabul Asia/Kamchatka Asia/Karachi Asia/Kashgar Asia/Katmandu Asia/Krasnoyarsk Asia/Kuala_Lumpur Asia/Kuching Asia/Kuwait Asia/Macau Asia/Magadan Asia/Makassar Asia/Manila Asia/Muscat Asia/Nicosia Asia/Novosibirsk Asia/Omsk Asia/Oral Asia/Phnom_Penh Asia/Pontianak Asia/Pyongyang Asia/Qatar Asia/Qyzylorda Asia/Rangoon Asia/Riyadh Asia/Saigon Asia/Sakhalin Asia/Samarkand Asia/Seoul Asia/Shanghai Asia/Singapore Asia/Taipei Asia/Tashkent Asia/Tbilisi Asia/Tehran Asia/Thimphu Asia/Tokyo Asia/Ulaanbaatar Asia/Urumqi Asia/Vientiane Asia/Vladivostok Asia/Yakutsk Asia/Yekaterinburg Asia/Yerevan Atlantic/Azores Atlantic/Bermuda Atlantic/Canary Atlantic/Cape_Verde Atlantic/Faroe Atlantic/Jan_Mayen Atlantic/Madeira Atlantic/Reykjavik 
Atlantic/South_Georgia Atlantic/Stanley Atlantic/St_Helena Australia/Adelaide Australia/Brisbane Australia/Broken_Hill Australia/Currie Australia/Darwin Australia/Eucla Australia/Hobart Australia/Lindeman Australia/Lord_Howe Australia/Melbourne Australia/Perth Australia/Sydney Europe/Amsterdam Europe/Andorra Europe/Athens Europe/Belgrade Europe/Berlin Europe/Bratislava Europe/Brussels Europe/Bucharest Europe/Budapest Europe/Chisinau Europe/Copenhagen Europe/Dublin Europe/Gibraltar Europe/Guernsey Europe/Helsinki Europe/Isle_of_Man Europe/Istanbul Europe/Jersey
Europe/Kaliningrad Europe/Kiev Europe/Lisbon Europe/Ljubljana Europe/London Europe/Luxembourg Europe/Madrid Europe/Malta Europe/Mariehamn Europe/Minsk Europe/Monaco Europe/Moscow Europe/Oslo Europe/Paris Europe/Podgorica Europe/Prague Europe/Riga Europe/Rome Europe/Samara Europe/San_Marino Europe/Sarajevo Europe/Simferopol Europe/Skopje Europe/Sofia Europe/Stockholm Europe/Tallinn Europe/Tirane Europe/Uzhgorod Europe/Vaduz Europe/Vatican Europe/Vienna Europe/Vilnius Europe/Volgograd Europe/Warsaw Europe/Zagreb Europe/Zaporozhye Europe/Zurich Indian/Antananarivo Indian/Chagos Indian/Christmas Indian/Cocos Indian/Comoro Indian/Kerguelen Indian/Mahe Indian/Maldives Indian/Mauritius Indian/Mayotte Indian/Reunion Pacific/Apia Pacific/Auckland Pacific/Chatham Pacific/Easter Pacific/Efate Pacific/Enderbury Pacific/Fakaofo Pacific/Fiji Pacific/Funafuti Pacific/Galapagos Pacific/Gambier Pacific/Guadalcanal Pacific/Guam Pacific/Honolulu Pacific/Johnston Pacific/Kiritimati Pacific/Kosrae Pacific/Kwajalein Pacific/Majuro Pacific/Marquesas Pacific/Midway Pacific/Nauru Pacific/Niue Pacific/Norfolk Pacific/Noumea Pacific/Pago_Pago Pacific/Palau Pacific/Pitcairn Pacific/Ponape Pacific/Port_Moresby Pacific/Rarotonga Pacific/Saipan Pacific/Tahiti Pacific/Tarawa Pacific/Tongatapu Pacific/Truk Pacific/Wake Pacific/Wallis
APPENDIX B
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
OpenSSL License:
Copyright 1998-2007 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)."
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
B-1
Appendix B Notices
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)."
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License:
Copyright 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com). Copyright remains Eric Youngs, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)". The word "cryptographic" can be left out if the routines from the library being used are not cryptography-related.
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product includes software written by Tim Hudson (tjh@cryptsoft.com)".
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].