Showing results for 
Search instead for 
Did you mean: 

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

Not applicable

ACS 5.2 NAC Guest Sponor Radius Authentication

For some reason, i can't get the lobby "sponsors" to authentication to the Guest NAC server (2.0.2) using ACS 5.2 via Radius.

I was able to figure out how to get the Guest NAC Radius Authentication for "Administrator" to work by adding custom Radius value IEFT-6 under...

  • Policy Elements
  • Authorization & permissions
  • Network Access
  • Authorization Profiles

I added a policy & under the Radius Attributes Tab... I manually entered an Attribute that looks like the following:

  • Dictionary Type: = RADIUS-IETF
  • Radius Attribute: = Service-Type
  • Attribute Type: = Enumeration
  • Attribute Value: = Static
  • Value = "Administrative" 

I then created an Access Policy... I looked for a specific AD group - Result = "Name of Custom Policy Above"...

All of that is working just fine.... the NAC Guest Docs tell you the Radius server must return a value of IETF-6...

When it gets into the Sponsor section, it doesn't tell you the value your Radius server should return... so just for grins, instead of "Name of Custom Policy Above", I tried "Permit Access"... i tried the "Name of Custom Policy above"...  Not sure what else to try to get this to work... Anyone have any ideas???

here is a like to the document i'm following:

Page 68 refers to the "Configuring Sponsor Authentication" for Radius.. it just tell you to add the Radius Server & change the authentication order...

Cisco Employee

I just tried this here in my lab and you seem to have the authorization profile set up correctly for service-type administrative.  Are you seeing a passed authentication on your ACS for the login?  If so check the authetnication details and make sure you are passing back the correct authorization profile.


Not applicable

Hey Jesse,

Can you confirm you have this working for "lobby sponsors".. i have this working correctly for the adminsitrators, but not the Lobby sponsors.  How did you tell ACS they would only get the sponsor screen?  For Admins, the documentation is clear you need to return IETF6 - administrative but it doesn't mention anything for the Lobby sponsors what value to return???

As for do i see a passed or failed attempt in the logs?  The answer is no.. it's like it's not even hitting ACS to validate the credentials for the sponsors (however, when i login with https://guestnacname/admin I do see the attempt in the logs... really strange???

On Guest NAC

  • Authentication -> Sponsors -> Radius
    • I added our ACS 5.2 server
  • Authentication -> Sponsors -> Authentication order
    • I have that ACS 5.2 server listed first

Are you using "Sponsors" or "Sponsor User Groups"....???

So on the ACS side, I have 2 authorization policies (one 1 Administrators & 1 for Lobby Sponsors)

  • Administrations -> checks for a particular AD group & the Authorization Profile = the NAC_GAS_Radius (returns IETF-6)
  • Lobby Sponsors -> checks for a diffierent AD group & the Authorization Profile = "Permit Access"

Is your ACS configured the same???

Cisco Employee

Use NAS-Prompt (7) instead of Administrative (6) for sponsor users.


Not applicable

Let's just say it helps greatly when you have the correct IP address for your ACS server in the sponsor Radius settings...:o( (i had the wrong first octet) on the sponsor side... which explains why the admin side was working...

thanks for the NAS-Prompt-7 btw.. that is not in the documentation...

The only issue i have now.. let's say i try & login with a user that is not in the authorized groups for admins... it will return a failure on the NACGAS side but the Radius logs on ACS show "success"... i would expect ACS to show a failure & report something like not in authorized group" or "access group filter".. or something to that affect... It's gonna make troubleshooting more difficult b/c i'm expecting to see a failed message rather a success in the ACS logs to match the failed attempt on the NACGAS side.. can you confirm your lab behaves the same?

Thanks for you help btw!!!!

Cisco Employee

There is no difference between a sponsor authentication request and an admin sponsor request so you are going to see the passed authentication on the ACS and depending on what service-type you pass to the NGS you will see a pass or failure.  That is the nature of Radius authorization.


Not applicable

Thanks Jesse for all of your assistance on this issue!!!

Can you tell me what you are using for the Class Attribute value under Authentication > Sponsor User Groups > (Sponsor group) > Radius Mapping?  I don't see anywhere in the docs that say what to enter.

Thanks in advance.


For Lobby Sponsors... It's NAS-Prompt - 7


Maybe late, but...

In NGS 2.0, you can still cannot tell administrators from sponsors on request, but you can differentiate when replying.

Administrators check the "Service-type" attribute in ACS replies.

- Service-type=6. if not, no admin access granted

Sponsor just check the "Class" attribute in ACS replies.

- Class is a free-form string attribute.

  You can use this to map different Sponsor User Group (see RADIUS mapping section in )

hope this may help.


Recognize Your Peers
Which of these topics should we host an event in the Community?

Top Choice: ISE Demo (100%)

Content for Community-Ad

ISE Webinars

Did you miss a previous ISE webinar?

CiscoISE YouTube Channel