Unable to access NAC using http

Vinayaka Raman
Level 1

Somehow there is an access restriction to my NAC box through http. I can access this box via ssh. Please suggest how I can configure the device using ssh for http access.

https://10.48.252.65/admin

The error message when I access through http is: Access not allowed from your IP address [100.9.254.27]

Regards Vinayak
9 Replies

Tarik Admani
VIP Alumni

Looks like someone may have turned on IP Access Restriction on your device. What you can try to do is see if you can remote into a server that is on the same subnet as the manager and see if you can either add or turn this feature off.

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cam/m_admin.html#wp1274044

Thanks,

Tarik Admani
*Please rate helpful posts*

This is in the DMZ and we do not have any servers in the same subnet.

I wanted to try this option you listed in the URL

Step 1 Delete the contents of the /perfigo/control/apache/conf/sslacc.conf file in CAM.

Step 2 Run the command /perfigo/control/bin/startapache_g in CAM.

Step 3 This will unlock CAM web console.

Step 4 Login to the CAM web console, edit the access restriction list, and click Update

But can you help me locate these files on my box? Here is the structure of my file system:

[root@grvguestconnectauth /]# ls
bin   dev  guest  lib         media  opt   root  selinux  sys  usr
boot  etc  home   lost+found  mnt    proc  sbin  srv

Regards Vinayak

Is this a guest server? I may have jumped the gun on this one. If so what version or device are you trying to connect to?

thanks,

Tarik Admani
*Please rate helpful posts*

Yes, it is a guest server, version 2.0.2.

Regards Vinayak

The steps above will not work since those are for the CAM (clean access manager). However here is the feature that someone may have turned on - http://www.cisco.com/en/US/docs/security/nac/guestserver/configuration_guide/20/g_setup.html#wp1074918

The safest option at this point is to take a backup of your database and open a TAC case and see if they can unlock this for you.

thanks,

Tarik Admani
*Please rate helpful posts*

I got it from TAC

1. Connect to the NGS CLI (either with SSH or console cable) and login as root.

2. Enter the SQL command line with:

   psql -h 127.0.0.1 gapdb -U postgres

3. List the contents of the access restrictions table with the command below and send me the output for verification:

   select * from allowed_ip_addresses;

The output should look like this (in my case only one line is entered, customer may have more values):

 aip_id |    app    |     range      |            created            | ended
--------+-----------+----------------+-------------------------------+-------
      5 | NGS_ADMIN | 144.254.7.0/24 | 2011-10-11 15:03:37.173076+02 |
(1 row)

4. If there are values in the table, you can delete them with the command:

   truncate allowed_ip_addresses;

Regards Vinayak
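
An added example, not part of the original posts or of Cisco's tooling: a small Python check that parses the output of step 3 and reports whether a client address falls inside any listed range, so the restriction can be confirmed as the cause before the table is truncated. The sample table is constructed in the shape shown above, the function names are hypothetical, and treating an empty table as "no restriction" is an assumption drawn from step 4.

```python
import ipaddress

# Constructed sample: psql output in the shape shown in the post above.
SAMPLE = """\
 aip_id |    app    |     range      |            created            | ended
--------+-----------+----------------+-------------------------------+-------
      5 | NGS_ADMIN | 144.254.7.0/24 | 2011-10-11 15:03:37.173076+02 |
(1 row)
"""

def parse_psql_table(text):
    """Turn aligned psql output into a list of dicts keyed by column name."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = [c.strip() for c in lines[0].split("|")] if lines else []
    rows = []
    for line in lines[1:]:
        if set(line.strip()) <= set("-+") or line.strip().startswith("("):
            continue  # separator line or "(N rows)" footer
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != len(header):
            continue  # wrapped or damaged line; skip rather than guess
        rows.append(dict(zip(header, cells)))
    return rows

def matching_ranges(rows, client_ip, app="NGS_ADMIN"):
    """Return the ranges recorded for `app` that contain client_ip."""
    ip = ipaddress.ip_address(client_ip)
    hits = []
    for row in rows:
        if row.get("app") != app:
            continue
        try:
            net = ipaddress.ip_network(row["range"], strict=False)
        except ValueError:
            continue  # value is not a parseable address or CIDR block
        if ip.version == net.version and ip in net:
            hits.append(row["range"])
    return hits

def explain(text, client_ip):
    rows = parse_psql_table(text)
    if not rows:
        return "table empty: no restriction configured"  # assumption, see lead-in
    hits = matching_ranges(rows, client_ip)
    return f"allowed by {hits}" if hits else f"{client_ip} not in any listed range"

if __name__ == "__main__":
    print(explain(SAMPLE, "100.9.254.27"))  # address from the error message
```

Paste the real output of step 3 in place of SAMPLE and pass the address from the browser error message.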

Glad to hear that they got you squared away and that you posted this on the thread; it will help anyone in the future who runs across this issue.

Thanks,

Tarik Admani
*Please rate helpful posts*

You are welcome.

Can you help me locate the doc or support thread that describes how guest traffic web-redirection happens between the Anchor controller and NAC?

Regards Vinayak

Hi,

The guides are a little dated. As long as you have the anchor controller configured for the guest network, all the radius configuration is done on the wlan settings on the anchor controller only.

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00809d6b9a.shtml

Here is a guide that will help you understand how to configure external web authentication:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076f974.shtml#c5

Once again, these guides are a little dated, but so is the NGS product, and this should help you get started in the right direction.

Also keep in mind that when you make any changes to the NGS radius config, you always have to hit the restart button in the NGS config for the changes to take effect.

Thanks,

Tarik Admani
*Please rate helpful posts*