
Guest Users

estelamathew

Hello Experts,

I have set up a NAC in L2 In-Band Virtual Mode. I'm concerned about users who are guests coming into the corporate office for a meeting, and others for hourly purposes; I don't want them to access the Internet and the network by bypassing NAC.

The requirements for corporate users are antivirus updates and WSUS updates, but this is not possible for them because it is their own company's laptop with their own corporate policy.

How can I handle such users?

Thanks.

11 Replies

Federico Ziliotto
Cisco Employee

Hi Mathew,

You may want to look into the guest access feature, to still provide visitors with network access, but maybe with some bandwidth or traffic restrictions:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_pages.html#wp1040933

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hello Federico,

What I understand by "Enable the Preset "Guest" User Account":

We should specify a different role for the guest user and configure that role with login redirection, traffic control, and timeout policies as appropriate for guest users on your network.

I didn't get what login redirection is.

With this method, the Guest Access button is enabled on the user login page. When a visitor clicks the button, the username and password guest/guest are sent to the CAM for authentication, and the guest user can be immediately redirected to the desired web page.

How will the user login page pop up?

The steps are not clear to me; please help step by step.

Thanks

Hi Mathew,

The guest login redirection will be triggered when a user opens a web browser and tries to HTTP to any IP.

The HTTP GET will hit the CAS and the redirection to the login page will start.

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hello Federico,

Happy to receive mail from such experts.

This is the big problem I'm facing since I did the installation and configuration of NAC. As I have read in the book, when we open a browser and try to access any website it should hit the CAS and the login page should be displayed, but this is not happening for me. Instead of hitting any website, I'm manually typing the CAS IP address https://10.10.10.10 and then it redirects me to the login page. BUT on this page I don't see any Guest Access button as mentioned in the User Guide statement below. Do I have to customize the GUEST ACCESS button in the user login page?

With this method, the Guest Access button is enabled on the user login page. When a visitor clicks the button, the username and password guest/guest are sent to the CAM for authentication, and the guest user can be immediately redirected to the desired web page. Note that you must configure a new user role to which to associate the guest user.

Hi Mathew,

Instead of typing the CAS IP address specifically, do you get redirected when you try to browse even to a bogus IP?
Something like http://2.2.2.2/
If positive, then there may be an issue in the DNS configuration of the client, or in the DNS traffic allowed by the CAS for the unauthenticated role.
For example, under

User Management > User Roles > Unauthenticated Role [policies] > Traffic Control > Host

please verify that the table "Trusted DNS Server" at the bottom of the page contains the default " * Any DNS Server " entry.

Back to the guest login button, you'd need to verify that you went through the 4 steps listed under the section "Configure Guest User Registration":
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_pages.html#wp1098738

In particular, step #3 covers how to enable the guest option on the login redirection page:
- Go to Administration > User Pages > Login Page > List | Edit > Content page
– Enable the Provider Label and click the checkbox corresponding to the Guest authentication provider type you have configured under Available Providers to ensure it appears in the list of available authentication sources in the Providers options users see on the login page.
– Enable both the Guest Label and Guest Registration Required options to ensure users see the Guest login option on the login page.
If you do not enable all of these options on the Administration > User Pages > Login Page, Guest User Registration users do not see the option to log in as a guest.

All 4 steps are necessary for the final guest login feature to work, so I'd strongly recommend verifying that the full procedure is covered.

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
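The two checks Fede suggests above (can the unauthenticated client resolve names at all, and does an HTTP GET to a bogus IP such as http://2.2.2.2/ come back as a redirect to the CAS login page) can be scripted from the guest laptop. The following is an added example, not code from the thread or from Cisco. The CAS address 10.10.10.10 is the one the thread mentions; the raw HTTP responses embedded below are constructed samples, not captures, and the /auth/login path in them is illustrative, not the real CAS login URL.

```python
"""Client-side checks for NAC Appliance login redirection (added example)."""
import re
import socket
from typing import Optional
from urllib.parse import urlsplit

CAS_IP = "10.10.10.10"   # CAS address from the thread
BOGUS_IP = "2.2.2.2"     # an address that should never answer on its own

# Constructed sample responses, in the shapes a captive portal can answer with.
SAMPLE_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://10.10.10.10/auth/login?uri=http%3A%2F%2F2.2.2.2%2F\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_META = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<html><head><meta http-equiv="refresh" '
    'content="0; url=https://10.10.10.10/auth/login"></head></html>'
)
SAMPLE_OTHER_HOST = "HTTP/1.1 302 Found\r\nLocation: http://203.0.113.9/login\r\n\r\n"
SAMPLE_NO_REDIRECT = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>plain page, no portal</body></html>"
)


def redirect_target(raw_response: str) -> Optional[str]:
    """Return the URL a browser would follow from one raw HTTP response, or None.

    Covers a 30x Location header plus the meta-refresh and JavaScript
    location assignment that portals use when they answer 200 instead.
    """
    head, _, body = raw_response.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if 300 <= status < 400 and "location" in headers:
        return headers["location"]
    m = re.search(r'http-equiv=["\']?refresh["\']?[^>]*?url=([^"\'>\s]+)', body, re.I)
    if m:
        return m.group(1)
    m = re.search(r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', body)
    return m.group(1) if m else None


def redirected_to_cas(raw_response: str, cas_ip: str = CAS_IP) -> bool:
    """True when the response sends the browser to the CAS, whatever the mechanism."""
    target = redirect_target(raw_response)
    return target is not None and urlsplit(target).hostname == cas_ip


def resolve(name: str) -> Optional[str]:
    """nslookup equivalent; None means the unauthenticated client has no working DNS."""
    try:
        return socket.getaddrinfo(name, 80, socket.AF_INET)[0][4][0]
    except socket.gaierror:
        return None


def fetch_raw(ip: str, path: str = "/", timeout: float = 5.0) -> str:
    """One plain HTTP GET to ip:80, returned raw so that no redirect is followed."""
    request = f"GET {path} HTTP/1.1\r\nHost: {ip}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((ip, 80), timeout=timeout) as s:
        s.sendall(request.encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    # Run from the unauthenticated (auth VLAN) client.
    print("DNS:", resolve("www.google.com")
          or "resolution FAILED (check client DNS and the Unauthenticated Role DNS policy)")
    try:
        raw = fetch_raw(BOGUS_IP)
        print("redirected to CAS:", redirected_to_cas(raw), "| target:", redirect_target(raw))
    except OSError as exc:
        # No answer at all: the CAS did not intercept the GET (wrong VLAN, or
        # the client's traffic is not passing through the CAS).
        print("no response from bogus IP:", exc)
```

If DNS fails but the bogus-IP GET is redirected, the client itself is fine and the problem is in name resolution (client DNS settings or the Unauthenticated Role's Trusted DNS Server policy); if neither works, the client's traffic is not reaching the CAS at all.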

Hello Federico,

  • Instead of typing the CAS IP address in the specific, do you get redirected when you try to browse even to a bogus IP? Something like http://2.2.2.2/
    Yes, I tried it; it doesn't work, Internet Explorer gives a "page cannot be displayed" error.

  • If positive, then there may be an issue in the DNS configuration of the client,
    I think the problem is in the DNS server? When I do nslookup it doesn't resolve. How can I solve such problems?

  • For example, under or in the DNS traffic allowed by the CAS for the unauthenticated role
    Policies are perfect.

Steps for a guest user to log in; please correct me if I'm wrong, I have configured each and every step as per the instructions (assuming the redirection is working):

  • Create a Guest role
  • Permit DHCP and DNS traffic
  • Guest connects a laptop to a switch auth VLAN port and gets an IP address and DNS by DHCP server.
  • Guest tries to open google.com and is redirected to the login page, as attached.
  • Guest clicks the Guest Access button and is routed to the guest registration prompts, as attached.
  • Finally the guest fills in his details and is given access.
  • If I want to allow internet access to guests then I should only permit the proxy IP address with port 8080? Correct me if I'm wrong.

Why do we need the provider label in option #3 instead of clicking on the Guest Access button, which routes to the guest registration page?

(Enable the Provider Label and click the checkbox corresponding to the Guest authentication provider type you have configured under Available Providers to ensure it appears in the list of available authentication sources in the Providers options users see on the login page.)

Thanks

Hi Mathew,

It would look as if there is definitely something going on with DNS, if your client (even if unauthenticated) cannot resolve addresses.

To allow internet access to your guests, you'd need to configure the traffic policies accordingly.

In case your guests are simply using a proxy, then just the proxy IP and ports should be enough.

Regarding the provider label and the guest access button, we enable both of them in case a guest user with already created credentials would like to login.

In such a situation, already existing guest users are not required to create new credentials each time, but they can simply choose the guest authentication provider and use some previously created username/password.

Regards,

Fede

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
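The traffic policy the thread converges on for the guest role (untrusted to trusted: DHCP, DNS, and only the proxy IP and port for Internet access) is configured in the CAM GUI, but it is worth checking what it actually permits before letting guests on. The following is an added example, not code from the thread and not Cisco's configuration format: it models the guest role's policy as an ordered first-match rule list with an implicit final block, then probes it with the flows a guest laptop would generate, including the direct port 80/443 attempts that would bypass the proxy. The resolver 10.10.10.53, proxy 10.10.20.5, internal host 10.10.30.7 and Internet host 203.0.113.10 are constructed addresses; the second policy shows what changes when DNS is opened to any server instead of the corporate resolver.

```python
"""Guest role traffic policy modelled as a first-match list (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "block"
    proto: str           # "tcp", "udp" or "any"
    trusted: str         # destination network on the trusted side, CIDR
    port: Optional[int]  # destination port, None = any port


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_ip: str
    dst_port: int


# What the thread settles on for the guest role (addresses constructed).
GUEST_POLICY: List[Rule] = [
    Rule("allow", "udp", "0.0.0.0/0", 67),        # DHCP discover/request (broadcast or relay)
    Rule("allow", "udp", "10.10.10.53/32", 53),   # DNS, corporate resolver only
    Rule("allow", "tcp", "10.10.20.5/32", 8080),  # web proxy: the only path to the Internet
]

# Looser variant for comparison: DNS permitted to any server, i.e. UDP/53 anywhere.
ANY_DNS_POLICY: List[Rule] = [
    Rule("allow", "udp", "0.0.0.0/0", 67),
    Rule("allow", "udp", "0.0.0.0/0", 53),
    Rule("allow", "tcp", "10.10.20.5/32", 8080),
]


def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First matching rule wins; no match means the implicit final block."""
    dst = ip_address(flow.dst_ip)
    for rule in policy:
        if rule.proto not in ("any", flow.proto):
            continue
        if dst not in ip_network(rule.trusted):
            continue
        if rule.port is not None and rule.port != flow.dst_port:
            continue
        return rule.action
    return "block"


# Flows a guest laptop generates (constructed). Everything not via the proxy must be blocked.
PROBES: List[Tuple[str, Flow]] = [
    ("dhcp", Flow("udp", "255.255.255.255", 67)),
    ("dns to corporate resolver", Flow("udp", "10.10.10.53", 53)),
    ("dns to external resolver", Flow("udp", "8.8.8.8", 53)),
    ("http via proxy", Flow("tcp", "10.10.20.5", 8080)),
    ("direct http, bypassing proxy", Flow("tcp", "203.0.113.10", 80)),
    ("direct https, bypassing proxy", Flow("tcp", "203.0.113.10", 443)),
    ("ssh to internal host", Flow("tcp", "10.10.30.7", 22)),
]


def audit(policy: List[Rule]) -> Dict[str, str]:
    """Verdict for every probe, keyed by its label."""
    return {label: evaluate(policy, flow) for label, flow in PROBES}


def proxy_bypass_possible(policy: List[Rule]) -> bool:
    """True if any direct-to-Internet web flow in PROBES is allowed."""
    return any(evaluate(policy, f) == "allow"
               for label, f in PROBES if label.startswith("direct http"))


def reaches_arbitrary_hosts(policy: List[Rule]) -> bool:
    """True if the guest can talk to a host that is not one of the listed servers
    (here an external resolver), which an 'any DNS server' rule permits on UDP/53."""
    return evaluate(policy, Flow("udp", "8.8.8.8", 53)) == "allow"


if __name__ == "__main__":
    for name, pol in (("GUEST_POLICY", GUEST_POLICY), ("ANY_DNS_POLICY", ANY_DNS_POLICY)):
        print(name)
        for label, verdict in audit(pol).items():
            print(f"  {verdict:5}  {label}")
        print("  proxy bypass:", proxy_bypass_possible(pol),
              "| reaches arbitrary hosts on UDP/53:", reaches_arbitrary_hosts(pol))
```

The point of the comparison is that "proxy IP and port only" holds up as long as the other allow rules are also pinned to specific servers; the moment DNS is opened to any destination, the guest has a UDP/53 path to arbitrary hosts even though port 80/443 are still blocked.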

From your mail what I understand is:

1. In Configure Guest User Registration,
  • When a guest tries to log in for the first time he should use the Guest Access button; then he will be routed to the guest credential page where he fills in his name, password and affiliation, and he is able to access the network.
  • If he logs off and later tries to log in again, then he can use the same username and password to log in via the Guest provider drop-down menu option. Please correct me if I'm wrong.

2) Enable the Preset "Guest" User Account.

I hope the Guest Access button is much faster access in the Preset "Guest" User Account method.

  • With this method, the Guest Access button is enabled on the user login page. When a visitor clicks the button, the username and password guest/guest are sent to the CAM for authentication, and the guest user can be immediately redirected to the desired web page. Note that you must configure a new user role to which to associate the guest user.

3) All my users are configured with the NAC Agent; I hope it shouldn't prompt guests to download the agent and do host posture assessment before allowing them to browse the internet? I hope guest users are exempted from the host posture assessment and agent installation procedure and are allowed directly after entering username and password.

Thanks

Hi Mathew,

Following from your latest points:

1. OK

2. OK
The default guest user's credentials guest/guest will be used when clicking the Guest Access button only if under the user login page settings, in the Content tab, we tick "Guest Label" but not "Guest Registration Required".
This will allow the user to send the credentials guest/guest directly, without being redirected to the page where to create his/her own credentials.

3. Guest users will be exempted from downloading the agent or using the web agent as long as these options are disabled under

Device Management > Clean Access > General Setup > Agent Login > User Role = your_guest_user_role

Require use of Agent = unchecked
Require use of Cisco NAC Web Agent = unchecked

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hello Federico,

You deserve the ratings on each and every reply. Thanks for clearing up my understanding of guest user login access.

Dear Federico,

I have seen your replies in the AAA section also; if you can help me with the query below.

I'm facing the same issue as in the thread below; if you can help me succeed it will be much appreciated.

https://supportforums.cisco.com/message/3263448#3263448

Thanks,

Thank you again, glad to be of help.

Regarding the other post you mentioned, it looks like there are several issues going on there...
Would you mind re-stating your issue in your own words?
Sometimes it helps a lot to hear it directly from the person experiencing the problem ;-)

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.