01-04-2011 11:26 AM - edited 03-09-2019 11:20 PM
Hello Experts,
I have set up a NAC in L2 In-band Virtual mode. I am concerned about users who are guests coming into corporate for a meeting, and others for hourly purposes. I don't want them to access the Internet and network by bypassing NAC.
The requirements for corporate users are antivirus update and WSUS update, but this is not possible for them because it is their company laptop with their corporate policy.
How can I handle such users?
Thanks.
01-04-2011 11:31 AM
Hi Mathew,
You may want to look into the guest access feature, to still provide visitors with network access, but maybe with some bandwidth or traffic restrictions:
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-04-2011 01:09 PM
Hello Federico,
What I understand by "Enable the Preset "Guest" User Account":
We should specify a different role for the guest user and configure that role with login redirection, traffic control, and timeout policies as appropriate for guest users on your network.
I didn't get what login redirection is?
With this method, the Guest Access button is enabled on the user login page. When a visitor clicks the button, the username and password guest/guest are sent to the CAM for authentication, and the guest user can be immediately redirected to the desired web page.
How will the user login page pop up?
The steps are not clear to me, please help step by step.
Thanks
01-05-2011 01:07 AM
Hi Mathew,
The guest login redirection will be triggered when a user will open a web browser and try to HTTP to any IP.
The HTTP GET will hit the CAS and the redirection to the login page will start.
Regards,
Fede
01-05-2011 12:14 PM
Hello Federico,
Happy to receive mail from such experts.
This is the big problem I am facing since I did the installation and configuration of NAC. As I have read in the book, when we open a browser and try to access any website it should hit the CAS and the login page should be displayed, but this is not happening for me. Instead of hitting any website I am manually typing the CAS IP address https://10.10.10.10 and then it redirects me to the login page. BUT on this page I don't see any Guest Access button as mentioned in the User Guide statement below. Do I have to customize the GUEST ACCESS button in the user login page?
With this method, the Guest Access button is enabled on the user login page. When a visitor clicks the button, the username and password guest/guest are sent to the CAM for authentication, and the guest user can be immediately redirected to the desired web page. Note that you must configure a new user role to which to associate the guest user.
01-05-2011 12:26 PM
Hi Mathew,
Instead of typing the CAS IP address in the specific, do you get redirected when you try to browse even to a bogus IP?
Something like http://2.2.2.2/
If positive, then there may be an issue in the DNS configuration of the client, or in the DNS traffic allowed by the CAS for the unauthenticated role.
For example, under
User Management > User Roles > Unauthenticated Role [policies] > Traffic Control > Host
please verify that the table "Trusted DNS Server" at the bottom of the page contains the default " * Any DNS Server " entry.
Back to the guest login button, you'd need to verify that you went through the 4 steps listed under the section "Configure Guest User Registration":
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_pages.html#wp1098738
In particular, step #3 covers how to enable the guest option on the login redirection page:
- Go to Administration > User Pages > Login Page > List | Edit > Content page
– Enable the Provider Label and click the checkbox corresponding to the Guest authentication provider type you have configured under Available Providers to ensure it appears in the list of available authentication sources in the Providers options users see on the login page.
– Enable both the Guest Label and Guest Registration Required options to ensure users see the Guest login option on the login page.
If you do not enable all of these options on the Administration > User Pages > Login Page, Guest User Registration users do not see the option to log in as a guest.
All the 4 steps are necessary for the final guest login feature to work, so I'd strongly recommend to verify that the full procedure is covered.
Regards,
Fede
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
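The check suggested in the reply above (browse to a bogus IP, then look at DNS separately), written as a script to run from a client sitting in the unauthenticated role. This is an added example, not part of the original thread or of any Cisco tool; it assumes the redirect arrives as an HTTP 3xx response with a Location header, and `TEST_NAME` and the function names are placeholders chosen here.

```python
"""Login-redirect check for a client in the unauthenticated role (added example)."""
import http.client
import socket
from urllib.parse import urlsplit

BOGUS_IP = "2.2.2.2"           # the test address suggested in the reply above
TEST_NAME = "www.example.com"  # assumption: any public hostname will do


def http_probe(host, timeout=3.0):
    """Send one plain-HTTP GET without following redirects.
    Returns (status, Location header or None), or None if nothing answered."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def dns_probe(name):
    """True if the client's configured resolver returns an address for name."""
    try:
        socket.getaddrinfo(name, 80)
        return True
    except socket.gaierror:
        return False


def diagnose(ip_result, dns_ok, requested_host=BOGUS_IP):
    """Combine the two probe results into the conclusion drawn in the thread."""
    redirected = False
    if ip_result is not None:
        status, location = ip_result
        target = urlsplit(location or "").hostname
        # Only a redirect that points away from the requested host counts.
        redirected = (status in (301, 302, 303, 307)
                      and target not in (None, requested_host))
    if not redirected:
        return "no-redirect: HTTP to a raw IP did not produce a login redirect"
    if not dns_ok:
        return "dns: redirect works by IP; check client DNS and the role's Trusted DNS Server"
    return "ok: redirect and DNS both work for this role"


if __name__ == "__main__":
    print(diagnose(http_probe(BOGUS_IP), dns_probe(TEST_NAME)))
```

A login page that redirects through page content rather than a 3xx status would be reported as `no-redirect` by this script and needs a manual browser check.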
01-05-2011 02:59 PM
Hello Federico,
I think the problem is in the DNS server? When I do nslookup it doesn't resolve. How can I solve such problems?
Policies are perfect.
Steps for the guest user to log in: please correct me if I am wrong. I have configured each and every step as per the instructions (assuming the redirection is working).
Why do we need the provider label in option #3 instead of clicking on the Guest Access button, which routes to the guest registration page?
(Enable the Provider Label and click the checkbox corresponding to the Guest authentication provider type you have configured under Available Providers to ensure it appears in the list of available authentication sources in the Providers options users see on the login page)
Thanks
01-06-2011 01:31 AM
Hi Mathew,
It would look as if there is definitely something going on with DNS, if your client (even if unauthenticated) cannot resolve addresses.
To allow internet access to your guests, you'd need to configure the traffic policies accordingly.
In case your guests are simply using a proxy, then just the proxy IP and ports should be enough.
Regarding the provider label and the guest access button, we enable both of them in case a guest user with already created credentials would like to login.
In such a situation, already existing guest users are not required to create new credentials each time, but they can simply choose the guest authentication provider and use some previously created username/password.
Regards,
Fede
01-06-2011 01:02 PM
From your mail, what I understand is:
2) Enable the Preset “Guest” User Account.
I hope the Guest Access button is much faster access in the Preset “Guest” User Account method.
3) All my users are configured with the NAC Agent. I hope it shouldn't prompt the guest to download the agent and do host posture assessment before it allows them to browse the Internet? I hope guest users are exempted from the host posture assessment and Agent installation procedure, and are allowed directly after entering username and password.
Thanks
01-06-2011 11:35 PM
Hi Mathew,
Following from your latest points:
1. OK
2. OK
The default guest user's credentials guest/guest will be used when clicking the Guest Access button only if under the user login page settings, in the Content tab, we tick "Guest Label" but not "Guest Registration Required".
This will allow the user to send the credentials guest/guest directly, without being redirected to the page where to create his/her own credentials.
3. Guest users will be exempted from downloading the agent or using the web agent as long as these options are disabled under
Device Management > Clean Access > General Setup > Agent Login > User Role = your_guest_user_role
Require use of Agent = unchecked
Require use of Cisco NAC Web Agent = unchecked
Regards,
Fede
01-07-2011 01:22 AM
Hello, Federico,
You deserve the ratings on each and every reply. Thanks, dear, for clearing up the proper understanding of guest user login access.
Dear Federico,
I have seen your replies in the AAA section also, if you can help me with the query below.
I am facing the same issue as in the thread below. If you can help me get it working it will be much appreciated.
https://supportforums.cisco.com/message/3263448#3263448
Thanks,
01-07-2011 02:55 AM
Thank you again, glad to be of help.
Regarding the other post you mentioned, it looks like there are several issues going on there...
Would you mind re-stating your issue in your own words?
Sometimes it helps a lot to hear it directly from the person experiencing the problem ;-)
Regards,
Fede