cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1542
Views
0
Helpful
9
Replies

NAC Guest Server - Sponsor Authentication Issue

j-mccarthy
Level 1
Level 1

Hi

If anyone can help with this I'd really appreciate it. NAC Guest Server version 2.0.1

We've delpoyed the NAC Guest Server and successfully integrated it into AD. This is a large organisation and they have thousands of AD groups. The AD sponsor group was created within a specific OU and the NGS could never find this group when the Base DN: string was set to the root of the AD - because of the large number of groups - you would only ever see the last 1000 results or the first 1000 results or whatever.

The solution to this was to set the Base DN: to be the specific OU which contains the sponsor group (ie one level down from the root), now we can find the sponsor group on the NGS under Active Directory Mapping as there are fewer results and it all works. Super.

Now the problem is that it turns out that sponsors have to be a member of the OU as well of the AD group, so only people whose AD profile lives in the same OU as the sponsor group and are members of that group can log in to the NGS.

Somone who's AD account is in a different OU can be made a member of the WGA Sponsor group in AD, but the NGS will not authenticate them.

Is this a bug? Any ideas?

9 Replies 9

nelassaa
Level 1
Level 1

Hi,

The best way to solve this is to set the base DN to be the root.

You are correct that it only shows the first 1000 groups in the list (this is because by default windows only sends the first 1000 results).

However you can manually enter the groupname into the textbox and it will work correctly.

thanks,

Does the group itself also have to be in the root, or can you manually specify a group thats in an OU?

If I set the Base DN back to root, can I type something like OUNAME\GROUPNAME in the text box?

What's the syntax to tell the NGS the group is inside a particular OU?

Pretty sure I tried putting just the groupname in the textbox when the Base DN was set to root and that didn't work.

Thanks

The groups can be located anywhere, for AD authentication it just checks the memberOf attribute of the user contains the group name.

dhirajgrover
Level 4
Level 4

We had similar issues with AD authentication. Here is the fix:

- login as root on the GP

- go to /etc/httpd/conf

- modify the httpd.conf file, specific entry below:

LimitRequestFieldSize 20000 (change the value from whatever it is now to something like 20000)

- restart httpd

If it works you can buy me a beer :-)

That is to fix a large number of groups when using AD SSO. If you aren't doing this its not needed.

Also this fix is included in 2.0.2.

thanks,

I have Cisco NAC Guester server 2.0.2 and have sort of similar issues.

I configured the Base DN to the OU of the sponsor groups in AD and then map that particular group in roles. Users from that group can log on fine and create guest accounts.

The problem is, it seems that other users from that OU seems to be able to log on as sponsors too. How do I restrcit this to just that sponsore group? I tried changing the Base DN to the OU of the sponsore group then enter CN=sponsorgroup to narrow it to just that group but still other users can log in as sponsors.

you need to specify the sponsor group like this

Authentication - Sponsor User Groups

Edit Sponsor Group

Active Directory Mapping

Pick the sponor group from the list and save settings.

If the group does not appear because of the too manay search results thing, you can type the group name manually in the box.

Does anyone know if you can specify an OU as well as group in that box? ie if the sponsor group is not in the root OU.

Hi all,  I have the same problems, It seem to be that all Users of Base DN coul access to the sponsor link.

Did you resolve the problems ?

I cannot find the way out, LDAP doesn't work fine, I don't understand how to configure RADIUS authentication for Sponsor, the last option is to create a local database, buet the client doesn't want it.

Someone could help us ?

Hi,

You should open a TAC case, they will be able to walk you through the configuration process.

thanks,

Review Cisco Networking for a $25 gift card