NAC Guest Server custom HTML redirect and custom login

Mar 12th, 2010

Hi all,


Looking for more help here all please, anchor controller doing its job in the DMZ, Guest NAC server doing nothing currently. I want to be able to hand off to the guest NAC server and show some custom pages for guest logins. I've followed the guides for webauth and have successfully uploaded a new front login page we want to use under the sites tab of the guest server.


I can't seem to get the redirect to work. After I connect to the guest, I get the http://1.1.1.1 URL and click to accept the cert, then it won't give the authentication page back. Any ideas?


Has anyone got a custom page to be redirected to the guest NAC server and had a successful trip? If so, can I have some examples please?


I would also like a decent guest sample login page to work with, including the encoded URL if anyone is willing to give one up.


Thanks all

dennischolmes Fri, 03/12/2010 - 14:40

How are you handling DNS resolution for the redirect? If DNS does not function properly you will be at a standstill.

kevin.woodhouse Sat, 03/13/2010 - 02:20

DNS is good I think, what I see is the URL I want followed by a ?switch_url. I think from what I've read that I need the second half of the URL to be the same as the original redirect, I'll try that on Monday and let you know. I assume from the documentation I can do this, I want to redirect the user portal traffic so they get a nice front end similar to what they get on the wired network. The documentation for NAC guest server 2.0.2 isn't great and doesn't explain things that well.


Hence I turn to the community for support. I could do with an example of a page with all the hidden submit information in if anyone is willing to share one. I also assume I don't have to do anything on the DMZ controller except point the user traffic to an external URL on the guest NAC.


Thanks for your help.
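
The `?switch_url` parameter mentioned above tells the custom login page where to submit the guest's credentials, so the page should check it before using it as the form action. The following is an added example, not code from this thread or from Cisco's webauth bundle; the function name, the allowlist and the sample URLs are assumptions, and only the 1.1.1.1 address comes from the posts.

```javascript
// Added example. resolveLoginAction and ALLOWED_CONTROLLER_HOSTS are hypothetical names.
// 1.1.1.1 is the controller address quoted in this thread; use your own virtual interface.
const ALLOWED_CONTROLLER_HOSTS = new Set(["1.1.1.1"]);

// Returns { ok: true, action } when switch_url is safe to use as the login
// form's action, otherwise { ok: false, reason }.
function resolveLoginAction(pageUrl, allowedHosts = ALLOWED_CONTROLLER_HOSTS) {
  let target;
  try {
    const raw = new URL(pageUrl).searchParams.get("switch_url");
    if (!raw) return { ok: false, reason: "switch_url missing" };
    target = new URL(raw); // throws on relative or malformed values
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  // Credentials are posted to this URL, so insist on HTTPS (assumed policy).
  if (target.protocol !== "https:") return { ok: false, reason: "scheme is not https" };
  // "https://1.1.1.1@other-host/" has hostname other-host; reject userinfo outright.
  if (target.username || target.password) return { ok: false, reason: "userinfo not allowed" };
  if (!allowedHosts.has(target.hostname)) return { ok: false, reason: "host not allowed" };
  // Keep only origin and path so stray query strings or fragments are not reused.
  return { ok: true, action: target.origin + target.pathname };
}

// Constructed sample redirects: portal host, paths and the wlan parameter are made up.
const PORTAL = "https://guest.example.test/sites/login.html";
const SAMPLES = [
  PORTAL + "?switch_url=https%3A%2F%2F1.1.1.1%2Flogin.html&wlan=guest",
  PORTAL,
  PORTAL + "?switch_url=http%3A%2F%2F1.1.1.1%2Flogin.html",
  PORTAL + "?switch_url=https%3A%2F%2F1.1.1.1%40other.example.test%2Flogin.html",
  PORTAL + "?switch_url=https%3A%2F%2F10.0.0.5%2Flogin.html",
  PORTAL + "?switch_url=login.html",
];

// Evaluate every sample; in a browser the caller would pass window.location.href
// and assign result.action to the login form only when result.ok is true.
function checkSamples() {
  return SAMPLES.map((u) => resolveLoginAction(u));
}

if (typeof console !== "undefined") console.log(checkSamples());
```
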

kevin.woodhouse Tue, 03/16/2010 - 02:02

Done, downloaded the webauth bundle from Cisco downloads and used the waaext example. Used SCP to load the pages into the correct sites folder. I had to do a pre-auth ACL to allow DHCP, DNS, HTTP and HTTPS, otherwise the page just loops around constantly.

Scott Fella Tue, 03/16/2010 - 05:17

Do you have a CAS in the DMZ also or is it just a WLC and NGS?  Are you planning to do any type of login or just an accept button?

kevin.woodhouse Wed, 03/17/2010 - 08:58

There isn't currently a CAS in the DMZ. What will the CAS give me different from the NAC server? We can't currently use RADIUS for guest authentication. It says you can, but I've had it confirmed from Cisco that the only guest authentication on the NAC guest server is local, set up by sponsors.


Webauth is working great now, redirect works a treat and we have custom pages on the guest portal, just need to get past the cert issue, RADIUS issue and the proxy issue.


Thanks all

Scott Fella Wed, 03/17/2010 - 09:10

Well the NGS was a waste of money then:)  For the certificate issue, see the link: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml


Since this is for guest, usually it is best to keep the guest accounts on the WLC or the Guest WLC in the DMZ.  Proxy is another whole different beast and if you do a search on the wireless forum, you will get an answer to what works and what doesn't.

kevin.woodhouse Wed, 03/17/2010 - 12:13

I assume if we get a NAC appliance, these issues kinda go away...the RADIUS issue, I think the NAC appliance allows us to do RADIUS guest authentication, could I proxy / filter through the NAC appliance too??

Scott Fella Wed, 03/17/2010 - 12:16

Okay... so you are going to keep guest user accounts on the NGS local DB then?  Does it do proxy.... no.  Are you trying to push guest traffic through websense?

kevin.woodhouse Thu, 03/18/2010 - 03:13

Hi,


Yeah, Websense would be good, WCCP could now be an option, depends on what system the security team has. You can get a Websense appliance that has a dedicated WCCP port, I can place a pretty sure bet we don't have that one. So I'm trying to find out if Websense will accept the redirect without this dedicated port.

Scott Fella Fri, 04/29/2011 - 04:48

No, you don't need a NAC appliance to redirect to a web proxy.

vancamt76 Thu, 01/06/2011 - 12:29

Hello, do you happen to recall where you found the "webauth bundle" on Cisco's site? I have a cco account, but I couldn't seem to locate this download.


Thanks
