Unanswered Question
Jul 2nd, 2008

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to get an update on the new Cisco NAC Guest Server which works with either Cisco NAC Appliance or Cisco wireless LAN controllers to manage the entire lifecycle of guest access with Cisco expert Syed Ghayur. Syed is a technical marketing engineer in the product marketing team for the Cisco Network Access Control (NAC) Appliance. He also works on global scalability of the product, documentation, partner training, and system engineer trainings. In addition, he works closely with the Cisco Technical Assistance Center (TAC) to resolve complex issues and product related bugs. Early this year, he joined the Security Technology Group (STG) as technical marketing engineer for NAC Appliance.

Remember to use the rating system to let Syed know if you have received an adequate response.

Syed might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event.  This event lasts through July 25, 2008. Visit this forum often to view responses to your questions and the questions of other community members.

jessedls01 Fri, 07/11/2008 - 13:18


I am trying to generate a list of users from our RADIUS primary server. The steps I have are:

net stop csauth

Type cd\ and press enter

Type cd program*\cisco*\utils and press enter

Type csutil -u

net start csauth

The csutil -u command is not generating the users.txt file that I need. Do you have any suggestions on what I can do to get this file?

All I get back is a prompt:

C:\Program Files\CiscoSecure ACS v3.0\Utils>csutil -u

CSUtil v3.0(3.6), Copyright 1997-2002, Cisco Systems Inc

C:\Program Files\CiscoSecure ACS v3.0\Utils>

Thank you

gghayur Tue, 07/15/2008 - 21:44

This forum is for NAC Guest Server Solution. Please post your question to ACS forum.



wowferhat Fri, 07/11/2008 - 13:46

Hi Syed,

I have a Cisco router 2821 ready to be connected to a Siemens OTLE8 NT 4x2 Mbit/s optical network termination at both ends of a leased line. Could you please advise which card is the right one to use?

Could you please explain the difference between the following two:


VWIC2-2MFT-G703= Port 2nd Gen Multiflex Trunk Voice/WAN Int. Card - G.7032


HWIC-1CE1T1-PRI= port channelized T1/E1 and PRI HWIC

Many thanks

gghayur Sun, 07/13/2008 - 08:37

This forum is for Cisco NAC Guest Server. You may want to contact your sales team or TAC to get this information.


hemen.goradia Sun, 07/13/2008 - 00:38


I have NAC 3310 CAM & CAS installed and configured and am trying to test one PC with the agent, and I get the error "Login failed! OOB can not find MAC address contact network administrator". I checked the SNMP configs on the edge and core switches and they look fine. The SNMP community strings are also the same on the CAM and the switches.

Please let me know in case you have come across such a situation...


gghayur Sun, 07/13/2008 - 08:33

"Login failed! OOB can not find MAC address contact network administrator".

The SNMP MAC notification is not reaching the CAM. Please check the SNMP trap config on the switch and the corresponding SNMP receiver configuration on the CAM.

To verify, the MAC address of the client machine should appear under

Switch Management > Devices > Discovered Clients

hemen.goradia Sun, 07/13/2008 - 21:15

Thanks for the reply. I did the same and it worked. The SNMP receiver config needs to be the RW community string; I had earlier kept it as RO.

Now the MAC address is showing in Discovered Clients and the Certified List.


gghayur Tue, 07/15/2008 - 21:45

Hi Hemen,

Good to know that you were able to resolve the SNMP issue.



hemen.goradia Wed, 07/16/2008 - 21:07

Hi Syed,

I am using OOB VG for the NAC implementation, integrated with AD. I want to apply requirements per Active Directory OU; currently, if I apply any requirement, it applies to everyone in AD. How can I apply it to a group of users?

e.g. if I want to apply the Games check for the finance group and the Google Earth rule for sales.


kwtseng Mon, 07/14/2008 - 01:03


I have a question. When I use the web login to NAC, the switch VLAN changes to the role-based VLAN, but if I use CCA to log in, I can see in the CAM online user log that the current user is in the access VLAN, yet the switch VLAN is still the auth VLAN. What should I look at?

hemen.goradia Mon, 07/14/2008 - 01:39

You need to check the Clean Access Agent default VLAN option in the CAM; you must have selected the unauthenticated role. And when using web login to NAC, after successful authentication what is the switch VLAN status for that port?


kwtseng Mon, 07/14/2008 - 07:36

Hi Hemen,

After a successful web login, the switch port VLAN changes to the role-based VLAN (access VLAN), but with the CCA agent it stays in the auth VLAN, although in the CAM online log both show the online user in access VLAN status and in the authenticated role.

gghayur Mon, 07/14/2008 - 08:20

You might have overlooked the Managed Subnet setting. If it is misconfigured (or not configured), the user doesn't get into the CDL (you do see him in the OUL though) and the VLAN is not changed after the user logs in.

kwtseng Tue, 07/15/2008 - 01:24

Hi gghayur,

It seems the managed subnet setting was misconfigured. I appreciate your great help!

gghayur Tue, 07/15/2008 - 21:47

Great news! Configuring the Managed Subnet is key in the Virtual Gateway setup.

gghayur Tue, 07/15/2008 - 21:48

Hi Hemen,

Managed Subnet was configured incorrectly in this scenario.



kncomp123 Mon, 07/14/2008 - 05:13

Dear Sir,

My name is P. Nagpal; I am a Cisco Partner at Jaipur.

One of my customers wants to set up a wireless network between two buildings.

The distance between these buildings is 600 metres.

So please suggest which product will fulfil the customer's requirement.

gghayur Tue, 07/15/2008 - 21:43

Hi Nagpal,

This forum is for the NAC Guest Server Solution. Please post your question to the Wireless - Mobility forum.



balsheikh Wed, 07/16/2008 - 05:59

Hi Syed,

I have a CAM integrated with AD (Active Directory) as the external database. Local users have limited access controlled by AD and they can't run any executable file (company policy).

Here is the disaster: I have enabled the Windows Update rule on the CAM, but users aren't able to install the Windows updates whenever required because of the privilege limitation. CAS/CAM require administrative privilege to execute the files, and this violates company policy and is an unacceptable solution as well.

Microsoft doesn't have a solution for such a case, to assign administrative privilege only to execute specific files.

What's the best viable way to settle this issue from Cisco's perspective?



sushilmenon Wed, 07/16/2008 - 06:11

Hi Syed, can you please tell me what the advantage of using the NAC Appliance is when we also have the NAC Framework, which has the same capabilities and is a much cheaper solution?

Can you please provide any document that specifies the benefits of the NAC Appliance as compared to the NAC Framework?



gghayur Thu, 07/24/2008 - 14:05


Sorry for not responding earlier. This forum is for NAC Guest Server. Please send me a request offline and we can discuss the advantages of NAC Appliance.



Dave Anthony David Thu, 07/17/2008 - 01:35

Hi there. We have a client here that is using BBSM and wants to migrate to NAC Guest Server. My questions are:

1. Can NAC Guest Server provide hourly based restrictions just like BBSM (Access Codes)?

2. Can NAC Guest Server provide billing just like BBSM?

3. Is there a way for guest users to auto-provision themselves?

Thank you

gghayur Fri, 07/18/2008 - 10:41


All three features are on the roadmap for our next NGS 2.0 release, targeted for Oct. 2008.



chadiskey Thu, 07/17/2008 - 06:07

I am a Helpdesk Tech and a Cisco Academy student. I have users that are sometimes asked to provide account credentials while connected to our network over the VPN. They are using VPN client 4.8. Why is this?

gghayur Fri, 07/18/2008 - 10:37


I assume that you are doing VPN SSO with NAC. We accomplish VPN SSO with NAC via the RADIUS accounting packet. When the user connects successfully via VPN to the ASA (or VPN concentrator), the ASA generates a RADIUS accounting start packet and sends it across to the NAC server.

You can check the entry on the CAM by going to

Device Management > Clean Access Servers > X.X.X.X > Authentication ... VPN Auth > Active Clients

First you have to verify that the user's entry exists in the active client list with the client's assigned IP address.

If your students are using the AnyConnect client, then you should check out this bug CSCsi75507.
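The RADIUS accounting exchange described above, as an added example that is not Cisco's code: it builds the Accounting-Request a VPN headend sends at session start and parses it the way a receiver such as the NAC server would have to, checking the RFC 2866 Request Authenticator against the shared secret and extracting User-Name and Framed-IP-Address (the "Client Assigned IP" mentioned above). The secret, username, address and session id are constructed sample values. Whether the CAM rejects a mismatched secret in exactly this way is an assumption, but any standards-conforming RADIUS accounting receiver discards such packets, so a shared-secret mismatch between the ASA and the NAC server is one thing to rule out when the Active Clients list stays empty.

```python
import hashlib
import hmac
import socket
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2866 (real values).
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def _attr(atype, value):
    """Encode one Type-Length-Value attribute (length counts the 2-byte header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_accounting_request(secret, identifier, username, framed_ip, session_id, status=1):
    """Build the Accounting-Request a VPN headend sends for a session event.

    RFC 2866 section 3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    attrs = (
        _attr(ATTR_USER_NAME, username.encode())
        + _attr(ATTR_FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip))
        + _attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status))
        + _attr(ATTR_ACCT_SESSION_ID, session_id.encode())
    )
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def parse_accounting_request(packet, secret):
    """Validate an Accounting-Request against the shared secret and extract the
    fields a NAC receiver needs to map a VPN user to the IP it was assigned."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs_raw = packet[20:length]
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + attrs_raw + secret).digest()
    # A RADIUS server silently discards packets that fail this check, which is
    # what a shared-secret mismatch between headend and NAC server looks like.
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Request Authenticator mismatch: wrong shared secret or altered packet")

    result = {"identifier": identifier}
    pos = 0
    while pos < len(attrs_raw):
        if pos + 2 > len(attrs_raw):
            raise ValueError("truncated attribute header")
        atype, alen = attrs_raw[pos], attrs_raw[pos + 1]
        if alen < 2 or pos + alen > len(attrs_raw):
            raise ValueError("attribute length out of range")
        value = attrs_raw[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            result["username"] = value.decode(errors="replace")
        elif atype == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            result["framed_ip"] = socket.inet_ntoa(value)
        elif atype == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            result["status"] = ACCT_STATUS_NAMES.get(struct.unpack("!I", value)[0], "Unknown")
        elif atype == ATTR_ACCT_SESSION_ID:
            result["session_id"] = value.decode(errors="replace")
        pos += alen
    return result


if __name__ == "__main__":
    # Constructed sample values (hypothetical secret, user, address, session id).
    pkt = build_accounting_request(b"example-secret", 7, "jdoe", "10.10.5.23", "0x1A2B")
    print(parse_accounting_request(pkt, b"example-secret"))
```

Feeding the parser a packet built with a different secret raises instead of returning a mapping, which is the behaviour to expect from the receiving side when the two devices disagree on the secret.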

mmckalli Thu, 07/17/2008 - 12:46

I'm trying to get the NAC Appliance to manage a 4507 for a POC. The 4507 is "managed" by the NAC and it shows when the port is up and down via the web, but it never changes the VLAN membership (even to the AUTH VLAN). I suspect this is an SNMP write issue on the switch, but all the configs look good. Any suggestions?


hemen.goradia Sun, 07/20/2008 - 23:15


Is the user able to authenticate to the CCA Agent?

Are you getting an IP address from DHCP?

Check the VLAN status in the switch after CCA Agent authentication.


talha_490 Sun, 07/20/2008 - 13:31

Let me explain first what I have done.

I have changed the IP addresses in the NAS and Nam from and

Primary Nas

Secondary NAS

Service IP

Primary NAM

Secondary NAM 172.15.3

Service IP

Failover is configured and tested through the CLI, and it's working.

Now when I add the NAS into the NAM, the primary NAS loses its connectivity and is unreachable. Even after logging into the NAS through the CLI, I am unable to reach its gateway, which in our case is the IP address of the core switch SVI. However, the secondary NAS is reachable.

I have tried Linux commands like service network restart but it does not work. I suspect that there are some files where we have to change the IP addresses also. For the CAS failover interface eth2, when I set the IP address, it is effective until I reload.

Now how do I move forward?

Or do we have to restore the default configuration of the NAS and NAM and do it from scratch? And how can we do that?

gghayur Sun, 07/20/2008 - 13:48

Hi Talha,

A couple of questions regarding your issue.

1) Did you regenerate the certs after changing the IP ?

2) Was the default gateway pingable before Adding the CAS to the CAM ?

3) You need to change the IP via service perfigo config and make sure the management VLAN tag on the CAS is correct.

If you have done all of the above three already, then I would recommend doing a live troubleshooting session with a TAC engineer to quickly resolve the issue.



talha_490 Sun, 07/20/2008 - 22:02

Hello gghayur,

I have regenerated the certificate.

The default gateway was not pingable from the CAS after I tried to add the service IP address of the CAS.

I have not tried to change the IP addresses through service perfigo config. I have changed the IP address through the ifconfig command.

Management vlan is configured properly.

gghayur Sun, 07/20/2008 - 23:42

Please change the IP address through

-- Service Perfigo Config

-- You also need to reboot after changing the configuration

jwjorgensen Tue, 07/22/2008 - 06:14


I am having issues when trying to display an acceptable usage agreement during agent logon. When I try to store the document (aup.htm) locally in the CAM and point the link to http:///auth/aup.htm I get redirected to the CAS login page. How do I get past this?


uktpchowdry Wed, 07/23/2008 - 03:30


I would like to know, if Cisco VPN client 4.8 is installed on a PC, what locations does it have in the registry?

Secondly, is there a VBScript created for uninstalling the VPN client, which removes all the entries from the system?

gghayur Wed, 07/23/2008 - 06:54


This forum is for NAC Guest Server. Please post your question on the VPN or General Security forum.



bashir.rabbani Tue, 06/22/2010 - 01:28



After some troubleshooting I noticed in the configuration guide for NAC Guest Server that:

“Cisco NAC Guest Server Version 2.0 supports only start/end and from creation profiles when used with Cisco NAC Appliances.”

My question is: when will it be possible to use "From First Login" or "Timed Used" as time profiles when using NAC Guest Server with the NAC Appliances?

What we are looking for is some kind of ticket that the receptionist hands out to guests which is valid for 8 hours from first login.

Sean Prudeaux Wed, 07/07/2010 - 15:59


Hopefully someone can shed some light before I go crazy.

I am unable to join the NAC Guest Server 2.0.2 appliance to the domain.

We are running Windows Server 2003 domain controllers with SP2.

These are some steps I have tried to troubleshoot, with no luck:

Verified: PTR & A records are correct for both the DC and the NGS.

NTP is synced to the DC.

The DC is running DNS and is the Primary DNS for the NGS appliance.

Tried multiple administrative accounts to join the NGS to the domain.

I have changed IPs and changed the hostname on the NGS (updated DNS/PTR accordingly).

I have re-imaged the NGS and started from scratch with the same results.

Here is the error message I receive on the ADSSO configuration page:

Could not create configuration with the following errors:
Failed to create computer account for this server on the Domain Controller. See application log for details.

This is the application log:

AD Single Sign On configuration failed
adminFailed to create computer account for this server on the Domain Controller:; SASL/GSSAPI authentication started; SASL username: myadminaccount@mydomainedited.LOCAL; SASL SSF: 56; SASL installing layers

Not exactly a detailed error message, but that's all I get.

Any thoughts/comments/ideas would be greatly appreciated!

Frank Lothar Weber Thu, 08/05/2010 - 09:18


As far as I remember, this error occurs when turning on the Single Sign On feature.

Have you added the domain controller to the NGS first ('Authentication' -> 'Sponsors' -> 'Active Directory Servers')?

Sean Prudeaux Thu, 08/05/2010 - 15:17

Yes, I had in fact tried with and without. I'll try to do a tcpdump on the NGS server and see what's going on next week.

Sponsors are able to authenticate against AD, they just have to do it manually. The server is part of the trusted intranet.

Frank Lothar Weber Thu, 08/05/2010 - 09:54


I have a problem with the Single Sign On feature of the NGS 2.0.2:

I have added one of the domain controllers successfully to the NGS config for sponsor authentication using a dedicated AD group -> authentication of sponsors works fine.

I have successfully turned on the SSO feature (after working out some issues with Kerberos/DES encryption on the domain controller running Windows Server 2008 R2 and giving the NGS AD user account the AccountAdministrator rights) ......

I have added the NGS portal site to the Local Intranet sites in Internet Explorer 8 and turned on automatic user authentication in the Internet Explorer 'Local Intranet' zone, but when a domain user connects via Internet Explorer to the portal site, it still requires typing the username and domain password; single sign on does not work ....

The client is running Windows 7 x64 with Internet Explorer 8, and the AD domain is Windows Server 2008 R2. Could this be a Win7 issue??

Any clues what could be missing???

angerninta Thu, 11/04/2010 - 01:13


I have some questions about Cisco NAC Guest Server (NGS) roles. This solution has 2 user groups from the WLAN (please see the attached picture). I want to map groups between NGS and ACS 5.1, but I don't know which attribute to match with ACS 5.1.

My questions:

1. How can I separate users from group 1 and group 2 when each user from a group authenticates?

2. What attributes are used for group mapping? (WLC --> ACS --> NGS)

Thank you,


hmrsfelder Mon, 03/21/2011 - 06:34


I'm deploying NGS 2.0.1 and want to add a CA-signed certificate. The corporate security policy defines a 2048-bit key length for SSL certificates.


1. Does NGS 2.0.1 support 2048-bit key lengths for SSL certificates?

2. How can I modify NGS 2.0.1 to set a 2048-bit key length for SSL certificates in the embedded CSR flow?

Regards, Holger

eoinwhite Mon, 03/28/2011 - 06:39


We charge for our guest accounts that are provisioned on the NAC Guest Server. What we have discovered is that guest users are "sharing" their accounts. So when a user wants to give access to another user (with their weekly account) they log off and give the other user the credentials. Is there any way to stop this so a guest account is tied down to only one client device?

We all know MAC address restriction can be done on the controller, but that requires a lot of manual intervention. Is there any way for something like MAC address restriction to happen automatically within the NGS?
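The two controls the post above asks for, as an added example that is not NGS or WLC code: an automatic "first device wins" binding of a guest account to the MAC address of its first session, and a check for the same account holding sessions from two devices at once. It runs over constructed accounting events in a made-up key=value format; real WLC or NGS session logs look different and would need their own parser, so only the logic is meant to carry over.

```python
from collections import defaultdict

# Constructed sample session events (not real WLC/NGS output).
# guest1234 hands the account to a second device after logging off,
# guest5678 uses one device, guest9999 has two devices on at the same time.
SAMPLE_LOG = """\
2011-03-28T08:01:10 user=guest1234 mac=00:11:22:33:44:55 event=start
2011-03-28T09:15:42 user=guest1234 mac=00:11:22:33:44:55 event=stop
2011-03-28T09:20:05 user=guest1234 mac=66:77:88:99:AA:BB event=start
2011-03-28T10:00:00 user=guest5678 mac=cc:dd:ee:ff:00:11 event=start
2011-03-28T10:30:00 user=guest5678 mac=cc:dd:ee:ff:00:11 event=stop
2011-03-28T11:00:00 user=guest5678 mac=cc:dd:ee:ff:00:11 event=start
2011-03-28T12:00:00 user=guest9999 mac=22:22:22:22:22:22 event=start
2011-03-28T12:05:00 user=guest9999 mac=33:33:33:33:33:33 event=start
"""


def parse_events(text):
    """Turn the constructed log format into sorted event dicts.

    MACs are lower-cased so a vendor that logs upper case and one that logs
    lower case do not look like two different devices."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": ts, "user": fields["user"],
                       "mac": fields["mac"].lower(), "event": fields["event"]})
    # ISO-8601 timestamps sort correctly as strings.
    return sorted(events, key=lambda e: e["ts"])


def bind_first_device(events):
    """First-MAC-wins binding.

    Returns (bindings, violations): bindings maps each account to the MAC of
    its first session; violations lists (user, mac, ts) for every later start
    from a different MAC, i.e. the sessions a policy would reject."""
    bindings = {}
    violations = []
    for e in events:
        if e["event"] != "start":
            continue
        first = bindings.setdefault(e["user"], e["mac"])
        if e["mac"] != first:
            violations.append((e["user"], e["mac"], e["ts"]))
    return bindings, violations


def concurrent_sessions(events):
    """Accounts that had open sessions from more than one MAC at the same time."""
    active = defaultdict(set)  # user -> MACs with a session not yet stopped
    flagged = set()
    for e in events:
        macs = active[e["user"]]
        if e["event"] == "start":
            macs.add(e["mac"])
            if len(macs) > 1:
                flagged.add(e["user"])
        elif e["event"] == "stop":
            macs.discard(e["mac"])
    return sorted(flagged)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    bindings, violations = bind_first_device(evts)
    print("bindings:", bindings)
    print("rejected sessions:", violations)
    print("concurrent use:", concurrent_sessions(evts))
```

The first-device binding catches the sequential hand-off described in the post (log off, pass the credentials on), which a concurrency check alone would miss; the concurrency check catches the case where the binding is not enforced and both devices are online together.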



sinan.tekincan Tue, 04/12/2011 - 01:58


We are planning to let users create their own wireless accounts via NAC Guest Server.

We have WLC 5500 series controllers.

I created a WLAN that uses web authentication and is directed to the NAC Guest Server, where I created a hotspot site and added the HTML pages to the location it states.

However, the page does not appear when I associate with the WLAN and the WLC redirects me to the NAC Guest Server. It waits and tries to load, but the HTML page does not appear.

What configuration could be missing?



Nitesh Saxena Wed, 06/08/2011 - 01:55


I am trying to implement Cisco Guest Server with my current network. My network consists of both NAS & NAM.

I am confused about configuring the guest server. I know I will map the user to the guest role, but when the guest connects to the switch it will be directed to the CAM authentication page to get access to the network.

How will the guest server integrate, and what are the steps? Please, it would be a great help.

mhen.beetseh Fri, 06/10/2011 - 13:11


I am to prepare a quote for a switch with 4 10-gigabit XFP ports and 24 gigabit SFP ports.

I don't know if there is a switch that supports 10-gigabit XFP ports and gigabit SFP ports. Can you give me a suggestion?

Thanks a lot

