Looking for more help here all please, anchor controller doing its job in the DMZ, Guest NAC server doing nothing currently. I want to be able to hand off to the guest NAC server and show some custom pages for guest logins. I've followed the guides for webauth and have successfully uploaded a new front login page we want to use under the sites tab of the guest server.
I can't seem to get the redirect to work, after I connect to the guest, I get the http://22.214.171.124 url and click to accept the cert, then it wont give the authentication page back, any ideas
Has anyone got a custom page to be redirected to the guest NAC server and had a successful trip, if show can I have some example please.
I would also like a descent guest sample login page to work with, include the encoded URL if anyone is willing to give one up.
How are you handling DNS resolution for the redirect? If DNS does not function properly
you will be at a standstill.
DNS is good I think, what I see is the URL I want followed by a ?switch_url, I think from I've read that I need the second half of the URL to be the same as the original redirect, I'll try that on Monday and let you know. I assume from the documentation I can do this, I want to redirect the user portal traffic so they get a nice front end similar to what they get on the wired network, the documentation for NAC guest server 2.0.2 isn't great and does'nt explain things that well.
Hence turn to the community for support, i could do with an example of a page with all the hidden submit information in if anyone is willing to share one. I also assume I don't have to do anything on the DMZ controller except point the user traffic to an external URL on the guest NAC.
Thanks for you're help.
Done, downloaded the webauth bundle from Cisco downloads and used the waaext example. used SCP to load the pages into the correct sites folder, I had to do a pre-auth ACL to allow DHCP, DNS, HTTP and HTTPS, otherwise the page just loops around constantly.
Do you have a CAS in the DMZ also or is it just a WLC and NGS? Are you planning to do any type of login or just an accept button?
There isn't currently a CAS in the DMZ. What will the CAS give me different from the NAC server, we can't currently use RADIUS for guest authentication, it says you can, but I've had it confrmed from Cisco that the only guest authentication on the NAC guest server is local, setup by sponsors.
Webauth is working great now, redirect works a treat and we have custom pages on the guest portal, just need to get past the cert issue, RADIUS issue and the proxy issue
Well the NGS was a waste of money then:) For the certificate issue, see the link: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
Since this is for guest, usually it is best to keep the guest accounts on the WLC or the Guest WLC in the DMZ. Proxy is another whole different beast and if you do a search on the wireless forum, you will get an answer to what works and what doesn't.
I assume if we get a NAC appliance, these issues kinda go away...the RADIUS issue, I think the NAC appliance allows us to do RADIUS guest authentication, could I proxy / filter through the NAC appliance too??
Okay... so you are going to keep guest user accounts on the NGS local DB then? Does it do proxy.... no. Are you trying to push guest traffic through websense?
Yeah, websense would be good, wccp could now be an option, depends on what system the security team has, you can get a Websense appliance that has a dedicated WCCP port, I can place a pretty sure bet we don't have that one. So I'm trying to find out if Websense will accept the redirect withouit this dedicated port.
No, you don't need a NAC appliance to redirect to a web proxy.
So with the NAC Guest Server authenticating clients, how is traffic redirected through a a proxy? do you need to use WCCP or is it a feature of the NGS?
Hello, do you happen to recall where you found the "webauth bundle" on Cisco's site? I have a cco account, but I couldn't seem to locate this download.