Local Authentication Settings
This chapter describes Authentication tab settings in the CAS management pages (other than VPN Auth settings which are described in Chapter 6 "Integrating with Cisco VPN Concentrators"). Topics include:
•Local Heartbeat Timer
•Local Login Page
•Enable Active Directory SSO Login
•Enable Windows NetBIOS SSO Login
Most user-related configuration settings, such as roles, authentication sources, and local users, are configured for all Clean Access Servers in the global forms of the CAM web console. However, several aspects of user management can be configured locally for an individual CAS. These include:
•User presence scanning - Checks online users to see if their connections are still active. If not, the user session is terminated after a configurable period of time. This setting can be set globally or locally.
•Login pages - Prompts users accessing the network for their login credentials.
•Transparent Windows login - Allows single sign-on in Windows domains.
Local Heartbeat Timer
The heartbeat timer checks the connection status of online users by attempting to contact the client. If the client fails to respond, the user session can be timed out after a configurable amount of time. You can configure how long Cisco NAC Appliance waits to time out disconnected users, as well as how often it attempts to contact users. The actual connection check is performed by an ARP message rather than by pinging. This allows the heartbeat check to function even if ICMP traffic is blocked on the client.
Note The CAS checks the connection of all users at once, regardless of when an individual user's session started.
The timer is configurable globally when accessed from User Management > User Roles > Schedule > Heartbeat Timer. By configuring a local setting in the Clean Access Server, you can override the global setting in the Clean Access Manager for that particular CAS.
To configure timeout properties based on connection status:
Step 1 Go to Device Management > CCA Servers > Manage [CAS_IP] > Misc > Heartbeat Timer.
Figure 9-1 Local Heartbeat Timer
Step 2 To override the global setting configured using the User Management > User Roles > Schedule > Heartbeat Timer web console page, click the Override Global Settings checkbox. The global heartbeat timer setting is overridden for user sessions established using this specific CAS.
Step 3 Click the Enable Heartbeat Timer checkbox.
Note If the CAS enters Fallback mode and this option is enabled, user sessions are still terminated and cleared from the Online Users List and Certified Devices List after the specified time period has passed. For more information, see CAS Fallback Policy.
Step 4 Specify a value for the Log Out Disconnected Users After field. After the system detects a disconnected user, this field sets the period of time after which the disconnected user is logged off the network.
Step 5 Click Update.
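The following model shows how the heartbeat timer's two settings interact: every online user is probed at each check regardless of when the session started, and the logout timer counts from the first failed probe rather than from session start. This is an added example, not Cisco code; the ARP probe is injected as a callable so the model runs offline, and the assumptions that the logout clock starts at the first missed probe and is cleared when the client answers again are mine, not stated on the page. The users, addresses and reachability schedule are constructed.

```python
"""Model of the CAS heartbeat timer: probe every online user at each check and
log out the ones that stay unreachable for longer than the configured period.

Added example, not Cisco code.  Assumed behaviour (not stated on the page):
the logout clock starts at the first failed probe and is cleared as soon as
the client answers a later probe.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Session:
    user: str
    ip: str
    started: int                           # seconds
    disconnected_since: Optional[int] = None


@dataclass
class HeartbeatTimer:
    logout_after: int                      # "Log Out Disconnected Users After", seconds
    probe: Callable[[str, int], bool]      # ARP probe: (ip, now) -> did the host answer?
    sessions: Dict[str, Session] = field(default_factory=dict)

    def add(self, user: str, ip: str, now: int) -> None:
        self.sessions[user] = Session(user, ip, now)

    def check_all(self, now: int) -> List[str]:
        """Probe every session at once, regardless of when it started, and
        return the users logged out at this check."""
        logged_out = []
        for user, s in list(self.sessions.items()):
            if self.probe(s.ip, now):
                s.disconnected_since = None          # reachable again: clear the clock
                continue
            if s.disconnected_since is None:
                s.disconnected_since = now           # first missed probe starts the clock
            elif now - s.disconnected_since >= self.logout_after:
                logged_out.append(user)
                del self.sessions[user]
        return logged_out


def simulate(logout_after: int = 300, check_interval: int = 60,
             horizon: int = 600) -> Dict[str, Optional[int]]:
    """Constructed scenario: alice stays connected, bob unplugs at t=100 for
    good, carol unplugs at t=100 and is back at t=200.  Returns the time each
    user was logged out, or None if still online at the horizon."""
    def arp_probe(ip: str, now: int) -> bool:
        # Stand-in for the CAS ARP check; reachability by address and time.
        return {
            "10.0.0.1": True,
            "10.0.0.2": now < 100,
            "10.0.0.3": now < 100 or now >= 200,
        }[ip]

    hb = HeartbeatTimer(logout_after=logout_after, probe=arp_probe)
    hb.add("alice", "10.0.0.1", 0)
    hb.add("bob", "10.0.0.2", 0)
    hb.add("carol", "10.0.0.3", 30)          # later start; still checked with the others
    logged_out: Dict[str, Optional[int]] = {u: None for u in ("alice", "bob", "carol")}
    for now in range(0, horizon + 1, check_interval):
        for user in hb.check_all(now):
            logged_out[user] = now
    return logged_out


if __name__ == "__main__":
    print(simulate())   # {'alice': None, 'bob': 420, 'carol': None}
```

Note that bob, unreachable from t=100, is not logged out until t=420: the disconnection is first noticed at the t=120 check, and the 300-second logout period runs from there. When sizing the Log Out Disconnected Users After value, allow for that extra check interval of delay, and remember that a client that answers a single ARP probe before the period expires keeps its session.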
For complete details on user session timeouts, see the "User Management: Traffic Control, Bandwidth, Schedule" chapter in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.7(5).
Local Login Page
A login page configured locally for a CAS takes precedence over the global login pages configured for all Clean Access Servers. If creating login pages local to a Clean Access Server, you can customize pages for particular VLANs, operating systems, and subnets.
Add Local Login Page
1. Go to the CAS management pages under Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Login Page.
2. Select the Override Global Settings option and Update.
Figure 9-2 Override Global Login Page
3. Click the Add link that appears. Leave asterisks as default values for the VLAN and Subnet field to set the page for any VLAN/subnet or enter values to specify a VLAN/subnet. Likewise, leave the Operating System field as ALL, or specify an OS for which the login page will apply.
4. Click the Add button to add the page to the login page list.
5. In the login page list, click Edit next to the page to modify page contents and properties.
6. The General options page appears. Select a Page Type: Frameless, Frame-based, or Small Screen (frameless).
7. Optionally enter a Description for the page.
8. Click Update to commit the changes made on the General page, then click View to see the login page with the updated changes.
9. Click the Content link. Specify the following content to appear on the login page:
–Image: Use the dropdown menu to choose the logo to appear on the login page.
–Title: Type the title of the login page.
–Username Label, Password Label, Login Label, Provider Label, Guest Label, Help Label, Root CA Label: Use the checkboxes to specify the fields/buttons to appear on the login screen. Enter a label for each of the fields selected.
–Default Provider: Use the dropdown menu to choose the default provider for the login page.
–Available Providers: The authentication sources you want to appear in the providers dropdown menu on the login page.
–Instructions: Type the instructions to be shown on the login page.
–Root CA File: The root CA certificate file to use, if the Root CA Label is enabled.
–Help Contents: Type help text to be presented to users on the login page. Note that only HTML content can be entered in this field (URLs cannot be referenced).
10. Click Update to commit the changes made on the Content page, then click View to see the login page with the updated changes.
11. Click the Style link. You can change the background (BG) and foreground (FG) colors and properties. Note that Form properties apply to the portion of the page containing the login fields.
12. Click Update to commit the changes made on the Style page, then click View to see the login page with the updated changes.
13. If frames are enabled in the Login Page > General settings, click the Right Frame link. You can enter either URL or HTML content for the right frame as described below:
a. Enter URLs: (for a single webpage to appear in the right frame)
For an external URL, use the format
For a URL on the Clean Access Manager use the format:
<CAM_IP_address> is the domain name or IP listed on the certificate.
If you enter an external URL or Clean Access Manager URL, make sure you have created a traffic policy for the Unauthenticated role that allows the user HTTP access to the external server or Clean Access Manager.
For a URL on the local Clean Access Server use the format:
b. Enter HTML: (to add a combination of resource files, such as logos and HTML links)
Type HTML content directly into the Right Frame Content field.
To reference a link to an uploaded HTML file:
<a href="file_name.html"> file_name.html </a>
To reference an image file (such as a JPEG file) enter:
14. Click Update to commit the changes made on the Right Frame page, then click View to see the login page with the updated changes.
Enabling Web Client for Local Login Page
The web client option can be enabled for all deployments, but is required for L3 OOB.
To set up the Cisco NAC Appliance for L3 out-of-band (OOB) deployment, you must enable the login page to distribute either an ActiveX control or Java Applet to web login users who are multiple L3 hops away from the CAS. The ActiveX control/Java Applet is downloaded when the user performs web login and is used to obtain the correct MAC address of the client. In an OOB deployment, the CAM needs the correct client MAC address to control the port according to Certified List and/or device filter settings of the Port Profile.
DHCP IP addresses can be refreshed for client machines using the Agent or ActiveX Control/Java Applet without requiring port bouncing after authentication and posture assessment. This feature is intended to facilitate NAC Appliance OOB deployment in VoIP environments.
To enable the web client:
Step 1 Go to Administration > User Pages > Login Page > Edit | General.
Figure 9-3 Enable ActiveX/Java Applet for L3 OOB
Step 2 From the Web Client (ActiveX/Applet) dropdown menu, choose one of the following options. For "Preferred" options, the preferred option is loaded first, and if it fails, the other option is loaded. With Internet Explorer, ActiveX is preferred because it runs faster than the Java Applet.
•ActiveX Only—Only runs ActiveX. If ActiveX fails, does not attempt to run Java Applet.
•Java Applet Only—Only runs Java Applet. If Java Applet fails, does not attempt to run ActiveX.
•ActiveX Preferred—Runs ActiveX first. If ActiveX fails, attempts to run Java Applet.
•Java Applet Preferred—Runs Java Applet first. If Java Applet fails, attempts to run ActiveX.
•ActiveX on IE, Java Applet on non-IE Browser (Default)—Runs ActiveX if Internet Explorer is detected, and runs Java Applet if another (non-IE) browser is detected. If ActiveX fails on IE, the CAS attempts to run a Java Applet. For non-IE browsers, only the Java Applet is run.
Step 3 Two options need to be checked to use the ActiveX/Applet web client to refresh the client's IP address:
a. Click the checkbox for Use web client to detect client MAC address and Operating System.
b. Click the checkbox for Use web client to release and renew IP address when necessary (OOB) to release/renew the IP address for the OOB client after authentication without bouncing the switch port.
Step 4 When you enable web client use for IP address release/renew, for Linux/Mac OS X clients, you can optionally click the Install DHCP Refresh tool into Linux/Mac OS system directory checkbox. This will install a DHCP refresh tool on the client to avoid the root/admin password prompt when IP address is refreshed.
Step 5 Click Update to save settings.
Note To use this feature, "Enable L3 support" must be enabled under Device Management > CCA Servers > Manage [CAS_IP] > Network > IP.
See Chapter 3 "Configuring Layer 3 Out-of-Band (L3 OOB)" and the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.7(5) for details.
Local File Upload
1. Go to Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Login Page.
2. Make sure the Override Global Settings option is enabled.
3. Click File Upload.
Figure 9-4 Upload Local File to CAS
4. Browse to a logo image file or other resource file on your workstation and select it in the Filename field.
5. Optionally enter text in the Description field.
6. Click Upload. The file should appear in the resources list.
Note •Files uploaded to a specific Clean Access Server using Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Login Page > File Upload are available to the Clean Access Manager and that local Clean Access Server only. On the Clean Access Server, uploaded files are located under /perfigo/access/tomcat/webapps/auth.
•Files uploaded to the CAM using Administration > User Pages > File Upload are available to the Clean Access Manager and all Clean Access Servers. These files are located under /perfigo/control/data/upload on the CAM.
•Files uploaded to the CAM in releases prior to 3.6(2) are not removed on upgrade and remain under /perfigo/control/tomcat/normal-webapps/admin.
See the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.7(5) for further details.
Enable Active Directory SSO Login
See Chapter 8 "Configuring Active Directory Single Sign-On (AD SSO)" for complete information on configuring Active Directory Single Sign-On (SSO).
Enable Windows NetBIOS SSO Login
With Windows NetBIOS SSO login (formerly known as "Transparent Windows" login), users who are authenticated in their Windows domain can be automatically logged into the trusted network.
Implementing Windows NetBIOS SSO login involves several steps:
1. Add a Windows NetBIOS SSO authentication provider to the list of authentication servers in the CAM.
(See the "User Management: Auth Servers" chapter in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.7(5).)
2. Modify the policy of the Unauthenticated role to allow users access to the domain controller.
(See the "User Management: Traffic Control, Bandwidth, Schedule" chapter in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.7(5).)
3. Enable Windows NetBIOS SSO Login and specify the Windows domain controller in the CAS management pages (see steps below).
Note With Windows NetBIOS SSO, only authentication is performed; posture assessment, quarantining, and remediation do not apply. The user only needs to press Ctrl-Alt-Del and log in to the Windows domain.
To configure the Windows domain controller:
Step 1 Go to Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Windows Auth > NetBIOS SSO for the CAS on which you want to enable transparent Windows login.
Figure 9-5 Enable Transparent Windows Login
Step 2 Click the Enable Transparent Windows Single Sign-On with NetBIOS checkbox and then click Update.
Step 3 Type the IP address of your Windows domain controller in the Windows Domain Controller IP field.
Step 4 Click Add Server.
OS Detection
The CAS detects the client machine operating system from the browser User-Agent string and the client's TCP/IP stack signature. "Current Version of OS Detection Fingerprint" updates are downloaded via the Device Management > Clean Access > Updates interface. Updates to OS Detection Fingerprints (or signatures) are released as new Windows operating systems become available. See the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.7(5) for additional details.
If a client is wrongly classified as a Windows OS, you can submit the client IP address under Display OS Detection Signatures to display the TCP/IP stack signature stored for the client on the CAM. When troubleshooting, the TCP/IP Stack Signature result can be copied and pasted into the customer support request when contacting Cisco TAC.
Note •The OS detection/fingerprinting feature uses both the browser User-Agent string and TCP/IP stack information to determine the OS of the client machine. Both signals are under the client's control: while the detection routines attempt to find the best match, the OS may be detected incorrectly if the end user modifies the TCP/IP stack on the client machine and changes the User-Agent string of the browser. If there is concern about malicious users evading the OS fingerprinting/detection mechanisms, administrators are advised to use network scanning to confirm the OS of the machine. If network scanning is not possible or not desirable, network administrators should consider pre-installing the Agent on client machines or requiring users to log in using the Cisco NAC Web Agent.
•The OS Detection feature supports OS fingerprinting for Windows operating systems only. For example, Cisco NAC Appliance can detect and block a Windows OS disguised as another OS (e.g. Linux, Mac OS X); however it will not support detecting a Mac OS X disguised as Linux.
•In a FIPS 140-2 compliant network where both the CAMs and CASs are configured in failover mode, Cisco NAC Appliance does not correctly report the operating system of a client machine following a failover event and subsequent synchronization. Once the CAM/CAS detect client HTTP/HTTPS traffic, the CAM/CAS are able to "rediscover" the client machine operating system following the failover event.
To Set OS Detection Settings:
Step 1 Go to Device Management > CCA Servers > Manage [CAS_IP] > Authentication > OS Detection in the CAS management pages of the web console.
Figure 9-6 OS Detection
Step 2 Click the checkbox for Set client OS to WINDOWS_ALL when Win32 platform is detected to add this as an additional detection option.
Step 3 Click the checkbox for Set client OS to WINDOWS_ALL when Windows TCP/IP stack is detected (Best Effort Match) to add this as an additional detection option.
Step 4 Click Update.
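The two checkboxes above, and the evasion caveat and Windows-only limitation in the notes, are easiest to see as a decision procedure over the three signals the CAS has: the User-Agent string, the browser's reported platform, and the TCP/IP stack signature. The following is an added example, not Cisco code: the fingerprint table, the best-effort heuristic (TTL 128 plus the DF bit), the navigator.platform input and the sample clients are all constructed for illustration and do not reproduce the CAM's OS Detection Fingerprint database.

```python
"""Two-signal client OS detection, modelled on the CAS OS Detection options.

Added example, not Cisco code.  The fingerprint table, the best-effort
heuristic and the sample clients are constructed; the CAM's real OS Detection
Fingerprint database is not reproduced here.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

WINDOWS_ALL = "WINDOWS_ALL"


@dataclass(frozen=True)
class StackSig:
    """Attributes of the client's TCP SYN that a passive fingerprinter records."""
    ttl: int      # initial IP TTL
    window: int   # TCP window size
    df: bool      # Don't Fragment bit set
    mss: int      # MSS option


# Assumed Windows stack signatures (illustrative values only).
WINDOWS_STACKS = {
    StackSig(128, 8192, True, 1460),
    StackSig(128, 65535, True, 1460),
    StackSig(128, 64240, True, 1460),
}

_NT_VERSIONS = {"5.1": "WINDOWS_XP", "6.0": "WINDOWS_VISTA", "6.1": "WINDOWS_7"}


def os_from_user_agent(ua: str) -> Optional[str]:
    """Map the browser User-Agent to an OS name; None if nothing matches."""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if m:
        return _NT_VERSIONS.get(m.group(1), WINDOWS_ALL)
    if re.search(r"Mac OS X|Macintosh", ua):
        return "MAC_OSX"
    if "Linux" in ua:
        return "LINUX"
    return None


def is_windows_stack(sig: StackSig, best_effort: bool) -> bool:
    """Exact match against the Windows table; with best_effort, also accept a
    Windows-looking TTL/DF combination (assumed heuristic)."""
    if sig in WINDOWS_STACKS:
        return True
    return best_effort and sig.ttl == 128 and sig.df


def detect_os(ua: str, platform: str, sig: StackSig,
              win32_all: bool = False, stack_all: bool = False) -> str:
    """Combine User-Agent, navigator.platform and the stack signature.

    win32_all -> "Set client OS to WINDOWS_ALL when Win32 platform is detected"
    stack_all -> "Set client OS to WINDOWS_ALL when Windows TCP/IP stack is
                  detected (Best Effort Match)"
    Only Windows is fingerprinted at the stack level, so a Mac disguised as
    Linux is never caught, as the page notes.
    """
    ua_os = os_from_user_agent(ua)
    if ua_os is not None and ua_os.startswith("WINDOWS"):
        return ua_os                                  # User-Agent already says Windows
    if win32_all and platform == "Win32":
        return WINDOWS_ALL                            # additional option 1
    if stack_all and is_windows_stack(sig, best_effort=True):
        return WINDOWS_ALL                            # additional option 2
    if ua_os is None and is_windows_stack(sig, best_effort=False):
        return WINDOWS_ALL                            # exact stack match fills an unknown UA
    return ua_os or "UNKNOWN"


# Constructed sample clients.
WIN7_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
LINUX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0"
WIN_SIG = StackSig(128, 8192, True, 1460)
MAC_SIG = StackSig(64, 65535, True, 1460)


def classify_samples(win32_all: bool = False, stack_all: bool = False) -> Dict[str, str]:
    """Run the sample clients through detect_os with the given options."""
    samples = {
        "honest_win7": (WIN7_UA, "Win32", WIN_SIG),
        "custom_browser_win": ("MyCorpBrowser/1.0", "Win32", StackSig(128, 16384, True, 1460)),
        "ua_spoofed_win7": (LINUX_UA, "Linux x86_64", WIN_SIG),            # UA/platform changed, stack untouched
        "fully_spoofed_win7": (LINUX_UA, "Linux x86_64", StackSig(64, 5840, True, 1460)),  # stack tuned too
        "mac_as_linux": (LINUX_UA, "Linux x86_64", MAC_SIG),
    }
    return {name: detect_os(ua, plat, sig, win32_all, stack_all)
            for name, (ua, plat, sig) in samples.items()}


if __name__ == "__main__":
    for opts in ({}, {"win32_all": True}, {"stack_all": True}, {"win32_all": True, "stack_all": True}):
        print(opts, classify_samples(**opts))
```

With both options off, a Windows 7 machine whose browser reports a Linux User-Agent is classified as Linux. Enabling the best-effort stack option catches it as WINDOWS_ALL, but a client that also tunes its TCP/IP stack still reads as Linux, and a Mac reporting Linux is never detected because only Windows stacks are fingerprinted. That is the gap the page's note closes with network scanning or a pre-installed Agent.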
To Troubleshoot OS Detection Signatures:
Step 1 Go to Device Management > CCA Servers > Manage [CAS_IP] > Authentication > OS Detection.
Figure 9-7 Display TCP/IP Stack Signature
Step 2 In the Client IP Address field, type the client IP address to be tested.
Step 3 Click Display Signature. The OS signature result displays in the TCP/IP Stack Signature field.
Step 4 Copy and paste the TCP/IP Stack Signature result to your support request when contacting Cisco TAC.