Add Local Login Page
1. Go to the CAS management pages under Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Login Page.
2. Select the Override Global Settings option and Update.
Figure 9-2 Override Global Login Page
3. Click the Add link that appears. Leave the asterisks as the default values in the VLAN and Subnet fields to apply the page to any VLAN/subnet, or enter values to specify a VLAN/subnet. Likewise, leave the Operating System field as ALL, or specify an OS to which the login page will apply.
4. Click the Add button to add the page to the login page list.
5. In the login page list, click Edit next to the page to modify page contents and properties.
6. The General options page appears. Select a Page Type: Frameless, Frame-based, or Small Screen (frameless).
7. Optionally enter a Description for the page.
8. Click Update to commit the changes made on the General page, then click View to see the login page with the updated changes.
9. Click the Content link. Specify the following content to appear on the login page:
– Image: Use the dropdown menu to choose the logo to appear on the login page.
– Title: Type the title of the login page.
– Username Label, Password Label, Login Label, Provider Label, Guest Label, Help Label, Root CA Label: Use the checkboxes to specify the fields/buttons to appear on the login screen. Enter a label for each of the fields selected.
– Default Provider: Use the dropdown menu to choose the default provider for the login page.
– Available Providers: The authentication sources you want to appear in the providers dropdown menu on the login page.
– Instructions: Type the instructions to be shown on the login page.
– Root CA File: The root CA certificate file to use, if the Root CA Label is enabled.
– Help Contents: Type help text to be presented to users on the login page. Note that only HTML content can be entered in this field (URLs cannot be referenced).
10. Click Update to commit the changes made on the Content page, then click View to see the login page with the updated changes.
11. Click the Style link. You can change the background (BG) and foreground (FG) colors and properties. Note that Form properties apply to the portion of the page containing the login fields.
12. Click Update to commit the changes made on the Style page, then click View to see the login page with the updated changes.
13. If frames are enabled in the Login Page > General settings, click the Right Frame link. You can enter either URL or HTML content for the right frame as described below:
a. Enter URLs: (for a single webpage to appear in the right frame)
For an external URL, use the format
For a URL on the Clean Access Manager use the format:
<CAM_IP_address> is the domain name or IP listed on the certificate.
If you enter an external URL or Clean Access Manager URL, make sure you have created a traffic policy for the Unauthenticated role that allows the user HTTP access to the external server or Clean Access Manager.
For a URL on the local Clean Access Server use the format:
b. Enter HTML: (to add a combination of resource files, such as logos and HTML links)
Type HTML content directly into the Right Frame Content field.
To reference a link to an uploaded HTML file:
<a href="file_name.html"> file_name.html </a>
To reference an image file (such as a JPEG file) enter:
14. Click Update to commit the changes made on the Right Frame page, then click View to see the login page with the updated changes.
Enabling Web Client for Local Login Page
The web client option can be enabled for all deployments, but is required for L3 OOB.
To set up the Cisco NAC Appliance for L3 out-of-band (OOB) deployment, you must enable the login page to distribute either an ActiveX control or Java Applet to web login users who are multiple L3 hops away from the CAS. The ActiveX control/Java Applet is downloaded when the user performs web login and is used to obtain the correct MAC address of the client. In an OOB deployment, the CAM needs the correct client MAC address to control the port according to Certified List and/or device filter settings of the Port Profile.
DHCP IP addresses can be refreshed for client machines using the Agent or ActiveX Control/Java Applet without requiring port bouncing after authentication and posture assessment. This feature is intended to facilitate NAC Appliance OOB deployment in VoIP environments.
Note For complete details, refer to “Configuring User Login Page and Guest Access” in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.9(x).
For detailed information on Access to Authentication VLAN change detection, refer to the “Configuring Access to Authentication VLAN Change Detection” section in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.9(x).
To enable the web client:
Step 1 Go to Administration > User Pages > Login Page > Edit | General.
Figure 9-3 Enable ActiveX/Java Applet for L3 OOB
Step 2 From the Web Client (ActiveX/Applet) dropdown menu, choose one of the following options. For “Preferred” options, the preferred option is loaded first, and if it fails, the other option is loaded. With Internet Explorer, ActiveX is preferred because it runs faster than the Java Applet.
- ActiveX Only —Only runs ActiveX. If ActiveX fails, does not attempt to run Java Applet.
- Java Applet Only —Only runs Java Applet. If Java Applet fails, does not attempt to run ActiveX.
- ActiveX Preferred —Runs ActiveX first. If ActiveX fails, attempts to run Java Applet.
- Java Applet Preferred —Runs Java Applet first. If Java Applet fails, attempts to run ActiveX.
- ActiveX on IE, Java Applet on non-IE Browser (Default)—Runs ActiveX if Internet Explorer is detected, and runs Java Applet if another (non-IE) browser is detected. If ActiveX fails on IE, the CAS attempts to run a Java Applet. For non-IE browsers, only the Java Applet is run.
Step 3 Two options need to be checked to use the ActiveX/Applet web client to refresh the client’s IP address:
a. Click the checkbox for Use web client to detect client MAC address and Operating System.
b. Click the checkbox for Use web client to release and renew IP address when necessary (OOB) to release/renew the IP address for the OOB client after authentication without bouncing the switch port.
Note This option can introduce unpredictable results for OOB clients if not configured correctly for your specific network topology. For detailed information on Access to Authentication VLAN change detection, refer to the “Configuring Access to Authentication VLAN Change Detection” section in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.9(x).
Step 4 When you enable web client use for IP address release/renew, you can optionally click the Install DHCP Refresh tool into Linux/Mac OS system directory checkbox for Linux/Mac OS X clients. This installs a DHCP refresh tool on the client so that the user is not prompted for the root/admin password when the IP address is refreshed.
Step 5 Click Update to save settings.
Note To use this feature, “Enable L3 support” must be enabled under Device Management > CCA Servers > Manage [CAS_IP] > Network > IP.
See Chapter 3, “Configuring Layer 3 Out-of-Band (L3 OOB)” and the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.9(x) for details.
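The following is an added example, not Cisco code or an appliance API. It models the Step 2 fallback order and checks a settings record against Steps 3 and 4 and the L3 note. The dictionary keys and function names are hypothetical, and the sample record is constructed.

```python
# Added illustration: models the settings described above; not a Cisco API.
ACTIVEX, APPLET = "ActiveX", "Java Applet"
DEFAULT = "ActiveX on IE, Java Applet on non-IE Browser"

# Attempt order per Web Client (ActiveX/Applet) option, from Step 2.
# Value is (order on Internet Explorer, order on any other browser).
WEB_CLIENT_ORDER = {
    "ActiveX Only": ([ACTIVEX], [ACTIVEX]),
    "Java Applet Only": ([APPLET], [APPLET]),
    "ActiveX Preferred": ([ACTIVEX, APPLET], [ACTIVEX, APPLET]),
    "Java Applet Preferred": ([APPLET, ACTIVEX], [APPLET, ACTIVEX]),
    DEFAULT: ([ACTIVEX, APPLET], [APPLET]),
}

def attempt_order(option, is_ie):
    on_ie, on_other = WEB_CLIENT_ORDER[option]
    return list(on_ie if is_ie else on_other)

def loaded_client(option, is_ie, works):
    """First client in the attempt order that can run, else None.
    `works` is the set of clients able to run on the user's machine."""
    for client in attempt_order(option, is_ie):
        if client in works:
            return client
    return None  # no web client ran, so no client MAC address is obtained

def audit_l3_oob(settings):
    """Check a hypothetical settings dict against Steps 2-4 and the L3 note."""
    findings = []
    if settings.get("web_client") not in WEB_CLIENT_ORDER:
        findings.append("Web Client (ActiveX/Applet) option is not one of the five listed")
    if not settings.get("enable_l3_support"):
        findings.append('"Enable L3 support" is off under Network > IP on the CAS')
    if not settings.get("detect_mac_and_os"):
        findings.append("web client MAC address/OS detection is unchecked")
    if settings.get("release_renew_ip") and not settings.get("detect_mac_and_os"):
        findings.append("IP release/renew needs both Step 3 checkboxes checked")
    if settings.get("install_dhcp_refresh_tool") and not settings.get("release_renew_ip"):
        findings.append("DHCP Refresh tool applies only with IP release/renew enabled")
    return findings

# Constructed sample record for an L3 OOB login page.
SAMPLE = {"web_client": DEFAULT, "enable_l3_support": True,
          "detect_mac_and_os": True, "release_renew_ip": True,
          "install_dhcp_refresh_tool": True}

if __name__ == "__main__":
    print(audit_l3_oob(SAMPLE) or "no findings")
    print(loaded_client(DEFAULT, is_ie=False, works={ACTIVEX}))
```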