Integrating with Cisco NAC Appliance
This chapter describes the following:
• Configuring NAC Appliance Settings
• Testing NAC Appliance Settings
• Configuring the CAM for Reporting
Guest users commonly authenticate to networks via a captive portal through which they provide their authentication details using a web browser. Cisco NAC Appliance provides a secure guest user access portal which administrators can customize.
The Cisco NAC Guest Server integrates with the Cisco NAC Appliance through the NAC Appliance API. This is an HTTPS-based API that requires the Guest Server to communicate with the Cisco NAC Manager, also known as the Clean Access Manager (CAM).
Note
Refer to the "API Support" section of the applicable Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide for details on the Cisco NAC Appliance API.
The Cisco NAC Guest Server creates the guest user accounts on the CAM as Local User accounts assigned to a specific role that you define for guest users. Every minute, the Guest Server creates the accounts that have become valid and removes the accounts that have expired. When accounts are suspended, the Guest Server removes the accounts from the CAM and also removes the guest users from the network if they are logged in.
Configuring NAC Appliance Settings
The following steps describe how to configure the Cisco NAC Guest Server and Cisco NAC Appliance Manager so that they can communicate with one another.
Step 1
From the Guest Server administration interface, select Devices > NAC Appliance from the left hand menu.
Figure 7-1 Clean Access Manager Settings
Step 2
In the NAC Appliance Settings page (Figure 7-1), enter the following settings:
• Name—Type a descriptive name for the Clean Access Manager.
• Hostname of Address—Type the DNS name or IP address for the CAM.
• Admin Username—Enter admin as the Admin Username, or a CAM admin username which has API permission to the CAM.
• Password—Type the password for the CAM Admin or API account.
• Repeat Password—Retype the password to ensure it matches correctly.
• Role—Type the name of the User Role on the CAM to which you will assign guest users. This should match exactly with the User Role name configured on the CAM, including correct case.
Step 3
Click the Save Settings button.
Step 4
Click the link at the bottom of the page to test that the settings are working correctly.
Testing NAC Appliance Settings
At any time, you can test the NAC Appliance settings to make sure that they are correctly configured.
Step 1
From the Guest Server administration interface, select Devices > NAC Appliance from the left hand menu.
Step 2
Click the link at the bottom of the NAC Appliance Settings page to test the settings.
Figure 7-2 Test NAC Appliance Settings (Example Result Page)
Step 3
The test result page (Figure 7-2) may take a while to appear. If settings are incorrect, the page display takes even longer. The result information describes whether or not the account was successfully created.
Step 4
In the Clean Access Manager admin console, navigate to Monitoring > Event Logs and verify that the account visitornetworks_test was successfully created and then deleted.
Configuring the CAM for Reporting
In order for the Cisco NAC Guest Server to correctly display details for guest users when reporting is run, you need to configure the CAM to send RADIUS accounting information to the Guest Server. Additionally, the CAM needs to format the information correctly.
Note
For detailed instructions on how to access and configure settings on the CAM, refer to the applicable Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide.
Adding a RADIUS Accounting Server
Step 1
Log into the CAM web console as an admin user with an appropriate password (default username/password is admin/cisco123).
Note
Any CAM admin user with Edit privileges can perform this configuration.
Step 2
Navigate to User Management > Auth Servers > Accounting > Server Config.
Figure 7-3 Configure RADIUS Accounting Server
Step 3
Click the checkbox for Enable RADIUS Accounting, and configure the following fields:
• Server Name—Type the IP address of the Cisco NAC Guest Server.
• Server Port—Type 1813 as the port.
• Timeout (sec)—Type a timeout value; 10 seconds is typically sufficient.
• Shared Secret—Type the shared secret used with the Cisco NAC Guest Server. This must match the shared secret configured on the Guest Server when adding the CAM as a RADIUS client to the Guest Server, as described in Adding RADIUS Clients, page 8-2. Make sure both shared secrets are the same.
• NAS-IP-Address—Type the address of the CAM itself as the NAS-IP-Address.
Step 4
Click the Update button.
Configure the CAM to Format RADIUS Accounting Data
The CAM can be configured to place many different attributes into the RADIUS accounting packets and the attributes themselves can be formatted in many different ways. You need to configure the CAM to send attribute information in a specific format so that the Cisco NAC Guest Server can understand it.
Note
Refer to the "RADIUS Accounting" section of the applicable Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide for additional details.
Step 1
Log into the CAM admin console, and navigate to User Management > Auth Servers > Accounting > Shared Events (Figure 7-4).
Figure 7-4 Shared Events
Step 2
On the Shared Events page, click the Edit button to the right of the User_Name attributes entry.
Figure 7-5 Edit User Name Attribute
Step 3
In the Edit User_Name attribute page (Figure 7-5), click the Reset Element button to remove the existing sample data format.
Step 4
Select User Name from the Add Data dropdown menu.
Step 5
Click the Add Data button.
Step 6
Click the Commit Changes button.
Step 7
The main Shared Events lists page reappears (Figure 7-6). Verify that the Data column lists "[User_Name]".
Figure 7-6 Shared Events with Username Changed
Step 8
Click the New Entry... link to the right of the page (Figure 7-6) to add additional attributes.
Figure 7-7 Add Calling Station Id Attribute
Step 9
In the New Shared Events attribute form (Figure 7-7), select Calling_Station_Id from the Send RADIUS Attributes dropdown menu.
Step 10
Click the Change Attribute button.
Step 11
Select User IP from the Add Data dropdown menu.
Step 12
Click the Add Data button.
Step 13
Click Commit Changes.
Note
Remember to add the CAM as a RADIUS client using the instructions in Chapter 8, "Configuring RADIUS Clients."
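The following Python is an added example, not Cisco code and not part of the original guide. It shows what a RADIUS accounting receiver does with the packet produced by the configuration above: it verifies the RFC 2866 Request Authenticator with the shared secret (which is why both secrets must match) and then reads User-Name, Calling-Station-Id and NAS-IP-Address. The function names, the sample values and the assumption that the User IP arrives as a text string in Calling-Station-Id are illustrative.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4  # RADIUS code, RFC 2866
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address",
              31: "Calling-Station-Id", 40: "Acct-Status-Type"}

def build_accounting_request(ident, attrs, secret):
    """Encode an Accounting-Request as a RADIUS client (the CAM's role) would."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    # Authenticator = MD5(code, id, length, 16 zero octets, attributes, secret)
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body

def parse_accounting_request(packet, secret):
    """Check the Request Authenticator, then decode the attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    header, auth, body = packet[:4], packet[4:20], packet[20:length]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, auth):
        raise PermissionError("authenticator mismatch: shared secrets differ")
    out, i = {}, 0
    while i < len(body):
        alen = body[i + 1] if i + 1 < len(body) else 0
        if alen < 2 or i + alen > len(body):
            raise ValueError("malformed attribute")
        atype, value = body[i], body[i + 2:i + alen]
        name = ATTR_NAMES.get(atype, f"attr-{atype}")
        if atype == 4 and len(value) == 4:
            out[name] = socket.inet_ntoa(value)
        elif atype in (1, 31):
            out[name] = value.decode("utf-8", "replace")
        else:
            out[name] = value  # left as raw bytes
        i += alen
    return out

# Constructed sample: secret, user name and addresses are made up.
SECRET = b"constructed-shared-secret"
SAMPLE = build_accounting_request(7, [
    (40, struct.pack("!I", 1)),           # Acct-Status-Type = Start
    (1, b"guest01"),                      # User_Name <- [User_Name]
    (31, b"192.0.2.55"),                  # Calling_Station_Id <- User IP
    (4, socket.inet_aton("192.0.2.10")),  # NAS-IP-Address = the CAM
], SECRET)
```

Parsing `SAMPLE` with `SECRET` returns the three attributes; parsing it with any other secret raises `PermissionError`, which is the failure seen when the secret entered on the CAM differs from the one configured for it as a RADIUS client on the Guest Server.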