Integrating with Cisco NAC Appliance
This chapter describes the following:
• Adding Clean Access Manager Entries
• Editing Clean Access Manager Entries
• Deleting Clean Access Manager Entries
• Configuring the CAM for Reporting
Guest users commonly authenticate to networks via a captive portal through which they provide their authentication details using a web browser. Cisco NAC Appliance provides a secure guest user access portal which administrators can customize.
The Cisco NAC Guest Server integrates with the Clean Access Manager through the use of the Cisco NAC Appliance API. This is an HTTPS-based API that requires the Guest Server to communicate with the Cisco NAC Appliance Manager, also known as the Clean Access Manager (CAM).
The Cisco NAC Guest Server creates the guest user accounts on the CAM as Local User accounts assigned to a specific role that you define for guest users. Every minute, the Guest Server creates the accounts that have become valid and removes the accounts that have expired. When accounts are suspended, the Guest Server removes the accounts from the CAM and also removes the guest users from the network if they are logged in.
The Clean Access Manager can also send accounting information to the Cisco NAC Guest Server via RADIUS accounting. This information is used for reporting and tracking of guests by access time and IP address.
You can add multiple Clean Access Managers to the Cisco NAC Guest Server. When accounts are provisioned they are created on all active Clean Access Managers that are defined.
Adding Clean Access Manager Entries
The following steps describe how to configure the Cisco NAC Guest Server and Cisco NAC Appliance Manager so that they can communicate with one another. You must add API information to the Cisco NAC Guest Server for each Clean Access Manager on which you want the Guest Server to create accounts.
Step 1
From the Guest Server administration interface, select Devices > NAC Appliances from the left-hand menu as shown in Figure 7-1.
Figure 7-1 Cisco NAC Appliances
Step 2
Click the Add NAC Appliance button.
Step 3
Enter the following settings in the NAC Appliance Details page as shown in Figure 7-2:
Figure 7-2 Add Clean Access Manager
• Name—Type a descriptive name for the Clean Access Manager.
• Server—Type the DNS name or IP address for the CAM.
• Admin Username—Enter an admin username which has Full-Control API permission to the CAM.
• Password—Type the password for the account.
• Confirm Password—Retype the password to ensure it matches correctly.
• Default Role—Type the name of the User Role on the CAM to which you will assign guest users. This must match the User Role name configured on the CAM exactly, including case.
• Server Active—Check this checkbox to set the Cisco NAC Guest Server to Active status so that it provisions accounts on the CAM. Leaving it unchecked disables provisioning by the Guest Server on this CAM.
Step 4
Click the Add NAC Appliance button.
Step 5
Click the Test Connection button to ensure that the settings are working correctly.
Step 6
In the Clean Access Manager admin console, navigate to Monitoring > Event Logs and verify that the account nacguest_test was successfully created and then deleted.
Note
Clean Access Managers are automatically added to the Default guest role, and set to provision using the role name specified here. If you do not want the Clean Access Manager to be added to the role, you must manually remove the entry.
Editing Clean Access Manager Entries
The following steps describe how to edit an existing entry for a Clean Access Manager.
Step 1
From the Guest Server administration interface, select Devices > NAC Appliances from the left-hand menu as shown in Figure 7-3.
Figure 7-3 List of Cisco NAC Appliances
Step 2
Click the underlined name of the NAC appliance from the list to edit it.
Step 3
In the NAC Appliance Settings page as shown in Figure 7-4, enter the following settings:
Figure 7-4 Edit Clean Access Manager
• Server—Type the DNS name or IP address for the CAM.
• Admin Username—Enter an admin username which has API permission to the CAM.
• Password—Type the password for the account.
• Confirm Password—Retype the password to ensure it matches correctly.
• Default Role—Type the name of the User Role on the CAM to which you will assign guest users. This must match the User Role name configured on the CAM exactly, including case.
• Server Active—Check this checkbox to set the Cisco NAC Guest Server to Active status so that it provisions accounts on the CAM. Leaving it unchecked disables provisioning by the Guest Server on this CAM.
Step 4
Click the Save Settings button.
Step 5
Click the Test Connection button to ensure that the settings are working correctly.
Step 6
In the Clean Access Manager admin console, navigate to Monitoring > Event Logs and verify that the account nacguest_test was successfully created and then deleted.
Deleting Clean Access Manager Entries
The following steps describe how to delete NAC Appliance (Clean Access Manager) entries.
Step 1
From the Guest Server administration interface, select Devices > NAC Appliances from the left-hand menu as shown in Figure 7-5.
Figure 7-5 List of Cisco NAC Appliances
Step 2
Select the Cisco NAC Appliance that you want to delete from the list and click the bin icon to the right of the active field. Confirm the deletion when prompted.
Step 3
A further message appears asking whether to delete the records of accounts that were created on the NAC Appliance from the NAC Guest Server database. You may need the provisioning records if you are planning to add the NAC Appliance at a later date.
Warning
When deleting a NAC Appliance you need to manually manage any guest accounts created on the Clean Access Manager.
Configuring the CAM for Reporting
In order for the Cisco NAC Guest Server to correctly display details for guest users when reporting is run, you need to configure the CAM to send RADIUS accounting information to the Guest Server. Additionally, the CAM needs to format the information correctly.
Note
For detailed instructions on how to access and configure settings on the CAM, refer to the applicable Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide.
Adding RADIUS Accounting Server
Step 1
Log into the CAM web console as an admin user with an appropriate password (default username/password is admin/cisco123).
Note
Any CAM admin user with Edit privileges can perform this configuration.
Step 2
Navigate to User Management > Auth Servers > Accounting > Server Config.
Figure 7-6 Configure RADIUS Accounting Server
Step 3
Click the checkbox for Enable RADIUS Accounting and configure the following fields:
• Server Name—Type the IP address of the Cisco NAC Guest Server.
• Server Port—Type 1813 as the port.
• Timeout (sec)—Type a timeout value; 10 seconds is typically sufficient.
• Shared Secret—Type the shared secret used with the Cisco NAC Guest Server. This must match the shared secret configured on the Guest Server when adding the CAM as a RADIUS client to the Guest Server, as described in Adding RADIUS Clients. Make sure both shared secrets are the same.
• NAS-IP-Address—Type the address of the CAM itself as the NAS-IP-Address.
Step 4
Click the Update button.
Configure CAM to Format RADIUS Accounting Data
The CAM can be configured to place many different attributes into the RADIUS accounting packets, and the attributes themselves can be formatted in many different ways. You need to configure the CAM to send attribute information in a specific format that the Cisco NAC Guest Server can recognize.
Note
Refer to the "RADIUS Accounting" section of the applicable Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide for additional details.
Step 1
Log into the CAM admin console, and navigate to User Management > Auth Servers > Accounting > Shared Events as shown in Figure 7-7.
Figure 7-7 Shared Events
Step 2
On the Shared Events page, click the Edit button to the right of the User_Name attributes entry.
Step 3
In the Edit User_Name attribute page as shown in Figure 7-8, click the Reset Element button to remove the existing sample data format.
Figure 7-8 Edit User Name Attribute
Step 4
Select User Name from the Add Data dropdown menu.
Step 5
Click the Add Data button.
Step 6
Click the Commit Changes button.
Step 7
The main Shared Events lists page reappears as shown in Figure 7-9. Verify that the Data column lists "[User_Name]".
Figure 7-9 Shared Events with Username Changed
Step 8
Click the New Entry... link to the right of the page as shown in Figure 7-9 to add additional attributes.
Figure 7-10 Add Calling Station Id Attribute
Step 9
In the New Shared Events attribute form as shown in Figure 7-10, select Calling_Station_Id from the Send RADIUS Attributes dropdown menu.
Step 10
Click the Change Attribute button.
Step 11
Select User IP from the Add Data dropdown menu.
Step 12
Click the Add Data button.
Step 13
Click Commit Changes.
Step 14
Click the New Entry link to the right of the page as shown in Figure 7-9 to add additional attributes as shown in Figure 7-11.
Figure 7-11 Additional Attributes
Step 15
In the New Shared Events attribute form as shown in Figure 7-11, select Acct_Session_Id from the Send RADIUS Attributes dropdown menu.
Step 16
Click the Change Attribute button.
Step 17
Select User Key from the Add Data dropdown menu.
Step 18
Click the Add Data button.
Step 19
Select Login Time from the Add Data dropdown menu.
Step 20
Click the Add Data button.
Step 21
Click Commit Changes.
Note
Remember to add the CAM as a RADIUS client using the instructions in Chapter 8 "Configuring RADIUS Clients."
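Added example, not part of the Cisco documentation: a Python check of what the Guest Server should receive on port 1813 once the Shared Secret and Shared Events steps above are complete. It verifies the Accounting-Request authenticator against the shared secret (a failure here is what mismatched secrets look like on the wire) and confirms that User-Name, Calling-Station-Id and Acct-Session-Id are present. The function names and all sample values are constructed for illustration; the exact string the CAM emits for User Key and Login Time is not shown in this chapter.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)
# RFC 2865/2866 numbers of the three attributes configured on the Shared Events page
REQUIRED = {1: "User-Name", 31: "Calling-Station-Id", 44: "Acct-Session-Id"}

def request_authenticator(ident, attrs, secret):
    """RFC 2866: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_request(ident, attributes, secret):
    """Build a constructed Accounting-Request the way a RADIUS client would send it."""
    attrs = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + request_authenticator(ident, attrs, secret) + attrs

def check_request(packet, secret):
    """Return (fields, problems) for one received Accounting-Request datagram."""
    if len(packet) < 20:
        return {}, ["shorter than the 20-byte RADIUS header"]
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        return {}, ["not a well-formed Accounting-Request"]
    attrs = packet[20:length]
    if not hmac.compare_digest(request_authenticator(ident, attrs, secret), packet[4:20]):
        return {}, ["authenticator mismatch: shared secrets differ or packet was altered"]
    fields, problems, pos = {}, [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            problems.append("malformed attribute")
            break
        atype, alen = attrs[pos], attrs[pos + 1]
        if atype in REQUIRED:
            fields[REQUIRED[atype]] = attrs[pos + 2:pos + alen].decode("utf-8", "replace")
        pos += alen
    problems += [f"missing {name}" for name in REQUIRED.values() if name not in fields]
    if "Calling-Station-Id" in fields:
        try:  # the CAM is configured to put the User IP in this attribute
            ipaddress.ip_address(fields["Calling-Station-Id"])
        except ValueError:
            problems.append("Calling-Station-Id is not an IP address")
    return fields, problems

SECRET = b"constructed-secret"  # constructed sample values below, not captured traffic
SAMPLE = build_request(7, [(1, b"guest01"), (31, b"192.0.2.25"), (40, b"\x00\x00\x00\x01"),
                           (44, b"samplekey 2009-01-01 10:00:00")], SECRET)
```

Calling `check_request(SAMPLE, SECRET)` returns the three fields with an empty problem list; the same packet checked against a different secret returns only the authenticator mismatch.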