Configuring Sponsor User Groups
Sponsor user groups are the method by which you assign permissions to the sponsors. You can set role-based permissions for sponsors to allow or restrict access to different functions, such as creating accounts, modifying accounts, generating reports, and sending account details to guests by email or SMS.
Once you have created a user group, create mapping rules to map the sponsor to a group based upon information returned from the authentication server such as Active Directory Group, LDAP Group membership, or RADIUS Class attribute.
Tip
By default, all users are assigned to the DEFAULT group. If you only want to have a single classification of sponsors, you can edit the DEFAULT group.
This chapter describes the following:
• Adding Sponsor User Groups
• Editing Sponsor User Groups
• Deleting User Groups
• Specifying the Order of Sponsor User Groups
• Mapping to Active Directory Groups
• Mapping to LDAP Groups
• Mapping to RADIUS Groups
• Assigning Guest Roles
• Assigning Time Profiles
Adding Sponsor User Groups
You can create a new sponsor user group using the following steps.
Step 1
From the administration interface, select Authentication > Sponsor User Groups as shown in Figure 5-1.
Figure 5-1 Sponsor User Groups
Step 2
Click the Add Sponsor Group button to add a new user group.
Step 3
From the Add a New Sponsor Group page as shown in Figure 5-2, type the name for a new user group in the Sponsor Group Name field.
Figure 5-2 Add New Sponsor Group
Step 4
Click the Add Sponsor Group button to add a user group. You can now edit the settings for the new user group by clicking the Edit Group button as shown in Figure 5-3.
Figure 5-3 Edit New Sponsor Group
Step 5
Edit and set the permissions for the new User Group as follows:
• Allow Login—Select Yes to allow sponsors in this group to access the Cisco NAC Guest Server.
• Create Account—Select Yes to allow sponsors to create guest accounts.
• Create Bulk Accounts—Select Yes to allow sponsors to create multiple accounts at a time by pasting in the details.
• Create Random Accounts—Select Yes to allow sponsors to create multiple random accounts without initially capturing the guest's details.
• Import CSV—Select Yes to allow sponsors to create multiple accounts at a time by importing the details from a CSV file.
• Send Email—Select Yes to allow sponsors to send account details via email from the Guest Server to the guest user.
• Send SMS—Select Yes to allow sponsors to send account details via SMS from the Guest Server to the guest user.
• View Guest Password—Select Yes to allow sponsors to view the password that has been created for the guest.
• Allow Printing Guest Details—Select Yes to allow sponsors to print out the guest's details.
Note
Select No if you want to disable any of the above permissions.
• Edit Account—Choose one of the following permissions for editing the end date/time on guest accounts:
  – No—Sponsors are not allowed to edit any guest accounts.
  – Own Account—Sponsors are allowed to edit only the guest accounts they created.
  – Group Accounts—Sponsors are allowed to edit guest accounts created by anyone in the same sponsor user group.
  – All Accounts—Sponsors are allowed to edit any guest accounts.
• Suspend Account—Choose one of the following options for suspending accounts:
  – No—Sponsors are not allowed to suspend any guest accounts.
  – Own Account—Sponsors are allowed to suspend only the guest accounts they created.
  – Group Accounts—Sponsors are allowed to suspend guest accounts created by anyone in the same sponsor user group.
  – All Accounts—Sponsors are allowed to suspend any guest accounts.
• Full Reporting—Choose one of the following permissions for viewing reporting details for full reporting. See Reporting on Guest Users for additional details.
  – No—Sponsors are not allowed to view reporting details on any guest accounts.
  – Own Account—Sponsors are allowed to view reporting details for only the guest accounts they created.
  – Group Accounts—Sponsors are allowed to view active guest accounts created by anyone in the same sponsor user group.
  – All Accounts—Sponsors are allowed to view reporting details on any active guest accounts.
• Detailed Reports - Accounting Log—Choose one of the following permissions for running a full report on accounting logs:
  – No—Sponsors are not allowed to run accounting log reporting on any guest accounts.
  – Own Account—Sponsors are allowed to run full accounting log reporting for only the guest accounts they created.
  – Group Accounts—Sponsors are allowed to run full reporting on guest accounts created by anyone in the same sponsor user group.
  – All Accounts—Sponsors are allowed to run full accounting log reporting on any active guest accounts.
• Detailed Reports - Audit Log—Choose one of the following permissions for running a full report on audit logs:
  – No—Sponsors are not allowed to run an audit log report on logs on any accounts.
  – Own Account—Sponsors are allowed to run an audit log report on logs for only the guest accounts they created.
  – Group Accounts—Sponsors are allowed to run an audit log report on logs for guest accounts created by anyone in the same sponsor user group.
  – All Accounts—Sponsors are allowed to run an audit log report on logs on any active guest accounts.
• Detailed Reports - Activity Log—Choose one of the following permissions for running a full report on activity logs:
  – No—Sponsors are not allowed to run detailed reports on activity logs on any guest accounts.
  – Own Account—Sponsors are allowed to run detailed reports on activity logs for only the guest accounts they created.
  – Group Accounts—Sponsors are allowed to run a detailed report on activity logs for guest accounts created by anyone in the same sponsor user group.
  – All Accounts—Sponsors are allowed to run detailed reports on activity logs on any active guest accounts.
• Management Reports—Select Yes to allow the sponsors to run the management reports. If you select No, the sponsors are not allowed to run the reports.
• Number of days in the future the account can be created—This specifies the period in the future for which the guests can create accounts. Specify the maximum number of days, hours, or minutes that they are allowed to create accounts in the future.
• Maximum duration of account—This specifies the maximum duration for which the sponsor can configure an account. Specify the duration in days, hours, or minutes.
Step 6
Click the Save button to add the group with the permissions specified.
Note
Until you click the Save button, the group is not created.
Step 7
Follow one of the following sets of instructions to map sponsor users to your group based on group information from the authentication server:
• Mapping to Active Directory Groups
• Mapping to LDAP Groups
• Mapping to RADIUS Groups
Editing Sponsor User Groups
The following steps describe how to edit sponsor user groups.
Step 1
From the administration interface, select Authentication > Sponsor User Groups from the left hand menu.
Step 2
Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Figure 5-4 Select the Sponsor User Group to Edit
Step 3
In the Edit Permissions page as shown in Figure 5-5, change the settings for the group.
Figure 5-5 Edit User Group
Step 4
Edit Permissions for the User Group as follows:
• Allow Login—Select Yes to allow sponsors in this group to access the Cisco NAC Guest Server.
• Create Account—Select Yes to allow sponsors to create guest accounts.
• Create Bulk Accounts—Select Yes to allow sponsors to create multiple accounts at a time by pasting in the details.
• Create Random Accounts—Select Yes to allow sponsors to create multiple random accounts without initially capturing the guest's details.
• Import CSV—Select Yes to allow sponsors to create multiple accounts at a time by importing the details from a CSV file.
• Send Email—Select Yes to allow sponsors to send account details via email from the Guest Server to the guest user.
• Send SMS—Select Yes to allow sponsors to send account details via SMS from the Guest Server to the guest user.
• View Guest Password—Select Yes to allow sponsors to view the password that has been created for the guest.
• Allow Printing Guest Details—Select Yes to allow sponsors to print out the guest's details. Otherwise, select No.
Note
Select No if you want to disable any of the above permissions.
• Edit Account—Choose one of the following permissions for editing the end date/time on guest accounts:
  – No—Sponsors are not allowed to edit any guest accounts.
  – Own Account—Sponsors are allowed to edit only the guest accounts they created.
  – Group Accounts—Sponsors are allowed to edit guest accounts created by anyone in the same sponsor user group.
  – All Accounts—Sponsors are allowed to edit any guest accounts.
• Suspend Account—Choose one of the following options for suspending accounts:
  – No—Sponsors are not allowed to suspend any guest accounts.
  – Own Account—Sponsors are allowed to suspend only the guest accounts they created.
  – Group Accounts—Sponsors are allowed to suspend guest accounts created by anyone in the same sponsor user group.
  – All Accounts—Sponsors are allowed to suspend any guest accounts.
• Full Reporting—Choose one of the following permissions for viewing reporting details for full reporting. See Reporting on Guest Users for additional details.
  – No—Sponsors are not allowed to view reporting details on any guest accounts.
  – Own Account—Sponsors are allowed to view reporting details for only the guest accounts they created.
  – Group Accounts—Sponsors are allowed to view active guest accounts created by anyone in the same sponsor user group.
  – All Accounts—Sponsors are allowed to view reporting details on any active guest accounts.
• Detailed Reports - Accounting Log—Choose one of the following permissions for running a full report on accounting logs:
  – No—Sponsors are not allowed to run accounting log reporting on any guest accounts.
  – Own Account—Sponsors are allowed to run full accounting log reporting for only the guest accounts they created.
  – Group Accounts—Sponsors are allowed to run full reporting on guest accounts created by anyone in the same sponsor user group.
  – All Accounts—Sponsors are allowed to run full accounting log reporting on any active guest accounts.
• Detailed Reports - Audit Log—Choose one of the following permissions for running a full report on audit logs:
  – No—Sponsors are not allowed to run an audit log report on logs on any accounts.
  – Own Account—Sponsors are allowed to run an audit log report on logs for only the guest accounts they created.
  – Group Accounts—Sponsors are allowed to run an audit log report on logs for guest accounts created by anyone in the same sponsor user group.
  – All Accounts—Sponsors are allowed to run an audit log report on logs on any active guest accounts.
• Detailed Reports - Activity Log—Choose one of the following permissions for running a full report on activity logs:
  – No—Sponsors are not allowed to run detailed reports on activity logs on any guest accounts.
  – Own Account—Sponsors are allowed to run detailed reports on activity logs for only the guest accounts they created.
  – Group Accounts—Sponsors are allowed to run a detailed report on activity logs for guest accounts created by anyone in the same sponsor user group.
  – All Accounts—Sponsors are allowed to run detailed reports on activity logs on any active guest accounts.
• Management Reports—Select Yes to allow the sponsors to run the management reports. If you select No, the sponsors are not allowed to run the reports.
• Number of days in the future the account can be created—This specifies the period in the future for which the guests can create accounts. Specify the maximum number of days, hours, or minutes that they are allowed to create accounts in the future.
• Maximum duration of account—This specifies the maximum duration for which the sponsor can configure an account. Specify the duration in days, hours, or minutes.
Step 5
Click the Save button to add the group with the permissions specified.
Note
Until you click the Save button, the changes are not saved.
Step 6
Follow one of the following sets of instructions to map sponsor users to your group based on group information from the authentication server:
• Mapping to Active Directory Groups
• Mapping to LDAP Groups
• Mapping to RADIUS Groups
Deleting User Groups
Step 1
From the administration interface, select Authentication > Sponsor User Groups from the left hand menu.
Figure 5-6 List Groups to Delete
Step 2
Select and highlight the group you wish to delete and click the Delete Group button as shown in Figure 5-6.
Step 3
Confirm deletion at the prompt.
Note
If any Local Users are part of this group, you must delete the user before deleting the user group. Alternatively, you can move Local Users to another group to "empty" the user group before deleting it.
Specifying the Order of Sponsor User Groups
When a sponsor logs in to the Cisco NAC Guest Server, the system checks each group in turn to see if the sponsor should be given the privileges of that group. The groups are processed in the order in which they appear in the Sponsor User Groups list box as shown in Figure 5-7. If a user does not match a user group, they are given the privileges of the DEFAULT group.
Step 1
From the administration interface, select Authentication > Sponsor User Groups from the left hand menu.
Figure 5-7 Order User Groups
Step 2
Select the group you wish to order. Each group can be ordered by clicking the move up or move down arrow icon button until the group is in position as shown in Figure 5-7.
Step 3
Repeat for all groups until they appear in the required order.
Step 4
Click the Change Order button to save the order.
Mapping to Active Directory Groups
If a sponsor authenticates to the Cisco NAC Guest Server using Active Directory authentication, the Cisco NAC Guest Server can map the sponsors into a user group using their membership in Active Directory groups.
Note
Cisco NAC Guest Server does not support recursive group lookups. You must specify a group that the user is directly a member of.
If you have configured AD authentication (as described in Configuring Active Directory (AD) Authentication), then the Guest Server automatically retrieves a list of all the groups configured within all the AD servers.
Selecting an Active Directory Group from the dropdown provides all sponsor users in this AD group with the permissions of this sponsor user group.
Step 1
From the administration interface, select Authentication > Sponsor User Groups from the left hand menu as shown in Figure 5-1.
Step 2
Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Step 3
Click the Active Directory Mapping tab to bring up the Edit Active Directory Mapping tab as shown in Figure 5-8.
Figure 5-8 Active Directory Group Mapping
Step 4
Select the group you wish to match from the dropdown menu and then click the Save button.
Note
By default, Active Directory only returns a maximum of 1000 groups in response to a Cisco NAC Guest Server search. If you have more than 1000 groups and have not increased the LDAP search size, it is possible that the group you want to match does not appear. In this situation, you can manually enter the group name in the Active Directory Group combo box.
Mapping to LDAP Groups
If a sponsor authenticates to the Cisco NAC Guest Server using LDAP authentication, the Cisco NAC Guest Server can map the sponsor into a user group by their membership of LDAP groups.
Note
Cisco NAC Guest Server does not support recursive group lookups. You must specify a group that the user is directly a member of.
Based on the settings of the LDAP server that you authenticate against, the Cisco NAC Guest Server uses one of the following methods for mapping the sponsor using group information.
There are two main methods that LDAP servers use for assigning users to groups:
1. Storing the group membership in an attribute of the user object. With this method, the user object has one or more attributes that list the groups to which the user belongs. If your LDAP server uses this method of storing group membership, you need to enter the name of the attribute which holds the groups of which the user is a member.
2. Storing the user membership in an attribute of the group object. With this method, there is a group object that contains a list of the users who are members of the group. If your LDAP server uses this method, you need to specify the group to check under the LDAP mapping section of a User Group for which you want to match the user.
When you define the LDAP server, you will have specified one of these two options.
If the LDAP server supports the first option, you need to specify the string to check for in the user attribute.
If the LDAP server supports the second option, you need to enter the full DN of the group whose membership you want to check. The Cisco NAC Guest Server will then check the attribute to make sure that it contains the name of the user who has logged in.
Step 1
From the administration interface, select Authentication > Sponsor User Groups from the left hand menu as shown in Figure 5-1.
Step 2
Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Step 3
Click the LDAP Mapping tab in the top menu of the page to bring up the Edit LDAP Mapping as shown in Figure 5-9.
Figure 5-9 LDAP Group Mapping
Step 4
If your LDAP server uses user attributes to store group membership, type the group name to check in the Check the user attribute field and specify either "contains the string" or "equals the string" from the dropdown menu.
Note
If you use "contains the string", the LDAP server must have wildcard searches enabled.
Step 5
If your LDAP server stores group membership in the group object, then specify the full DN of the group you want to check in the Check the group object (group DN) field and type the name of the attribute to be checked for the sponsor's username in the Membership Attribute field.
Step 6
Click the Save button to save the LDAP group mapping.
Note
You can specify both options for the same group. The option that you check depends on the setting on the LDAP server with which the sponsor successfully authenticates.
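The two membership layouts described above, and the effect of the no-recursive-lookup restriction, can be modelled as follows. This is an added example, not Cisco code: the directory contents, the DNs, the attribute names memberOf and member, and the function names are all constructed for illustration.

```python
# Added illustration: the two LDAP group-membership layouts, checked without
# recursion. All directory data below is constructed sample data.

GS_DN = "cn=GuestSponsors,ou=Groups,dc=example,dc=com"
RECEPTION_DN = "cn=Reception,ou=Groups,dc=example,dc=com"

# Layout 1: each user object lists its groups in an attribute ("memberOf" here).
# bob belongs only to Reception, which is itself nested inside GuestSponsors.
USERS = {
    "alice": {"memberOf": [GS_DN]},
    "bob": {"memberOf": [RECEPTION_DN]},
}

# Layout 2: each group object lists its members in an attribute ("member" here).
# Values are simplified to login names, plus one nested group entry.
GROUPS = {
    GS_DN: {"member": ["alice", RECEPTION_DN]},
    RECEPTION_DN: {"member": ["bob"]},
}

def match_user_attribute(username, attribute, text, mode):
    """Layout 1: compare the user's own attribute values with a string."""
    values = USERS.get(username, {}).get(attribute, [])
    if mode == "equals":
        return any(value == text for value in values)
    if mode == "contains":
        return any(text in value for value in values)
    raise ValueError(f"unknown match mode: {mode!r}")

def match_group_object(username, group_dn, membership_attribute):
    """Layout 2: is the username listed directly in the group's attribute?"""
    members = GROUPS.get(group_dn, {}).get(membership_attribute, [])
    return username in members  # nested group entries are not expanded

def sponsor_in_group(username, server_layout, mapping):
    """Apply the option that fits the server the sponsor authenticated against."""
    if server_layout == "user_attribute":
        attribute, text, mode = mapping["user_attribute"]
        return match_user_attribute(username, attribute, text, mode)
    if server_layout == "group_object":
        group_dn, attribute = mapping["group_object"]
        return match_group_object(username, group_dn, attribute)
    raise ValueError(f"unknown server layout: {server_layout!r}")

# One sponsor user group with both options filled in, as the note above allows.
MAPPING = {
    "user_attribute": ("memberOf", GS_DN, "equals"),
    "group_object": (GS_DN, "member"),
}

if __name__ == "__main__":
    for user in ("alice", "bob"):
        for layout in ("user_attribute", "group_object"):
            print(user, layout, sponsor_in_group(user, layout, MAPPING))
```

In this model bob never matches GuestSponsors under either layout, because his membership exists only through the nested Reception group; mapping him requires a rule that names Reception directly.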
Mapping to RADIUS Groups
If a sponsor authenticates to the Cisco NAC Guest Server using RADIUS authentication, the Cisco NAC Guest Server can map the sponsor into a user group by using information returned to the Cisco NAC Guest Server in the authentication request.
The information must be placed into the class attribute on the RADIUS server.
Step 1
From the administration interface, select Authentication > Sponsor User Groups from the left hand menu as shown in Figure 5-1.
Step 2
Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Step 3
Click the RADIUS Mapping tab to bring up the Edit RADIUS Mapping as shown in Figure 5-10.
Figure 5-10 RADIUS Group Mapping
Step 4
Enter the string you want to match against the Class Attribute that is returned in the RADIUS authentication reply. Use the dropdown to specify if you want to exactly match the string (equals the string) or match a substring (contains the string).
Step 5
Click the Save button.
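Because groups are processed in list order (see Specifying the Order of Sponsor User Groups) and a RADIUS mapping can use "contains the string", a broad substring rule placed early can capture sponsors intended for a later group. The following added example, which is not part of the original guide, models that first-match evaluation and audits a rule set against intended outcomes; the group names, Class values and case-sensitive comparison are assumptions.

```python
# Added illustration: ordered, first-match sponsor group mapping on the
# RADIUS Class attribute. Rules and Class values are constructed samples;
# case-sensitive comparison is an assumption of this model.
from dataclasses import dataclass

@dataclass(frozen=True)
class ClassRule:
    group: str  # sponsor user group the rule belongs to
    mode: str   # "equals" or "contains", as in the RADIUS Mapping dropdown
    text: str   # string compared with the returned Class attribute

    def matches(self, class_value: str) -> bool:
        if self.mode == "equals":
            return class_value == self.text
        if self.mode == "contains":
            return self.text in class_value
        raise ValueError(f"unknown match mode: {self.mode!r}")

def resolve_group(rules, class_value):
    """Return the first group, in list order, whose rule matches; else DEFAULT."""
    for rule in rules:
        if rule.matches(class_value):
            return rule.group
    return "DEFAULT"

def audit(rules, expected):
    """Return (class_value, intended, actual) for every mapping that differs.

    expected maps a Class value to the group the administrator intends.
    """
    findings = []
    for class_value, intended in expected.items():
        actual = resolve_group(rules, class_value)
        if actual != intended:
            findings.append((class_value, intended, actual))
    return findings

# Rule order mirrors the order of the Sponsor User Groups list.
LOOSE = [
    ClassRule("FullSponsors", "contains", "sponsor"),
    ClassRule("Reception", "equals", "reception-sponsor"),
]
# Same groups with exact matches, so list order no longer decides the outcome.
STRICT = [
    ClassRule("FullSponsors", "equals", "sponsor"),
    ClassRule("Reception", "equals", "reception-sponsor"),
]
# Class values the RADIUS server may return, and the intended group for each.
EXPECTED = {
    "sponsor": "FullSponsors",
    "reception-sponsor": "Reception",
    "contractor": "DEFAULT",
}

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("strict", STRICT)):
        print(name, audit(rules, EXPECTED))
```

With the loose rule set, the Class value reception-sponsor resolves to FullSponsors instead of Reception; the strict rule set produces no findings.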
Assigning Guest Roles
Guest Roles allow a sponsor to assign different levels of access to a guest account. You can choose which sponsor user groups are allowed to assign certain roles to guests.
By default, a sponsor user group has the ability to assign guests to the default role. The administrator can choose the additional roles the sponsor can assign, or can remove the default role from the user group.
Each sponsor user group must have the ability to assign guests to at least one role.
If only one role is selected for the user group, the sponsor is not given the option to select roles. If there is more than one role, sponsors get a dropdown menu to select the role to be assigned to the account during account creation.
Refer to Configuring Guest Roles for additional details on roles.
Step 1
From the administration interface, select Authentication > Sponsor User Groups from the left hand menu as shown in Figure 5-1.
Step 2
Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Step 3
Click the Guest Roles tab to bring up the Edit Roles as shown in Figure 5-11.
Figure 5-11 Edit Roles
Step 4
The roles that the sponsor user group has permission to assign are displayed in the Selected Roles list. Move the roles between the Available Roles and Selected Roles lists using the arrow buttons.
Step 5
Click the Save button to assign the permission to create guests in the specified roles to the sponsor user group.
Assigning Time Profiles
Time Profiles allow a sponsor to assign different levels of access time to a guest account. You can choose the sponsor user groups that are allowed to assign certain Time Profiles to guests.
By default, a user group has the ability to assign guests to the default time profile. The administrator can choose which additional time profiles the sponsor can assign, or can remove the default time profile from the user group.
Each user group must have the ability to assign guests to at least one time profile.
If a user group has only one time profile selected, the sponsor does not see an option to select the time profile. If they have the ability to choose more than one time profile, they see a dropdown menu from which they can choose the time profile to be assigned to the account during account creation.
Refer to Configuring Time Profiles for additional details on time profiles.
Step 1
From the administration interface, select Authentication > Sponsor User Groups from the left hand menu as shown in Figure 5-1.
Step 2
Select and highlight the group you wish to edit, then click the Edit Sponsor Group button as shown in Figure 5-4.
Step 3
Click the Time Profiles tab to bring up the Edit Time Profiles as shown in Figure 5-12.
Figure 5-12 Time Profiles
Step 4
The time profiles that the sponsor user group has permission to assign are displayed in the Selected Time Profiles list. Move the time profiles between the Available Time Profiles and Selected Time Profiles lists using the arrow buttons.
Step 5
Click the Save button to assign the permission to create guests in the time profiles to the sponsor user group.