Specifications
3-10
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 3 Switch Management: Configuring Out-of-Band Deployment
Deployment Modes
12. For certified clients, the Port Profile form (OOB Management > Profiles > Port > New or Edit)
provides the following options (see Add Port Profile, page 3-34 for details). You can switch the
client to:
• The Access VLAN specified in the Port Profile form.
• The Access VLAN specified for the user role of the client, if you choose to use a role-based port
profile (see Figure 3-9 on page 3-27 for details).
• The initial VLAN of the port. For this configuration, the client port is switched to the Auth VLAN
for authentication/certification, then when the client is certified, the port is switched back to the
initial VLAN of the port saved by the CAM when the switch was added.
Note also that:
• If the client’s MAC address is on the Certified Devices List, but not on the Out-of-Band Online
Users list (in other words, the client is certified but logged off the network), you can keep the client
on the Access VLAN at the next login (allowing trusted network access), or you can put the client
on the Authentication VLAN at the next login to force the user to re-authenticate through the CAS.
Because the client is already certified, the client does not go through Nessus Scanning, only posture
assessment.
• Removing an OOB client from the Certified Devices List also removes that user from the
Out-of-Band Online Users list. You can optionally configure the port to be bounced as well.
• A client machine shutdown or reboot triggers a linkdown trap (if traps are set up on the switch) sent from
the switch to the CAM. The resulting behavior for the client (Agent or web login) depends on the Port
Profile setting for that specific port.
• If the CAM is down and the CAS is performing VLAN mapping in “fail open” state, do not reboot
the CAS because the VLAN mapping capability will be lost until the CAM comes back online.
For additional configuration information, see the “Understanding VLAN Settings” and “VLAN Mapping
in Virtual Gateway Mode” sections of the Cisco NAC Appliance - Clean Access Server Configuration
Guide, Release 4.9(x).
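The VLAN decisions listed in step 12 and the notes above, modeled as an added example that is not part of this guide or of the CAM software: `Cam`, `PortProfile`, `Port` and the MAC/VLAN values are constructed stand-ins for the CAM's lists and the Port Profile options, not the product's API.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Set

class AccessSource(Enum):
    PROFILE = "profile"   # Access VLAN entered in the Port Profile form
    ROLE = "role"         # Access VLAN of the client's user role (role-based profile)
    INITIAL = "initial"   # initial VLAN the CAM saved when the switch was added

@dataclass
class PortProfile:            # hypothetical subset of the Port Profile options
    auth_vlan: int
    access_vlan: int          # only used when access_source is PROFILE
    access_source: AccessSource
    reauth_if_logged_off: bool  # certified-but-logged-off client goes to Auth VLAN at next login
    bounce_on_removal: bool     # bounce the port when the client is removed from the Certified Devices List

@dataclass
class Port:
    initial_vlan: int
    bounced: bool = False

@dataclass
class Cam:                    # constructed stand-in for the CAM's lists, not the real CAM
    certified: Set[str]       # Certified Devices List (MAC addresses)
    online: Set[str]          # Out-of-Band Online Users list (MAC addresses)
    role_vlan: Dict[str, int] # MAC -> Access VLAN of that user's role

def access_vlan(profile: PortProfile, port: Port, role_vlan: int) -> int:
    """Access VLAN a certified client is switched to, per the profile option."""
    if profile.access_source is AccessSource.PROFILE:
        return profile.access_vlan
    if profile.access_source is AccessSource.ROLE:
        return role_vlan
    return port.initial_vlan

def next_login_vlan(cam: Cam, profile: PortProfile, port: Port, mac: str) -> int:
    """VLAN the port ends up on when a client with this MAC connects and logs in."""
    if mac not in cam.certified:
        return profile.auth_vlan   # not certified: authenticate/certify on the Auth VLAN
    if mac not in cam.online and profile.reauth_if_logged_off:
        return profile.auth_vlan   # certified but logged off: force re-authentication via the CAS
    return access_vlan(profile, port, cam.role_vlan.get(mac, port.initial_vlan))

def checks_for(cam: Cam, mac: str) -> tuple:
    """An already certified client skips Nessus scanning and only gets posture assessment."""
    return ("posture",) if mac in cam.certified else ("nessus", "posture")

def remove_from_certified(cam: Cam, profile: PortProfile, port: Port, mac: str) -> None:
    """Removing an OOB client from the Certified Devices List also logs it off."""
    cam.certified.discard(mac)
    cam.online.discard(mac)
    port.bounced = profile.bounce_on_removal
```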
Out-of-Band Real-IP Gateway Deployment
In Out-of-Band Real-IP gateway deployment, the client IP address has to change when the port is
changed from the Auth VLAN to the Access VLAN.
Figure 3-4 illustrates the sequence described below. In this example, the Authentication VLAN is 100,
and the Access VLAN is 10.