Specifications

3-13
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 3 Switch Management: Configuring Out-of-Band Deployment
The initial VLAN of the port. With this setting, the client port is switched to the Authentication
VLAN for authentication/certification; once the client is certified, the port is switched back to its
initial VLAN, which the CAM saved when the switch was added.
Note If the client's MAC address is on the Certified Devices List but not on the Out-of-Band Online
Users list (that is, the client is certified but logged off the network), you can either keep the client
on the Access VLAN at the next login (allowing trusted network access) or place the client on the
Authentication VLAN at the next login to force the user to re-authenticate through the CAS. Because
the client is already certified, it does not go through Nessus scanning again, only posture assessment.
Removing an OOB client from the Certified Devices List also removes that user from the
Out-of-Band Online Users list and bounces the port. You can optionally configure the Port Profile
not to bounce the port.
L3 Out-of-Band Deployment
For details on L3 OOB, refer to the following sections:
Enable Web Client for Login Page, page 5-5
“Configuring Layer 3 Out-of-Band (L3 OOB)” in the Cisco NAC Appliance - Clean Access Server
Configuration Guide, Release 4.9(x).
Configure Your Network for Out-of-Band
The Clean Access Manager (CAM) manages Out-of-Band Clean Access Servers (CASs) and switches
through the admin network. The trusted interface of the CAS connects to the admin/management
network, and the untrusted interface of the CAS connects to the managed client network.
When a client connects to a managed port on a managed switch, the port is set to the authentication
VLAN and the traffic to/from the client goes through the Clean Access Server. After the client is
authenticated and certified through the Clean Access Server, the port connected to the client is changed
to the access VLAN. Once on the access VLAN, traffic to and from certified clients bypasses the Clean
Access Server.
In most OOB deployments, the client must acquire a different IP address on the Access VLAN after
posture assessment. The exception is L2 OOB Virtual Gateway, where the Default Access VLAN is the
Access VLAN in the Port Profile, so no new address is needed.
In a Real-IP Gateway setup, the client port is bounced to prompt the client to acquire a new IP address
from the admin/access VLAN.
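The port and list transitions described above (initial VLAN saved at switch-add time, Authentication VLAN during login, switch to the Access VLAN after certification, the certified-but-logged-off choice, and the bounce on removal from the Certified Devices List) as an added Python model. This is illustration only, not Cisco code: the real CAM drives the switch itself, and the class names, method names, port names and VLAN numbers below are assumptions made for the example.

```python
"""Model of the Out-of-Band port and list transitions described in this section.

Added illustration only: the real CAM drives the switch and its logic lives in
the appliance.  Class names, method names and the VLAN numbers below are
assumptions made for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed VLAN numbers for the walk-through (not taken from the guide).
AUTH_VLAN = 110
INITIAL_VLAN = 10


@dataclass
class PortProfile:
    auth_vlan: int
    access_vlan: Optional[int] = None   # None = "Initial": reuse the VLAN saved when the switch was added
    bounce_port: bool = True            # Real-IP Gateway: bounce so the client acquires a new IP address
    certified_offline_to_auth: bool = False  # certified-but-logged-off MAC: True = force re-auth via the CAS


@dataclass
class Port:
    initial_vlan: int   # saved by the CAM when the switch was added
    current_vlan: int
    profile: PortProfile
    bounces: int = 0


class OobManager:
    """Toy stand-in for the CAM's OOB bookkeeping."""

    def __init__(self) -> None:
        self.ports: Dict[str, Port] = {}
        self.certified_devices: Set[str] = set()   # Certified Devices List, keyed by MAC
        self.online_users: Dict[str, str] = {}     # Out-of-Band Online Users: MAC -> port id

    def add_switch_port(self, port_id: str, vlan: int, profile: PortProfile) -> None:
        self.ports[port_id] = Port(initial_vlan=vlan, current_vlan=vlan, profile=profile)

    def _access_vlan(self, port: Port) -> int:
        p = port.profile
        return p.access_vlan if p.access_vlan is not None else port.initial_vlan

    def _set_vlan(self, port: Port, vlan: int, bounce: bool) -> int:
        port.current_vlan = vlan
        if bounce:
            port.bounces += 1   # link down/up so the client re-runs DHCP on the new VLAN
        return vlan

    def link_up(self, port_id: str, mac: str) -> int:
        """A client connects to a managed port; returns the VLAN the port is placed on."""
        port = self.ports[port_id]
        certified_offline = mac in self.certified_devices and mac not in self.online_users
        if certified_offline and not port.profile.certified_offline_to_auth:
            # Certified but logged off: keep the client on the Access VLAN (trusted access,
            # no trip through the CAS).  Model simplification: treat it as online again.
            self.online_users[mac] = port_id
            return self._set_vlan(port, self._access_vlan(port), bounce=False)
        # Everyone else (including certified clients when re-auth is enforced) starts behind the CAS.
        return self._set_vlan(port, port.profile.auth_vlan, bounce=False)

    def login(self, port_id: str, mac: str, posture_ok: bool, scan_ok: bool = True) -> int:
        """Client on the Authentication VLAN logs in through the CAS; returns the resulting VLAN."""
        port = self.ports[port_id]
        if port.current_vlan != port.profile.auth_vlan:
            raise ValueError("login is only reachable from the Authentication VLAN")
        # A MAC already on the Certified Devices List skips Nessus scanning; posture assessment still runs.
        needs_scan = mac not in self.certified_devices
        if not posture_ok or (needs_scan and not scan_ok):
            return port.current_vlan   # stays on the Authentication VLAN, traffic still via the CAS
        self.certified_devices.add(mac)
        self.online_users[mac] = port_id
        # Move to the Access VLAN; bounce only when the profile needs a fresh lease (Real-IP Gateway).
        return self._set_vlan(port, self._access_vlan(port), bounce=port.profile.bounce_port)

    def logout(self, mac: str) -> Optional[int]:
        """User logs off; the MAC stays on the Certified Devices List."""
        port_id = self.online_users.pop(mac, None)
        return None if port_id is None else self.ports[port_id].current_vlan

    def remove_from_certified(self, mac: str) -> Optional[int]:
        """Dropping a MAC from the Certified Devices List also logs it off and (optionally) bounces the port."""
        self.certified_devices.discard(mac)
        port_id = self.online_users.pop(mac, None)
        if port_id is None:
            return None
        port = self.ports[port_id]
        return self._set_vlan(port, port.profile.auth_vlan, bounce=port.profile.bounce_port)


def walkthrough() -> List[Tuple[str, Optional[int], int]]:
    """The sequence from the text on one Real-IP Gateway port: (step, VLAN, bounce count)."""
    cam = OobManager()
    cam.add_switch_port("Fa0/1", INITIAL_VLAN, PortProfile(auth_vlan=AUTH_VLAN))
    mac, port = "00:11:22:33:44:55", "Fa0/1"
    steps = []
    steps.append(("link_up", cam.link_up(port, mac), cam.ports[port].bounces))
    steps.append(("login", cam.login(port, mac, posture_ok=True), cam.ports[port].bounces))
    steps.append(("logout", cam.logout(mac), cam.ports[port].bounces))
    steps.append(("link_up_again", cam.link_up(port, mac), cam.ports[port].bounces))
    steps.append(("remove", cam.remove_from_certified(mac), cam.ports[port].bounces))
    return steps
```

Running `walkthrough()` traces a port that starts on VLAN 10, is moved to the Authentication VLAN 110 on link-up, bounced once when it returns to its initial VLAN after certification, kept on VLAN 10 when the certified-but-logged-off client reconnects, and bounced back to 110 when the MAC is removed from the Certified Devices List. Note that both lists are keyed on MAC address, so the option of keeping a logged-off-but-certified client on the Access VLAN trusts the MAC alone; forcing such clients back to the Authentication VLAN is the stricter choice.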
The next sections describe the configuration steps needed to set up your OOB deployment:
Configure Your Switches, page 3-14
Configure OOB Switch Management on the CAM, page 3-25
Configure Access to Authentication VLAN Change Detection, page 3-67