3-36
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 3 Switch Management: Configuring Out-of-Band Deployment
Configure OOB Switch Management on the CAM
Note If the switch cannot find the specified VLAN (for example, because the VLAN name is mistyped), an error also
appears in perfigo.log (not in the Event Log).
Step 7 For Access VLAN, choose one of the following options from the dropdown menu:
• Default Access VLAN—The CAM will put authenticated users with certified devices on the Default
Access VLAN specified in the Port Profile.
• User Role VLAN—The CAM will put authenticated users with certified devices on the Access
VLAN specified in the User Role (for details, see Figure 3-9: Configure User Role with Access
VLAN and Out-of-Band User Role VLAN, page 6-10).
• Initial Port VLAN—The CAM will put authenticated users with certified devices on the Initial
VLAN specified for the port in the Ports configuration page (see Ports Management Page,
page 3-54 for details). The initial VLAN is the value saved by the CAM for the port when the switch
is added. Instead of using a specified Access VLAN, the client is switched from the initial port
VLAN to an Auth VLAN for authentication and certification, then switched back to the initial port
VLAN when the client is certified.
Step 8 If you want to specify the Access VLAN using a VLAN profile definition, choose one of the VLAN
Profile names you created in Add VLAN Profile, page 3-42 from the dropdown menu, or choose Default, to
specify the VLAN profile to associate with this port profile.
Note If you choose Default, or if you have not yet created any custom VLAN profiles, the CAM queries only
the managed switch in question for the VLAN name-to-VLAN ID mapping to determine the user’s
Access VLAN.
Port Profile Options when Device is Connected to Port
The CAM discovers the device connected to the switch port from the SNMP MAC change notification, MAC
move notification, or linkup traps it receives. The port is assigned the Auth VLAN if the device is not
certified, or the Access VLAN if the device is certified and the user is authenticated. You can additionally
configure the following options:
Step 9 Click the Change VLAN according to global device filter list option if you have configured a global
Device Filter to ignore MAC addresses for IP phones in your network or if you want to use the CAM’s
global Device Filter rules to set the VLAN of the port. You must have device filters added under Device
Management > Filters > Devices for this feature to work. For OOB, the device filter rules are as
follows:
• ALLOW—bypass login and posture assessment (certification) and assign Default Access VLAN
to the port
• DENY—bypass login and posture assessment (certification) and assign Auth VLAN to the port
• ROLE—bypass login and L2 posture assessment (certification) and assign User Role VLAN to the
port (see Out-of-Band User Role VLAN, page 6-10)
• CHECK—bypass login, apply posture assessment, and assign User Role VLAN to the port (see
Out-of-Band User Role VLAN, page 6-10)
• IGNORE—ignore SNMP traps from managed switches (IP Phones)
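The following is an added example, not code from the Cisco NAC Appliance, that models the port-VLAN decision described in Steps 7 through 9 as a small Python routine: given the Port Profile's Access VLAN option, the optional global device filter, the client's authentication/certification state and the managed switch's VLAN name-to-ID table, it returns the VLAN the CAM would set on the port after a MAC-notification or linkup trap. The class and function names, the switch VLAN table, the sample MAC addresses, the idea that a ROLE or CHECK filter entry carries the VLAN of the role it maps to, and the treatment of a CHECK device as staying on the Auth VLAN until certified are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Access VLAN options offered in Step 7
DEFAULT_ACCESS_VLAN = "Default Access VLAN"
USER_ROLE_VLAN = "User Role VLAN"
INITIAL_PORT_VLAN = "Initial Port VLAN"

# Global device filter (Step 9): normalized MAC -> (action, role VLAN).
# Assumption: the role VLAN is only used by ROLE and CHECK entries.
DeviceFilters = Dict[str, Tuple[str, Optional[str]]]


@dataclass
class PortProfile:
    auth_vlan: str                                # VLAN name or numeric ID
    default_access_vlan: str
    access_vlan_option: str = DEFAULT_ACCESS_VLAN
    change_vlan_by_device_filter: bool = False    # Step 9 checkbox


@dataclass
class ManagedPort:
    initial_vlan: str     # value the CAM saved for the port when the switch was added


@dataclass
class Client:
    mac: str
    authenticated: bool = False
    certified: bool = False
    user_role_vlan: Optional[str] = None  # Access VLAN configured in the User Role


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so trap, filter and GUI spellings compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def resolve_vlan_id(switch_vlans: Dict[str, int], vlan: Optional[str],
                    log: List[str]) -> Optional[int]:
    """Map a VLAN name (or numeric ID) to the ID on the managed switch in question.
    A name the switch does not know (e.g. a typo) is logged as the Note describes
    (perfigo.log, not the Event Log) and no VLAN is returned."""
    if vlan is None:
        log.append("perfigo.log: no VLAN configured for this decision")
        return None
    if vlan.isdigit():
        return int(vlan)
    vlan_id = switch_vlans.get(vlan)
    if vlan_id is None:
        log.append(f"perfigo.log: VLAN name {vlan!r} not found on switch")
    return vlan_id


def resolve_port_vlan(profile: PortProfile, port: ManagedPort, client: Client,
                      filters: DeviceFilters, switch_vlans: Dict[str, int],
                      log: List[str]) -> Optional[int]:
    """VLAN ID the CAM would set after a MAC-notification/linkup trap, or None
    when the trap is ignored or the configured VLAN cannot be resolved."""
    if profile.change_vlan_by_device_filter:
        entry = filters.get(normalize_mac(client.mac))
        if entry is not None:
            action, role_vlan = entry
            # These entries match on MAC address only, so ALLOW and ROLE bypass
            # any client that presents (or spoofs) a listed address.
            if action == "IGNORE":      # e.g. IP phones: the trap is dropped
                return None
            if action == "ALLOW":       # no login, no posture: Default Access VLAN
                return resolve_vlan_id(switch_vlans, profile.default_access_vlan, log)
            if action == "DENY":        # no login, no posture: Auth VLAN
                return resolve_vlan_id(switch_vlans, profile.auth_vlan, log)
            if action == "ROLE":        # no login, no posture: the role's VLAN
                return resolve_vlan_id(switch_vlans, role_vlan, log)
            if action == "CHECK":       # no login, but posture assessment still applies
                target = role_vlan if client.certified else profile.auth_vlan
                return resolve_vlan_id(switch_vlans, target, log)
            raise ValueError(f"unknown device filter action {action!r}")

    # Normal OOB flow: anything not both authenticated and certified stays on the Auth VLAN.
    if not (client.authenticated and client.certified):
        return resolve_vlan_id(switch_vlans, profile.auth_vlan, log)
    if profile.access_vlan_option == DEFAULT_ACCESS_VLAN:
        target = profile.default_access_vlan
    elif profile.access_vlan_option == USER_ROLE_VLAN:
        target = client.user_role_vlan
    elif profile.access_vlan_option == INITIAL_PORT_VLAN:
        target = port.initial_vlan
    else:
        raise ValueError(f"unknown Access VLAN option {profile.access_vlan_option!r}")
    return resolve_vlan_id(switch_vlans, target, log)


def demo() -> Dict[str, object]:
    """Run the decision against constructed sample data and return every result."""
    switch_vlans = {"auth": 10, "employees": 20, "guests": 30, "voice": 40}  # constructed
    filters: DeviceFilters = {normalize_mac(m): v for m, v in {
        "001A.2B3C.4D5E": ("IGNORE", None),          # IP phone, Cisco dotted form
        "aa-bb-cc-dd-ee-01": ("ALLOW", None),        # printer
        "aa:bb:cc:dd:ee:02": ("ROLE", "employees"),
        "aa:bb:cc:dd:ee:03": ("CHECK", "employees"),
    }.items()}
    role_profile = PortProfile("auth", "guests", USER_ROLE_VLAN, True)
    initial_profile = PortProfile("auth", "guests", INITIAL_PORT_VLAN, False)
    port = ManagedPort(initial_vlan="5")
    log: List[str] = []

    def decide(profile: PortProfile, client: Client) -> Optional[int]:
        return resolve_port_vlan(profile, port, client, filters, switch_vlans, log)

    results: Dict[str, object] = {
        "phone": decide(role_profile, Client("00:1a:2b:3c:4d:5e")),
        "printer": decide(role_profile, Client("AA:BB:CC:DD:EE:01")),
        "role_device": decide(role_profile, Client("aa:bb:cc:dd:ee:02")),
        "check_uncertified": decide(role_profile, Client("aa:bb:cc:dd:ee:03")),
        "check_certified": decide(role_profile, Client("aa:bb:cc:dd:ee:03", certified=True)),
        "unknown_unauth": decide(role_profile, Client("aa:bb:cc:dd:ee:99")),
        "user_role": decide(role_profile, Client("aa:bb:cc:dd:ee:99", True, True, "employees")),
        "typo_role": decide(role_profile, Client("aa:bb:cc:dd:ee:98", True, True, "employes")),
        "initial_port": decide(initial_profile, Client("aa:bb:cc:dd:ee:97", True, True)),
    }
    results["log"] = log
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The IGNORE entry returns no VLAN at all rather than an Auth VLAN, which is the point of Step 9 for IP phones: the trap is discarded instead of bouncing the phone between VLANs. The "typo_role" case shows why the Note above matters; the misspelled role VLAN name never reaches the switch, and the only trace is the perfigo.log line.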