Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 3 Switch Management: Configuring Out-of-Band Deployment
Group
This page displays all the Group Profiles configured in the Clean Access Manager, and the Group
Profiles to which the switch currently belongs. You can add the switch to other Groups, or you can
remove the switch from a Group Joined. To change the Group membership for all switches, go to OOB
Management > Profiles > Group (see Configure Group Profiles, page 3-28).
Figure 3-41 Config Group
Configure Access to Authentication VLAN Change Detection
Caution: The Access to Authentication VLAN Change Detection feature should only be used for OOB
deployments that require client DHCP IP refresh/renew. DHCP refresh/renew is configured under
Administration > User Pages > Login Page > List > Edit > General | Use web client to release and
renew IP address when necessary (OOB). If your OOB deployment makes use of port bouncing, this
feature is not needed and should not be configured. Refer to DHCP Release/Renew with
Agent/ActiveX/Java Applet, page 5-6 for additional details.
For In-Band clients and Out-of-Band clients which are still assigned to the Authentication VLAN, the
Agent uses SWISS discovery packets to verify connectivity with the CAS. Once a client machine is on
the Out-of-Band network and no longer communicates directly with the CAS, additional configuration
is required for the client to determine whether it is still on the Access VLAN or moved to the
Authentication VLAN. Versions prior to the 4.1.3.0 Agent cannot identify that the client port has
switched from the Access VLAN to the Authentication VLAN and require the client machine’s DHCP
lease to run out in order to force the Agent to perform a DHCP release/renew to get a new IP address
assignment.
To ensure OOB users are able to maintain network connection when the Cisco NAC Appliance
administrator is forced to “kick” users out (and move the session back to the Authentication VLAN), you
can configure the Cisco NAC Appliance system to have the Agent renew the IP address via DHCP
release/renew.
This VLAN change detection behavior applies to the following scenarios:
• L3 OOB (Real-IP or Virtual Gateway)
• L2 OOB Real IP Gateway
• L2 OOB Virtual Gateway with user-role based VLAN assignment