Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 3 Switch Management: Configuring Out-of-Band Deployment
Out-of-Band Users
If the Agent detects a change, the client machine automatically refreshes its IP address via DHCP
release/renew. By default, the Agent automatically polls for the VLAN assignment on the switch every
5 seconds. Users can increase or decrease that interval by adjusting the “VlanDetectInterval”
client setting.
For OOB deployments that require a client IP change, when the user is logged out and the client port
changes from the Access VLAN to the Authentication VLAN, the IP address for the client machine also
needs to change to come from the Authentication VLAN. In OOB, when the user is in the Access VLAN,
the Agent no longer communicates with the CAM or CAS, so the Agent is not aware when the CAM
changes the VLAN for the client port. Although the CAM can bounce the port to change the IP address
on the client, this solution is not recommended for IP Phone environments, as it can disrupt voice
services.
To enable and specify settings to support Access to Authentication VLAN Change Detection on a
Windows client with the Cisco NAC Agent installed:
Step 1 Determine what settings you want to specify for the “RetryDetection,” “PingArp,” “PingMaxTimeout,”
or “VlanDetectInterval” parameters to enable the Access to Authentication VLAN Change Detection
feature within your network and update the NACAgentCFG.xml Agent configuration file accordingly. (See
Cisco NAC Agent XML Configuration File Settings, page 9-23.)
Note VLAN Detect may fail when using ARP as the discovery method in situations with high network
utilization. Use ICMP as an alternative method.
Step 2 After you have specified the settings you want to use to guide Windows Cisco NAC Agent behavior, save
the NACAgentCFG.xml Agent configuration file locally, upload it to the CAM, and make this new
version available to Windows client machine users when they next authenticate with Cisco NAC
Appliance (see Installation Page, page 9-20 for more information).
Note The Cisco NAC Agent only requires administrative privileges on the client machine during initial
installation. Once successfully installed on the client machine, the Cisco NAC Agent does not require
the user to have the administrative privileges to perform functions like Access to Authentication VLAN
Change Detection.
Note For details on configuring the “VlanDetectInterval” setting on Windows and Mac OS X Cisco NAC
Agent client machines, refer to the Cisco NAC Appliance - Clean Access Manager Installation and
Configuration Guide, Release 4.5(1) and Release Notes for Cisco NAC Appliance, Version 4.5(1).
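A pre-upload sanity check for the file edited in Step 1, as an added example that is not part of the Cisco guide: it confirms that each of the four detection parameters is set exactly once and holds an integer before the file goes to the CAM. The file layout (a root element with one child element per parameter), the integer value format, and the sample values are assumptions, and check_vlan_detect_settings is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Parameter names taken from Step 1 of the procedure above.
DETECTION_PARAMS = ("RetryDetection", "PingArp", "PingMaxTimeout", "VlanDetectInterval")

# Constructed sample file. ASSUMPTION: each setting is a child element of the
# root, named after the parameter; the values are made up for this demonstration.
SAMPLE_CFG = """<?xml version="1.0"?>
<cfg>
  <RetryDetection>3</RetryDetection>
  <PingArp>0</PingArp>
  <PingArp>1</PingArp>
  <VlanDetectInterval>five</VlanDetectInterval>
</cfg>"""


def check_vlan_detect_settings(xml_text):
    """Return (settings, problems) for the VLAN change detection parameters."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return {}, [f"file is not well-formed XML: {exc}"]
    settings, problems = {}, []
    for name in DETECTION_PARAMS:
        nodes = root.findall(name)  # direct children of the root only
        if not nodes:
            problems.append(f"{name}: not set in this file")
            continue
        if len(nodes) > 1:
            # Duplicates make it unclear which value the Agent will honor.
            problems.append(f"{name}: defined {len(nodes)} times")
            continue
        text = (nodes[0].text or "").strip()
        if not (text.isascii() and text.isdigit()):
            problems.append(f"{name}: value {text!r} is not a non-negative integer")
            continue
        settings[name] = int(text)
    return settings, problems


if __name__ == "__main__":
    parsed, issues = check_vlan_detect_settings(SAMPLE_CFG)
    print("parsed:", parsed)
    for issue in issues:
        print("problem:", issue)
```

Acceptable value ranges are not checked here; take them from the Cisco NAC Agent XML Configuration File Settings reference cited in Step 1.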
Out-of-Band Users
OOB User Sessions
The following triggers detect when an OOB user has logged off and will force revalidation:
• Linkdown SNMP traps (when the user unplugs or reboots)