Specifications

4-6
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 4 Wireless LAN Controller Management: Configuring Wireless Out-of-Band Deployment
Wireless Out-of-Band Virtual Gateway Deployment
Figure 4-2 Wireless Out-of-Band Layer 2 VGW Mode
Login and Authentication Flow in Wireless OOB Virtual Gateway Mode
1. The unauthenticated wireless user connects to a Wireless LAN Controller through an associated wireless access point.
2. The WLC sends an association trap informing the CAM that a wireless user is logging in with Cisco NAC Appliance network access credentials.
Note For a Layer 3 Wireless OOB network, the MAC address of the device is added to the discovered clients list when the WLC sends an association trap. When the user logs in with the browser, the MAC address is detected using a Java applet or ActiveX control. If the device cannot run the Java applet or ActiveX control, the MAC address is not detected and an error results.
3. When the wireless client first logs into the Wireless OOB network, the user profile is assigned to Authentication (Quarantine) VLAN 110.
4. The CAS assigns the client machine an IP address from the access VLAN 10 and the WLC authenticates the client.
Note If Single Sign-On (SSO) is configured for the Wireless OOB network, the WLC also sends the appropriate RADIUS accounting packets to the CAS.
Cisco WLCs do not support IPSec communication with the Cisco NAC Appliance network, so you cannot provide RADIUS SSO capability to users in your FIPS 140-2 compliant environment.
5. Cisco NAC Appliance performs posture assessment and remediation on the client machine and, if the client machine meets security requirements, authenticates the client and sends an SNMP SET command to the WLC granting access to the internal network.
6. The WLC switches the client IP address from the Authentication (Quarantine) VLAN 110 to the Access VLAN 10 and (now that the client machine has authenticated with Cisco NAC Appliance) traffic between the wireless client machine and the internal network moves Out-of-Band, bypassing the CAS.
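The six-step flow above, replayed as an audit over constructed event records so that a client that reaches the Access VLAN without a posture pass, or whose MAC address could not be detected, is flagged (an added example, not code from the Cisco guide; the event names, the (mac, event, vlan) record layout and the short MAC labels are assumptions):

```python
# Added example (not from the Cisco guide): replay per-client events against the
# six-step Wireless OOB VGW login flow described above and flag deviations.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

AUTH_VLAN = 110   # Authentication (Quarantine) VLAN, step 3
ACCESS_VLAN = 10  # Access VLAN, steps 4 and 6
# Happy-path order for one client; event names and record layout are assumptions.
EXPECTED = ["assoc_trap", "mac_detected", "quarantine_vlan",
            "posture_pass", "snmp_set_access", "vlan_switch"]

@dataclass
class ClientState:
    progress: int = -1                 # index into EXPECTED of last step seen
    vlan: Optional[int] = None         # VLAN the client currently sits in
    findings: List[str] = field(default_factory=list)

def audit(events: List[Tuple[str, str, Optional[int]]]) -> Dict[str, ClientState]:
    """Replay (mac, event, vlan) records and note anything off the documented flow."""
    clients: Dict[str, ClientState] = {}
    for mac, kind, vlan in events:
        st = clients.setdefault(mac, ClientState())
        if kind == "mac_detect_error":  # Java applet / ActiveX unavailable (Note, step 2)
            st.findings.append("MAC not detected; browser login cannot complete")
            continue
        if kind == "posture_fail":      # legitimate branch: client must stay in VLAN 110
            if st.vlan != AUTH_VLAN:
                st.findings.append("posture failed but client is not in quarantine VLAN")
            continue
        if kind not in EXPECTED:
            st.findings.append(f"unexpected event {kind}")
            continue
        idx = EXPECTED.index(kind)
        if idx != st.progress + 1:      # e.g. vlan_switch before posture_pass / SNMP SET
            st.findings.append(f"{kind} arrived out of order")
        st.progress = max(st.progress, idx)
        if kind == "vlan_switch" and vlan != ACCESS_VLAN:
            st.findings.append(f"switched to VLAN {vlan}, expected {ACCESS_VLAN}")
        if kind in ("quarantine_vlan", "vlan_switch"):
            st.vlan = vlan
    return clients

SAMPLE_EVENTS = [  # constructed records, not real WLC/CAM output
    ("c1", "assoc_trap", None), ("c1", "mac_detected", None),
    ("c1", "quarantine_vlan", 110), ("c1", "posture_pass", None),
    ("c1", "snmp_set_access", None), ("c1", "vlan_switch", 10),
    ("c2", "assoc_trap", None), ("c2", "mac_detected", None),
    ("c2", "quarantine_vlan", 110), ("c2", "vlan_switch", 10),  # skipped posture
    ("c3", "assoc_trap", None), ("c3", "mac_detect_error", None),
]
```

Calling `audit(SAMPLE_EVENTS)` leaves c1 with no findings on VLAN 10, flags c2's VLAN switch as out of order, and records the MAC detection failure for c3.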
Figure 4-2 labels: Wireless client; Wireless LAN controller; Layer 2 switch; Layer 3 switch; Clean Access Server; Clean Access Manager; Trunk VLAN 10, 110; VLAN 10; VLAN 110.