Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 4 Wireless LAN Controller Management: Configuring Wireless Out-of-Band Deployment
When the user logs out of the wireless OOB network, the WLC sends another SNMP update to the CAM
to ensure the CAM removes the user profile from the wireless Online Users list. Likewise, if the Cisco
NAC Appliance administrator is forced to “kick” a user out of the network, the CAM sends an SNMP
trap to the WLC and the WLC, in return, automatically moves the user back to the Authentication
(Quarantine) VLAN, thus directing the now unauthenticated client traffic to the CAS.
Configure Your Network for Wireless Out-of-Band
The CAM communicates with associated WLCs using SNMP and manages Wireless OOB CASs through
the admin network. The trusted interface of the CAS connects to the admin/management network, and
the untrusted interface of the CAS connects to the managed client network.
When a wireless client connects to a WLC, the WLC automatically assigns the client to an
Authentication (Quarantine) VLAN and the traffic to/from the client goes through the CAS. After the
client is authenticated and certified through the Clean Access Server, the WLC receives an SNMP
message from the CAM allowing the client access to the network via the Access VLAN. Once on the
access VLAN, traffic to and from certified clients moves Out-of-Band, bypassing the Clean Access
Server.
The next sections describe the configuration steps needed to set up your Wireless OOB deployment:
- Configure Your Wireless LAN Controllers, page 4-7
- Configure Wireless LAN Controller Connection on the CAM, page 4-13
Configure Your Wireless LAN Controllers
This section describes the steps needed to set up Wireless LAN Controllers (WLCs) to be used with
Cisco NAC Appliance for Wireless Out-of-Band.
- Wireless LAN Controllers Configuration Notes, page 4-7
- Example Wireless LAN Controller Configuration Steps, page 4-8
- Wireless OOB Network Setup/Configuration Worksheet, page 4-12
Wireless LAN Controllers Configuration Notes
Take the following considerations into account when configuring Wireless LAN Controllers for OOB:
- Cisco NAC Appliance only supports Wireless OOB deployments with Cisco Wireless LAN
  Controllers.
- WLCs must be configured to interact with the CAM using SNMP read, write, and trap functions.
- Each service set identifier (SSID)/dynamic interface on the WLC must have both an Authentication
  (Quarantine) VLAN and Access VLAN configured.
- When an SSID is set up to perform Wireless SSO and IP subnets overlap across multiple SSIDs,
  the user is still listed under Online Users in the CAM even after roaming from one SSID to
  another. To avoid this, create separate IP ranges for each SSID.
- Ensure that any access/aggregation switches in the network between the WLCs and the Clean Access
  Server have the same Authentication (Quarantine) and Access VLANs trunked.
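
The configuration notes above on per-SSID VLANs, separate IP ranges and VLAN trunking can be checked against a planning worksheet before deployment. The following Python check is an added example, not part of the Cisco guide; the worksheet layout, field names, SSID names, switch ports, VLAN IDs and subnets are all constructed for illustration, and it assumes every listed trunk lies on the path between the WLCs and the CAS.

```python
import ipaddress
from itertools import combinations

# Constructed sample worksheet (not from the Cisco guide): one entry per SSID.
SSIDS = [
    {"ssid": "corp", "auth_vlan": 110, "access_vlan": 10, "subnet": "10.10.0.0/24"},
    {"ssid": "guest", "auth_vlan": 120, "access_vlan": None, "subnet": "10.10.0.128/25"},
    {"ssid": "lab", "auth_vlan": 130, "access_vlan": 30, "subnet": "10.30.0.0/24"},
]
# Constructed trunk data: VLANs allowed on each switch trunk between the WLCs and the CAS.
TRUNKS = {"agg-sw1 Gi1/0/1": {10, 30, 110, 120, 130}, "acc-sw2 Gi1/0/24": {10, 110, 120}}


def check_worksheet(ssids, trunks):
    """Return findings for the three configuration notes that a worksheet can verify."""
    findings = []
    # Each SSID/dynamic interface needs both an Authentication (Quarantine) and an Access VLAN.
    for s in ssids:
        for role in ("auth_vlan", "access_vlan"):
            if s.get(role) is None:
                findings.append(f"{s['ssid']}: missing {role}")
    # Overlapping subnets across SSIDs keep a roamed user listed under Online Users.
    nets = [(s["ssid"], ipaddress.ip_network(s["subnet"])) for s in ssids]
    for (a, na), (b, nb) in combinations(nets, 2):
        if na.overlaps(nb):
            findings.append(f"{a}/{b}: subnets {na} and {nb} overlap")
    # Assumption: every listed trunk is on the WLC-to-CAS path, so each must carry
    # all configured Authentication (Quarantine) and Access VLANs.
    required = {s[r] for s in ssids for r in ("auth_vlan", "access_vlan") if s.get(r) is not None}
    for port, allowed in sorted(trunks.items()):
        missing = sorted(required - set(allowed))
        if missing:
            findings.append(f"{port}: VLANs not trunked: {missing}")
    return findings


if __name__ == "__main__":
    for line in check_worksheet(SSIDS, TRUNKS):
        print(line)
```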