
Cisco NAC Appliance - Clean Access Manager Configuration Guide (OL-28003-01), page 6-10
Chapter 6 User Management: Configuring User Roles and Local Users
Create User Roles
Out-of-Band User Role VLAN
Out-of-Band (OOB) Configuration: Retag Trusted-side Traffic with Role VLAN
Once a user has finished posture assessment and, if needed, remediation, and the client device is deemed "certified", the switch port to which the client is connected can be assigned to a different Access VLAN based on the value specified in the Out-of-Band User Role VLAN field. Hence, users connecting to the same port (at different times) can be assigned to different Access VLANs based on this setting in their user role.
For OOB deployment, if configuring role-based VLAN switching for a controlled port, you must specify an Access VLAN ID when you create the user role. When an Out-of-Band user logs in from a managed switch port, the CAM will:
1. Determine the role of the user based on the user's login credentials.
2. Check whether role-based VLAN switching is specified for the port in the Port Profile.
3. Switch the user to the Access VLAN, once the client is certified, according to the value specified in the Out-of-Band User Role VLAN field for the user's role.
Admins can specify a VLAN Name or a VLAN ID on the New/Edit User Role form. VLAN Name is case-sensitive. If specifying wildcards for VLAN Name, you can use: abc, *abc, abc*, *abc*. The switch will use the first match for a wildcard VLAN Name. You can only specify numbers for VLAN ID. If the switch cannot find the VLAN specified (e.g. VLAN Name is mistyped or differs in case), the error will appear in perfigo.log (not the Event Log), so check perfigo.log when a certified client is not moved to the expected Access VLAN.
For additional details, see Global Device and Subnet Filtering, page 2-10 and Chapter 3, "Switch Management: Configuring Out-of-Band Deployment."
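The role-to-Access-VLAN resolution described above (the role comes from the login credentials, the Port Profile must allow role-based VLAN switching, the client must be certified, and the role's VLAN Name or ID is matched against the switch's VLAN table with case-sensitive comparison and first-match wildcard semantics) modelled as an added Python example. This is not Cisco NAC Appliance code and is not part of the original guide: the VLAN table, the role and port-profile dictionaries, the function names `vlan_name_matches`, `resolve_role_vlan` and `oob_access_vlan`, and the result tuples for the "not certified" and "no role-based switching" cases are assumptions made for illustration.

```python
# Added example: models how a CAM-style lookup resolves the
# "Out-of-Band User Role VLAN" field against a switch's VLAN table.
# All names, sample data and result tuples are assumptions for illustration,
# not Cisco NAC Appliance code.

# Constructed VLAN table in the order a switch might list it: (ID, name).
# Order matters because the guide says the first match wins for wildcard names.
SWITCH_VLANS = [
    (10, "Auth-VLAN"),
    (20, "Employee"),
    (30, "Employee-Guest"),
    (40, "Contractor"),
]


def vlan_name_matches(pattern: str, name: str) -> bool:
    """Apply the four wildcard forms the guide allows: abc, *abc, abc*, *abc*.
    Comparison is case-sensitive, as the guide states."""
    leading = pattern.startswith("*")
    trailing = len(pattern) > 1 and pattern.endswith("*")
    core = pattern
    if leading:
        core = core[1:]
    if trailing:
        core = core[:-1]
    if leading and trailing:
        return core in name          # *abc*
    if leading:
        return name.endswith(core)   # *abc
    if trailing:
        return name.startswith(core) # abc*
    return name == pattern           # abc (exact)


def resolve_role_vlan(role_vlan: str, vlans=SWITCH_VLANS):
    """Resolve the role's VLAN field to a VLAN ID present on the switch.
    Returns None when nothing matches; the guide says that condition is
    logged to perfigo.log rather than the Event Log, so that is where to look."""
    if role_vlan.isdigit():                      # VLAN ID: digits only
        vid = int(role_vlan)
        return vid if any(v == vid for v, _ in vlans) else None
    for vid, name in vlans:                      # VLAN Name: first match wins
        if vlan_name_matches(role_vlan, name):
            return vid
    return None


def oob_access_vlan(role: dict, port_profile: dict, certified: bool,
                    vlans=SWITCH_VLANS):
    """Model the CAM steps for an OOB login on a managed port.
    Result tuples are an assumption of this example:
      ("no_role_switch", None)  port profile has no role-based VLAN switching
      ("pending", None)         client not yet certified, no VLAN change yet
      ("error", message)        role VLAN not found on the switch
      ("switch", vlan_id)       move the port to this Access VLAN
    """
    # Step 1 is done by the caller: the role was chosen from the login credentials.
    # Step 2: the Port Profile must specify role-based VLAN switching.
    if not port_profile.get("role_based_vlan_switching", False):
        return ("no_role_switch", None)
    # Step 3: only a certified client is moved to the role's Access VLAN.
    if not certified:
        return ("pending", None)
    vid = resolve_role_vlan(role["oob_role_vlan"], vlans)
    if vid is None:
        # A mistyped or case-mismatched name lands here (perfigo.log territory).
        return ("error", "VLAN %r not found on switch" % role["oob_role_vlan"])
    return ("switch", vid)


if __name__ == "__main__":
    profile = {"role_based_vlan_switching": True}
    guest = {"name": "guest", "oob_role_vlan": "*Guest"}
    print(oob_access_vlan(guest, profile, certified=True))        # ('switch', 30)
    typo = {"name": "staff", "oob_role_vlan": "employee"}          # wrong case
    print(oob_access_vlan(typo, profile, certified=True))         # ('error', ...)
```

The wrong-case example is the one worth trying in a lab before rollout: the role saves without complaint, the client certifies, and the only sign that the port never moved is the line in perfigo.log.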
Bounce Switch Port After Login (OOB)
If you have first enabled the Bounce the port based on role settings after VLAN is changed option on the OOB Management > Profiles > Port > New/Edit page, then with this role option enabled the switch port is bounced after login and posture assessment when the VLAN changes, and the Agent does not renew the IP address on the client machine itself.
Note: This option only applies when the port profile is configured with Bounce the port based on role settings after VLAN is changed.
Refresh IP After Login (OOB)
When enabled, the switch port through which the user is accessing the network is not bounced when the VLAN changes from the Authentication VLAN to the Access VLAN. Instead, the Agent renews/refreshes the IP address on the client machine following login and posture assessment. This option only applies when the Port profile is configured to Bounce the port based on role settings after VLAN is changed under OOB Management > Profiles > Port > New/Edit (see Add Port Profile, page 3-34).
See DHCP Release/Renew with Agent/ActiveX/Java Applet, page 5-6 for additional information on configuring client IP refresh/renew.
Note: For information on Access to Authentication VLAN change detection for an OOB client machine, see Configure Access to Authentication VLAN Change Detection, page 3-67.
Table 6-1 Role Properties (continued)
Control Description