Specifications
9-7
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 9 Configuring Cisco NAC Appliance for Agent Login and Client Posture Assessment
Require Agent Login for Client Machines
• For Agent Out-of-Band Logoff to work in a deployment that changes the VLAN based on user role
(Layer 3 Out-of-Band deployments, and Layer 2 Out-of-Band environments where the client machine
IP address is refreshed after login), you must enable the VLAN change detection option as described
in Configure Access to Authentication VLAN Change Detection, page 3-67.
Also make sure the VLANdetectWithoutUI parameter is enabled in the NACAgentCFG.xml Agent
configuration file (see Cisco NAC Agent XML Configuration File Settings, page 9-23). This setting
lets the Agent refresh the client IP address in the Authentication VLAN after the CAM clears the user
and moves the client from the Access VLAN back to the Authentication VLAN; it is required when
the OOB Logoff feature is triggered by a Windows logoff.
• If you want to enforce Agent Passive Re-assessment (PRA) in a Cisco NAC Appliance Out-of-Band
deployment, you must enable the Out-of-Band Logoff function. For more information on Passive
Re-assessment, see Adding a New User Role, page 6-7 and Modifying an Existing Temporary,
Quarantine, or Login Role, page 6-14.
Note Passive Re-assessment can be enabled only for the Cisco NAC Agent. The Mac OS X Agent does
not support PRA.
• Prior to Release 4.8, deployments using Access Control Lists (ACLs), Layer 3 Out-of-Band Real-IP
Gateway mode, and CAS certificates based on the untrusted network IP address needed to block UDP
ports 8905/8906 so that clients in the Access VLAN could not reach the untrusted side of the CAS and
attempt another login. Policy Based Routing (PBR) could be used to send all non-NAC Authentication
VLAN traffic to the trusted-side IP address of the CAS.
In Cisco NAC Appliance Release 4.8 and later, if ACLs block access to the CAS, the OOB Logoff
feature does not work as designed. Network administrators must leave UDP ports 8905/8906 open on
the network switches so that the CAS trusted interface can reach the Agent for the following OOB
functions: OOB heartbeat timers, OOB logout, and Passive Re-assessment. Use PBR to force all client
traffic that is not on the Authentication VLAN to the CAS trusted interface.
• Verify that the port profile(s) to which reconnecting users are assigned specify the Authentication
VLAN in the Change to [Auth VLAN | Access VLAN] if the device is certified, but not in the
Out-of-Band user list option, as described in Add Port Profile, page 3-34.
• If you use third-party or self-signed certificates for the CAS, ensure that the CA certificate is
installed in the Trusted Root store for every Windows domain user. Without it, OOB Logoff does not
work when a user logs out of Windows on a multi-user machine.
To check from a user's session, in Internet Explorer click Tools > Internet Options, open the
Content tab, click Certificates, and look for the CA certificate on the Trusted Root Certification
Authorities tab. Note that a certificate imported through this dialog lands in the current user's
store only; to cover every domain user, install it in the computer's Trusted Root store (or push it
with Group Policy) so that every user who logs on trusts the CAS.
Note It is not recommended to use self-signed certificates for enterprise deployment.
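The following PowerShell script is an added example, not part of the Cisco guide. It checks, and with -Fix repairs, the two client-side OOB Logoff prerequisites described above: the VLANdetectWithoutUI parameter in NACAgentCFG.xml, and the presence of the CAS CA certificate in the Windows Trusted Root store that applies to every user of the machine. The Agent install path, the assumption that the parameter sits directly under the configuration file's root element, and the certificate thumbprint and .cer path are assumptions passed in as parameters; replace them with your own values.

```powershell
# Added example (not Cisco's code): preflight checks for client-side OOB Logoff prerequisites.
# Assumptions: the default Agent install path below, VLANdetectWithoutUI as a direct child of the
# NACAgentCFG.xml root element, and the placeholder thumbprint / .cer path. Run elevated for -Fix.
param(
    [string]$ConfigPath   = "$env:ProgramFiles\Cisco\Cisco NAC Agent\NACAgentCFG.xml",
    [string]$CaThumbprint = '0000000000000000000000000000000000000000',   # placeholder
    [string]$CaCerFile    = '',                                           # CA .cer to install with -Fix
    [switch]$Fix
)

function Test-VlanDetectWithoutUI {
    param([string]$Path, [switch]$Repair)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Agent configuration file not found: $Path"
        return $false
    }
    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    # Look for the element directly under the root, whatever the root element is named.
    $node = $cfg.DocumentElement.SelectSingleNode('VLANdetectWithoutUI')
    $enabled = ($null -ne $node) -and ($node.InnerText.Trim() -eq '1')
    if ($enabled -or -not $Repair) { return $enabled }

    if ($null -eq $node) {
        $node = $cfg.CreateElement('VLANdetectWithoutUI')
        [void]$cfg.DocumentElement.AppendChild($node)
    }
    $node.InnerText = '1'
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep a backup of the original
    $cfg.Save($Path)
    return $true
}

function Test-CasRootCertInstalled {
    param([string]$Thumbprint, [string]$CerFile, [switch]$Repair)
    # Normalise to the uppercase, separator-free form the Cert: provider reports.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # LocalMachine\Root is trusted by every user who logs on; CurrentUser\Root only by this user,
    # which is where the Internet Explorer certificate dialog imports to.
    $machine = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $tp }
    $user    = Get-ChildItem -Path Cert:\CurrentUser\Root  | Where-Object { $_.Thumbprint -eq $tp }
    if ($machine) { return $true }
    if ($user) {
        Write-Warning 'CA certificate is only in the current user''s root store; other domain users will not trust the CAS.'
    }
    if (-not $Repair -or -not $CerFile) { return $false }

    # Import-Certificate (PKI module, Windows 8 / Server 2012 and later) requires an elevated session.
    Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    return [bool](Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $tp })
}

$checks = [ordered]@{
    'VLANdetectWithoutUI=1 in NACAgentCFG.xml'        = Test-VlanDetectWithoutUI -Path $ConfigPath -Repair:$Fix
    'CAS CA certificate in LocalMachine Trusted Root' = Test-CasRootCertInstalled -Thumbprint $CaThumbprint -CerFile $CaCerFile -Repair:$Fix
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-4} {1}' -f $(if ($c.Value) { 'OK' } else { 'FAIL' }), $c.Key
}
```

Run it once without -Fix on a representative client to see the current state, then with -Fix from an elevated prompt (for example `.\Test-OobLogoffPrereqs.ps1 -CaThumbprint <thumbprint> -CaCerFile C:\certs\cas-ca.cer -Fix`). If your CAM distributes NACAgentCFG.xml to the Agents, make the VLANdetectWithoutUI change there as well so the local edit is not overwritten, and restart the Agent after changing the file.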
Network Requirements
• While using self-signed certificates for CAS, ensure that the certificates are installed in the
certificate root store of the client machine.
• In Layer 3 Out-of-Band Real-IP Gateway mode using Virtual Routing and Forwarding (VRF),
Policy Based Routing (PBR), or Access Control Lists (ACLs) on the network, Cisco recommends
that the CAS certificate use the untrusted-side IP address or FQDN of the CAS.