Specifications

3-5
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 3 Switch Management: Configuring Out-of-Band Deployment
Deployment Modes
This section describes Out-of-Band deployment for Virtual Gateway and Real-IP. For all gateway modes,
to incorporate Cisco NAC Appliance Out-of-Band in your network, you must add an Authentication
VLAN to your network and trunk all Auth VLANs to the untrusted interface of the Clean Access Server.
Basic Connection, page 3-5
Out-of-Band Virtual Gateway Deployment, page 3-6
Out-of-Band Real-IP Gateway Deployment, page 3-10
L3 Out-of-Band Deployment, page 3-13
Basic Connection
The following diagrams show basic “before” and “after” VLAN settings for a client attached to an
Out-of-Band deployment. Figure 3-1 illustrates the In-Band client and Figure 3-2 illustrates the client
when Out-of-Band.
Figure 3-1 Before — Client is In-Band for Authentication/Certification
When an unauthenticated client first connects to a managed port on a managed switch (Figure 3-1), the
CAM instructs the switch to change the client port to the authentication (quarantine) VLAN specified
in the Port Profile for the port. The switch then sends all traffic from the Auth VLAN client to the
untrusted interface of the Clean Access Server (CAS). The client authenticates through the CAS and/or
goes through Nessus scanning/posture assessment as configured for the role or device. Because the
client is on the authentication VLAN, all of the client's traffic must pass through the CAS, and the
client is considered to be In-Band.
[Figure 3-1 elements: Unauthenticated Client on a Managed port in the Auth (quarantine) VLAN; Managed Switch; Unmanaged port in the Access VLAN; Clean Access Server, Untrusted interface (eth1); Internet]
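As an added illustration of the "before" state described above (this is a constructed example, not configuration from the Cisco guide), the following Cisco IOS switch fragment shows the two VLANs the section requires, a managed client port that starts in the Auth (quarantine) VLAN, and a trunk that carries that Auth VLAN to the CAS untrusted interface (eth1). The VLAN IDs (110, 120), VLAN names and interface numbers are assumptions; only the Auth VLAN is allowed on the trunk toward eth1, matching the requirement to trunk all Auth VLANs to the untrusted interface. The trusted-side connection of the CAS depends on the gateway mode (Virtual Gateway or Real-IP) covered in the following subsections and is not shown.

```text
! Added example (not from the Cisco NAC Appliance guide). VLAN IDs, names
! and interface numbers below are assumptions chosen for illustration.
!
! Authentication (quarantine) VLAN: unauthenticated clients land here and
! are In-Band, so every frame they send reaches the CAS.
vlan 110
 name NAC-AUTH
!
! Access VLAN: the CAM moves the managed port here once the client has
! authenticated and passed posture assessment (the "after" state).
vlan 120
 name USER-ACCESS
!
! Managed client port. Its "before" state is the Auth VLAN named in the
! Port Profile; the CAM later changes the access VLAN of this port.
interface GigabitEthernet1/0/1
 description Managed port - client
 switchport mode access
 switchport access vlan 110
 spanning-tree portfast
!
! Trunk toward the CAS untrusted interface (eth1). Every Auth VLAN in use
! must be allowed here so the CAS sees all quarantined client traffic.
! Add further Auth VLAN IDs to the allowed list if more than one exists.
interface GigabitEthernet1/0/48
 description Trunk to CAS untrusted interface eth1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 110
!
```

To confirm the "before" state on the switch, `show interfaces GigabitEthernet1/0/1 switchport` should report the access VLAN as 110, and `show interfaces GigabitEthernet1/0/48 trunk` should list VLAN 110 among the allowed and active VLANs on the link to eth1; if the Auth VLAN is missing from that trunk, quarantined clients are cut off from the CAS rather than being authenticated through it.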