Specifications
3-6
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 3 Switch Management: Configuring Out-of-Band Deployment
Deployment Modes
Figure 3-2 After — Client is Out-of-Band After Being Certified
Once the client is authenticated and certified (i.e. on the Certified Devices List), the CAM instructs the
switch to change the VLAN of the client port to the Access VLAN specified in the Port Profile of the
port (Figure 3-2). Once the client is on the Access VLAN, the switch no longer directs the client’s traffic
to the untrusted interface of the CAS. At this point the client is on the trusted network and is considered
to be Out-of-Band.
If the user reboots the client machine, unplugs it from the network, or the switch port goes down, the
switch sends a linkdown trap to the CAM. Thereafter, the client port behavior depends on the Port
Profile settings for the specific port (see Add Port Profile, page 3-34 for details).
If the Cisco NAC Appliance system terminates the OOB client session for any reason (for example, the
system administrator is forced to “kick” the user out) and the switch changes the VLAN assignment for
the client’s access port from the Access VLAN back to the Authentication VLAN, the client machine
detects the VLAN change and, if configured, initiates an IP address refresh/renew so that the user stays
connected to the network. For details on the polling method and configuration guidelines, see
Configure Access to Authentication VLAN Change Detection, page 3-67. (In earlier releases, the client
machine learned of the VLAN change only after the DHCP lease for its IP address had expired, and
until then could not reconnect.)
Note You can configure the Initial VLAN of the port to be the Access VLAN. See Add Port Profile, page 3-34
for details.
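The port-state transitions described above, as an added example that is not part of this guide or of the CAM software: a small model of the Authentication-to-Access VLAN move after certification and the move back on session termination, plus an audit that reconciles switch-port VLANs against the Certified Devices List. The PortProfile/Port classes, the `initial_vlan` field (modelling the Note above) and all VLAN numbers and MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed model of the OOB state this section describes; not CAM's data model.


@dataclass
class PortProfile:
    name: str
    auth_vlan: int            # Authentication (quarantine) VLAN
    access_vlan: int          # trusted Access VLAN
    initial_vlan: str = "auth"  # "auth" or "access" (the Note allows Access as Initial VLAN)


@dataclass
class Port:
    switch: str
    ifindex: int
    profile: PortProfile
    current_vlan: int
    client_mac: Optional[str] = None  # MAC learned on the port, if any


def certify(port: Port, certified: Set[str]) -> None:
    """After the client lands on the Certified Devices List, the CAM tells the
    switch to move the port to the profile's Access VLAN."""
    if port.client_mac in certified:
        port.current_vlan = port.profile.access_vlan


def terminate_session(port: Port) -> bool:
    """Session terminated (e.g. admin kicks the user): port returns to the
    Authentication VLAN. Returns True to signal that the client must
    refresh/renew its IP address to stay connected."""
    port.current_vlan = port.profile.auth_vlan
    return True


def audit(ports: List[Port], certified: Set[str]) -> List[Tuple[str, int, str]]:
    """Flag ports sitting on the Access VLAN without a certified client.
    A profile whose Initial VLAN is the Access VLAN makes that state expected,
    so it is labelled separately rather than reported as an enforcement gap."""
    findings = []
    for p in ports:
        if p.current_vlan != p.profile.access_vlan or p.client_mac in certified:
            continue
        kind = ("expected-by-profile" if p.profile.initial_vlan == "access"
                else "uncertified-on-access-vlan")
        findings.append((p.switch, p.ifindex, kind))
    return findings
```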
Out-of-Band Virtual Gateway Deployment
An Out-of-Band Virtual Gateway deployment provides the following benefits:
• The client never needs to change its IP address from the time it is acquired to the time the client
gains actual network access on the Access VLAN.
• For L2 users, static routes are not required.
[Figure: Out-of-Band Virtual Gateway topology diagram (labels only): Managed Switch; Clean Access Server, Untrusted (eth1); Internet; Authenticated Client; Unmanaged port; Auth (quarantine) VLAN; Access VLAN; Managed port]