Cisco Clean Access 3.5

Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 4: Switch Management and Cisco Clean Access Out-of-Band (OOB)

Deployment Modes
This section describes out-of-band deployment for Virtual Gateway and Real-IP/NAT Gateway. For all 
gateway modes, to incorporate Cisco Clean Access Out-of-Band in your network, you must add an 
Authentication VLAN to your network and trunk all Auth VLANs to the untrusted interface of the Clean 
Access Server.
Basic Connection
The following diagrams show basic “before” and “after” VLAN settings for a client attached to an 
out-of-band deployment. Figure 4-1 illustrates the in-band client and the second diagram illustrates 
the client when out-of-band. 
Figure 4-1: Before — Client is In-Band for Authentication / Certification
When an unauthenticated client first connects to a managed port on a managed switch (Figure 4-1), the 
switch assigns the client the authentication VLAN specified in the Port Profile configured for this 
managed port. The switch then sends all traffic from the Auth VLAN client to the untrusted interface of 
the Clean Access Server (CAS). The client authenticates through the Clean Access Server, and if Clean 
Access is enabled, goes through the Clean Access certification process. Because the client is on the 
authentication VLAN, all the client’s traffic must go through the Clean Access Server and the client is 
considered to be in-band. 
[Figure 4-1 diagram. Labels: Clean Access Server; Untrusted (eth1); Managed Switch; Controlled port; Uncontrolled port; Unauthenticated Client; Auth VLAN; Access VLAN; Internet]
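The requirement above, that every Auth VLAN be trunked to the untrusted interface of the Clean Access Server, can be checked against a switch configuration. The following is an added example, not part of the Cisco guide: it assumes IOS-style configuration syntax, and the interface name, VLAN IDs and sample configuration are constructed.

```python
import re

# Constructed sample: IOS-style config for the switch port cabled to the
# CAS untrusted interface (eth1). Interface name and VLAN IDs are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description Trunk to CAS untrusted (eth1)
 switchport mode trunk
 switchport trunk allowed vlan 10,20-22
 switchport trunk allowed vlan add 31
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_allowed_vlans(config, interface):
    """Return the VLANs carried on `interface`, or None if it is not a trunk."""
    block = re.search(rf"^interface {re.escape(interface)}\n((?: .*\n?)*)", config, re.M)
    if not block or "switchport mode trunk" not in block.group(1):
        return None
    allowed = None
    for m in re.finditer(r"switchport trunk allowed vlan (add )?([\d,\- ]+)", block.group(1)):
        vlans = expand_vlans(m.group(2))
        # An 'add' line extends the list; a plain line replaces it.
        allowed = (allowed or set()) | vlans if m.group(1) else vlans
    # With no 'allowed vlan' line, an IOS trunk carries every VLAN (1-4094).
    return allowed if allowed is not None else set(range(1, 4095))

def missing_auth_vlans(config, interface, auth_vlans):
    """Auth VLANs from the Port Profiles that never reach the CAS."""
    allowed = trunk_allowed_vlans(config, interface)
    if allowed is None:
        return sorted(auth_vlans)
    return sorted(set(auth_vlans) - allowed)

if __name__ == "__main__":
    # Auth VLANs referenced by Port Profiles (constructed values).
    print(missing_auth_vlans(SAMPLE_CONFIG, "GigabitEthernet0/1", [10, 21, 31, 40]))
```

A client placed on an Auth VLAN that the trunk does not carry has no path to the Clean Access Server, so a non-empty result points to a Port Profile or trunk setting to correct.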