Cisco Clean Access 3.5
4-4
Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 4 Switch Management and Cisco Clean Access Out-of-Band (OOB)
Deployment Modes
This section describes out-of-band deployment for Virtual Gateway and Real-IP/NAT Gateway. For all gateway modes, to incorporate Cisco Clean Access Out-of-Band in your network, you must add an Authentication VLAN to your network and trunk all Auth VLANs to the untrusted interface of the Clean Access Server.
Basic Connection
The following diagrams show basic “before” and “after” VLAN settings for a client attached to an out-of-band deployment. Figure 4-1 illustrates the in-band client and the following figure illustrates the client when out-of-band.
Figure 4-1 Before — Client is In-Band for Authentication / Certification
When an unauthenticated client first connects to a managed port on a managed switch (Figure 4-1), the switch assigns the client the authentication VLAN specified in the Port Profile configured for this managed port. The switch then sends all traffic from the Auth VLAN client to the untrusted interface of the Clean Access Server (CAS). The client authenticates through the Clean Access Server and, if Clean Access is enabled, goes through the Clean Access certification process. Because the client is on the authentication VLAN, all the client’s traffic must go through the Clean Access Server and the client is considered to be in-band.
[Figure 4-1 diagram labels: Clean Access Server, Untrusted (eth1), Managed Switch, Unauthenticated Client, Uncontrolled port, Controlled port, Auth VLAN, Access VLAN, Internet]
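The requirement above (every Auth VLAN used by a Port Profile must be trunked to the CAS untrusted interface) is easy to break when a VLAN is added to a Port Profile but not to the trunk's allowed list, leaving clients on that port unable to reach the Clean Access Server. The following check is an added example, not code from the guide or from Cisco: it parses a constructed IOS running-config excerpt and constructed Port Profile data (interface names, VLAN IDs and the trunk port are all assumptions) and reports Auth VLANs the CAS trunk does not carry.

```python
import re
# Constructed Port Profile data (not from the guide): port -> (Auth VLAN, Access VLAN).
PORT_PROFILES = {"FastEthernet0/1": (110, 10), "FastEthernet0/2": (120, 20),
                 "FastEthernet0/3": (110, 30)}

# Constructed running-config excerpt. GigabitEthernet0/1 is assumed to be
# the trunk to the CAS untrusted interface (eth1); VLAN 120 is missing.
SAMPLE_CONFIG = """
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 110
interface GigabitEthernet0/1
 description trunk to Clean Access Server untrusted interface (eth1)
 switchport mode trunk
 switchport trunk allowed vlan 110,130-132
"""

def expand_vlan_list(spec):
    """Expand an IOS VLAN list like '110,130-132' (add/remove/all forms not handled)."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_allowed_vlans(config, trunk_if):
    """VLANs the trunk carries; IOS permits all when no allowed list is set."""
    block, inside = [], False
    for line in config.splitlines():
        if line.startswith("interface "):
            inside = line.split(None, 1)[1] == trunk_if
        elif inside and line.startswith(" "):
            block.append(line.strip())
    if "switchport mode trunk" not in block:
        return set()  # an access port carries no Auth VLANs to the CAS
    for line in block:
        m = re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line)
        if m:
            return expand_vlan_list(m.group(1))
    return set(range(1, 4095))

def auth_vlans_missing_from_trunk(config, trunk_if, profiles):
    """Auth VLANs used by Port Profiles that the CAS trunk does not carry."""
    allowed = trunk_allowed_vlans(config, trunk_if)
    missing = {}
    for port, (auth_vlan, _access_vlan) in sorted(profiles.items()):
        if auth_vlan not in allowed:
            missing.setdefault(auth_vlan, []).append(port)
    return missing
```

Running `auth_vlans_missing_from_trunk(SAMPLE_CONFIG, "GigabitEthernet0/1", PORT_PROFILES)` on the constructed data flags VLAN 120 for FastEthernet0/2, the port whose clients would never reach the CAS.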