Cisco Clean Access 3.5
4-11
Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 4 Switch Management and Cisco Clean Access Out-of-Band (OOB)
Configuring Your Network for Out-of-Band
The Clean Access Manager (CAM) manages out-of-band Clean Access Servers (CASes) and switches
through the admin network. The trusted interface of the Clean Access Server is connected to the switch
port on the admin/access VLAN or to the admin network directly, and the untrusted interface is
connected to the switch port on the Authentication VLAN. When a client connects to a controlled port
on a managed switch, the port is set to the Authentication VLAN and the traffic to/from the client goes
through the Clean Access Server. After the client is authenticated and certified through the Clean Access
Server, the port connected to the client is changed to the Access VLAN. In this way, traffic from/to
certified clients bypasses the Clean Access Server. For Real-IP/NAT-Gateway setup, the client port is
also bounced to prompt the client to acquire a new IP address from the admin/access VLAN.
Note
• NAT Gateway mode (In-Band or OOB) is not recommended for production deployment.
• If configuring the Clean Access Server as an Out-of-Band Virtual Gateway, the untrusted interface should not be connected to the switch until VLAN mapping has been configured correctly under Device Management > CCA Servers > Manage [CAS_IP_address] > Advanced > VLAN Mapping. See the Cisco Clean Access Server Installation and Administration Guide for details.
Configure Your Switches
This section describes the steps needed to set up switches to be used with Cisco Clean Access
Out-of-Band.
Configuration Notes
The following considerations should be taken into account when configuring switches for OOB:
• Switch clusters are not supported. As a workaround, assign an IP address to each switch.
• It is recommended to enable ifindex persistence on the switches.
• It is recommended to turn on portfast on access ports (those directly connected to client machines).
• It is recommended to set the mac-address aging-time to a minimum of 3600 seconds.
• The MAC address(es) connected to a particular port may not be available after Port Security is enabled. This occurs on some models of Cisco switches (e.g. 4507R, IOS Version 12.2(18) EW).
• If implementing High-Availability, ensure that Port Security is not enabled on the switch interfaces to which the CAS and CAM are connected. This can interfere with CAS HA and DHCP delivery.
• The MAC address(es) connected to a particular port may not be available when the Access VLAN of the port does not exist in the VLAN database. This occurs on some models of Cisco switches (e.g. 6506, IOS Version 12.2(18) SXD3).
• Only Ethernet (Fa, Gi, fiber) port types (reported by SNMP) are displayed.
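As an added illustration (not taken from the Cisco guide), the following Catalyst IOS configuration fragment applies the notes above to one access switch: the CAS trusted and untrusted ports land on the admin/access and Authentication VLANs, the CAM-controlled client port starts on the Authentication VLAN with portfast, ifindex persistence is enabled and the MAC aging time is raised. VLAN numbers, interface names and descriptions are assumed values, and the spelling of the aging-time keyword varies by IOS release.

```ios
! Added example, not part of the Cisco Clean Access guide.
! Assumed VLANs: 10 = admin/access VLAN, 110 = Authentication VLAN.
vlan 10
 name ADMIN-ACCESS
vlan 110
 name CCA-AUTH
!
! Keep ifIndex values stable across reloads so the CAM's SNMP port
! references keep pointing at the same physical ports.
snmp-server ifindex persist
!
! Keep learned MAC entries for at least 3600 seconds.
! Older IOS (e.g. 12.2(18)) spells this "mac-address-table";
! newer releases use "mac address-table".
mac-address-table aging-time 3600
!
! CAS-facing ports: trusted side on the admin/access VLAN, untrusted side
! on the Authentication VLAN. No port security on these ports (or on the
! CAM port): it can interfere with CAS HA and DHCP delivery.
interface FastEthernet0/1
 description CAS trusted interface
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 description CAS untrusted interface
 switchport mode access
 switchport access vlan 110
!
! Controlled client port: begins on the Authentication VLAN; the CAM
! switches it to VLAN 10 once the client is certified. portfast lets the
! port forward immediately after each VLAN change or port bounce.
interface FastEthernet0/10
 description Client access port (CAM-controlled)
 switchport mode access
 switchport access vlan 110
 spanning-tree portfast
```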