Cisco Clean Access 3.5

Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 3 Device Management: Adding Clean Access Servers, Adding Filters
Working with Cisco Clean Access Servers
Networking Considerations for CAS
Note the following:
• eth0 and eth1 generally correlate to the first two network cards—NIC 1 and NIC 2—on most types of server hardware.
• If using DHCP relay, make sure the DHCP server has a route back to the managed subnets of the CAS.

Real-IP:
• The trusted (eth0) and untrusted (eth1) interfaces of the CAS must be on different subnets.
• On the L3 router in your network, you must add a static route to/from the managed subnets to the trusted interface (eth0) of the CAS.

NAT Gateway Mode:
• The trusted (eth0) and untrusted (eth1) interfaces of the CAS must be on different subnets.

Virtual Gateway Mode:
• The trusted (eth0) and untrusted (eth1) interfaces of the CAS can use the same IP address.
• The CAM and CAS must be on different VLANs.
• The CAS should be on a different VLAN than the user or Access VLANs.
• The CAS should be configured for DHCP forwarding.
• Make sure to configure managed subnets for the CAS.

Note
If you intend to configure the Clean Access Server in Virtual Gateway mode (IB or OOB), you must disable or unplug the untrusted interface (eth1) of the CAS until after you have added the CAS to the CAM from the web admin console. Keeping the eth1 interface connected while performing initial installation and configuration of the CAS for Virtual Gateway mode can result in network connectivity issues.

For Virtual Gateway with VLAN mapping (In-Band or OOB), the untrusted interface (eth1) of the CAS should not be connected to the switch until VLAN mapping has been configured correctly under Device Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping.

See the Cisco Clean Access Server Installation and Administration Guide for details. 
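
The interface, VLAN and routing rules listed above can be checked against a planned deployment before the CAS is cabled. The following Python checker is an added example, not part of the Cisco guide; the plan dictionary, its keys, and the sample addresses and VLAN ids are assumptions made for illustration.

```python
import ipaddress

MODES = ("real-ip", "nat-gateway", "virtual-gateway")

def check_cas_plan(plan):
    """Return the networking rules a planned CAS deployment violates."""
    mode = plan["mode"]
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    eth0 = ipaddress.ip_interface(plan["eth0"])  # trusted side
    eth1 = ipaddress.ip_interface(plan["eth1"])  # untrusted side
    managed = [ipaddress.ip_network(s) for s in plan.get("managed_subnets", [])]
    problems = []
    if mode in ("real-ip", "nat-gateway"):
        # Trusted and untrusted interfaces must be on different subnets.
        if eth0.network.overlaps(eth1.network):
            problems.append("eth0 and eth1 share a subnet")
    if mode == "real-ip":
        # Each managed subnet needs a static route on the L3 router via eth0.
        routes = [(ipaddress.ip_network(dst), ipaddress.ip_address(hop))
                  for dst, hop in plan.get("router_static_routes", [])]
        for net in managed:
            if not any(net.subnet_of(dst) and hop == eth0.ip for dst, hop in routes):
                problems.append(f"no static route for {net} via eth0 {eth0.ip}")
    if mode == "virtual-gateway":
        # eth0 and eth1 may share an IP address here, so no subnet check.
        if plan["cam_vlan"] == plan["cas_vlan"]:
            problems.append("CAM and CAS are on the same VLAN")
        if plan["cas_vlan"] in plan["user_vlans"]:
            problems.append("CAS shares a VLAN with users")
        if plan.get("dhcp") != "forwarding":
            problems.append("CAS is not configured for DHCP forwarding")
        if not managed:
            problems.append("no managed subnets configured")
    return problems

# Constructed sample plans (all values are made up for this example).
REAL_IP_BAD = {"mode": "real-ip", "eth0": "10.10.1.2/24", "eth1": "10.10.1.3/24",
               "managed_subnets": ["10.10.20.0/24", "10.10.30.0/24"],
               "router_static_routes": [("10.10.20.0/24", "10.10.1.2")]}
VGW_GOOD = {"mode": "virtual-gateway", "eth0": "10.10.1.2/24", "eth1": "10.10.1.2/24",
            "cam_vlan": 10, "cas_vlan": 20, "user_vlans": [30, 31],
            "dhcp": "forwarding", "managed_subnets": ["10.10.30.0/24"]}
VGW_BAD = dict(VGW_GOOD, cas_vlan=30, dhcp="none")

if __name__ == "__main__":
    for name, plan in (("REAL_IP_BAD", REAL_IP_BAD), ("VGW_GOOD", VGW_GOOD), ("VGW_BAD", VGW_BAD)):
        print(name, check_cas_plan(plan) or "OK")
```
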
Troubleshooting when Adding the Clean Access Server
If the Clean Access Server cannot be added to Clean Access Manager, check the following: 
• The shared secret is the same on the Clean Access Server and Clean Access Manager. If this is the problem, reset the shared secret with service perfigo config.
• The certificates are correct.
• There is connectivity between the Clean Access Server and Clean Access Manager and there are no firewall rules blocking RMI ports.
• You have the proper FlexLM license to use out-of-band Clean Access Servers (the Switch Management module must be present in the left-hand pane of the admin console).
• The CAS is pingable. If not, the network settings may be incorrect. Reset them using the service perfigo config CLI command. See