Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 5 Configuring User Login Page and Guest Access
Enable Web Client for Login Page
The web client option can be enabled for all deployments, but is required for L3 OOB.
To set up the Cisco NAC Appliance for L3 out-of-band (OOB) deployment, you must enable the login
page to distribute either an ActiveX control or Java Applet to web login users who are multiple L3 hops
away from the CAS. The ActiveX control/Java Applet is downloaded when the user performs web login
and is used to obtain the correct MAC address of the client. In OOB deployment, the CAM needs the
correct client MAC address to control the port according to Certified List and/or device filter settings of
the Port Profile.
Note
When the Clean Access Agent is installed, the Agent automatically sends the MAC address of all
network adapters on the client to the CAS. See
DHCP Release/Renew with Clean Access Agent/ActiveX/Applet
With release 4.1, DHCP IP addresses can be refreshed for client machines using the 4.1.0.0+ Clean
Access Agent, or ActiveX Control/Java Applet without requiring port bouncing after authentication and
posture assessment. This feature is intended to facilitate NAC Appliance OOB deployment in VoIP
environments.
In most OOB deployments (except L2 OOB Virtual Gateway where the Default Access VLAN is the
Access VLAN in Port profile), the client, after posture assessment, needs to acquire a different IP
address from the Access VLAN.
There are two approaches to enable the client to get the new IP address:
• Enabling the “Bounce the port after VLAN is changed” Port profile option (required for releases
  prior to 4.1). In this case, the switch port connected to the client is bounced after it is assigned to
  the Access VLAN, and the client using DHCP will try to refresh the IP address. This approach has
  the following limitations:
  - In VoIP deployments, because the port bouncing will disconnect and reconnect the IP Phone
    connected to the same switch port, any ongoing communication is interrupted.
  - Some client operating systems do not automatically refresh their DHCP IP addresses even if the
    switch port is bounced.
  - The process of shutting down and bringing back the switch port, and of client operating systems
    detecting the port bounce and refreshing their IP addresses can take time.
• Using the 4.1.0.0 Clean Access Agent, ActiveX Control, or Java Applet to refresh client DHCP IP
  addresses without port bouncing. This allows clients to acquire a new IP address in the Access
  VLAN, and the “Bounce the switch port after VLAN is changed” option in the Port profile can be
  left disabled.
Agent Login
If the client uses Clean Access Agent (from 4.1.0.0) to log in, the Agent will automatically refresh the
DHCP IP address if the client needs a new IP address in the Access VLAN.
Web Login
In order for the ActiveX/Applet to refresh the IP address for the client when necessary, use of the web
client must be enabled in the User Login Page configuration under: