Cisco Cisco NAC Appliance 4.1.0
11-7
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 11 Distributing the Clean Access Agent
Enable Network Access (L3 or L2)
Enable Network Access (L3 or L2)
By default, Cisco NAC Appliance supports in-band Clean Access Agent users within L2 proximity of
the Clean Access Server.
the Clean Access Server.
If deploying for VPN/L3, you must enable L3 support for web login or Clean Access Agent users that
are multiple L3 hops away from the CAS.
are multiple L3 hops away from the CAS.
You can optionally restrict L2/L3 access so that Agent users cannot use home-based wireless routers or
NAT devices to connect to the network.
NAT devices to connect to the network.
The CAS can be configured with the following network access options:
•
Enable L3 support: When this option is enabled, the CAS allows all users from any hops away. For
multi-hop L3 in-band deployments, this setting enables/disables L3 discovery of the CAS for web
login users and Clean Access Agent users at the CAS level. When set, the CAS will be forced to use
the routing table to send packets.
multi-hop L3 in-band deployments, this setting enables/disables L3 discovery of the CAS for web
login users and Clean Access Agent users at the CAS level. When set, the CAS will be forced to use
the routing table to send packets.
•
Enable L3 strict mode to block NAT devices with Clean Access Agent — When this option is
checked (in conjunction with “Enable L3 support”), the CAS verifies the source IP address of user
packets against the IP address sent by the Clean Access Agent and blocks all L3 Agent users with
NAT devices between those users and the CAS.
checked (in conjunction with “Enable L3 support”), the CAS verifies the source IP address of user
packets against the IP address sent by the Clean Access Agent and blocks all L3 Agent users with
NAT devices between those users and the CAS.
•
Enable L2 strict mode to block L3 devices with Clean Access Agent — When this option is
enabled, the CAS verifies the source MAC address of user packets against the MAC address sent by
the Clean Access Agent and blocks all L3 Agent users (those more than one hop away from the
CAS). The user will be forced to remove any router between the CAS and the user’s client machine
to gain access to the network.
enabled, the CAS verifies the source MAC address of user packets against the MAC address sent by
the Clean Access Agent and blocks all L3 Agent users (those more than one hop away from the
CAS). The user will be forced to remove any router between the CAS and the user’s client machine
to gain access to the network.
•
All options left unchecked (Default setting)— The CAS performs in L2 mode and expects that all
clients are one hop away. The CAS will not be able to distinguish if a router is between the CAS and
the client and will allow the MAC address of router as the machine of the first user who logs in and
any subsequent users. Checks will not be performed on the actual client machines passing through
the router as a result, as their MAC addresses will not be seen.
clients are one hop away. The CAS will not be able to distinguish if a router is between the CAS and
the client and will allow the MAC address of router as the machine of the first user who logs in and
any subsequent users. Checks will not be performed on the actual client machines passing through
the router as a result, as their MAC addresses will not be seen.
Note
•
If using L2 deployment only, make sure the Enable L3 support option is not checked.
•
L3 and L2 strict options are mutually exclusive. Enabling one option will disable the other option.
•
Enabling or disabling L3 or L2 strict mode ALWAYS requires an Update and Reboot of the CAS
to take effect. Update causes the web console to retain the changed setting until the next reboot.
Reboot causes the process to start in the CAS.
to take effect. Update causes the web console to retain the changed setting until the next reboot.
Reboot causes the process to start in the CAS.
For further details on L2/L3 strict mode, refer to the Cisco NAC Appliance - Clean Access Server
Installation and Administration Guide.
Installation and Administration Guide.
CAS/Agent Discovery
For L2 discovery, the Agent sends discovery packets to all the default gateways of all the adapters on the
machine on which the Agent is running. If a CAS is present either as the default gateway (Real-IP/NAT
Gateway) or as a bridge before the default gateway (Virtual Gateway), the CAS will respond.
machine on which the Agent is running. If a CAS is present either as the default gateway (Real-IP/NAT
Gateway) or as a bridge before the default gateway (Virtual Gateway), the CAS will respond.
If the CAS does not respond via L2 discovery, the Agent will perform L3 discovery (if enabled). The
Agent attempts to send packets to the Discovery Host, an IP address on the trusted side of the CAS. This
IP address is set in the Discovery Host field of the Device Management > Clean Access > Clean
Access Agent > Installation page and is typically set by default to the IP address of the CAM. The Clean
Agent attempts to send packets to the Discovery Host, an IP address on the trusted side of the CAS. This
IP address is set in the Discovery Host field of the Device Management > Clean Access > Clean
Access Agent > Installation page and is typically set by default to the IP address of the CAM. The Clean