Cisco Cisco NAC Appliance 4.9.5 Installation Guide

All Cisco NAC product licenses are added to the Clean Access Manager in your system. You add the 
CAM license the first time you access the CAM web console, then use the Administration > Licensing 
pages of the CAM web console to add the NAC network module or CAS licenses thereafter. 

For complete details on licensing, refer to 

This section provides a overview of Cisco NAC Network Module deployment with some configuration 
examples. If you already know how you want to deploy your NAC network module, continue to 

 for detailed initial configuration steps. 

It contains the following:

 shows the Clean Access Server deployment modes supported by the Cisco NAC Network 

Module. 

From a physical deployment perspective, all NAC network modules are Edge Deployments. This means 
each port (eth0 and eth1) of the NAC network module (CAS) is connected to a different device. 

The eth1 (untrusted) interface of the NAC network module can be connected to an external switch or to 
an EtherSwitch Service Module (NME-ESW) for 3800 series integrated services routers supporting 
multiple slots (e.g. 3845). 

Physical deployment 

CAS traffic passing

Virtual Gateway (bridged mode)

Real IP Gateway (routed mode) 

Client access

Layer 2—client is adjacent to NAC network module (CAS)

Layer 3—client is multiple hops away from NAC network module (CAS)

Traffic flow 

In-band—CAS is always inline with traffic

Out-of-Band—CAS is inline with traffic only during posture 
assessment/remediation

1.

The Cisco NAC Network Module does not support Wireless Out-of-Band deployment (Release 4.5 and later). Wireless OOB 
only supports Layer 2 OOB Virtual Gateway deployments that require no IP change. The NAC Network Module does not 
support this topology.