Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide
OL-12213-01
Chapter 3 Configuring Layer 3 Out-of-Band (L3 OOB)
Overview
Layer 3 Out-of-Band: L2 vs L3 OOB Implementation
In L2 OOB:
• Users are Layer 2 adjacent to the CAS
• User device connects to switch, switch sends SNMP trap to CAM
• CAM gets device MAC and port information from switch
• CAS receives packets and sends source IP/MAC info to CAM
• CAM now has complete mapping IP/MAC/Port
• Once device is certified to be compliant, CAM knows which port to change VLAN
In L3 OOB:
• Users are one or more hops away from the CAS
• CAM still gets device MAC and port information from switch
• CAS receives packets with user’s IP
• CAS gets MAC information from either the Agent or a web-login page enabled for ActiveX/Java Applet, which determines the device MAC address and reports it back to the CAS
• CAS informs CAM of IP/MAC of device
• CAM has complete IP-MAC-Port mapping
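The IP-MAC-Port correlation described in the two lists above, as an added sketch; it is not Cisco's code or the CAM's actual implementation. The record shapes, function names and sample addresses are assumptions constructed for illustration.

```python
import re

def normalize_mac(mac):
    """Canonicalise a MAC to lowercase colon form; reject malformed input."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def correlate(switch_traps, cas_reports):
    """Join switch-learned MAC/port data with CAS-reported IP/MAC data.

    Returns (complete, unmatched). complete maps IP -> (MAC, switch, port).
    unmatched lists CAS reports with no known switch port, so there is
    no port whose VLAN could be changed for that device.
    """
    port_by_mac = {}
    for trap in switch_traps:
        port_by_mac[normalize_mac(trap["mac"])] = (trap["switch"], trap["port"])
    complete, unmatched = {}, []
    for rep in cas_reports:
        try:
            mac = normalize_mac(rep["mac"])
        except ValueError:
            unmatched.append((rep["ip"], rep["mac"], "malformed MAC"))
            continue
        if mac in port_by_mac:
            complete[rep["ip"]] = (mac, *port_by_mac[mac])
        else:
            unmatched.append((rep["ip"], mac, "MAC not seen on any switch port"))
    return complete, unmatched

# Constructed sample data (hypothetical field names, documentation addresses).
# Switch side: what the CAM learns from SNMP traps.
SWITCH_TRAPS = [
    {"switch": "192.0.2.2", "port": "Fa0/3", "mac": "0011.2233.4455"},
    {"switch": "192.0.2.2", "port": "Fa0/7", "mac": "00-AA-BB-CC-DD-EE"},
]
# CAS side: IP from the packet, MAC reported by the Agent or web-login applet.
CAS_REPORTS = [
    {"ip": "198.51.100.15", "mac": "00:11:22:33:44:55", "source": "agent"},
    {"ip": "198.51.100.16", "mac": "00:AA:BB:CC:DD:01", "source": "web-login"},
]

if __name__ == "__main__":
    done, pending = correlate(SWITCH_TRAPS, CAS_REPORTS)
    print("complete:", done)
    print("unmatched:", pending)
```

The unmatched list is the part to review operationally: in L3 OOB the MAC arrives from the endpoint rather than from Layer 2 adjacency, so a report that matches no switch-learned MAC leaves the mapping incomplete.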
Layer 3 Out-of-Band: L3 OOB Details
Using the CCA Agent
The Agent will inform CAS of the device MAC address.
Without the CCA Agent (using weblogin)
• Web-login page will download Active-X Control or Java Applet to determine device MAC address and report it back to CAS
• CAS informs CAM of IP/MAC of device
• CAM has complete IP-MAC-Port mapping
Layer 3 OOB: Configuration
With CCA Agent
• CCA Agent will inform CAS of MAC address
• No additional configuration is needed
Without CCA Agent (using Web Login)
Configure the Login Page
• On CAM: Administration > User Pages > Login Page > Add/Edit
• Or CAS: Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Login Page | [Override Global Settings]