Chapter 10: Configuring Out-of-Band

Cisco Press

interface FastEthernet1/0/4
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 110
 switchport mode trunk

When configuring the switch port connecting the trusted and untrusted ports of the NAC Appliance Server, please note the following:

  • Always ensure that no common VLANs are being forwarded between the trusted and untrusted ports. A common VLAN between the ports can cause a Layer 2 loop to occur.

  • Configure different black hole native VLANs for the untrusted and trusted ports. Make sure that these VLANs are not used for user traffic. Prune these black hole native VLANs from the other trunk ports throughout your network. The goal is to not propagate these VLANs beyond the switch they are configured on.

  • Allow the relevant VLANs to be forwarded only on the trunk trusted and untrusted ports. Prune the remaining VLANs off from these ports.
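The three rules above can be checked mechanically against a switch configuration. The following Python audit is an added example, not from the book: it assumes the trusted trunk is Fa1/0/3 and the untrusted trunk is Fa1/0/4 (as in the chapter's topology), uses a constructed configuration excerpt, and treats a trunk with no allowed-VLAN list as forwarding every VLAN, which is the IOS default and the usual way a black hole VLAN leaks onto an uplink.

```python
import re
ALL_VLANS = set(range(1, 4095))  # IOS default when a trunk has no allowed-VLAN list

def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '20,110,200-205' into a set of ints."""
    parts = [p.partition("-") for p in text.split(",")]
    return {v for lo, _, hi in parts for v in range(int(lo), int(hi or lo) + 1)}

def parse_trunks(config):
    """Return {interface: {'native': int, 'allowed': set}} for every trunk-mode port."""
    trunks = {}
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        if " switchport mode trunk" not in body.splitlines():
            continue
        native = re.search(r"^ switchport trunk native vlan (\d+)$", body, re.M)
        allowed = re.search(r"^ switchport trunk allowed vlan ([\d,-]+)$", body, re.M)
        trunks[name] = {"native": int(native.group(1)) if native else 1,
                        "allowed": parse_vlan_list(allowed.group(1)) if allowed else ALL_VLANS}
    return trunks

def audit(trunks, trusted, untrusted):
    """Apply the chapter's three rules; return a list of findings (empty means clean)."""
    t, u = trunks[trusted], trunks[untrusted]
    findings = []
    common = t["allowed"] & u["allowed"]
    if common:  # rule 1: a VLAN on both NAS trunks can form a Layer 2 loop
        findings.append(f"VLANs {sorted(common)} forwarded on both NAS trunks")
    if t["native"] == u["native"]:  # rule 2: distinct black-hole native VLANs
        findings.append(f"trusted and untrusted ports share native VLAN {t['native']}")
    black_holes = {t["native"], u["native"]}
    for name, port in trunks.items():  # rules 2 and 3: no trunk may carry them
        leaked = black_holes & port["allowed"]
        if leaked:
            findings.append(f"{name} forwards black-hole VLAN(s) {sorted(leaked)}; prune them")
    return findings

# Constructed sample: the two NAS trunks follow the rules, but uplink Gi1/0/1
# has no allowed-VLAN list, so it would propagate VLANs 998 and 999 (rule 3).
SAMPLE_CONFIG = """\
interface FastEthernet1/0/3
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20
 switchport mode trunk
interface FastEthernet1/0/4
 switchport trunk native vlan 999
 switchport trunk allowed vlan 110
 switchport mode trunk
interface GigabitEthernet1/0/1
 switchport mode trunk
"""
```

Running `audit(parse_trunks(SAMPLE_CONFIG), "FastEthernet1/0/3", "FastEthernet1/0/4")` reports only the uplink; feed it the output of `show running-config` to check a real switch.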

Configuring Fa1/0/5—The Interface Connecting the Host

A best practice is to assign all client switch ports to an initial VLAN equal to the auth VLAN for that switch. In the sample topology, the auth VLAN is VLAN 110. Example 10-7 shows the switch configuration for this.

Example 10-7 Cisco Switch Configuration for Client Switch Ports

interface FastEthernet1/0/5
 switchport access vlan 110
 switchport mode access
 spanning-tree portfast

Configuring Simple Network Management Protocol

The switch and NAC Appliance communicate via Simple Network Management Protocol (SNMP), so the switch must be configured for SNMP. Example 10-8 configures the switch with SNMP MAC-notification traps and linkdown traps. The MAC-notification trap detects a new user on the network and triggers the NAC process; the linkdown trap detects that the user has disconnected from the network. The read-only community string public is bound to access list 10, which allows access only from NAC Appliance Manager; the read-write community string private is bound to the same access list 10. It is always a security best practice to apply an access list to SNMP communities to protect against unwanted access. The switch is configured to send these traps to NAC Appliance Manager at 10.10.30.5. Example 10-8 shows an SNMPv2c configuration, but NAC Appliance also supports SNMP versions 1 and 3.

Example 10-8 Cisco Switch SNMP Configuration

! Community strings, each restricted by standard access list 10
snmp-server community public RO 10
snmp-server community private RW 10
! Traps that tell NAC Appliance Manager when a host connects or disconnects
snmp-server enable traps snmp linkdown
snmp-server enable traps MAC-Notification
! Trap receiver: NAC Appliance Manager
snmp-server host 10.10.30.5 version 2c public
! Standard ACL: only NAC Appliance Manager may use the community strings
access-list 10 permit host 10.10.30.5
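The SNMP requirements in this section can also be audited from the running configuration. The following Python script is an added example, not from the book: it reads Example 10-8 style lines and reports communities without an access list, ACLs that admit anything other than the Manager at 10.10.30.5, required traps that are missing, and (going beyond the chapter's text) the well-known default strings public and private. The sample configuration is constructed, with two defects introduced on purpose.

```python
import re
NAM_IP = "10.10.30.5"  # NAC Appliance Manager address in the chapter's topology
REQUIRED_TRAPS = {"snmp linkdown", "mac-notification"}  # host arrival / departure
WELL_KNOWN = {"public", "private"}  # default community strings worth replacing

def parse_snmp(config):
    """Pull community strings, traps, trap hosts and standard ACLs out of IOS config."""
    communities, traps, hosts, acls = {}, set(), {}, {}
    for line in config.splitlines():
        if m := re.match(r"snmp-server community (\S+) (RO|RW)(?: (\d+))?$", line):
            communities[m.group(1)] = {"mode": m.group(2), "acl": m.group(3)}
        elif m := re.match(r"snmp-server enable traps (.+)$", line):
            traps.add(m.group(1).lower())
        elif m := re.match(r"snmp-server host (\S+) version (\S+) (\S+)$", line):
            hosts[m.group(1)] = {"version": m.group(2), "community": m.group(3)}
        elif m := re.match(r"access-list (\d+) permit (?:host )?(\d+(?:\.\d+){3})$", line):
            acls.setdefault(m.group(1), set()).add(m.group(2))
    return communities, traps, hosts, acls

def audit_snmp(config, nam_ip=NAM_IP):
    """Return findings against the chapter's SNMP requirements (empty list = clean)."""
    communities, traps, hosts, acls = parse_snmp(config)
    findings = []
    for name, c in communities.items():
        permitted = acls.get(c["acl"], set())
        if c["acl"] is None:
            findings.append(f"community '{name}' ({c['mode']}) has no access list")
        elif permitted != {nam_ip}:  # ACL must admit the Manager and nothing else
            findings.append(f"ACL {c['acl']} on '{name}' permits {sorted(permitted)}")
        if name in WELL_KNOWN:
            findings.append(f"community '{name}' is a well-known default string")
    for trap in sorted(REQUIRED_TRAPS - traps):
        findings.append(f"trap '{trap}' not enabled; NAM would miss host events")
    if nam_ip not in hosts:
        findings.append(f"no snmp-server host entry for {nam_ip}")
    return findings

# Constructed sample: Example 10-8 with two defects introduced on purpose,
# a RW community without its ACL and the linkdown trap left out.
SAMPLE_CONFIG = """\
snmp-server community public RO 10
snmp-server community private RW
snmp-server enable traps MAC-Notification
snmp-server host 10.10.30.5 version 2c public
access-list 10 permit host 10.10.30.5
"""
```

`audit_snmp(SAMPLE_CONFIG)` returns four findings for the constructed sample; a configuration matching Example 10-8 exactly is reported only for its default community names.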

Step 2: Configuring NAC Appliance Manager

Now that the network is configured, move on to configuring NAC Appliance Manager. On NAC Appliance Manager, you have to do some basic configuration using the configuration script. From the NAC Appliance Manager command-line interface (CLI), enter the command service perfigo config. Before NAC Appliance Manager has an IP address configured, you can access the CLI either by attaching a monitor and keyboard or by using a serial cable to port 1. The serial settings are 38400 baud, no parity, 8 data bits, 1 stop bit (38400, N, 8, 1). Example 10-9 shows the configuration setup script.

Example 10-9 Configuring NAM via CLI

Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686

cam login: root
Password:
[root@cam ~]# service perfigo config

Welcome to the Cisco Clean Access Manager quick configuration utility.

Note that you need to be root to execute this utility.

The utility will now ask you a series of configuration questions.
Please answer them carefully.

Cisco Clean Access Manager, (C) 2006 Cisco Systems, Inc.

Configuring the network interface:

Please enter the IP address for the interface eth0 [10.2.0.15]: 10.10.30.5
You entered 10.10.30.5. Is this correct? (y/n)? [y]

Please enter the netmask for the interface eth0 [255.255.255.0]:
You entered 255.255.255.0. Is this correct? (y/n)? [y]

Please enter the IP address for the default gateway [10.2.0.1]: 10.10.30.1
You entered 10.10.30.1. Is this correct? (y/n)? [y]

Please enter the hostname [cam1]: nam
You entered nam. Is this correct? (y/n)? [y]

Please enter the IP address for the name server: [192.168.10.1]: 10.10.30.6
You entered 10.10.30.6. Is this correct? (y/n)? [y]

Would you like to change shared secret? (y/n)? [y]
Please remember to configure the Clean Access Server with the same string. Please enter the shared
secret between Clean Access Server
You entered: cisco123
Is this correct? (y/n)? [y]

>>> Configuring date and time:

The timezone is currently set to:America/Los_Angeles
Would you like to change this setting? (y/n)? [y] n

Current date and time hh:mm:ss mm/dd/yy [01:01:01 01/01/07]: 01:20:00 01/01/07
You entered 01:20:00 01/01/07 Is this correct? (y/n)? [y]
Mon Jan 01 01:20:00 PST 2007

You must generate a valid SSL certificate in order to use the Clean Access Manager's secure web console.
Please answer the following questions correctly.
Information for a new SSL certificate:
Enter fully qualified domain name or IP: 10.10.30.5
Enter organization unit name: nacapp
Enter organization name: cisco
Enter city name: san jose
Enter state code: ca
Enter 2 letter country code: us


You entered the following:
Domain: 10.10.30.5
Organization unit: nacapp
Organization name: cisco
City name: san jose
State code: ca
Country code: us
Is this correct? (y/n)? [y]
Generating SSL Certificate...
CA signing: /root/.tomcat.csr -> /root/.tomcat.crt:
CA verifying: /root/.tomcat.crt <-> CA cert
/root/.tomcat.crt: OK
Done

For security reasons, it is highly recommended that you change the default passwords for the root user.
User: root
Changing password for user root.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

Changes require a RESTART of Clean Access Manager.
Configuration is complete.
[root@cam1 ~]# service perfigo reboot

Step 3: Configuring NAC Appliance Server

On NAC Appliance Server, you have to do some basic configuration using the configuration script. From the NAC Appliance Server CLI, enter the command service perfigo config. Example 10-10 shows the configuration setup script.

Example 10-10 Configuring NAS via CLI

[root@cas ~]# service perfigo config

Welcome to the Cisco Clean Access Server quick configuration utility.

Note that you need to be root to execute this utility.

The utility will now ask you a series of configuration questions.
Please answer them carefully.

Cisco Clean Access Server, (C) 2006 Cisco Systems, Inc.

Configuring the network interfaces:

Please enter the IP address for the interface eth0 [10.2.0.15]: 10.10.20.5
You entered 10.10.20.5. Is this correct? (y/n)? [y]

Please enter the netmask for the interface eth0 [255.255.255.0]:
You entered 255.255.255.0. Is this correct? (y/n)? [y]

Please enter the IP address for the default gateway [10.2.0.1]: 10.10.20.1
You entered 10.10.20.1. Is this correct? (y/n)? [y]

[Vlan Id Passthrough] for packets from eth0 to eth1 is disabled.
Would you like to enable it? (y/n)? [n]

[Management Vlan Tagging] for egress packets of eth0 is disabled.
Would you like to enable it? (y/n)? [n]

Please enter the IP address for the untrusted interface eth1 [10.2.0.15]: 10.10.20.5
You entered 10.10.20.5. Is this correct? (y/n)? [y]

Please enter the netmask for the interface eth1 [255.255.255.0]:
You entered 255.255.255.0. Is this correct? (y/n)? [y]

Please enter the IP address for the default gateway [10.2.0.1]: 10.10.20.1
You entered 10.10.20.1. Is this correct? (y/n)? [y]

[Vlan Id Passthrough] for packets from eth1 to eth0 is disabled.
Would you like to enable it? (y/n)? [n]

[Management Vlan Tagging] for egress packets of eth1 is disabled.
Would you like to enable it? (y/n)? [n]

Please enter the hostname [cas1]: nas
You entered NAS1. Is this correct? (y/n)? [y]

Please enter the IP address for the name server: [192.168.10.1]: 10.10.30.6
You entered 10.10.30.6. Is this correct? (y/n)? [y] 

Would you like to change shared secret? (y/n)? [y]
Please enter the shared secret: cisco123
You entered: cisco123
Is this correct? (y/n)? [y]

>>> Configuring date and time:


The timezone is currently set to:America/Los_Angeles
Would you like to change this setting? (y/n)? [y] n

Current date and time hh:mm:ss mm/dd/yy [01:01:01 01/01/07]: 01:40:00 01/01/07
You entered 01:40:00 01/01/07 Is this correct? (y/n)? [y]
Mon Jan 01 01:40:00 PST 2007

You must generate a valid SSL certificate in order to use the Clean Access Server's secure web console.
Please answer the following questions correctly.
Information for a new SSL certificate:
Enter fully qualified domain name or IP: 10.10.20.5
Enter organization unit name: nacapp
Enter organization name: cisco
Enter city name: san jose
Enter state code: ca
Enter 2 letter country code: us

You entered the following:
Domain: 10.10.20.5
Organization unit: nacapp
Organization name: cisco
City name: san jose
State code: ca
Country code: us
Is this correct? (y/n)? [y]
Generating SSL Certificate...
CA signing: /root/.tomcat.csr -> /root/.tomcat.crt:
CA verifying: /root/.tomcat.crt <-> CA cert
/root/.tomcat.crt: OK
Done

For security reasons, it is highly recommended that you change the default password for the root user.
User: root
Changing password for user root.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.


Would you like to change the default password for the web console admin user password? (y/n)? [y]
Please enter an appropriately secure password for the web console admin user.

New password for web console admin:
Confirm new password for web console admin:
Web console admin password changed successfully.

Configuration is complete.
[root@cas1 ~]# service perfigo reboot

Step 4: Logging In to NAC Appliance Manager

Open a browser and connect to NAM over an SSL connection. Enter the IP address of the NAM (https://10.10.30.5) and log in with username: admin and password: cisco123. Figure 10-2 shows a sample screenshot of the NAC Appliance Manager login screen.

Figure 10-2 NAC Appliance Manager Login Screen

You can view the network configuration of NAM at Administration > CCA Manager. Figure 10-3 shows the network configuration page of NAC Appliance Manager in this sample topology (see Figure 10-1).

Figure 10-3 Manager Network Configuration Page

Step 5: Adding NAC Appliance Server to NAC Appliance Manager

You can add NAC Appliance Server by going to Device Management > CCA Servers > New Server. Figure 10-4 shows the add new server page.

Figure 10-4 Add New Server Page

Figure 10-5 shows that NAC Appliance Server has been added in OOB Virtual Gateway mode.

Figure 10-5 List of Servers Page

Step 6: Editing Network Settings on NAC Appliance Server

Go to Device Management > CCA Servers > Manage > Network > IP. You will see a check box for Set Management VLAN ID. This option is a frequent source of confusion. By default, it is not enabled. With the option disabled, when NAC Appliance Server initiates traffic and sends it out of the trusted port, the packets are untagged. When those packets reach the switch, it treats them as received on the native VLAN and forwards them in that VLAN toward the destination. If the option is enabled and a VLAN ID is entered, NAC Appliance Server sends the packets it initiates tagged with that VLAN ID, and the switch places them in that tagged VLAN. Therefore, as long as the configurations on the switch and NAC Appliance Server match, traffic flows correctly. If there is a mismatch between these configurations, you could blackhole your NAS management traffic and be unable to manage NAS from NAM.

In this example, the NAS trusted port (eth0) is connected to Fa1/0/3, which is an 802.1q trunk link. Therefore, the switch expects to receive traffic from the NAS management as 802.1q-tagged traffic. So, in the Network Settings page of NAS, you should enable the option Set Management VLAN ID and enter 20 because VLAN 20 is the NAS management VLAN. Figure 10-6 shows the network configuration page of NAC Appliance Server in the sample topology.

You will notice that you have configured the same IP for both the trusted and untrusted interfaces. Remember that in Virtual Gateway mode, NAC Appliance Server acts as a pure Layer 2 device. Therefore, this device can have only one IP: its management IP. NAC Appliance assumes that its management IP is the IP configured on the trusted port. The IP that you configure on the untrusted port has no relevance. You must configure the same IP on both the trusted and untrusted interfaces.

Figure 10-6 Server Network Configuration Page

Step 7: Configuring VLAN Mapping

In OOB Virtual Gateway mode Central deployment, you want the user traffic on the untrusted VLAN to go through NAC Appliance Server before hitting the user's default gateway. The untrusted VLAN is also called the authentication VLAN (auth VLAN for short) in OOB mode. To achieve this traffic flow, NAC Appliance Server performs VLAN mapping. You configure VLAN mapping on NAC Appliance Server such that the untrusted VLAN is mapped to a trusted VLAN. This allows users on the untrusted side to reach their default gateway on the trusted side through NAC Appliance Server. NAC Appliance Server is bridging the two VLANs.
