Chapter 10: Configuring Out-of-Band

Cisco Press


Of course, before users are bridged, they are stopped by NAC Appliance Server for authentication and posture assessment. By default, the one exception is that the users' DNS and DHCP requests are let through prior to authentication. In this example, traffic from untrusted VLAN 110 is mapped to trusted VLAN 10 (see Figure 10-1). Figure 10-7 shows the VLAN mapping configuration page found by navigating to Device Management > Clean Access Servers > > Advanced > VLAN Mapping.

Enable VLAN mapping and click the Update button. Configure the untrusted VLAN to be VLAN 110 and the trusted VLAN to be VLAN 10. After you enable and configure VLAN mapping, you can enable interface Fa1/0/4 also. When VLAN mapping is configured, NAC Appliance Server drops all Layer 2 control traffic, including bridge protocol data units, Cisco Discovery Protocol, and so on.

Figure 10-7 VLAN Mapping Configuration Page

Step 8: Configuring Managed Subnets

It is extremely important to understand the concept of Managed Subnets when NAC Appliance Server is configured to be in Virtual Gateway mode. Figure 10-8 shows the sample network topology.

Figure 10-8 Sample Network Topology

The untrusted interface IP is of no relevance. When the user connects to the network and moves to the untrusted VLAN, the NAC Appliance Agent on the user's machine starts sending discovery packets to the IP address of NAC Appliance Manager. On their way to NAC Appliance Manager, the packets pass through and are intercepted by NAC Appliance Server. NAC Appliance Server has to respond to these packets, but to be able to do so, it must have an Address Resolution Protocol (ARP) entry for the sending client. Therefore, it has to send out an ARP request first. However, it cannot use the untrusted interface's IP as the source for the ARP request. In addition, NAC Appliance Server has to send the ARP request out the correct untrusted VLAN.

This is achieved by configuring managed subnets on NAC Appliance Server. Think of managed subnets as you would think of subinterfaces on routers. Figure 10-9 shows a sample managed subnet configuration page.

Figure 10-9 Managed Subnet Page

In this example, users on the untrusted network will be on VLAN 110. Because VLAN 110 is mapped to VLAN 10 on the trusted network, the users on VLAN 110 will actually get an IP address from the DHCP server on VLAN 10. The managed subnet that you configure here will be in the VLAN 10 subnet scope; however, it will have a VLAN ID of VLAN 110 because you want the ARP request to go out the untrusted side VLAN 110.

The term managed subnet is a little misleading. It really should be managed subnet interface. When you configure a managed subnet, make sure that you configure an IP address and not a subnet address. This is so that the ARP request that the NAC Appliance Server sends out has a valid source IP address. In this example, managed subnet 110 has an IP address of You can see from Figure 10-9 that VLAN –1, which is the management VLAN 20, has an IP address of –1 is a variable that maps to the VLAN configured on the eth0 trusted interface. All managed subnet IP addresses must be excluded from your DHCP server's address scopes.
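The constraints just described (host IP rather than subnet address, VLAN ID of the untrusted side, address drawn from the mapped trusted scope, excluded from DHCP) can be checked before they are typed into the Manager. The following is an added example, not code from the book or the product; the addresses, the /24 scope and the DHCP exclusion range are assumptions standing in for the figures' values.

```python
import ipaddress

# Constructed topology modelled on the chapter: untrusted VLAN 110 is mapped to trusted
# VLAN 10. The addresses and DHCP exclusions are assumptions, not the book's figures.
VLAN_MAPPING = {110: 10}                                        # untrusted -> trusted
TRUSTED_SCOPES = {10: ipaddress.ip_network("10.10.10.0/24")}
DHCP_EXCLUSIONS = {10: [("10.10.10.1", "10.10.10.10")]}         # inclusive ranges per VLAN


def _excluded(ip, ranges):
    """True if ip falls inside one of the inclusive (start, end) exclusion ranges."""
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi) for lo, hi in ranges)


def check_managed_subnet(ip_str, prefix_len, vlan_id):
    """Return the problems with one managed subnet entry (empty list means it is sane).

    The managed subnet IP is the source address of the ARP requests the Server sends out
    the untrusted VLAN, so it must be a host address inside the trusted scope that the
    mapped clients draw from, and it must never be leased to a client by DHCP.
    """
    problems = []
    iface = ipaddress.ip_interface(f"{ip_str}/{prefix_len}")
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append("IP is the subnet or broadcast address; ARP needs a host IP as source")
    trusted_vlan = VLAN_MAPPING.get(vlan_id)
    if trusted_vlan is None:
        problems.append(f"VLAN {vlan_id} is not an untrusted VLAN in the VLAN mapping")
        return problems
    if iface.ip not in TRUSTED_SCOPES[trusted_vlan]:
        problems.append(f"IP is outside the VLAN {trusted_vlan} scope used by VLAN {vlan_id} clients")
    if not _excluded(iface.ip, DHCP_EXCLUSIONS.get(trusted_vlan, [])):
        problems.append("IP is not excluded from the DHCP scope; a client could be leased it")
    return problems
```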

Step 9: Configuring a Switch Group

This step is optional. A preconfigured Default group is already present. When you add switches to be managed by NAC Appliance Manager, they are added to the Default group. You can configure additional groups and then add the switches to a particular group. By doing so, when you list the switches, you can list them by group. This step is useful if you have a large number of switches to be managed by NAC Appliance. In this example, you will configure a group called cat3750. This is done by navigating to Switch Management > Profiles > Group, as shown in Figure 10-10.

Figure 10-10 Adding a Switch Group

Step 10: Configuring a Switch Profile

A switch profile is configured to define how NAC Appliance Manager communicates with the switches. When you add switches to be managed by NAC Appliance Manager, you configure which profile the switch belongs to. You must add a switch profile for each Cisco switch model you want to support. Figure 10-11 shows a profile for the sample switch, a 3750. This page can be accessed by navigating to Switch Management > Profiles > Switch > New.

Figure 10-11 Creating Switch Profiles

Make sure that you configure the switch model, SNMP port, and the SNMP read/write community strings to match the configuration on the switch.

Step 11: Configuring a Port Profile

A port profile is applied to a port to determine whether and how the port is controlled by NAC Appliance. You can configure the authentication VLAN, the default access VLAN, and the VLAN assignment method using a port profile. In the configuration shown in Figure 10-12, for the Access VLAN field, User Role VLAN has been chosen from the drop-down menu. This means that when a user is authenticated and healthy, the VLAN to which the user is moved will be decided by user role. The page shown in Figure 10-12 can be accessed by navigating to Switch Management > Profiles > Port > New.

Figure 10-12 Port Profile Configuration Page

The Generate Event Logs When There Are Multiple MAC Addresses Detected on the Same Switch Port option has been enabled so that you will know whether an end user has connected a hub or an unmanaged switch behind the NAC-controlled switch.

The Remove Out-of-Band Online User When SNMP Linkdown Trap Is Received option has been enabled so that if the user machine disconnects from the switch port, the user will be logged off from NAC Appliance.

If a user connects his machine from behind an IP phone, when that user disconnects, the switch will not detect a linkdown, and therefore will not log the user off from NAC Appliance. The Remove Other Out-of-Band Online Users on the Switch Port When a New User Is Detected on the Same Port option has been enabled so that if a new user is detected on a port, NAC Appliance will automatically log off the old user.

If your clients will be plugged into IP phones, you must check the Remove Out-of-Band Online User Without Bouncing the Port option. This ensures that the IP phone is not disconnected every time a host disconnects.

Step 12: Configuring the SNMP Receiver

The SNMP receiver configuration must match the SNMP configuration on the NAC-controlled switches. The SNMP receiver receives and responds to SNMP traps sent by switches. The SNMP receiver page shown in Figure 10-13 can be accessed by navigating to Switch Management > Profiles > SNMP Receiver > SNMP Trap.

Figure 10-13 SNMP Receiver Configuration Page

Advanced settings with which you can tweak different timers are also available. They are accessed by navigating to Switch Management > Profiles > SNMP Receiver > Advanced Settings. Tweaking the timers is not usually required unless there is unexpected latency in the switch and the NAC Appliance Manager communication. Figure 10-14 shows the advanced settings configuration page.

Figure 10-14 SNMP Receiver Advanced Settings

Step 13: Adding a Switch to NAC Appliance Manager

Now you need to add the individual switches. To do this, navigate to Switch Management > Devices > Switches > New. Choose the appropriate switch profile and switch group. Most of the time it is best to set the default port profile to Uncontrolled. This instructs NAC Appliance not to control any switch port until told to. Finally, type in the IP address of the switch and click Add. Figure 10-15 shows the addition of the sample switch.

Figure 10-15 Adding a Switch to NAC Appliance

Step 14: Configuring Ports to Be Managed by NAC

To configure the control of switch ports, click the Ports icon, shown in Figure 10-16, for the switch.

Figure 10-16 List of Switches

As shown in Figure 10-17, clicking the Ports icon lists all the ports available on that switch and the configuration of each.

Figure 10-17 Ports List

Because the user PC is connected on Fa1/0/5, change the profile for port Fa1/0/5 to the NAC_controlled port profile and click Update. When you click the Update button, NAC Appliance Manager adds the command snmp trap mac-notification added to the Fa1/0/5 interface configuration. This configuration change is made to the running configuration of the switch.

Step 15: Configuring User Roles

You will configure three user roles: Guest, Consultant, and Employee. In the user role page, you will also configure the OOB user role VLAN—this is the VLAN that the switch port will be assigned to when a user belonging to that user role completes the NAC process. Note that the configuration of any IPsec, VPN, or roaming parameters is not relevant anymore. These are deprecated features soon to be removed from the solution. Figure 10-18 shows the user role creation for Guest.

Figure 10-18 New User Role Configuration Page—Guest

Figure 10-19 shows the user role creation for Consultant.

Figure 10-19 New User Role Configuration Page—Consultant

Figure 10-20 shows the user role creation for Employee.

Figure 10-20 New User Role Configuration Page—Employee

Figure 10-21 shows all the user roles.

Figure 10-21 List of Roles Page

Step 16: Configuring User Authentication on the Local Database

Add two local users to the NAC Appliance local database. One will be an employee and the second will be a consultant. These local user accounts will be used for testing purposes. In a production environment, you should configure an LDAP, Kerberos, or RADIUS server instead. Local users should generally be used only for testing and guest access. Figure 10-22 shows creation of a consultant user who is a member of the Consultant role.

Figure 10-22 New Local User Configuration Page—Consultant

Figure 10-23 shows creation of an employee user who is a member of the Employee role.

Figure 10-23 New Local User Configuration Page—Employee

Step 17: Testing Whether OOB and User Role–Based VLAN Assignment Works

If you go to Switch Management > Device > Switches > List > > Ports, you will see that interface Fa1/0/5, the client port, is currently on VLAN 10. This is shown in Figure 10-24.

Figure 10-24 List of Ports

Now go ahead and connect a laptop to interface Fa1/0/5. You see in Figure 10-25 that the port was immediately moved to the untrusted VLAN 110. This is because that port profile had the auth (untrusted) VLAN set to VLAN 110.

On the user PC, you will see that NAC Appliance Agent has popped up. Go ahead and put in the credentials for the user jane, as shown in Figure 10-26.

Figure 10-25 List of Ports After Client Linkup

Figure 10-26 Clean Access Agent Authentication Popup

After you click Login, NAC Appliance determines that the user jane belongs to the Employee user role. NAC Appliance looks at the OOB user role VLAN configured under the Employee user role and moves the user's switch port Fa1/0/5 to VLAN 12. See Chapter 6, "Building a Cisco NAC Appliance Host Security Policy," for more information about user roles. Figure 10-27 shows the port Fa1/0/5 now in the access VLAN 12, as determined by the user role.

Figure 10-27 Port List—Access VLAN

Because you changed the VLAN of the user from VLAN 110 to VLAN 12 in this process, the subnet for the user also changed. Previously the user received an IP address from the VLAN 10 subnet scope. However, because the user is in VLAN 12 now, it must refresh its IP address. This can be done by configuring port bouncing. However, doing so is not recommended and not possible if you have IP phones. Instead, use the DHCP release/renew functionality built into Clean Access Agent and the web login applet. As a result, during the login process, you will see the Clean Access Agent screens shown in Figure 10-28 and Figure 10-29.

Figure 10-28 IP Refresh Dialog Box

Figure 10-29 IP Refresh Successful Dialog Box

The user will show up in the Online User list shown in Figure 10-30. This list is accessed by navigating to Monitoring > Online Users > Out-of-Band. If the OOB user is in quarantine, it shows up in the In-Band user list until it passes certification.

Figure 10-30 OOB Online Users List

Now if the user disconnects from the switch port, NAC Appliance removes the user from the online user list. NAC Appliance knows that the user disconnected because the switch is configured to send a linkdown SNMP trap to NAC Appliance Manager. Note that the port remains in VLAN 12. The port's VLAN does not change again until NAC Appliance Manager receives a linkup or MAC-notification trap on that port from the switch.

Another user, John, now connects to the same user port. The port immediately moves to the auth (untrusted) VLAN 110, as shown in Figure 10-31.

Figure 10-31 Switch Ports List—Untrusted

On the user's machine, Clean Access Agent pops up asking for authentication. Put in the credentials for the user john and click Login as shown in Figure 10-32.

Figure 10-32 Clean Access Agent Login

After the user is authenticated, NAC Appliance Manager determines that this user is a consultant and moves the user to VLAN 11. This is shown in the ports list of Figure 10-33 for the interface FastEthernet1/0/5. The Consultant user role is configured to use VLAN 11.

Figure 10-33 Switch Ports List—Consultant Role

The user shows up in the online user list as a Consultant, as shown in Figure 10-34.

Figure 10-34 Online User List—Consultant
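The port behaviour walked through in Step 17 is the Step 11 port-profile options applied to the switch's SNMP traps: a linkup or MAC-notification trap puts the port in the auth VLAN and logs off any previous user, a successful Agent login moves the port to the role's OOB VLAN, and a linkdown trap removes the online user while the port keeps its VLAN. The model below is an added example written for this text, not code from the book or from NAC Appliance Manager; VLANs 110, 12 and 11 and the accounts jane and john come from the chapter, while the trap names, MAC addresses and method names are assumptions.

```python
AUTH_VLAN = 110                                   # auth (untrusted) VLAN from the port profile
ROLE_VLANS = {"Employee": 12, "Consultant": 11}   # OOB user role VLANs from Step 15
LOCAL_USERS = {"jane": "Employee", "john": "Consultant"}   # test accounts from Step 16

class Port:
    def __init__(self, name, vlan):
        self.name, self.vlan = name, vlan
        self.online_user = None   # OOB online user on this port, if any
        self.macs = set()         # MACs seen on the port since the last linkdown
        self.events = []          # event-log entries the Manager would generate

class OobManager:
    """Applies the Step 11 port-profile options to the traps a controlled switch port sends."""

    def __init__(self, remove_on_linkdown=True, remove_old_on_new_user=True):
        self.remove_on_linkdown = remove_on_linkdown
        self.remove_old_on_new_user = remove_old_on_new_user
        self.online_users = {}    # user -> port name (the OOB Online Users list)

    def _logoff(self, port, reason):
        if port.online_user:
            self.online_users.pop(port.online_user, None)
            port.events.append(f"logoff {port.online_user}: {reason}")
            port.online_user = None

    def trap(self, port, kind, mac=None):
        """Handle a linkup, mac-notification or linkdown trap for one port."""
        if kind == "linkdown":
            port.macs.clear()
            if self.remove_on_linkdown:
                self._logoff(port, "linkdown trap")
            return                # the port keeps its VLAN until the next linkup/MAC trap
        if kind not in ("linkup", "mac-notification"):
            raise ValueError(f"unknown trap {kind}")
        if mac:
            port.macs.add(mac)
            if len(port.macs) > 1:
                port.events.append(f"multiple MACs on {port.name}: {sorted(port.macs)}")
        if self.remove_old_on_new_user:
            self._logoff(port, f"new host detected via {kind}")
        port.vlan = AUTH_VLAN     # a newly detected host always starts in the auth VLAN

    def login(self, port, user):
        """Successful Agent login: move the port to the role VLAN without bouncing it."""
        role = LOCAL_USERS[user]
        port.vlan = ROLE_VLANS[role]
        port.online_user = user
        self.online_users[user] = port.name
        return role
```

The IP-phone case is the mac-notification path: no linkdown ever arrives, so the old user is removed only because a new MAC is detected on the same port.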

Sample Design and Configuration for Layer 3 Out-of-Band Deployment

For Layer 3 out-of-band deployment, consider the topology in Figure 10-35.

Figure 10-35 Sample Layer 3 OOB Network Topology

Note - Figure 10-35 is the basis for this example and is referred to several times throughout the following text. It will be helpful to bookmark this page or note the page number for easy reference as you read through this example.
