Chapter 10: Configuring Out-of-Band

Cisco Press


NAC Appliance Agent sends its discovery packets on port 8905 to the discovery host configured on NAC Appliance Manager. By default, the discovery host is the IP address of NAM itself. This works because NAM always sits on the trusted network, so a user on the untrusted network can reach it only by passing through NAS, and NAS intercepts the discovery packets on the way.

In this design, you are not forcing all user traffic through NAC Appliance Server. A technology such as policy-based routing, virtual routing and forwarding, or generic routing encapsulation would do that; the VLAN ACLs used here do not redirect traffic to NAC Appliance Server, they only restrict where it can go. Therefore, you must change the discovery host from NAC Appliance Manager (the default) to the untrusted-port IP of NAC Appliance Server, as shown in Figure 10-55. Doing so ensures that the NAC Appliance Agent discovery packets reach NAC Appliance Server.

Figure 10-55 Changing Discovery Host

Step 17: Configuring the Web Login Page

You have to configure the web login page for users who don't use NAC Appliance Agent. The Login Page edit screen is shown in Figure 10-56.

This design uses ActiveX and Java applet controls for two purposes:

  • To obtain the MAC address of the user device. This is required for OOB Layer 3 mode to operate. The client's MAC address is used to find the switch port the client is connected to.

  • To trigger an IP release/renew when the user is moved from the untrusted VLAN to the trusted VLAN.

Be sure to enable the web client and check or enable each of the options below it.

Figure 10-56 Login Page Edit Screen

Step 18: Testing Whether OOB and User Role–Based VLAN Assignment Works

If you navigate to Switch Management > Device > Switches > List > > Ports, you will see that interface Fa1/0/5 is not connected and is currently on VLAN 10 (Initial VLAN). This is shown in Figure 10-57.

Now connect a laptop to interface Fa1/0/5. You will see that the port is immediately moved to the untrusted VLAN 110. This was triggered by the switch sending an SNMP MAC-notification trap to NAC Appliance Manager. The port was moved to VLAN 110 because the port profile's auth (untrusted) VLAN is set to VLAN 110. See Figure 10-58 for details.

Figure 10-57 Ports List—Before Connection

Figure 10-58 Ports List—After Connection

On the user PC, you will see that NAC Appliance Agent has popped up. Put in the credentials for the user jane, as shown in Figure 10-59.

Figure 10-59 Clean Access Agent Authentication Popup

When you click Login, NAC Appliance determines that the user jane belongs to the Employee user role. NAC Appliance looks at the OOB user role VLAN configured under the Employee user role and moves the user's switch port, Fa1/0/5, to VLAN 12. This is shown in Figure 10-60.

Figure 10-60 Ports List—After Authentication

Because the user's VLAN changed from VLAN 110 to VLAN 12 during this process, the agent also triggers a DHCP release/renew on the user's machine. As a result, during the login process you will see the NAC Appliance Agent screens shown in Figure 10-61 and Figure 10-62.

Figure 10-61 Agent Refreshing IP

Figure 10-62 Agent Refreshing IP Successful

The user appears in the OOB online users list, as shown in Figure 10-63. If the user is instead placed in the Temporary role for remediation, it appears in the in-band online users list until it becomes clean.

Now if the user disconnects from the switch port, NAC Appliance removes the user from the online users list. This is triggered by the switch sending an SNMP linkdown trap to NAC Appliance Manager. The port VLAN, however, is not changed—it remains in VLAN 12.

Figure 10-63 Online Users List—OOB

Now another user, John, connects to the same switch port. The switch sends a new SNMP MAC-notification trap to NAC Appliance Manager. The port will immediately move to the auth (untrusted) VLAN 110, as shown in Figure 10-64, so that the new user can log in.

Figure 10-64 Ports List—Next User

On the user's machine, Clean Access Agent pops up, as shown in Figure 10-65. Put in the credentials for the user John and click Login.

Figure 10-65 Clean Access Agent Authentication Popup

After the user is authenticated, NAC Appliance Manager determines that this user is a consultant and moves the user to VLAN 11, which is the VLAN configured for the OOB user role VLAN for the Guest role. The user shows up in the out-of-band online user list as a Consultant, as shown in Figure 10-66.

Figure 10-66 Online Users List—OOB

Additional Out-of-Band Considerations

Here is a list of other considerations worth noting in regard to the sample setup you just ran through:

  • The previous steps covered a scenario in which users have NAC Appliance Agent and the agent is able to discover NAC Appliance Server.

  • Users who don't have NAC Appliance Agent have to be given a URL to which they can go for authentication. That URL should resolve to the untrusted port IP of NAC Appliance Server. Therefore, guest users who want to get network access can be given a URL, for example: You can put an entry into the DNS server to make this DNS name resolve to, which is the untrusted port IP of the NAS.

  • If you want to perform NAC Appliance Server load balancing in a Layer 3 OOB environment, you have several choices:

    — Use a server load-balancing device, such as a Cisco ACE module.

    — Use a discovery host IP address that points to a client that is reachable only by going through the servers. Then configure the network to load balance this address via routing.

    — Use DNS round-robin to load balance the servers. Be careful with this method because it might not deal well with failures, depending on your environment. To use it, configure the DNS host name to resolve to the different servers and let the DNS server load balance between them. If you are using NAC Appliance Agent, you can configure the discovery host to be a DNS name instead of an IP, make the DNS server resolve that name to the different servers, and load balance between them.

  • In Out-of-Band mode, NAC Appliance relies on SNMP traps from the switch to trigger the NAC process and on SNMP sets to change the VLAN on the switch port. If you configure out-of-band in a Layer 3 environment, you must ensure that the network is reliable and will not drop the SNMP packets. Consider this factor if you deploy Layer 3 OOB for remote sites where the SNMP traffic traverses an unreliable or congested WAN link: a lost trap means NAC Appliance Manager never learns that a device connected or disconnected, and a lost set means the port is never moved. Consider prioritizing SNMP traffic on the WAN link using QoS mechanisms. Doing so helps ensure good SNMP communication between the switches at the remote site and NAC Appliance Manager at the central site. A future release of NAC Appliance will use SNMP informs to help with this issue.
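The following Python model walks through the Step 18 sequence (connect, MAC-notification trap, agent login, role VLAN assignment, linkdown, next user) and then replays it with the second MAC-notification trap dropped, which is the failure the SNMP reliability consideration above is about. It is an added example written for this page, not NAC Appliance code: the VLAN numbers, the port Fa1/0/5, the user names and the role-to-VLAN mapping are the chapter's; the class and method names, the user database and the MAC addresses are assumptions made for the illustration.

```python
"""Model of the NAC Appliance OOB port/VLAN behaviour described in Step 18.

Assumptions (not from the chapter): class/method names, the USER_ROLE table and
the two MAC addresses. VLANs, port name, users and roles follow the chapter.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INITIAL_VLAN = 10   # port profile: initial VLAN, port not connected (Figure 10-57)
AUTH_VLAN = 110     # port profile: auth (untrusted) VLAN (Figure 10-58)
ROLE_VLAN = {       # OOB user role VLAN configured under each user role
    "Employee": 12,
    "Consultant": 11,
}
USER_ROLE = {"jane": "Employee", "john": "Consultant"}   # assumed user database

JANE_MAC = "00:11:22:33:44:55"   # constructed sample MACs for the two laptops
JOHN_MAC = "66:77:88:99:aa:bb"


@dataclass
class ManagedPort:
    name: str
    vlan: int = INITIAL_VLAN
    mac: Optional[str] = None          # MAC the switch last reported on the port
    online_user: Optional[str] = None


@dataclass
class OobManager:
    """Stands in for NAC Appliance Manager. Each handler corresponds to one
    SNMP trap from the switch (MAC-notification, linkdown) or to an agent
    login; every VLAN change models one SNMP set issued to the switch."""
    ports: Dict[str, ManagedPort] = field(default_factory=dict)
    online: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # user -> (role, port)
    snmp_sets: List[Tuple[str, int]] = field(default_factory=list)

    def _set_vlan(self, port: ManagedPort, vlan: int) -> None:
        port.vlan = vlan
        self.snmp_sets.append((port.name, vlan))

    def mac_notification(self, port_name: str, mac: str) -> None:
        """Switch trap: a new MAC appeared. Move the port to the auth VLAN so
        the device must authenticate before reaching a role VLAN."""
        port = self.ports[port_name]
        port.mac = mac
        self._set_vlan(port, AUTH_VLAN)

    def login(self, mac: str, user: str) -> Optional[str]:
        """Agent login (relayed via NAS). NAM looks the client's MAC up in its
        port table, which is why the MAC is collected in Layer 3 OOB, and moves
        that port to the VLAN configured for the user's role (Figure 10-60)."""
        role = USER_ROLE.get(user)
        port = next((p for p in self.ports.values() if p.mac == mac), None)
        if role is None or port is None:
            return None
        self._set_vlan(port, ROLE_VLAN[role])
        port.online_user = user
        self.online[user] = (role, port.name)
        return role

    def linkdown(self, port_name: str) -> None:
        """Switch trap: link down. The user leaves the OOB online list, but the
        port keeps its current VLAN, exactly as the chapter describes."""
        port = self.ports[port_name]
        if port.online_user is not None:
            self.online.pop(port.online_user, None)
            port.online_user = None
        port.mac = None


def run_sequence(drop_second_mac_trap: bool = False):
    """Replay Step 18. Returns (manager, list of port VLANs after each event)."""
    nam = OobManager(ports={"Fa1/0/5": ManagedPort("Fa1/0/5")})
    port = nam.ports["Fa1/0/5"]
    trace = [port.vlan]                         # 10: not connected
    nam.mac_notification("Fa1/0/5", JANE_MAC)   # jane's laptop connects
    trace.append(port.vlan)                     # 110: auth VLAN
    nam.login(JANE_MAC, "jane")                 # Employee -> VLAN 12
    trace.append(port.vlan)
    nam.linkdown("Fa1/0/5")                     # jane unplugs; VLAN stays 12
    trace.append(port.vlan)
    if drop_second_mac_trap:
        port.mac = JOHN_MAC                     # device is there, NAM never heard
    else:
        nam.mac_notification("Fa1/0/5", JOHN_MAC)
    trace.append(port.vlan)
    return nam, trace


if __name__ == "__main__":
    nam, trace = run_sequence()
    print("normal:", trace, "john ->", nam.login(JOHN_MAC, "john"), nam.ports["Fa1/0/5"].vlan)
    nam, trace = run_sequence(drop_second_mac_trap=True)
    print("trap lost:", trace, "online users:", nam.online)
```

In the normal run the port goes 10, 110, 12, 12, 110 and John's login lands him in VLAN 11. With the MAC-notification trap lost, the port stays in VLAN 12 from Jane's session and John's unauthenticated device sits on the Employee VLAN while NAM's online list is empty; that is the concrete reason the chapter insists on reliable SNMP delivery between remote switches and NAM.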


In this chapter, you examined how to configure NAC Appliance using the Out-of-Band deployment mode. You covered several of the design considerations for OOB as well as how it works. Two detailed, step-by-step OOB sample setups were given. The first setup used OOB with Layer 2 client adjacency, whereas the second setup used OOB with Layer 3 client adjacency. Each example provided instructions on how to configure each of the relevant devices in the solution: the Cisco switches, routers, NAC Appliance Manager and NAC Appliance Server, and VLAN access lists where appropriate. These sample configurations are intended as guides to help you build your own NAC Appliance OOB solution that fits your environment.

Copyright © 2007 Pearson Education. All rights reserved.


Copyright © 2007 IDG Communications, Inc.
