Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(2)
Configuring Layer 3 Out-of-Band
Table Of Contents

Configuring Layer 3 Out-of-Band (L3 OOB)

Overview

Layer 3 Out-of-Band Deployment Use Cases

Layer 3 Out-of-Band L2 vs L3 OOB Implementation

Layer 3 Out-of-Band L3 OOB Details

Layer 3 OOB: Configuration

Layer 3 OOB: Configuration

Layer 3 OOB: Important Configuration Notes

Layer 3 OOB: Networking


Configuring Layer 3 Out-of-Band (L3 OOB)


This chapter provides a general overview of the configuration needed for Layer 3 Out-of-Band deployment.

For general information on configuring the Cisco NAC Appliance for out-of-band deployment, see "Switch Management and Configuring Out-of-Band (OOB) Deployment" and "Enable the Login Page for L3 OOB" in the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(2).

Overview

Multi-hop L3 support for in-band (wired) deployments enables administrators to deploy the Clean Access Server (CAS) in-band centrally (in the core or distribution layer) to support users behind L3 switches (e.g. routed access) and remote users behind VPN concentrators or remote WAN routers. With L3 IB, users more than one L3 hop away from the CAS are supported, and their traffic always goes through Cisco NAC Appliance.

Multi-hop L3 support for out-of-band (wired) deployments enables administrators to deploy the CAS out-of-band centrally (in the core or distribution layer) to support users behind L3 switches (e.g. routed access) and, in some instances, remote users behind WAN routers. With L3 OOB, users more than one L3 hop away from the CAS are supported, and their traffic has to go through Cisco NAC Appliance only for authentication and posture assessment.

Administrators have the option of deploying a remote CAS or L3 IB CAS for remote WAN users, and in some instances using L3 OOB.

Client MAC Address Detection—Clean Access Agent or ActiveX/Java Applet

The MAC detection mechanism of the Clean Access Agent will automatically acquire the client MAC address in L3 OOB deployments.

Users performing web login download and execute either an ActiveX control (for IE browsers) or a Java applet (for non-IE browsers) on the client machine prior to user login to determine the user machine's MAC address. This information is then reported to the CAS and the CAM to provide the IP address/MAC address mapping.

ActiveX/Java Applet and Browser Compatibility

ActiveX is supported on IE 6.0 for Windows XP and Windows 2000 systems.

IE 7.0 Beta is not supported when the Clean Access Agent is installed. For the Agent to log in and perform other operations, users must uninstall IE 7.0 Beta 2.

Java applets are supported for major browsers including Safari 1.2+, Mozilla (Camino, Opera), and Internet Explorer on Windows XP, Windows 2000, Mac OS 10, and Linux operating systems.

Due to Firefox issues with Java, Java applets are not supported for Firefox on Mac OS X. See the Firefox release notes (http://www.mozilla.com/firefox/releases/1.5.0.3.html) for details.


Note For Mac OS Clients: On Apple Mac OS, the browser settings to bypass the proxy must include the full CAS IP address (e.g. 10.201.217.93) in order for the client machine to load the Java applet and log in successfully.



Note For Linux OOB Clients:

Because Linux machines behave differently from Windows/Mac OS clients (i.e. they do not release their IP address when the NIC goes down and renew it when the NIC comes back up), use the following steps for OOB Linux clients:

1. Set a short lease time (e.g. 60 seconds) for the DHCP server on the Auth VLAN.

2. In the Port Profile, disable (uncheck) the "Remove out-of-band online user when SNMP linkdown trap is received" option.

This will cause the Linux client to renew its IP address shortly after authentication/certification.

Note Because Linux shuts down/restarts the NIC when renewing the IP address, if this option is enabled (checked) in the Port Profile, the renewal will set the port back to the Auth VLAN.

3. Alternatively, you can set the Port Profile to: "Change to [Access VLAN] if the device is certified but not in the out-of-band user list." This ensures the port stays on the Access VLAN for an authenticated/certified Linux client that is reconnecting to the port after renewing its DHCP lease.


This new feature modifies the following web admin console pages:

A new checkbox and dropdown menu are added for "Use ActiveX or Java Applet to detect client MAC address when Clean Access Server cannot detect the MAC address" in the following user login configuration pages:

CAM web console: Administration > User Pages > Login Page > List [Edit] | General

CAS management pages: Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Login Page > List [Edit] > General

Device Management > Clean Access > Updates (version information for updates to L3 Java Applet Web Client and L3 ActiveX Web Client)

In addition, the web login pages for L3 OOB users will reflect status information related to loading the ActiveX control or Java applet, and renewing the client IP address.

Layer 3 Out-of-Band Deployment Use Cases

OOB is for wired deployments only

L3 OOB is best used in Routed Access deployments

L3 OOB can also be used for remote WAN sites, but weigh the considerations/tradeoffs against other deployment options, such as:

Remote CAS to WAN sites

L3 IB CAS in Central site to support WAN sites

Layer 3 Out-of-Band L2 vs L3 OOB Implementation

In L2 OOB, users are Layer 2 adjacent to the CAS:

1. The user device connects to the switch, and the switch sends an SNMP trap to the CAM.

2. The CAM gets the device MAC and port information from the switch.

3. The CAS receives the user's packets and sends the source IP/MAC information to the CAM.

4. The CAM now has the complete IP/MAC/Port mapping.

5. Once the device is certified to be compliant, the CAM knows which port to change the VLAN on.

In L3 OOB, users are one or more hops away from the CAS:

1. The CAM still gets the device MAC and port information from the switch.

2. The CAS receives packets with the user's IP address.

3. The CAS gets the MAC information from either the Agent or a web login page enabled for ActiveX/Java Applet, which determines the device MAC address and reports it back to the CAS.

4. The CAS informs the CAM of the device IP/MAC.

5. The CAM has the complete IP/MAC/Port mapping.
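The L2 and L3 flows above differ only in where the CAS gets the client MAC address. The following added model (not code from the guide or from Cisco NAC Appliance; all addresses and port names are constructed) joins the two data sources the CAM holds, a switch trap (MAC to port) and a CAS report (IP to MAC), and shows why the CAM cannot change the port VLAN when a routed client cannot run the Agent or the ActiveX/Java Applet.

```python
from dataclasses import dataclass, field

CLIENT_MAC = "00:11:22:33:44:55"   # constructed sample values; not from the guide
CLIENT_IP = "10.10.10.50"
ROUTER_MAC = "00:00:0c:aa:bb:01"   # last-hop router between client and CAS
PORT = ("access-sw1", "Gi1/0/5")


@dataclass
class CAM:
    """Model of CAM OOB bookkeeping: MAC->port from SNMP traps, IP->MAC from CAS."""
    port_by_mac: dict = field(default_factory=dict)
    mac_by_ip: dict = field(default_factory=dict)
    vlan_by_port: dict = field(default_factory=dict)

    def switch_trap(self, port, mac):
        # Common to L2 and L3 OOB: the switch tells the CAM which MAC is on which port.
        self.port_by_mac[mac] = port
        self.vlan_by_port[port] = "AUTH"

    def cas_report(self, ip, mac):
        # The CAS reports the IP/MAC pair it learned; with no MAC there is nothing to record.
        if mac is not None:
            self.mac_by_ip[ip] = mac

    def certify(self, ip):
        """Posture passed: change the port VLAN only if IP->MAC->Port is complete."""
        port = self.port_by_mac.get(self.mac_by_ip.get(ip))
        if port is None:
            return "AUTH"            # CAM does not know which port to change
        self.vlan_by_port[port] = "ACCESS"
        return "ACCESS"


def cas_learn_mac(frame_src_mac, layer3, reported_mac=None):
    """L2 adjacent: the frame's source MAC is the client's. One or more L3 hops
    away: the source MAC is the router's, so only an Agent/Applet report is usable."""
    return reported_mac if layer3 else frame_src_mac


def l2_oob_flow():
    cam = CAM()
    cam.switch_trap(PORT, CLIENT_MAC)
    cam.cas_report(CLIENT_IP, cas_learn_mac(CLIENT_MAC, layer3=False))
    return cam.certify(CLIENT_IP)


def l3_oob_flow(applet_ran):
    # applet_ran=False models a client that cannot run ActiveX or the Java Applet
    cam = CAM()
    cam.switch_trap(PORT, CLIENT_MAC)
    reported = CLIENT_MAC if applet_ran else None
    cam.cas_report(CLIENT_IP, cas_learn_mac(ROUTER_MAC, layer3=True, reported_mac=reported))
    return cam.certify(CLIENT_IP)
```

Feeding the routed frame's source MAC (the router's) into the CAM instead of a reported MAC also leaves the port on the Auth VLAN, because that MAC matches no switch trap.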

Layer 3 Out-of-Band L3 OOB Details

Using the CCA Agent

The Agent informs the CAS of the device MAC address.

Without the CCA Agent (using weblogin)

The web login page downloads an ActiveX control or Java applet to determine the device MAC address and report it back to the CAS.

The CAS informs the CAM of the device IP/MAC.

The CAM has the complete IP/MAC/Port mapping.

Layer 3 OOB: Configuration

With CCA Agent

The CCA Agent informs the CAS of the MAC address.

No additional configuration is needed

Without CCA Agent (using Web Login)

Configure the Login Page

On CAM: Administration > User Pages > Login Page > Add/Edit

Or CAS: Device Management > CCA Servers > Manage [CAS_IP] > Authentication > Login Page | [Override Global Settings]

Figure 3-1 Administration User Page

Layer 3 OOB: Configuration

On Login Page, there is a new checkbox and dropdown menu "Use ActiveX or Java Applet to detect client MAC address when Clean Access Server cannot detect the MAC address" with the following options:

ActiveX Only

Java Applet Only

ActiveX Preferred

Java Applet Preferred

ActiveX on IE, Java Applet on non-IE Browser

For the "Preferred" options, the preferred mechanism is loaded first; if it fails, the other one is loaded.

ActiveX is fastest with IE

ActiveX is preferred and faster than applet

ActiveX supported on IE 6.0 on Windows XP/2000

Java Applet supported on most browsers


Note DHCP IP addresses can be refreshed for client machines using the Clean Access Agent or ActiveX Control/Java Applet without requiring port bouncing after authentication and posture assessment. See "Enable Web Client for Login Page" in the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(2) for further details.


Figure 3-2 Administration User Page Edit

Layer 3 OOB: Important Configuration Notes

If a Managed Subnet is configured, NAC Appliance will not use L3 OOB for those subnets.

Managed subnets are for L2 users only.

You must click the "Enable L3 support" checkbox under Device Management > CCA Servers > Manage [CAS_IP] > Network > IP.

Figure 3-3 Enabling L3 Support

The client machine must be able to execute either the ActiveX control or the Java applet.

When the CAM changes the VLAN on the switch port from the Auth VLAN to the Access/User Role VLAN, port bouncing is required.

In Port profiles (Switch Management > Profiles > Port > New/Edit), make sure "Bounce the port after VLAN is changed" is checked.

Figure 3-4 VLAN Setting Changes to Bounce a Port

In Port profiles, make sure "Remove out-of-band online user without bouncing the port" is unchecked.

Figure 3-5 Unchecked OOB Selection

Layer 3 OOB: Networking

L3 OOB will typically be used in Routed Access environments.

With OOB, the goal is to make user traffic flow through the CAS during Authentication, Posture Assessment and Remediation only.

The CAS challenges the user for credentials and also acts as the policy enforcement device in the Unauthenticated and Quarantine/Temporary roles.

Once the user is certified to be compliant, the user's traffic bypasses the CAS.

Use networking technologies (such as PBR or VRF) to achieve this goal.