HP 3350 - Cisco NAC Appliance Spezifikationen Seite 102
- Seite / 681
- Inhaltsverzeichnis
- FEHLERBEHEBUNG
- LESEZEICHEN
Bewertet. / 5. Basierend auf Kundenbewertungen
3-12
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 3 Switch Management: Configuring Out-of-Band Deployment
Deployment Modes
Flow for Out-of-Band Real-IP Gateway Mode
1. The unauthenticated user connects the client machine to the network through an edge switch.
2. The switch sends MAC notification or linkup/linkdown SNMP traps for the client to the CAM.
Because the client is not on the Certified Devices List/Online Users list yet, the CAM sends an
SNMP SET trap to the switch instructing it to change the client port to the Authentication VLAN
specified in the Port Profile (100), and the CAM places the client on the Out-of-Band Wired Clients
list (OOB Management > Devices > Discovered Clients > Wired Clients).
Note To support a variety of switch configurations, Cisco NAC Appliance supports switches using both MAC
Change Notification and MAC Move Notification traps.
3. The unauthenticated client requests and receives an IP address on the Auth VLAN (x.x.100.x).
4. The client authenticates through the CAS via web login or the Agent. If configured, the client goes
through posture assessment, all the while transmitting and receiving traffic on the Auth VLAN (100)
to the CAS. When clean, the client is placed on the Certified Devices List. The CAS acts as the
default gateway while the client remediates. Only permitted traffic is allowed to pass through from
the untrusted to trusted interface.
5. At this point, the CAM instructs the switch to change the client switch port from the Authentication
VLAN (100) to the Access VLAN (10) (according to the Port Profile), and puts the client MAC
address on the Out-of-Band Online Users list (Monitoring > Online Users > View Online Users >
Out-of-Band).
6. The client port is switched to the Access VLAN and is bounced (as set in the Port Profile). When
the port is bounced, the client acts as if the network cable is unplugged, thus releasing its DHCP
binding on the interface. Once the port is brought back up from the shutdown state, the client
performs a DHCP renewal or discovery, as if it were connecting to the network for the first time.
Since the switch port is now on a different VLAN, the client receives a new IP address that is valid
for the access subnet.
7. With an IP address on the Access VLAN (x.x.10.x), the client now transmits traffic on the trusted
network, on the Access VLAN specified in the Port Profile.
8. Once the client is on the Access VLAN, the client’s traffic no longer goes through the CAS.
Note If the Cisco NAC Appliance system somehow terminates the OOB client session (if the system
administrator is forced to “kick” the user out, for example) and the switch changes the VLAN
assignment for the client’s access port from the Access VLAN back to the Authentication
VLAN, the client machine discovers the VLAN change and, if configured, initiates an IP address
refresh/renew to ensure the user stays connected to the network. For details on the polling
method and configuration guidelines, see Configure Access to Authentication VLAN Change
Detection, page 3-67.
9. For certified clients, the Port Profile form (OOB Management > Profiles > Port > New/Edit)
provides the following options (see Add Port Profile, page 3-34). You can switch the client to:
• The Access VLAN specified in the Port Profile form.
• The Access VLAN specified for the user role of the client, if you choose to use a role-based port
profile (see Figure 3-9 on page 3-27 for details).
- Manager Configuration Guide 1
- CONTENTS 3
- Contents 10
- OL-28003-01 10
- About This Guide 19
- Document Organization 20
- Document Conventions 21
- New Features in this Release 21
- Product Documentation 22
- Documentation Updates 23
- Introduction 25
- Chapter 1 Introduction 26
- Clean Access Manager (CAM) 29
- Clean Access Server (CAS) 29
- Client Login Overview 30
- Cisco NAC Appliance Agents 38
- Cisco NAC Web Agent 40
- Network Scanner 41
- Managing Users 44
- Publishing Information 47
- Admin Console Summary 48
- Servers, Adding Filters 51
- Global and Local Settings 59
- Adding Multiple Entries 62
- Figure 2-6 Endpoint Summary 69
- Configure Device Filters 70
- Figure 2-7 New Device Filter 71
- Test Device Filter Policies 75
- Configure Subnet Filters 77
- Limitations 79
- Map Endpoint Policies 83
- View Rules 85
- Edit Rules 85
- Delete Rules 86
- Order Rules 86
- Cisco ISE is not reachable 89
- Deployment 91
- In-Band Versus Out-of-Band 92
- Out-of-Band Requirements 92
- Flow for OOB VGW Mode 98
- Deployment Modes 100
- L3 Out-of-Band Deployment 103
- Configure Your Switches 104
- • Switch configuration level: 108
- CAT 2950 109
- Internet 109
- CAT 3550 109
- Switch Configuration 111
- CAM/CAS Configuration 111
- List of MIBs and OIDs 112
- Configure Group Profiles 118
- Add Group Profile 119
- Edit Group Profile 119
- Configure Switch Profiles 120
- Add Switch Profile 121
- Configure Port Profiles 123
- Add Port Profile 124
- Configure VLAN Profiles 130
- Add VLAN Profile 132
- Edit VLAN Profile 133
- Configure SNMP Receiver 134
- Advanced Settings 135
- To Change Default SNMP 136
- Add and Manage Switches 138
- Add New Switch 139
- Search New Switches 140
- Verify Devices 141
- Discovered Clients 142
- Manage Switch Ports 144
- Figure 3-34 Ports Tab 145
- • Profile (2) 150
- Config Tab 153
- Advanced 154
- Linkdown Traps 154
- Port Security 155
- Enabling Port Security 155
- Re-Enabling MAC Notification 156
- Figure 3-41 Config Group 157
- • L2 OOB Real IP Gateway 157
- Out-of-Band Users 158
- OOB Troubleshooting 161
- Troubleshooting SNMP 162
- Unknown User Name 163
- Wrong Digest 163
- Authorization Error 163
- Unsupported Security Level 163
- No Access 163
- OOB Client MAC/IP Not Found 164
- Additional Information 164
- Overview 165
- DHCP Bridging Mode 167
- SNMP Control 168
- SNMP Trap 183
- Discovered Wireless Clients 188
- Figure 4-22 Config > Group 190
- Wireless Out-of-Band Users 191
- User Login Page 193
- Proxy Settings 194
- Add Default Login Page 195
- Agent Login 198
- Web Login 198
- Customize Login Page Content 200
- Upload a Resource File 205
- Customize Login Page Styles 206
- Guest User Access 209
- Local Users 215
- Create User Roles 216
- User Role Types 217
- Normal Login Role 218
- Session Timeouts 220
- Default Login Page 221
- Traffic Policies for Roles 221
- Adding a New User Role 221
- Role Properties 223
- Editing an Existing Role 228
- Create Local User Accounts 229
- Local Authentication 233
- Providers 233
- Mapping Rules 233
- FIPS 140-2 Compliance 233
- Kerberos 235
- Set Up the IPSec Tunnel 239
- (Figure 7-8) 243
- Click Add 243
- Windows NT 245
- Multiple Domain SSL 251
- Windows NetBIOS SSO 252
- Cisco VPN SSO 254
- Add Cisco VPN SSO Auth Server 255
- Allow All 256
- AD/LDAP Configuration Example 259
- Configure Mapping Rule 262
- Add Mapping Rule to Role (B) 265
- Editing Mapping Rules 267
- Auth Test 269
- Authentication Successful 270
- Authentication Failed 270
- RADIUS Accounting 271
- Data Fields 273
- Logout Event Data Fields 274
- Figure 7-39 Login Events 276
- Figure 7-40 Logout Events 276
- Figure 7-41 Shared Events 276
- Schedule 277
- Traffic Policy Priority 278
- Global vs. Local Scope 279
- Add IP-Based Policy 280
- Edit IP-Based Policy 283
- Enable Default Allowed Hosts 285
- Add Allowed Host 286
- Control Bandwidth Usage 289
- Session Timer 291
- Heartbeat Timer 291
- In-Band (L2) Sessions 292
- Example Traffic Policies 300
- Microsoft Xbox 301
- Other Game Ports 301
- Unauthenticated Role 303
- Agent Temporary Role 303
- Quarantine Role 303
- Step 7 Click Update 311
- Configure Out-of-Band Logoff 312
- Network Requirements 313
- Feature Limitations 314
- Enable Out-of-Band Logoff 315
- Troubleshooting OOB Logoff 315
- View Current Updates 318
- Agent Distribution 324
- Installation Page 326
- • nac_logo.gif 339
- • nac_login.xml 339
- • nacStrings_xx.xml 339
- Agent Login Screen 340
- Cisco NAC Agent MSI Installer 343
- Role Mapping 346
- AV Rules and AS Rules 349
- Verify AV/AS Support Info 350
- Create an AV Rule 353
- Create an AS Rule 359
- Prerequisites 364
- Custom Requirements 377
- Custom Rules 378
- Custom Checks 379
- Copying Checks and Rules 379
- Configuration Summary 380
- Create Custom Check 380
- Registry Checks 381
- File Checks 382
- Service Check 383
- Create a Custom Rule 384
- Validate Rules 386
- Create a Custom Requirement 387
- Map Requirements to Rules 397
- Validate Requirements 400
- Figure 9-48 Requirement List 401
- Downgrading the Agent 408
- Configure Agent Auto-Upgrade 409
- Uninstalling the Agent 410
- Uninstall Cisco NAC Agent 411
- Uninstall Mac OS X Agent 411
- Versioning 413
- Cisco Updates 413
- Cisco NAC Agent Download 415
- Cisco NAC Agent 416
- Figure 10-2 Login Page 417
- System Requirements 439
- Mac OS X Cisco NAC Agent 457
- Mac OS X Agent Prerequisites 458
- Mac OS X Agent Restrictions 462
- CAM/CAS Restrictions 462
- CCAAgent.app (Figure 10-76) 476
- Viewing Agent Reports 480
- Exporting Agent Reports 484
- Manage Certified Devices 489
- Add Exempt Device 491
- Add Floating Devices 495
- Report Settings 497
- CCA Servers 499
- Managed Switches 499
- Authentication Servers 500
- Custom Reports 501
- Figure 11-20 Generate Reports 502
- Generating a Report 503
- Scheduling Report Generation 504
- View Saved Templates 505
- View Executive Summary 505
- Configuration 506
- User Activity Log Files 506
- Online Users list 507
- Interpreting Active Users 508
- View Online Users 509
- In-Band Users 510
- Log Users Off the Network 513
- Display Settings 514
- Agent Troubleshooting 515
- Cisco NAC Web Agent Logs 516
- Client Cannot Connect/Login 517
- AV/AS Rule Troubleshooting 519
- Background 520
- Workaround 520
- Option 2 521
- Configuring Network Scanning 522
- User Page Summary 525
- Configure the Quarantine Role 527
- Uploading Plugins 528
- Deleting Plugins 529
- Configure General Setup 530
- Apply Plugins 531
- Configure Plugin Options 533
- Test Scanning 537
- View Scan Reports 538
- Monitoring Event Logs 546
- Interpreting Event Logs 549
- Table 13-2 Log Viewer Page 550
- Event Log Example 552
- Configuring Syslog Logging 554
- Cisco NAC Appliance Log Files 556
- Enable SNMP Polling/Alerts 558
- Add New Trapsink 560
- SNMP on Individual CAS 562
- Add New Trapsink to CAS 563
- Administering the CAM 564
- Failover 567
- Set System Time 568
- Manage CAM SSL Certificates 570
- Viewing Trusted CAs 580
- Removing Trusted CAs 581
- System Upgrade 587
- Licensing 588
- Remove Product Licenses 590
- Remove Legacy License Keys 590
- Policy Import/Export 591
- Example Scenarios 592
- Before You Start 593
- Configure the Master 595
- Configure the Receiver 598
- Perform Policy Sync 599
- Perform Manual Sync 600
- Perform Auto Sync 601
- View History Logs 602
- Support Logs 605
- Agent Logs 609
- Admin Users 610
- Figure 14-33 Admin Groups 611
- Figure 14-34 New Admin Group 612
- Login/Logout an Admin User 614
- Add an Admin User 614
- Edit an Admin User 615
- Active Admin User Sessions 616
- Manage System Passwords 619
- Backing Up the CAM Database 621
- Database Recovery Tool 627
- API Support 628
- Error and Event Log Messages 630
- CAM Event Log Messages 631
- Authentication Requirements 637
- Device Filter Operations 638
- Appendix B API Support 639
- User Operations 644
- Guest Access Operations 647
- Report Operations 649
- MIB Support 658
- Table C-1 CLEAN ACCESS - MIB 659
- Table C-2 SNMPv2-MIB 660
- Table C-3 RFC1213-MIB 660
- Table C-4 IP-MIB 661
- Table C-4 IP-MIB (continued) 662
- Ta b l e C - 5 U D P - M I B 664
- Table C-6 HOST-RESOURCES-MIB 664
- Appendix C MIB Support 665
- Ta b l e C - 7 M TA- M I B 666
- Table C-8 IF-MIB 666
- Table C-9 DISMAN-EVENT-MIB 667
- Table C-8 IF-MIB (continued) 667
- Table C-12 UCD-DLMOD-MIB 670
- Table C-13 NET-SNMP-AGENT-MIB 671
- Table C-16 SNMP-MPD-MIB 671
- Table C-17 SNMP-TARGET-MIB 672
- OpenSSL/Open SSL Project 674
- Original SSLeay License: 675
Verwandte Produkte und Handbücher für PC / Workstation Barebones HP 3350 - Cisco NAC Appliance
(136 Seiten)
(8 Seiten)
(175 Seiten)
(158 Seiten)© 2020, manymanuals.de. Alle Rechte vorbehalten. | 1.346 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Kommentare zu diesen Handbüchern