HP 3350 - Cisco NAC Appliance Spezifikationen Seite 99
- Seite / 681
- Inhaltsverzeichnis
- FEHLERBEHEBUNG
- LESEZEICHEN
Bewertet. / 5. Basierend auf Kundenbewertungen
3-9
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 3 Switch Management: Configuring Out-of-Band Deployment
Deployment Modes
Note To support a variety of switch configurations, Cisco NAC Appliance supports switches using both MAC
Change Notification and MAC Move Notification traps.
3. The client attempts to acquire a DHCP address. The core L2 switch forwards all Auth VLAN traffic
to the Out-of-Band Virtual Gateway CAS.
4. The CAS receives the VLAN 100 traffic on its untrusted interface (via the 802.1q trunk).
5. With VLAN mapping rules already configured to map the Auth VLAN to the Access VLAN (under
Device Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping), the
CAS retags the allowed DHCP traffic from VLAN 100 on its untrusted side to VLAN 10 on its
trusted side and forwards the retagged traffic on its trusted interface to the L3 router/DHCP server.
Note When the CAS is a Virtual Gateway, it can only be in DHCP Passthrough mode. When VLAN mapping
is used for Out-of-Band, the default permissions on the filters transparently allow DNS and DHCP traffic
from the untrusted interface, and no additional traffic control policies need to be configured. See the
Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x) for details on VLAN
mapping.
6. From the router’s point of view, this is a request from VLAN 10. The router returns the DHCP
response to VLAN 10 on the CAS.
7. With VLAN mapping rules enabled, the CAS retags the allowed traffic (on the 802.1q trunk) from
VLAN 10 to VLAN 100 and forwards the DHCP response to the initiating client.
8. The client authenticates through the Clean Access Server via web login or the Agent. If configured,
the client goes through posture assessment, all the while transmitting and receiving traffic on the
Auth VLAN (100) to the CAS. All traffic that is permitted for remediation is allowed to pass through
the CAS, and is placed on VLAN 10. If the traffic is not permitted, it is dropped. When certified, the
client is placed on the Certified Devices List.
9. At this point, CAM sends an SNMP SET trap to the switch instructing it to change the client port
from the Auth VLAN (100) to the Access VLAN (10) (as specified in the Port Profile), and puts the
MAC address of the client in the OOB Online Users list (Monitoring > Online Users > View
Online Users > Out-of-Band).
10. Because this is an OOB Virtual Gateway deployment, and the client already has an IP address
associated with the Access VLAN, the client port is not bounced after it is switched to the Access
VLAN.
11. Once the client is on the Access VLAN, the client is on the trusted network and the client’s traffic
no longer goes through the Clean Access Server.
Note If the Cisco NAC Appliance system somehow terminates the OOB client session (if the system
administrator is forced to “kick” the user out, for example) and the switch changes the VLAN assignment
for the client’s access port from the Access VLAN back to the Authentication VLAN, the client machine
discovers the VLAN change and, if configured, initiates an IP address refresh/renew to ensure the user
stays connected to the network. For details on the polling method and configuration guidelines, see
Configure Access to Authentication VLAN Change Detection, page 3-67.
- Manager Configuration Guide 1
- CONTENTS 3
- Contents 10
- OL-28003-01 10
- About This Guide 19
- Document Organization 20
- Document Conventions 21
- New Features in this Release 21
- Product Documentation 22
- Documentation Updates 23
- Introduction 25
- Chapter 1 Introduction 26
- Clean Access Manager (CAM) 29
- Clean Access Server (CAS) 29
- Client Login Overview 30
- Cisco NAC Appliance Agents 38
- Cisco NAC Web Agent 40
- Network Scanner 41
- Managing Users 44
- Publishing Information 47
- Admin Console Summary 48
- Servers, Adding Filters 51
- Global and Local Settings 59
- Adding Multiple Entries 62
- Figure 2-6 Endpoint Summary 69
- Configure Device Filters 70
- Figure 2-7 New Device Filter 71
- Test Device Filter Policies 75
- Configure Subnet Filters 77
- Limitations 79
- Map Endpoint Policies 83
- View Rules 85
- Edit Rules 85
- Delete Rules 86
- Order Rules 86
- Cisco ISE is not reachable 89
- Deployment 91
- In-Band Versus Out-of-Band 92
- Out-of-Band Requirements 92
- Flow for OOB VGW Mode 98
- Deployment Modes 100
- L3 Out-of-Band Deployment 103
- Configure Your Switches 104
- • Switch configuration level: 108
- CAT 2950 109
- Internet 109
- CAT 3550 109
- Switch Configuration 111
- CAM/CAS Configuration 111
- List of MIBs and OIDs 112
- Configure Group Profiles 118
- Add Group Profile 119
- Edit Group Profile 119
- Configure Switch Profiles 120
- Add Switch Profile 121
- Configure Port Profiles 123
- Add Port Profile 124
- Configure VLAN Profiles 130
- Add VLAN Profile 132
- Edit VLAN Profile 133
- Configure SNMP Receiver 134
- Advanced Settings 135
- To Change Default SNMP 136
- Add and Manage Switches 138
- Add New Switch 139
- Search New Switches 140
- Verify Devices 141
- Discovered Clients 142
- Manage Switch Ports 144
- Figure 3-34 Ports Tab 145
- • Profile (2) 150
- Config Tab 153
- Advanced 154
- Linkdown Traps 154
- Port Security 155
- Enabling Port Security 155
- Re-Enabling MAC Notification 156
- Figure 3-41 Config Group 157
- • L2 OOB Real IP Gateway 157
- Out-of-Band Users 158
- OOB Troubleshooting 161
- Troubleshooting SNMP 162
- Unknown User Name 163
- Wrong Digest 163
- Authorization Error 163
- Unsupported Security Level 163
- No Access 163
- OOB Client MAC/IP Not Found 164
- Additional Information 164
- Overview 165
- DHCP Bridging Mode 167
- SNMP Control 168
- SNMP Trap 183
- Discovered Wireless Clients 188
- Figure 4-22 Config > Group 190
- Wireless Out-of-Band Users 191
- User Login Page 193
- Proxy Settings 194
- Add Default Login Page 195
- Agent Login 198
- Web Login 198
- Customize Login Page Content 200
- Upload a Resource File 205
- Customize Login Page Styles 206
- Guest User Access 209
- Local Users 215
- Create User Roles 216
- User Role Types 217
- Normal Login Role 218
- Session Timeouts 220
- Default Login Page 221
- Traffic Policies for Roles 221
- Adding a New User Role 221
- Role Properties 223
- Editing an Existing Role 228
- Create Local User Accounts 229
- Local Authentication 233
- Providers 233
- Mapping Rules 233
- FIPS 140-2 Compliance 233
- Kerberos 235
- Set Up the IPSec Tunnel 239
- (Figure 7-8) 243
- Click Add 243
- Windows NT 245
- Multiple Domain SSL 251
- Windows NetBIOS SSO 252
- Cisco VPN SSO 254
- Add Cisco VPN SSO Auth Server 255
- Allow All 256
- AD/LDAP Configuration Example 259
- Configure Mapping Rule 262
- Add Mapping Rule to Role (B) 265
- Editing Mapping Rules 267
- Auth Test 269
- Authentication Successful 270
- Authentication Failed 270
- RADIUS Accounting 271
- Data Fields 273
- Logout Event Data Fields 274
- Figure 7-39 Login Events 276
- Figure 7-40 Logout Events 276
- Figure 7-41 Shared Events 276
- Schedule 277
- Traffic Policy Priority 278
- Global vs. Local Scope 279
- Add IP-Based Policy 280
- Edit IP-Based Policy 283
- Enable Default Allowed Hosts 285
- Add Allowed Host 286
- Control Bandwidth Usage 289
- Session Timer 291
- Heartbeat Timer 291
- In-Band (L2) Sessions 292
- Example Traffic Policies 300
- Microsoft Xbox 301
- Other Game Ports 301
- Unauthenticated Role 303
- Agent Temporary Role 303
- Quarantine Role 303
- Step 7 Click Update 311
- Configure Out-of-Band Logoff 312
- Network Requirements 313
- Feature Limitations 314
- Enable Out-of-Band Logoff 315
- Troubleshooting OOB Logoff 315
- View Current Updates 318
- Agent Distribution 324
- Installation Page 326
- • nac_logo.gif 339
- • nac_login.xml 339
- • nacStrings_xx.xml 339
- Agent Login Screen 340
- Cisco NAC Agent MSI Installer 343
- Role Mapping 346
- AV Rules and AS Rules 349
- Verify AV/AS Support Info 350
- Create an AV Rule 353
- Create an AS Rule 359
- Prerequisites 364
- Custom Requirements 377
- Custom Rules 378
- Custom Checks 379
- Copying Checks and Rules 379
- Configuration Summary 380
- Create Custom Check 380
- Registry Checks 381
- File Checks 382
- Service Check 383
- Create a Custom Rule 384
- Validate Rules 386
- Create a Custom Requirement 387
- Map Requirements to Rules 397
- Validate Requirements 400
- Figure 9-48 Requirement List 401
- Downgrading the Agent 408
- Configure Agent Auto-Upgrade 409
- Uninstalling the Agent 410
- Uninstall Cisco NAC Agent 411
- Uninstall Mac OS X Agent 411
- Versioning 413
- Cisco Updates 413
- Cisco NAC Agent Download 415
- Cisco NAC Agent 416
- Figure 10-2 Login Page 417
- System Requirements 439
- Mac OS X Cisco NAC Agent 457
- Mac OS X Agent Prerequisites 458
- Mac OS X Agent Restrictions 462
- CAM/CAS Restrictions 462
- CCAAgent.app (Figure 10-76) 476
- Viewing Agent Reports 480
- Exporting Agent Reports 484
- Manage Certified Devices 489
- Add Exempt Device 491
- Add Floating Devices 495
- Report Settings 497
- CCA Servers 499
- Managed Switches 499
- Authentication Servers 500
- Custom Reports 501
- Figure 11-20 Generate Reports 502
- Generating a Report 503
- Scheduling Report Generation 504
- View Saved Templates 505
- View Executive Summary 505
- Configuration 506
- User Activity Log Files 506
- Online Users list 507
- Interpreting Active Users 508
- View Online Users 509
- In-Band Users 510
- Log Users Off the Network 513
- Display Settings 514
- Agent Troubleshooting 515
- Cisco NAC Web Agent Logs 516
- Client Cannot Connect/Login 517
- AV/AS Rule Troubleshooting 519
- Background 520
- Workaround 520
- Option 2 521
- Configuring Network Scanning 522
- User Page Summary 525
- Configure the Quarantine Role 527
- Uploading Plugins 528
- Deleting Plugins 529
- Configure General Setup 530
- Apply Plugins 531
- Configure Plugin Options 533
- Test Scanning 537
- View Scan Reports 538
- Monitoring Event Logs 546
- Interpreting Event Logs 549
- Table 13-2 Log Viewer Page 550
- Event Log Example 552
- Configuring Syslog Logging 554
- Cisco NAC Appliance Log Files 556
- Enable SNMP Polling/Alerts 558
- Add New Trapsink 560
- SNMP on Individual CAS 562
- Add New Trapsink to CAS 563
- Administering the CAM 564
- Failover 567
- Set System Time 568
- Manage CAM SSL Certificates 570
- Viewing Trusted CAs 580
- Removing Trusted CAs 581
- System Upgrade 587
- Licensing 588
- Remove Product Licenses 590
- Remove Legacy License Keys 590
- Policy Import/Export 591
- Example Scenarios 592
- Before You Start 593
- Configure the Master 595
- Configure the Receiver 598
- Perform Policy Sync 599
- Perform Manual Sync 600
- Perform Auto Sync 601
- View History Logs 602
- Support Logs 605
- Agent Logs 609
- Admin Users 610
- Figure 14-33 Admin Groups 611
- Figure 14-34 New Admin Group 612
- Login/Logout an Admin User 614
- Add an Admin User 614
- Edit an Admin User 615
- Active Admin User Sessions 616
- Manage System Passwords 619
- Backing Up the CAM Database 621
- Database Recovery Tool 627
- API Support 628
- Error and Event Log Messages 630
- CAM Event Log Messages 631
- Authentication Requirements 637
- Device Filter Operations 638
- Appendix B API Support 639
- User Operations 644
- Guest Access Operations 647
- Report Operations 649
- MIB Support 658
- Table C-1 CLEAN ACCESS - MIB 659
- Table C-2 SNMPv2-MIB 660
- Table C-3 RFC1213-MIB 660
- Table C-4 IP-MIB 661
- Table C-4 IP-MIB (continued) 662
- Ta b l e C - 5 U D P - M I B 664
- Table C-6 HOST-RESOURCES-MIB 664
- Appendix C MIB Support 665
- Ta b l e C - 7 M TA- M I B 666
- Table C-8 IF-MIB 666
- Table C-9 DISMAN-EVENT-MIB 667
- Table C-8 IF-MIB (continued) 667
- Table C-12 UCD-DLMOD-MIB 670
- Table C-13 NET-SNMP-AGENT-MIB 671
- Table C-16 SNMP-MPD-MIB 671
- Table C-17 SNMP-TARGET-MIB 672
- OpenSSL/Open SSL Project 674
- Original SSLeay License: 675
Verwandte Produkte und Handbücher für PC / Workstation Barebones HP 3350 - Cisco NAC Appliance
(136 Seiten)
(8 Seiten)
(175 Seiten)
(158 Seiten)© 2020, manymanuals.de. Alle Rechte vorbehalten. | 2.218 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Kommentare zu diesen Handbüchern