HP 3350 - Cisco NAC Appliance Spezifikationen Seite 160
- Seite / 681
- Inhaltsverzeichnis
- FEHLERBEHEBUNG
- LESEZEICHEN
Bewertet. / 5. Basierend auf Kundenbewertungen
3-70
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 3 Switch Management: Configuring Out-of-Band Deployment
Out-of-Band Users
Wired
Clients and
Wireless
Clients
• The Wired Clients and Wireless Clients lists (Figure 3-33 on page 3-53 and Figure 4-20 on page 4-24)
record the activities of Out-of-Band clients (regardless of VLAN), based on the SNMP trap information
that the CAM receives.
• For Wired OOB clients, the CAM adds a client’s MAC address, originating switch IP address, and switch
port number to the Out-of-Band Discovered Clients list after receiving SNMP trap information for the
client from the switch. The CAM updates the entry as it receives SNMP trap information for the client.
• For Wireless OOB clients, the CAM adds a client’s MAC address, IP address, associated WLC, Access
Point MAC address, and Authentication (Quarantine) and Access VLAN assignments to the Wireless
Clients list. Thereafter, the CAM updates the entry as it receives new SNMP trap information for the
wireless client.
• Removing an entry from the Wired Clients or Wireless Clients list clears this status information for the
OOB client from the CAM.
Note For Wired OOB clients, an entry must exist in the Wired Clients list in order for the CAM to determine
the switch port for which to change the VLAN. If the user is logging in at the same time that an entry
in the Discovered Clients list is deleted, the CAM will not be able to detect the switch port.
Out-of-Band
Online Users
• The Out-of-Band Online Users list (Figure 11-25 on page 11-32) tracks all authenticated Out-of-Band
users that are on the Access VLAN (on the trusted network).
• The CAM adds the client MAC address to the Out-of-Band Online Users list after a client is switched to
the Access VLAN.
Note The “User IP” of an OOB online user is the IP address of the user on the Authentication VLAN. By
definition Cisco NAC Appliance does not track users once they are on the Access VLAN; therefore
OOB users are tracked by the Authentication VLAN IP address they have while in the Cisco NAC
Appliance network.
• When a user is removed from the Out-of-Band Online Users list, the CAM instructs the switch or
Wireless LAN Controller to change the VLAN of the port from the Access VLAN to the Authentication
VLAN.
Note For Wired OOB clients, if the Cisco NAC Appliance system somehow terminates the OOB client
session (if the system administrator is forced to “kick” the user out, for example) and the switch
changes the VLAN assignment for the client’s access port from the Access VLAN back to the
Authentication VLAN, the client machine discovers the VLAN change and, if configured, initiates an
IP address refresh/renew to ensure the user stays connected to the network. For details on the polling
method and configuration guidelines, see Configure Access to Authentication VLAN Change
Detection, page 3-67.
• Additionally, if Bounce the port after VLAN is changed is checked for the Port Profile (Real-IP
gateways), the following occurs:
1. The CAM bounces the switch port (off and on).
2. The switch resends SNMP traps to the CAM.
3. The CAM discovers the device connected to the switch port from SNMP MAC change
notification/MAC move notification or linkup traps received.
4. The port is assigned the Auth VLAN if the device is not certified.
5. The CAM changes the VLAN of the port according to the Port Profile configuration
Table 3-4 Wired and Wireless User List Summary
User List Description
- Manager Configuration Guide 1
- CONTENTS 3
- Contents 10
- OL-28003-01 10
- About This Guide 19
- Document Organization 20
- Document Conventions 21
- New Features in this Release 21
- Product Documentation 22
- Documentation Updates 23
- Introduction 25
- Chapter 1 Introduction 26
- Clean Access Manager (CAM) 29
- Clean Access Server (CAS) 29
- Client Login Overview 30
- Cisco NAC Appliance Agents 38
- Cisco NAC Web Agent 40
- Network Scanner 41
- Managing Users 44
- Publishing Information 47
- Admin Console Summary 48
- Servers, Adding Filters 51
- Global and Local Settings 59
- Adding Multiple Entries 62
- Figure 2-6 Endpoint Summary 69
- Configure Device Filters 70
- Figure 2-7 New Device Filter 71
- Test Device Filter Policies 75
- Configure Subnet Filters 77
- Limitations 79
- Map Endpoint Policies 83
- View Rules 85
- Edit Rules 85
- Delete Rules 86
- Order Rules 86
- Cisco ISE is not reachable 89
- Deployment 91
- In-Band Versus Out-of-Band 92
- Out-of-Band Requirements 92
- Flow for OOB VGW Mode 98
- Deployment Modes 100
- L3 Out-of-Band Deployment 103
- Configure Your Switches 104
- • Switch configuration level: 108
- CAT 2950 109
- Internet 109
- CAT 3550 109
- Switch Configuration 111
- CAM/CAS Configuration 111
- List of MIBs and OIDs 112
- Configure Group Profiles 118
- Add Group Profile 119
- Edit Group Profile 119
- Configure Switch Profiles 120
- Add Switch Profile 121
- Configure Port Profiles 123
- Add Port Profile 124
- Configure VLAN Profiles 130
- Add VLAN Profile 132
- Edit VLAN Profile 133
- Configure SNMP Receiver 134
- Advanced Settings 135
- To Change Default SNMP 136
- Add and Manage Switches 138
- Add New Switch 139
- Search New Switches 140
- Verify Devices 141
- Discovered Clients 142
- Manage Switch Ports 144
- Figure 3-34 Ports Tab 145
- • Profile (2) 150
- Config Tab 153
- Advanced 154
- Linkdown Traps 154
- Port Security 155
- Enabling Port Security 155
- Re-Enabling MAC Notification 156
- Figure 3-41 Config Group 157
- • L2 OOB Real IP Gateway 157
- Out-of-Band Users 158
- OOB Troubleshooting 161
- Troubleshooting SNMP 162
- Unknown User Name 163
- Wrong Digest 163
- Authorization Error 163
- Unsupported Security Level 163
- No Access 163
- OOB Client MAC/IP Not Found 164
- Additional Information 164
- Overview 165
- DHCP Bridging Mode 167
- SNMP Control 168
- SNMP Trap 183
- Discovered Wireless Clients 188
- Figure 4-22 Config > Group 190
- Wireless Out-of-Band Users 191
- User Login Page 193
- Proxy Settings 194
- Add Default Login Page 195
- Agent Login 198
- Web Login 198
- Customize Login Page Content 200
- Upload a Resource File 205
- Customize Login Page Styles 206
- Guest User Access 209
- Local Users 215
- Create User Roles 216
- User Role Types 217
- Normal Login Role 218
- Session Timeouts 220
- Default Login Page 221
- Traffic Policies for Roles 221
- Adding a New User Role 221
- Role Properties 223
- Editing an Existing Role 228
- Create Local User Accounts 229
- Local Authentication 233
- Providers 233
- Mapping Rules 233
- FIPS 140-2 Compliance 233
- Kerberos 235
- Set Up the IPSec Tunnel 239
- (Figure 7-8) 243
- Click Add 243
- Windows NT 245
- Multiple Domain SSL 251
- Windows NetBIOS SSO 252
- Cisco VPN SSO 254
- Add Cisco VPN SSO Auth Server 255
- Allow All 256
- AD/LDAP Configuration Example 259
- Configure Mapping Rule 262
- Add Mapping Rule to Role (B) 265
- Editing Mapping Rules 267
- Auth Test 269
- Authentication Successful 270
- Authentication Failed 270
- RADIUS Accounting 271
- Data Fields 273
- Logout Event Data Fields 274
- Figure 7-39 Login Events 276
- Figure 7-40 Logout Events 276
- Figure 7-41 Shared Events 276
- Schedule 277
- Traffic Policy Priority 278
- Global vs. Local Scope 279
- Add IP-Based Policy 280
- Edit IP-Based Policy 283
- Enable Default Allowed Hosts 285
- Add Allowed Host 286
- Control Bandwidth Usage 289
- Session Timer 291
- Heartbeat Timer 291
- In-Band (L2) Sessions 292
- Example Traffic Policies 300
- Microsoft Xbox 301
- Other Game Ports 301
- Unauthenticated Role 303
- Agent Temporary Role 303
- Quarantine Role 303
- Step 7 Click Update 311
- Configure Out-of-Band Logoff 312
- Network Requirements 313
- Feature Limitations 314
- Enable Out-of-Band Logoff 315
- Troubleshooting OOB Logoff 315
- View Current Updates 318
- Agent Distribution 324
- Installation Page 326
- • nac_logo.gif 339
- • nac_login.xml 339
- • nacStrings_xx.xml 339
- Agent Login Screen 340
- Cisco NAC Agent MSI Installer 343
- Role Mapping 346
- AV Rules and AS Rules 349
- Verify AV/AS Support Info 350
- Create an AV Rule 353
- Create an AS Rule 359
- Prerequisites 364
- Custom Requirements 377
- Custom Rules 378
- Custom Checks 379
- Copying Checks and Rules 379
- Configuration Summary 380
- Create Custom Check 380
- Registry Checks 381
- File Checks 382
- Service Check 383
- Create a Custom Rule 384
- Validate Rules 386
- Create a Custom Requirement 387
- Map Requirements to Rules 397
- Validate Requirements 400
- Figure 9-48 Requirement List 401
- Downgrading the Agent 408
- Configure Agent Auto-Upgrade 409
- Uninstalling the Agent 410
- Uninstall Cisco NAC Agent 411
- Uninstall Mac OS X Agent 411
- Versioning 413
- Cisco Updates 413
- Cisco NAC Agent Download 415
- Cisco NAC Agent 416
- Figure 10-2 Login Page 417
- System Requirements 439
- Mac OS X Cisco NAC Agent 457
- Mac OS X Agent Prerequisites 458
- Mac OS X Agent Restrictions 462
- CAM/CAS Restrictions 462
- CCAAgent.app (Figure 10-76) 476
- Viewing Agent Reports 480
- Exporting Agent Reports 484
- Manage Certified Devices 489
- Add Exempt Device 491
- Add Floating Devices 495
- Report Settings 497
- CCA Servers 499
- Managed Switches 499
- Authentication Servers 500
- Custom Reports 501
- Figure 11-20 Generate Reports 502
- Generating a Report 503
- Scheduling Report Generation 504
- View Saved Templates 505
- View Executive Summary 505
- Configuration 506
- User Activity Log Files 506
- Online Users list 507
- Interpreting Active Users 508
- View Online Users 509
- In-Band Users 510
- Log Users Off the Network 513
- Display Settings 514
- Agent Troubleshooting 515
- Cisco NAC Web Agent Logs 516
- Client Cannot Connect/Login 517
- AV/AS Rule Troubleshooting 519
- Background 520
- Workaround 520
- Option 2 521
- Configuring Network Scanning 522
- User Page Summary 525
- Configure the Quarantine Role 527
- Uploading Plugins 528
- Deleting Plugins 529
- Configure General Setup 530
- Apply Plugins 531
- Configure Plugin Options 533
- Test Scanning 537
- View Scan Reports 538
- Monitoring Event Logs 546
- Interpreting Event Logs 549
- Table 13-2 Log Viewer Page 550
- Event Log Example 552
- Configuring Syslog Logging 554
- Cisco NAC Appliance Log Files 556
- Enable SNMP Polling/Alerts 558
- Add New Trapsink 560
- SNMP on Individual CAS 562
- Add New Trapsink to CAS 563
- Administering the CAM 564
- Failover 567
- Set System Time 568
- Manage CAM SSL Certificates 570
- Viewing Trusted CAs 580
- Removing Trusted CAs 581
- System Upgrade 587
- Licensing 588
- Remove Product Licenses 590
- Remove Legacy License Keys 590
- Policy Import/Export 591
- Example Scenarios 592
- Before You Start 593
- Configure the Master 595
- Configure the Receiver 598
- Perform Policy Sync 599
- Perform Manual Sync 600
- Perform Auto Sync 601
- View History Logs 602
- Support Logs 605
- Agent Logs 609
- Admin Users 610
- Figure 14-33 Admin Groups 611
- Figure 14-34 New Admin Group 612
- Login/Logout an Admin User 614
- Add an Admin User 614
- Edit an Admin User 615
- Active Admin User Sessions 616
- Manage System Passwords 619
- Backing Up the CAM Database 621
- Database Recovery Tool 627
- API Support 628
- Error and Event Log Messages 630
- CAM Event Log Messages 631
- Authentication Requirements 637
- Device Filter Operations 638
- Appendix B API Support 639
- User Operations 644
- Guest Access Operations 647
- Report Operations 649
- MIB Support 658
- Table C-1 CLEAN ACCESS - MIB 659
- Table C-2 SNMPv2-MIB 660
- Table C-3 RFC1213-MIB 660
- Table C-4 IP-MIB 661
- Table C-4 IP-MIB (continued) 662
- Ta b l e C - 5 U D P - M I B 664
- Table C-6 HOST-RESOURCES-MIB 664
- Appendix C MIB Support 665
- Ta b l e C - 7 M TA- M I B 666
- Table C-8 IF-MIB 666
- Table C-9 DISMAN-EVENT-MIB 667
- Table C-8 IF-MIB (continued) 667
- Table C-12 UCD-DLMOD-MIB 670
- Table C-13 NET-SNMP-AGENT-MIB 671
- Table C-16 SNMP-MPD-MIB 671
- Table C-17 SNMP-TARGET-MIB 672
- OpenSSL/Open SSL Project 674
- Original SSLeay License: 675
Verwandte Produkte und Handbücher für PC / Workstation Barebones HP 3350 - Cisco NAC Appliance
(136 Seiten)
(8 Seiten)
(175 Seiten)
(158 Seiten)© 2020, manymanuals.de. Alle Rechte vorbehalten. | 1.106 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Kommentare zu diesen Handbüchern