On Thu, May 7, 2009 at 1:03 PM, Diego Cossetta <[email protected]> wrote:

> >
> > In-Band mode works by having the routing interface (the
> > default gateway) be the CAS server.  There is no VLAN switching on
> > the port itself.
>

WHOOPS, I have to correct myself before we get too far off target.  I meant
InBand Real IP gateway mode in that comment.

However, for InBand VirtualGateway, there is NO VLAN port switching at the
Switchport level.  CCA is not aware of the switch ports at all.


> - Actually we connect the access points and switches using "NAC
> controlled" ports (when you setup the port profile - under "Switch
> Management > Profiles > Port" section - you have to specify the Auth
> VLAN and Default Access VLAN for that port profile): is it correct that
> the switch port is under NAC control (on a fixed VLAN)? (I think so...
> If not, CAS will never intercept/manages communications on that port...)
>

No I do not think this is correct.  I'm hoping someone will jump in and
confirm this for me, since it's been a few years since I've done a
VirtualGateway deployment.


> You wrote: "You do NOT specify ports in IN-VG mode"; what did U mean? Do
> U mean that in IB-VG mode we don't have to use NAC controlled ports on
> switch?
>

See this Cisco graphic for an overview
http://www.cisco.com/en/US/i/100001-200000/180001-190000/183001-184000/183453.jpg

When the CAS is a Virtual Gateway:

• The CAS and CAM *must* be on different subnets.

• eth0 and eth1 of the Clean Access Server can have the same IP address.

• All end devices in the bridged subnet must be on the untrusted side of the
CAS.

• The CAS should be configured for DHCP forwarding.

• Make sure to configure managed subnets for the CAS. For the example in
Figure 1-2 <http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cas/s_deploy.html#wp1050986>,
you would configure two managed subnets:

  – 10.1.1.2 / 255.255.255.0 1001

  – 10.1.2.2 / 255.255.255.0 1002

When the CAS is an Out-of-Band Virtual Gateway, the following also applies:

• The CAS and CAM must be on different VLANs.

• The CAS should be on a different VLAN than the user or Access VLANs.
------------------------------

*Note*

• For Virtual Gateway (In-Band or OOB), Cisco recommends connecting the
untrusted interface (eth1) of the CAS to the switch only *after* the CAS has
been added to the CAM via the web console.

• For Virtual Gateway with VLAN mapping (In-Band or OOB), the untrusted
interface (eth1) of the CAS should not be connected to the switch until VLAN
mapping has been configured correctly under *Device Management > CCA Servers
> Manage [CAS_IP] > Advanced > VLAN Mapping*. See Configure VLAN Mapping,
page 5-37 <http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cas/s_addSrvr.html#wpxref95183>.


>
> - Are static routes required on CAS config (Device Management > Clean
> Access Servers > CAS_IP > Advanced > Static Routes)?
>

It depends if you need a static route. (I know that is a vague answer,
but it's a vague question)  Do you need static routes beyond a default
route?  If not, no you don't.
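The Virtual Gateway constraints pasted above (CAS and CAM on different subnets, distinct managed-subnet VLANs, and for OOB a CAS VLAN separate from the CAM and Access VLANs) are easy to get wrong on paper, so here is a small pre-deployment checker as an added example; it is not part of the thread or of Cisco's product. The managed subnets are the two from the quoted figure; the CAM/CAS addresses, VLAN numbers and the overlap test are assumptions.

```python
import ipaddress


def check_virtual_gateway(cam, cas_eth0, managed_subnets,
                          oob=False, cam_vlan=None, cas_vlan=None, access_vlans=()):
    """Return a list of constraint violations (empty list means the plan passes).

    cam, cas_eth0: "ip/netmask" strings; managed_subnets: (ip, netmask, vlan) tuples.
    """
    problems = []
    cam_if = ipaddress.ip_interface(cam)
    cas_if = ipaddress.ip_interface(cas_eth0)

    # Virtual Gateway: CAS and CAM must sit on different subnets
    # (eth0 and eth1 of the CAS may share one address, so that is not checked).
    if cam_if.network == cas_if.network:
        problems.append(f"CAS {cas_if} and CAM {cam_if} share subnet {cam_if.network}")

    seen_vlans, nets = set(), []
    for ip, mask, vlan in managed_subnets:
        try:
            net = ipaddress.ip_interface(f"{ip}/{mask}").network
        except ValueError as exc:
            problems.append(f"managed subnet {ip}/{mask}: {exc}")
            continue
        if not 1 <= vlan <= 4094:
            problems.append(f"managed subnet {net}: VLAN {vlan} out of range")
        if vlan in seen_vlans:
            problems.append(f"managed subnet {net}: VLAN {vlan} used twice")
        seen_vlans.add(vlan)
        # Overlap between managed subnets is an added sanity check, not a rule from the thread.
        for other in nets:
            if net.overlaps(other):
                problems.append(f"managed subnets {net} and {other} overlap")
        nets.append(net)

    if oob:
        # OOB Virtual Gateway: CAS and CAM on different VLANs; CAS VLAN not a user/Access VLAN.
        if cam_vlan is not None and cam_vlan == cas_vlan:
            problems.append(f"OOB: CAS and CAM both on VLAN {cas_vlan}")
        if cas_vlan in access_vlans:
            problems.append(f"OOB: CAS VLAN {cas_vlan} is also a user/Access VLAN")
    return problems


# Constructed input: managed subnets from the quoted Cisco figure, other values assumed.
EXAMPLE_MANAGED = [("10.1.1.2", "255.255.255.0", 1001),
                   ("10.1.2.2", "255.255.255.0", 1002)]

if __name__ == "__main__":
    for p in check_virtual_gateway("10.0.0.10/255.255.255.0", "10.0.1.5/255.255.255.0",
                                   EXAMPLE_MANAGED, oob=True, cam_vlan=10, cas_vlan=20,
                                   access_vlans=(100, 200)):
        print("PROBLEM:", p)
```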
