Inband Virtual Gateway Layer 2

The CAS is acting like a layer 2 switch. It is configured with only a 
management interface, with eth0 and eth1 having the same IP address.

The default gateways for the wireless networks exist beyond the trusted 
interface of the CAS, not on the CAS.

If the CAS is configured in a centralized, rather than an edge deployment, 
you must have VLAN mapping (between the untrusted-side and trusted-side 
wireless VLANs) configured on the CAS.

All wireless VLANs from the AP are configured as 'managed subnets' on the 
CAS with an unused IP address from their address range, and they have VLAN 
mappings configured (all of this is under Device Management > Clean Access 
Servers > Advanced).

The CAS is configured to pass through DHCP requests.

Traffic flow:

1. The wireless user authenticates with the AP and sends out a DHCP request
2. The CAS receives the DHCP request via the wireless VLAN on the 
untrusted interface, maps the packet via the VLAN mapping to the 
trusted-side VLAN and passes it out through the trusted interface to the 
wireless VLAN's default gateway
3. The wireless VLAN's default gateway interface passes the packet to the 
DHCP server via an IP helper address
4. The DHCP server receives the request, and sends the reply back through 
the wireless VLAN's gateway, the CAS trusted interface, out the CAS 
untrusted interface, to the AP, and finally back to the wireless user

            VLAN 110     VLAN 10    VLAN 20
user --- AP -------- CAS ------- GW ------- DHCP
             Trunk        Trunk

5. Now the user has an IP address, and the remaining NAC steps can begin 
(authentication, policy assessment, remediation, certification)


It might be helpful for you to check out the NAC ChalkTalk series at Cisco:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

Cheers,

Greg
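The traffic flow Greg describes, modelled as an added example that is not part of the original post and not Cisco code: a Python simulation in which the CAS acts as a Layer 2 bridge that only rewrites VLAN tags according to its untrusted-to-trusted VLAN mapping, the wireless VLAN's gateway relays the DHCP broadcast through an IP helper address, and the reply retraces the path back to the untrusted side. The VLAN numbers follow the ASCII diagram (110 on the AP side, 10 on the trusted side, 20 for the DHCP server); the addresses, MAC, class names and the `request_address` / `build_topology` helpers are constructed for the example. It also shows the failure mode the post warns about: a centralized CAS with no VLAN mapping drops the request at step 2.

```python
from dataclasses import dataclass, field

# Constructed values matching the post's ASCII diagram.
UNTRUSTED_VLAN = 110          # wireless VLAN on the AP / CAS untrusted side
TRUSTED_VLAN = 10             # the same wireless VLAN on the CAS trusted side
DHCP_VLAN = 20                # VLAN where the DHCP server lives
DHCP_SERVER_IP = "10.0.20.5"  # constructed: IP helper target on VLAN 20


@dataclass
class Frame:
    vlan: int
    src_mac: str
    dst_ip: str                                  # "broadcast" or a unicast IP
    payload: str
    hops: list = field(default_factory=list)     # trace of what each box did


class CleanAccessServer:
    """CAS in Layer 2 virtual gateway mode: a bridge that rewrites the VLAN tag
    per its untrusted->trusted mapping and never routes or answers DHCP."""

    def __init__(self, vlan_map, dhcp_passthrough=True):
        self.to_trusted = dict(vlan_map)
        self.to_untrusted = {t: u for u, t in self.to_trusted.items()}
        self.dhcp_passthrough = dhcp_passthrough

    def _check_dhcp(self, frame):
        if frame.payload.startswith("DHCP") and not self.dhcp_passthrough:
            raise ValueError("CAS is not configured to pass through DHCP")

    def forward_to_trusted(self, frame):
        self._check_dhcp(frame)
        if frame.vlan not in self.to_trusted:          # centralized CAS, no mapping
            raise ValueError(f"no VLAN mapping for untrusted VLAN {frame.vlan}")
        new_vlan = self.to_trusted[frame.vlan]
        frame.hops.append(f"CAS untrusted VLAN {frame.vlan} -> trusted VLAN {new_vlan}")
        frame.vlan = new_vlan
        return frame

    def forward_to_untrusted(self, frame):
        self._check_dhcp(frame)
        if frame.vlan not in self.to_untrusted:
            raise ValueError(f"no VLAN mapping for trusted VLAN {frame.vlan}")
        new_vlan = self.to_untrusted[frame.vlan]
        frame.hops.append(f"CAS trusted VLAN {frame.vlan} -> untrusted VLAN {new_vlan}")
        frame.vlan = new_vlan
        return frame


class Gateway:
    """Wireless VLAN default gateway (beyond the CAS trusted interface) whose
    IP helper relays DHCP broadcasts as unicast to the server on another VLAN."""

    def __init__(self, wireless_vlan, helper_ip, dhcp_vlan):
        self.wireless_vlan, self.helper_ip, self.dhcp_vlan = wireless_vlan, helper_ip, dhcp_vlan

    def relay_request(self, frame):
        if frame.vlan != self.wireless_vlan or frame.dst_ip != "broadcast":
            raise ValueError("gateway only relays broadcasts from its wireless VLAN")
        frame.hops.append(f"GW relays via ip helper {self.helper_ip} on VLAN {self.dhcp_vlan}")
        frame.vlan, frame.dst_ip = self.dhcp_vlan, self.helper_ip
        return frame

    def relay_reply(self, frame):
        frame.hops.append(f"GW returns reply on VLAN {self.wireless_vlan}")
        frame.vlan = self.wireless_vlan
        return frame


class DhcpServer:
    """Hands out addresses from a constructed pool on the wireless subnet."""

    def __init__(self, pool_start="10.0.10.100"):
        self.prefix, host = pool_start.rsplit(".", 1)
        self.next_host = int(host)

    def answer(self, frame):
        if frame.payload != "DHCPDISCOVER":
            raise ValueError("unexpected payload")
        offered = f"{self.prefix}.{self.next_host}"
        self.next_host += 1
        frame.hops.append(f"DHCP server offers {offered}")
        return Frame(frame.vlan, frame.src_mac, "broadcast", f"DHCPOFFER {offered}", frame.hops)


def request_address(cas, gw, dhcp, client_mac="00:11:22:33:44:55"):
    """One DHCP exchange along user -> AP -> CAS -> GW -> DHCP and back.
    Returns the offered address and the hop trace (steps 1-4 of the post)."""
    frame = Frame(UNTRUSTED_VLAN, client_mac, "broadcast", "DHCPDISCOVER")
    frame.hops.append(f"user/AP sends on VLAN {UNTRUSTED_VLAN}")          # step 1
    frame = gw.relay_request(cas.forward_to_trusted(frame))               # steps 2, 3
    reply = cas.forward_to_untrusted(gw.relay_reply(dhcp.answer(frame)))  # step 4
    return reply.payload.split()[1], reply.hops


def build_topology(vlan_map=None):
    """Default: VLAN 110 mapped to VLAN 10; pass {} to model a CAS without mapping."""
    vlan_map = {UNTRUSTED_VLAN: TRUSTED_VLAN} if vlan_map is None else vlan_map
    return CleanAccessServer(vlan_map), Gateway(TRUSTED_VLAN, DHCP_SERVER_IP, DHCP_VLAN), DhcpServer()


if __name__ == "__main__":
    ip, hops = request_address(*build_topology())
    print(ip)
    print("\n".join(hops))
```

Running the block prints the offered address followed by the six hops of the exchange; calling `request_address(*build_topology(vlan_map={}))` raises at the CAS, which is the symptom of a centralized deployment missing its VLAN mapping.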
