Step 18 Testing Whether OOB and User Role Based VLAN Assignment Works

If you navigate to Switch Management > Device > Switches > List > 10.10.30.1 > Ports, you will see that interface Fa1/0/5 is not connected and is currently in VLAN 10 (the initial VLAN). This is shown in Figure 10-57.

Now connect a laptop to interface Fa1/0/5. You will see that the port is immediately moved to the untrusted VLAN 110. This is triggered by the switch sending an SNMP MAC-notification trap to NAC Appliance Manager. The port is moved to VLAN 110 because the port profile has the auth (untrusted) VLAN set to VLAN 110. See Figure 10-58 for details.

Figure 10-57 Ports List—Before Connection

[Screenshot: Cisco Clean Access Lite Manager, Switch Management > Devices > Switch [10.10.22.2] > Ports. The Ports tab lists Fa1/0/1 through Fa1/0/7 with the columns Name, Description, Current VLAN, Profile, and Note. Fa1/0/5 (index 10005, FastEthernet1/0/5) shows no link, Current VLAN 10, and the NAC_controlled profile; all other ports use the Default [uncontrolled] profile. The page also shows the Setup options "Set the initial VLANs for the ports to the current VLAN settings of the switch", "Set up mac-notification on managed switch ports", and "Save the switch running configuration into non-volatile memory", plus the note that for trunk ports (blue background) the VLAN value refers to the trunk native VLAN.]

Figure 10-58 Ports List—After Connection

On the user PC, you will see that NAC Appliance Agent has popped up. Enter the credentials for the user jane, as shown in Figure 10-59.

Figure 10-59 Clean Access Agent Authentication Popup

When you click Login, NAC Appliance determines that the user jane belongs to the Employee user role. NAC Appliance looks at the OOB user role VLAN configured under the Employee user role and moves the user's switch port, Fa1/0/5, to VLAN 12. This is shown in Figure 10-60.

Figure 10-60 Ports List—After Authentication

[Screenshot: Cisco Clean Access Lite Manager, Switch Management > Devices > Switch [10.10.22.2] > Ports, the same Ports tab as Figure 10-57. Fa1/0/5 (index 10005, FastEthernet1/0/5) now shows a link and is listed with the NAC_controlled profile in the Employee role VLAN; Fa1/0/1 through Fa1/0/4 and Fa1/0/6 remain on the Default [uncontrolled] profile.]

Because this process moves the user from VLAN 110 to VLAN 12, it also triggers a DHCP release/renew on the user's machine. As a result, during the login process you will see the NAC Appliance Agent screens shown in Figure 10-61 and Figure 10-62.

Figure 10-61 Agent Refreshing IP

Figure 10-62 Agent Refreshing IP Successful

The user appears in the OOB online users list, as shown in Figure 10-63. If the user is placed in the Temporary role for remediation, the user shows up in the in-band online users list until the machine becomes clean.

Now if the user disconnects from the switch port, NAC Appliance removes the user from the online users list. This is triggered by the switch sending an SNMP linkdown trap to NAC Appliance Manager. The port VLAN, however, is not changed—it remains in VLAN 12.

Figure 10-63 Online Users List—OOB

[Screenshot: Cisco Clean Access Lite Manager, Monitoring > Online Users, Out-of-Band view. Filters: Any CCA Server, Any Provider, Any Role, Any Switch. Active users: 1 (Max users since last reset: 1). One row: User Name jane, User IP 10.10.110.2, User MAC 00:15:53:7E:9D:EB, Provider Local DB, Role Employee, Switch 10.10.22.2, Port 10005.]

Now another user, John, connects to the same switch port. The switch sends a new SNMP MAC-notification trap to NAC Appliance Manager. The port will immediately move to the auth (untrusted) VLAN 110, as shown in Figure 10-64, so that the new user can log in.

Figure 10-64 Ports List—Next User

[Screenshot: Cisco Clean Access Lite Manager, Switch Management > Devices > Switch [10.10.22.2] > Ports, the same Ports tab as Figure 10-57. Fa1/0/5 (index 10005, FastEthernet1/0/5, profile NAC_controlled) now shows Current VLAN 110; Fa1/0/1 through Fa1/0/4 and Fa1/0/6 remain on the Default [uncontrolled] profile.]

On the user's machine, Clean Access Agent pops up, as shown in Figure 10-65. Enter the credentials for the user John and click Login.

Figure 10-65 Clean Access Agent Authentication Popup

After the user is authenticated, NAC Appliance Manager determines that this user is a consultant and moves the user to VLAN 11, which is the OOB user role VLAN configured for the Guest role. The user shows up in the out-of-band online users list as a Consultant, as shown in Figure 10-66.

Figure 10-66 Online Users List—OOB

[Screenshot: Cisco Clean Access Lite Manager, Monitoring > Online Users, Out-of-Band view. Filters: Any CCA Server, Any Provider, Any Role, Any Switch. Active users: 1 (Max users since last reset: 1). One row: User IP 10.10.110.3, User MAC 00:15:50:7E:9D:EB, Provider Local DB, Role Consultant, Switch 10.10.22.2, Port 10005.]
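The whole test sequence above comes down to three kinds of events arriving at NAC Appliance Manager and the VLAN each one leaves the port in: an SNMP MAC-notification trap moves a NAC-controlled port to the auth VLAN, a successful agent login moves it to the user role's OOB VLAN (and forces the host to refresh its IP), and an SNMP linkdown trap removes the user from the online list without touching the VLAN. The following model replays that sequence so the state transitions can be checked. It is an added example, not NAC Appliance code: the VLAN numbers (initial 10, auth 110, Employee 12, Guest 11) and port Fa1/0/5 come from the walkthrough, while the class and method names, the event log, and the MAC addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# VLAN numbers from the walkthrough: initial VLAN, auth (untrusted) VLAN,
# and the OOB user role VLANs. The page shows the Guest role VLAN user
# listed as "Consultant"; both names map to VLAN 11 here (assumption).
INITIAL_VLAN = 10
AUTH_VLAN = 110
ROLE_VLANS = {"Employee": 12, "Guest": 11, "Consultant": 11}


@dataclass
class Port:
    name: str
    controlled: bool            # True for the NAC_controlled port profile
    vlan: int = INITIAL_VLAN
    mac: Optional[str] = None   # last MAC reported by the switch


@dataclass
class OobManager:
    """Model of the Manager's OOB port handling (assumed structure, not Cisco's code)."""
    ports: Dict[str, Port] = field(default_factory=dict)
    online_users: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # user -> (port, role)
    events: List[Tuple[str, str, int]] = field(default_factory=list)        # (event, port, vlan after)

    def add_port(self, name: str, controlled: bool) -> None:
        self.ports[name] = Port(name, controlled)

    def _record(self, event: str, port: Port) -> None:
        self.events.append((event, port.name, port.vlan))

    def mac_notification(self, port_name: str, mac: str) -> int:
        """SNMP MAC-notification trap: a device appeared on the port."""
        port = self.ports[port_name]
        if port.controlled:
            # Every new MAC lands in the auth VLAN so the agent can log in. This is
            # also what moves a port back from a role VLAN when the next user plugs in.
            port.vlan = AUTH_VLAN
            port.mac = mac
        # Traps for Default [uncontrolled] ports are logged but change nothing.
        self._record("mac-notification", port)
        return port.vlan

    def login(self, port_name: str, user: str, role: str) -> bool:
        """Agent login succeeded. Returns True when the host must release/renew DHCP."""
        port = self.ports[port_name]
        if not port.controlled:
            raise ValueError(f"{port_name} is not under NAC control")
        old_vlan = port.vlan
        port.vlan = ROLE_VLANS[role]          # OOB user role VLAN of the matched role
        self.online_users[user] = (port_name, role)
        self._record(f"login:{user}", port)
        return port.vlan != old_vlan          # VLAN changed -> agent shows "Refreshing IP"

    def linkdown(self, port_name: str) -> int:
        """SNMP linkdown trap: drop the user from the online list; VLAN stays as is."""
        port = self.ports[port_name]
        if port.controlled:
            for user, (p, _) in list(self.online_users.items()):
                if p == port_name:
                    del self.online_users[user]
            port.mac = None
        self._record("linkdown", port)
        return port.vlan


def run_walkthrough() -> List[Tuple[str, str, int]]:
    """Replay the Step 18 sequence and return the event log (MACs are constructed)."""
    m = OobManager()
    m.add_port("Fa1/0/4", controlled=False)             # Default [uncontrolled]
    m.add_port("Fa1/0/5", controlled=True)              # NAC_controlled, starts in VLAN 10
    m.mac_notification("Fa1/0/5", "00:00:5E:00:53:01")  # jane's laptop connects -> VLAN 110
    m.login("Fa1/0/5", "jane", "Employee")              # Employee role -> VLAN 12
    m.linkdown("Fa1/0/5")                               # jane unplugs; port stays in VLAN 12
    m.mac_notification("Fa1/0/5", "00:00:5E:00:53:02")  # John's laptop connects -> VLAN 110
    m.login("Fa1/0/5", "john", "Guest")                 # Guest role -> VLAN 11
    m.mac_notification("Fa1/0/4", "00:00:5E:00:53:03")  # uncontrolled port: trap ignored
    return m.events


if __name__ == "__main__":
    for event, port, vlan in run_walkthrough():
        print(f"{event:<18} {port:<8} VLAN {vlan}")
```

The point worth checking in the log is the third entry: after jane's linkdown the port is still in VLAN 12, and only John's MAC-notification trap, not the linkdown, returns it to VLAN 110. That is why a port that loses its link keeps the previous user's role VLAN until a new device is seen, exactly as the text describes.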
