Cisco Wireless Controller Configuration Guide, Release 7.5

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents

Find Matches in This Book

Results

Updated:: March 13, 2015

Chapter: Configuring NAC Out-of-Band Integration

Configuring NAC Out-of-Band Integration
Prerequisites for NAC Out Of Band
Restrictions for NAC Out of Band
NAC Out-of-Band Integration
Configuring NAC Out-of-Band Integration (GUI)
Configuring NAC Out-of-Band Integration (CLI)

Configuring NAC Out-of-Band Integration

Prerequisites for NAC Out Of Band

CCA software release 4.5 or later releases is required for NAC out-of-band integration.
Because the NAC appliance supports static VLAN mapping, you must configure a unique quarantine VLAN for each interface that is configured on the controller. For example, you might configure a quarantine VLAN of 110 on controller 1 and a quarantine VLAN of 120 on controller 2. However, if two WLANs or guest LANs use the same distribution system interface, they must use the same quarantine VLAN if they have one NAC appliance deployed in the network. The NAC appliance supports unique quarantine-to-access VLAN mapping.
For a posture reassessment that is based on a session expiry, you must configure the session timeout on both the NAC appliance and the WLAN, making sure that the session expiry on the WLAN is greater than that on the NAC appliance.
When a session timeout is configured on an open WLAN, the timing out of clients in the Quarantine state is determined by the timer on the NAC appliance. After the session timeout expires for WLANs that use web authentication, clients deauthenticate from the controller and must perform posture validation again.

All Layer 2 and Layer 3 authentication occurs in the quarantine VLAN. To use external web authentication, you must configure the NAC appliance to allow HTTP traffic to and from external web servers and to allow the redirect URL in the quarantine VLAN.

Note

See the Cisco NAC appliance configuration guides for configuration instructions at http://www.cisco.com/c/en/us/support/security/nac-appliance-clean-access/products-installation-and-configuration-guides-list.html.

If you want to enable NAC on an access point group VLAN, you must first enable NAC on the WLAN. Then you can enable or disable NAC on the access point group VLAN. If you ever decide to disable NAC on the WLAN, be sure to disable it on the access point group VLAN as well.
The NAC appliance supports up to 3500 users, and the controller supports up to 5000 users. Multiple NAC appliances might need to be deployed.
If you want to enable NAC on an access point group VLAN, you must first enable NAC on the WLAN. Then you can enable or disable NAC on the access point group VLAN. If you ever decide to disable NAC on the WLAN, be sure to disable it on the access point group VLAN as well.
The NAC appliance supports up to 3500 users, and the controller supports up to 5000 users. Multiple NAC appliances might need to be deployed.
In controller software releases prior to 5.1, the controller integrates with the NAC appliance only in in-band mode, where the NAC appliance must remain in the data path. For in-band mode, a NAC appliance is required at each authentication location (such as at each branch or for each controller), and all traffic must traverse the NAC enforcement point. In controller software release 5.1 or later releases, the controller can integrate with the NAC appliance in out-of-band mode, where the NAC appliance remains in the data path only until clients have been analyzed and cleaned. Out-of-band mode reduces the traffic load on the NAC appliance and enables centralized NAC processing.
NAC out-of-band integration is supported only on WLANs configured for FlexConnect central switching. It is not supported for use on WLANs configured for FlexConnect local switching.

Restrictions for NAC Out of Band

NAC out-of-band integration is not supported for use with the WLAN AAA override feature.
In controller software releases prior to 5.1, the controller integrates with the NAC appliance only in in-band mode, where the NAC appliance must remain in the data path. For in-band mode, a NAC appliance is required at each authentication location (such as at each branch or for each controller), and all traffic must traverse the NAC enforcement point. In controller software release 5.1 or later releases, the controller can integrate with the NAC appliance in out-of-band mode, where the NAC appliance remains in the data path only until clients have been analyzed and cleaned. Out-of-band mode reduces the traffic load on the NAC appliance and enables centralized NAC processing.
NAC out-of-band integration is supported only on WLANs configured for FlexConnect central switching. It is not supported for use on WLANs configured for FlexConnect local switching.

NAC Out-of-Band Integration

The Cisco NAC Appliance, also known as Cisco Clean Access (CCA), is a network admission control (NAC) product that enables network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network. NAC identifies whether machines are compliant with security policies and repairs vulnerabilities before permitting access to the network.

The NAC appliance is available in two modes: in-band and out-of-band. Customers can deploy both modes if desired, each geared toward certain types of access (in-band for supporting wireless users and out-of-band for supporting wired users, for example).

To implement the NAC out-of-band feature on the controller, you must enable NAC support on the WLAN or guest LAN and then map this WLAN or guest LAN to an interface that is configured with a quarantine VLAN (untrusted VLAN) and an access VLAN (trusted VLAN). When a client associates and completes Layer 2 authentication, the client obtains an IP address from the access VLAN subnet, but the client state is Quarantine. While deploying the NAC out-of-band feature, be sure that the quarantine VLAN is allowed only between the Layer 2 switch on which the controller is connected and the NAC appliance and that the NAC appliance is configured with a unique quarantine-to-access VLAN mapping. Client traffic passes into the quarantine VLAN, which is trunked to the NAC appliance. After posture validation is completed, the client is prompted to take remedial action. After cleaning is completed, the NAC appliance updates the controller to change the client state from Quarantine to Access.

Figure 1. Example of NAC Out-of-Band Integration.
The link between the controller and the switch is configured as a trunk, enabling the quarantine VLAN (110) and the access VLAN (10). On the Layer 2 switch, the quarantine traffic is trunked to the NAC appliance while the access VLAN traffic goes directly to the Layer 3 switch. Traffic that reaches the quarantine VLAN on the NAC appliance is mapped to the access VLAN based on a static mapping configuration.

This section contains the following subsections:

Configuring NAC Out-of-Band Integration (GUI)

Procedure

Step 1

Configure the quarantine VLAN for a dynamic interface as follows:

Choose Controller > Interfaces to open the Interfaces page.
Click New to create a new dynamic interface.
In the Interface Name text box, enter a name for this interface, such as “quarantine.”
In the VLAN ID text box, enter a nonzero value for the access VLAN ID, such as “10.”
Click Apply to commit your changes. The Interfaces > Edit page appears.

Select the Quarantine check box and enter a nonzero value for the quarantine VLAN ID, such as “110.”

Note

We recommend that you configure unique quarantine VLANs throughout your network. If multiple controllers are configured in the same mobility group and access interfaces on all controllers are in the same subnet, it is mandatory to have the same quarantine VLAN if there is only one NAC appliance in the network. If multiple controllers are configured in the same mobility group and access interfaces on all controllers are in different subnets, it is mandatory to have different quarantine VLANs if there is only one NAC appliance in the network.

Configure any remaining text boxes for this interface, such as the IP address, netmask, and default gateway.
Click Apply to save your changes.

Step 2

Configure NAC out-of-band support on a WLAN or guest LAN as follows:

Choose WLANs to open the WLANs page.
Click the ID number of the desired WLAN or guest LAN. The WLANs > Edit page appears.
Choose the Advanced tab to open the WLANs > Edit (Advanced) page.
Configure NAC out-of-band support for this WLAN or guest LAN by selecting the NAC State check box. To disable NAC out-of-band support, leave the check box unselected, which is the default value.
Click Apply to commit your changes.

Step 3

Configure NAC out-of-band support for a specific access point group as follows:

Choose WLANs > Advanced > AP Groups to open the AP Groups page.
Click the name of the desired access point group.
Choose the WLANs tab to open the AP Groups > Edit (WLANs) page.
Click Add New to assign a WLAN to this access point group. The Add New section appears at the top of the page.
From the WLAN SSID drop-down list, choose the SSID of the WLAN.
From the Interface Name drop-down list, choose the interface to which you want to map the access point group. Choose the quarantine VLAN if you plan to enable NAC out-of-band support.
To enable NAC out-of-band support for this access point group, select the NAC State check box. To disable NAC out-of-band support, leave the check box unselected, which is the default value.

Click Add to add this WLAN to the access point group. This WLAN appears in the list of WLANs assigned to this access point group.

Note

If you ever want to remove this WLAN from the access point group, hover your cursor over the blue drop-down arrow for the WLAN and choose Remove.

Step 4

Click Save Configuration to save your changes.

Step 5

See the current state of the client (Quarantine or Access) as follows:

Choose Monitor > Clients to open the Clients page.

Click the MAC address of the desired client to open the Clients > Detail page. The NAC state appears under the Security Information section.

Note

The client state appears as “Invalid” if the client is probing, has not yet associated to a WLAN, or cannot complete Layer 2 authentication.

Configuring NAC Out-of-Band Integration (CLI)

Procedure

Step 1

Configure the quarantine VLAN for a dynamic interface by entering this command:

config interface quarantine vlan interface_name vlan_id

Note

You must configure a unique quarantine VLAN for each interface on the controller.

To disable the quarantine VLAN on an interface, enter 0 for the VLAN ID.

Step 2

Enable or disable NAC out-of-band support for a WLAN or guest LAN by entering this command:

config {wlan | guest-lan} nac {enable | disable} {wlan_id | guest_lan_id}

Step 3

Enable or disable NAC out-of-band support for a specific access point group by entering this command:

config wlan apgroup nac {enable | disable} group_name wlan_id

Step 4

Save your changes by entering this command:

save config

Step 5

See the configuration of a WLAN or guest LAN, including the NAC state by entering this command:

show {wlan wlan_ id | guest-lan guest_lan_id}

Information similar to the following appears:


WLAN Identifier.................................. 1
Profile Name..................................... wlan
Network Name (SSID).............................. wlan
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control

  NAC-State...................................... Enabled
  Quarantine VLAN............................. 110 ...

Step 6

See the current state of the client (either Quarantine or Access) by entering this command:

show client detailed client_mac

Information similar to the following appears:


Client’s NAC state.................................. QUARANTINE

Note

The client state appears as “Invalid” if the client is probing, has not yet associated to a WLAN, or cannot complete Layer 2 authentication.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)