CLEANACCESS Archives

October 2008

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Jeremy Wood <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Wed, 8 Oct 2008 08:45:15 -0400
Content-Type: text/plain
Parts/Attachments: text/plain (94 lines)

The next version of CCA will support OOB wireless, but you need to be
running WiSM 5.1.151.0. From the WiSM release notes:

"NAC out-of-band integration—The Cisco NAC Appliance, also known as
Cisco Clean Access (CCA), is a network admission control (NAC) product
that identifies whether machines are compliant with security policies
and repairs vulnerabilities before permitting access to the network.
In controller software releases prior to 5.1.151.0, the controller
integrates with the NAC appliance only in in-band mode, where the NAC
appliance must remain in the data path. For in-band mode, a NAC
appliance is required at each authentication location (such as at each
branch or for each controller), and all traffic must traverse the NAC
enforcement point. In controller software release 5.1.151.0, the
controller can integrate with the NAC appliance in out-of-band mode,
where the NAC appliance remains in the data path only until clients
have been analyzed and cleaned. Out-of-band mode reduces the traffic
load on the NAC appliance and enables centralized NAC processing.

Note CCA software release 4.5 or later is required for NAC out-of-band
integration. "

So something for everyone to look forward to :)

--Jeremy

On Wed, Oct 8, 2008 at 07:21, Nancy Watson <[log in to unmask]> wrote:
> Mike,
> Thanks for the response.
> We are going to run it back to the WiSM, then push it through the CAS. I
> didn't explain that very clearly, but we have 4 WiSM blades in a central
> location that will dump off into the CAS.
> Have you had any issues with the CAS functioning as a DHCP server? Someone at
> another university said they prefer to use an external DHCP server because
> there were issues with CAS failover on DHCP. They were not specific, and it
> may be that they preferred to use the external DHCP server. I don't know if
> there were any scaling issues on the number of VLANs that can be defined on
> the CAS.
> I think we are going to use VRF and OOB when the new WiSM code comes out; that
> is being handled by someone else, so I can't speak intelligently about it
> yet.
> Nancy
>
> "Success is being able to balance your life and be passionate about what you
> do" - Susan Handley
>
>
> On Oct 7, 2008, at 8:42 PM, Mike King wrote:
>
> Nancy,
> Unless I missed something in a later feature release, wireless requires
> IN-band.
> Also, I would not run the VLAN for the LWAPP access points through the CAS.
> You want your APs to be on an unmanaged network. Think of it this way:
> you're doubling the traffic through your CAS, because all the traffic has to
> traverse the CAS to get to the wireless controller, and is then sent back to
> the CAS for authentication/posture. ( Client -> AP -> CAS ->
> WirelessController -> CAS -> Internet )
> Another side effect is that you would have to create exclusions (filters)
> for all the access points in the CAM/CAS so the APs could communicate with
> the wireless controller.
> I would trunk a VLAN into the wireless controller, and run that VLAN through
> the CAS. Then you have your SSID dump all your traffic on this VLAN. This is
> how I've set up CCA before.
> You can even get fancy and apply different VLANs to different user
> accounts, using the same SSID.
> I'm sure Lee will chime in with a similar answer.
> Mike
>
> On Tue, Oct 7, 2008 at 4:57 PM, Nancy Watson <[log in to unmask]> wrote:
>>
>> We are deploying the Cisco NAC, in-band, real-IP gateway, to replace our
>> Bluesocket solution for authentication. The plan is to use the HA-CAS as
>> the DHCP servers and to configure upwards of 100s of VLANs on the box
>> for our LWAPP access points.
>> Does anyone know of any issues using the NAC servers as the DHCP server
>> versus an external DHCP server? Are there issues with handling large numbers
>> of VLANs?
>>
>> We have 2 WiSMs centrally located and will be moving to OOB and posture
>> assessment in the future.
>>
>> Thanks,
>> Nancy
>>
>> --
>> <><><><><><><><><><><><><><><><><><><><><><><><><><>
>> Nancy Watson                    CNS Network Services
>> Sr. Network Engineer            352-273-1057
>> https://net-services.ufl.edu    352-392-5579 x167
>> <><><><><><><><><><><><><><><><><><><><><><><><><><>