Cisco NAC high level flow for Out-of-Band deployments

Dec 31st, 2007

I've found a lot of good detailed information on configuration of Cisco NAC appliances, and the general functions. But not a good, high-level walk-through of the steps the appliances/solution handle in an OOB deployment for new connections to a LAN.

Something along the lines of: a user connects to the LAN, is given addressing from a DHCP server, then <somehow?> the workstation is directed to the NAC appliance, where it checks for the presence of any required agents, checks against security requirements, then... etc. (Remediation servers involved here, etc.)

Is there a high-level description of the flow, what/how the NAC appliances interact with DHCP servers, remediation servers, and any high-level description of required configurations in AAA servers, DHCP servers, remediation servers in order for them to work with the NAC appliances in this configuration?


wiluszm Wed, 01/02/2008 - 07:12

Are you looking for Layer 2 or Layer 3 OOB scenarios? If L3 I can do a quick write-up for you, but don't want to go through the detail unless it's what you're looking for.


pmccubbin Wed, 01/02/2008 - 12:25

Hi Mike,

Please post the write-up. I understand it but am always looking for better ways to explain the process. You rate a "5" in my book for volunteering.



wiluszm Fri, 01/04/2008 - 08:28

Here we go:


1) Any managed switches must be built in on the CAM and the required configuration for switch SNMP traps must be used. This is important as it controls the CAM's visibility over user connects.

2) In L3 OOB the CAS can be placed physically anywhere. We have it in our data center.

3) Plan your VLANs. Let's say we have a remote location with 2 VLANs:

VLAN 0005 - NAC Auth
VLAN 0010 - User Access

This is important because in L3 OOB, you control traffic on the layer 3 boundary of the VLAN (i.e. the VLAN's default gateway, which is typically a router) using ACLs. An ACL on the "auth" VLAN controls where users can access before being certified. Typically this would allow traffic to the CAS and remediation servers. Then, for the "clean" VLAN the ACL must prevent traffic from flowing to the CAS by denying traffic to it. So you would have a config like:

int gig0/0.5
 description NAC Authentication Default Gateway
 encapsulation dot1Q 5
 ip address
 ip helper-address
 ip access-group NAC-AUTH in

ip access-list extended NAC-AUTH
 ! Permit traffic to CAS for authentication
 permit ip any host
 permit ip any host
 permit ip any host
 ! Deny everything else so non-certified users can't access network resources
 deny ip any any

int gig0/0.10
 description NAC Certified Users Default Gateway
 encapsulation dot1Q 10
 ip address
 ip helper-address
 ip access-group NAC-CLEAN in

ip access-list extended NAC-CLEAN
 ! Deny will keep the NAC agent from constantly attempting to re-authenticate
 deny ip any host
 ! Then let all other traffic through as we're a "clean" user
 permit ip any any

4) Clients will receive all IP addresses from a DHCP server. In our deployment we use the "ip helper-address" command to forward DHCP requests to our DHCP cluster. You'll need a pool for each NAC VLAN you have.

So what does the NAC experience look like? Here's the flow:

1) A new user plugs into a NAC-managed switch. The switch sends an SNMP trap to the CAM that a new interface has come online.

2) The CAM detects the user is not already authenticated, so it changes the configuration of the port to place the user on VLAN 5. The user receives an IP address from the DHCP cluster.

3) Due to the limitations of the NAC-AUTH ACL, the user has limited access. The NAC agent on the workstation continues to poll for a live CAS at a configured address. Since the traffic is permitted, the agent prompts for authentication.

4) Depending on your scenario, the user may enter credentials or may not need to if using Active Directory single sign-on.

5) If the user passes authentication, the posture validation of the client begins.

6) If the user does NOT pass posture assessment, they are left on the NAC-AUTH VLAN and are required to update as necessary. The agent will then pop up again after a defined interval for authentication and the posture assessment will begin again.

7) Once the user is "clean", the CAM now changes the configuration of the switch again and puts the user onto VLAN 10. Once the VLAN is changed the user's client will request a new IP address and receive one from the DHCP cluster.

8) Now the user's traffic is limited by the NAC-CLEAN ACL. Since this ACL blocks access to the CAS, the agent doesn't pop up and the user is left on the "clean" VLAN.

9) If the user unplugs or the re-certification timer expires, the port is placed back into VLAN 5 and the next user will go through the same process or the same user will have to re-certify.
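The write-up above hinges on the two gateway ACLs being complementary: NAC-AUTH must reach only the CAS and remediation, NAC-CLEAN must block the CAS and pass everything else. The following added example (not from the post or from Cisco) parses IOS extended ACL entries of the form shown, evaluates them with first-match and implicit-deny semantics, and checks that pair of requirements; the CAS, remediation and internal-server addresses are constructed sample values standing in for the hosts the post left blank.

```python
import ipaddress

# Constructed sample addresses (not from the post): the CAS, a remediation
# server and an internal file server that only "clean" users should reach.
CAS = "10.0.0.5"
REMEDIATION = "10.0.0.6"
INTERNAL = "10.20.0.40"

# NAC-AUTH and NAC-CLEAN as the post describes them, with the host addresses
# the post left blank filled in from the constructed values above.
NAC_AUTH = [f"permit ip any host {CAS}", f"permit ip any host {REMEDIATION}",
            "deny ip any any"]
NAC_CLEAN = [f"deny ip any host {CAS}", "permit ip any any"]


def parse_ace(line):
    """Parse 'permit|deny ip any <dst>'; <dst> is 'any', 'host A' or 'A wildcard'."""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1:3] != ["ip", "any"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    dst = tok[3:]
    if dst == ["any"]:
        net = ipaddress.ip_network("0.0.0.0/0")
    elif dst[0] == "host" and len(dst) == 2:
        net = ipaddress.ip_network(dst[1])  # bare address parses as a /32
    elif len(dst) == 2:
        # IOS wildcard (inverse) mask: invert it into a netmask so that a
        # 0.0.0.0 wildcard is unambiguously a single host.
        netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(dst[1])))
        net = ipaddress.ip_network(f"{dst[0]}/{netmask}", strict=False)
    else:
        raise ValueError(f"unsupported destination in ACE: {line!r}")
    return tok[0], net


def evaluate(acl, dst_ip):
    """First-match lookup; every IOS ACL ends with an implicit 'deny ip any any'."""
    dst = ipaddress.ip_address(dst_ip)
    for line in acl:
        action, net = parse_ace(line)
        if dst in net:
            return action
    return "deny"


def check_nac_acls(auth_acl, clean_acl, cas, remediation, internal):
    """Return the violations of the flow described in the post (empty list = OK)."""
    problems = []
    if evaluate(auth_acl, cas) != "permit":
        problems.append("auth VLAN cannot reach the CAS: the agent can never authenticate")
    if evaluate(auth_acl, remediation) != "permit":
        problems.append("auth VLAN cannot reach remediation: failed posture cannot be fixed")
    if evaluate(auth_acl, internal) != "deny":
        problems.append("auth VLAN reaches internal resources before certification")
    if evaluate(clean_acl, cas) != "deny":
        problems.append("clean VLAN reaches the CAS: the agent will keep re-prompting")
    if evaluate(clean_acl, internal) != "permit":
        problems.append("clean VLAN is blocked from internal resources")
    return problems
```

Running `check_nac_acls(NAC_AUTH, NAC_CLEAN, CAS, REMEDIATION, INTERNAL)` on the ACLs as written returns an empty list; dropping the `deny ip any host` line from NAC-CLEAN reproduces the re-prompting problem the post warns about.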


