Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Clean Access (NAC) Getting Started ?

Just got our clean access servers for testing. Got four 3140-H1 servers that are to be configured as a Manager w/ Backup Failover server, and Access Server w/ Backup.

So, reading the documentation on setup, and configuration getting prepared to get started on it. Wondering what others experiences are with it.

Any lessons learned? Advice or suggestions?

Going to be configured in out of band for a 4506. Most ports have Cisco 7960 IP Phones connected. This particular installation is in a call center basically, and the goal / idea is to limit agents from brining in their personal laptops and getting on the network.

Basically need to prevent personal machines from accessing network. But we will allow them internet only access.

Anyway, thats the basics. Just wondering if anyone has any pointers or suggestions before I get started and possible going off in the wrong direction and wasting too much time.

New Member

Re: Clean Access (NAC) Getting Started ?

Appreciate the response, I have been reading all the documentation of course, but I was really looking for more real world comments. Things others had learned or experienced in going through their own deployments.

Vendor docs are not always the best source of info obviously, but regardless I do appreciate your time and effort in responding.

New Member

Re: Clean Access (NAC) Getting Started ?

We have the same setup here. Running OOB, Real-IP GW L2 Mode.

Things you need to know : when In OOB mode, the traffic policies profiles that are filtered through the CAS are Unauthenticated, Quarantaine and Temporary Profile. All other must switch to their prod VLAN and therefore CAS filter does not apply.

Another annoying this, the CAS filter is directional, and it is not stateful. You can't have logs on the traffic that passes through the CAS as well. For this reason, we had to put our CAS behind a Firewall. So anyone that are going on the authenticated VLAN, are Firewalled.

Also, when OOB, the Clean Access Agent will not put the workstation back to the authentication VLAN when you log off. Cisco should release this features in 2007.

Also, If your users need access to internet (i.e. external visitors) you'll probably need to create a specific vlan for them, and switch them to this VLAN, with the rules out to the internet on you internet FW (you won't be able to control traffic from the CAS).

CreatePlease to create content