Chapter 5
Wireless LAN Controller Management: Configuring Wireless Out-of-Band Deployment
This chapter describes how to configure Cisco NAC Appliance for Wireless Out-of-Band (Wireless
OOB) deployment. Topics include:
• Overview, page 5-1
• Wireless Out-of-Band Virtual Gateway Deployment, page 5-4
• Configure Your Network for Wireless Out-of-Band, page 5-5
• Configure Your Wireless LAN Controllers, page 5-7
• Configure Wireless LAN Controller Connection on the CAM, page 5-13
• Wireless Out-of-Band Users, page 5-24
• Wireless OOB Troubleshooting, page 5-25
See Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.5(1)
for additional information on OOB deployments.
Overview
In a traditional in-band Cisco NAC Appliance wireless deployment, all network traffic to or from
wireless client machines passes through the Clean Access Server (CAS). For high throughput or highly
routed environments, a Cisco NAC Appliance Wireless Out-of-Band (Wireless OOB) deployment allows
client traffic to pass through the network only in order to be authenticated and certified before being
connected directly to the access network. This section discusses the following topics:
• Wireless In-Band Versus Out-of-Band, page 5-2
• Wireless Out-of-Band Requirements, page 5-2
• SNMP Control, page 5-3
• Summary Steps to Configure Wireless Out-of-Band, page 5-3
Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide
OL-16410-01
5-1
Wireless In-Band Versus Out-of-Band
Table 5-1 summarizes different characteristics of each type of deployment.

Table 5-1 Wireless In-Band vs. Out-of-Band Deployment

Wireless In-Band Deployment Characteristics / Wireless Out-of-Band Deployment Characteristics

In-Band: The Clean Access Server (CAS) is always inline with user traffic (both before and following authentication, posture assessment and remediation). Enforcement is achieved through being inline with traffic.
Out-of-Band: The Clean Access Server (CAS) is inline with user traffic only during the process of authentication, assessment and remediation. Following that, user traffic does not come to the CAS. Enforcement is achieved through the use of SNMP to coordinate with Wireless LAN Controllers (WLCs) and to assign/reassign VLAN assignments.

In-Band: The CAS can be used to securely control authenticated and unauthenticated user traffic.
Out-of-Band: The CAS can control user traffic during the authentication, assessment and remediation phase, but cannot do so post-remediation since the traffic is Out-of-Band.

In-Band: Bandwidth restricted to maximum allowable throughput for installed Clean Access Server(s).
Out-of-Band: Out-of-Band bandwidth not restricted by Clean Access Servers in network, as all client traffic bypasses CASs once clients are authenticated.
Wireless Out-of-Band Requirements
Wireless Out-of-band implementation of Cisco NAC Appliance requires the following to be in place:
• Cisco Wireless LAN Controllers must be supported models that use at least the minimum supported version of IOS (supporting SNMP traps). See Table 5-2.
• Cisco Wireless LAN Controllers must be Layer 2 adjacent to the Clean Access Server(s) with which they interoperate to support wireless client login.
• Clean Access Servers supporting wireless client login and authentication must be installed and configured in Virtual Gateway mode.

Note: Administrators can update the object IDs (OIDs) of supported WLCs through CAM updates (under Device Management > Clean Access > Updates > Summary | Settings). For example, if a new WLC of a supported model (Cisco 4400 Series) is released, administrators only need to perform Cisco Updates on the CAM to obtain support for the WLC OIDs, instead of performing a software upgrade of the CAM/CAS. The update WLC OID feature only applies to existing models. If a new WLC series is introduced, administrators will still need to upgrade to ensure Wireless OOB support for the new WLCs. See Configure and Download Updates, page 10-15.

Note: The supported mode of HREAP in Cisco NAC Wireless Out-Of-Band is central authentication, central switching. In this state, the controller handles client authentication, and all client data is tunneled back to the controller. This state is valid only in connected mode. Local Switching is not supported with Cisco NAC Wireless OOB.
Note: For the most current details on WLC model/IOS version support, refer to Switch Support for Cisco NAC Appliance.

Table 5-2 Supported Wireless LAN Controller Models

Supported Wireless LAN Controllers:
• Cisco 4400 Series Wireless LAN Controllers
• Cisco 2000 Series Wireless LAN Controllers
• Cisco Catalyst 3750G Integrated Wireless LAN Controller
• Cisco Catalyst 6500/7600 Series Wireless Services Module (WiSM)
• Cisco Wireless LAN Controller Module
Wireless LAN Controller Release: 5.1 and later
Cisco NAC Appliance Release: 4.5
SNMP Control
In a Wireless OOB deployment, you can add WLCs to the Clean Access Manager’s domain and
communicate with the WLC using the Simple Network Management Protocol (SNMP). SNMP is an
application layer protocol used by network management tools to exchange management information
between network devices. Cisco NAC Appliance and Cisco WLCs support the following SNMP versions
in a Wireless OOB environment:
CAM-to-OOB WLC SNMP Read:
• SNMP V1
• SNMP V2c (V2 with community string)
CAM-to-OOB WLC SNMP Write:
• SNMP V1
• SNMP V2c
• SNMP V3
OOB WLC-to-CAM SNMP Traps:
• SNMP V2c
You first need to configure the WLC to send and receive SNMP traffic to/from the Clean Access
Manager, then configure matching settings on the Clean Access Manager to send and receive traffic
to/from the WLC. This will enable the Clean Access Manager to get VLAN information from the WLC
and coordinate with the WLC when wireless users log out (or are “kicked out”) of the network and
removed from the Online Users List.
Summary Steps to Configure Wireless Out-of-Band
To enable Wireless OOB in your access network, you need to perform the following tasks:
1. Configure your Wireless LAN Controller:
   a. Enable SNMP read and write settings on the WLC.
   b. Enable SNMP trap transmission on the WLC using SNMP v2c (the SNMP v2c protocol is the only version of SNMP traps the CAM and WLCs have in common).
   c. Configure SSIDs/dynamic interfaces on the WLC with both an Authentication (Quarantine) VLAN and a standard Access VLAN.
2. Ensure SNMP settings on the CAM match those assigned on the WLC using the guidelines in Configure SNMP Receiver, page 5-18.
3. Create a new device profile on the CAM for the WLC using the guidelines in Add New Wireless LAN Controller, page 5-19.
   Note: Unlike switch device profiles on the CAM, administrators do not configure or assign any Port Profiles for WLCs. VLAN assignments for Authentication (Quarantine) and Access VLANs originate from the WLC based on SNMP trap messages sent from the CAM following client posture assessment and remediation.
4. Add the new WLC device profile to the Device List using the guidelines in Add and Manage Wireless LAN Controllers, page 5-19.
5. Configure the CAS in your Cisco NAC Appliance network to support Wireless OOB network functions using the appropriate sections of the “Configuring the CAS Managed Network” chapter in the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.5(1):
   – Install the CAS as a Virtual Gateway according to the guidelines in the “Add New Server” section.
   – Ensure that the Cisco NAC Appliance system appropriately handles client traffic from the WLC’s Authentication (Quarantine) VLAN by using the “Configuring Managed Subnets or Static Routes” section.
   – Since the CAS acts as a bridge in Virtual Gateway mode, be sure the CAS is configured to map the WLC’s Access VLAN to the Cisco NAC Appliance Access VLAN (both on the Trusted VLAN) using the “Configure VLAN Mapping” section.
Wireless Out-of-Band Virtual Gateway Deployment
Figure 5-1 illustrates a typical Wireless OOB Virtual Gateway deployment. The WLC assigns two VLANs, Authentication (Quarantine) VLAN 110 and Access VLAN 10, to one or more SSIDs/dynamic interfaces to support wireless client access. The WLC and the Layer 2 access switch have a VLAN trunk assignment for both VLANs so that client traffic automatically reaches the Layer 2 switch regardless of whether the wireless client machine has authenticated with Cisco NAC Appliance or not. The Layer 2 switch ensures that all unauthenticated traffic gets directed to the Clean Access Server via VLAN 110 and that authenticated clients remain Out-of-Band, thus bypassing the CAS and proceeding directly to the internal network via Access VLAN 10.
Figure 5-1 Wireless Out-of-Band Layer 2 VGW Mode
[Figure: wireless client, Wireless LAN controller, Layer 2 switch (trunk carrying VLAN 10 and VLAN 110), Clean Access Server (VLAN 110 and VLAN 10), Layer 3 switch, Clean Access Manager (VLAN 10)]

Login and Authentication Flow in Wireless OOB Virtual Gateway Mode
1. The unauthenticated wireless user connects to a Wireless LAN Controller through an associated wireless access point.
2. The WLC sends an association trap informing the CAM that a wireless user is logging in with Cisco NAC Appliance network access credentials.
3. When the wireless client first logs into the Wireless OOB network, the user profile is assigned to Authentication (Quarantine) VLAN 110.
4. The CAS assigns the client machine an IP address from the access VLAN 10 and the WLC authenticates the client.
   Note: If Single-Sign On (SSO) is configured for the Wireless OOB network, the WLC also sends the appropriate RADIUS accounting packets to the CAS.
5. Cisco NAC Appliance performs posture assessment and remediation on the client machine and, if the client machine meets security requirements, authenticates the client and sends an SNMP SET command to the WLC granting access to the internal network.
6. The WLC switches the client IP address from the Authentication (Quarantine) VLAN 110 to the Access VLAN 10 and (now that the client machine has authenticated with Cisco NAC Appliance) traffic between the wireless client machine and the internal network moves Out-of-Band, bypassing the CAS.
When the user logs out of the wireless OOB network, the WLC sends another SNMP update to the CAM
to ensure the CAM removes the user profile from the wireless Online Users List. Likewise, if the Cisco
NAC Appliance administrator is forced to “kick” a user out of the network, the CAM sends an SNMP
trap to the WLC and the WLC, in return, automatically moves the user back to the Authentication
(Quarantine) VLAN, thus directing the now unauthenticated client traffic to the CAS.
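The following Python model, added here and not taken from the Cisco guide, replays the six-step exchange above together with the logout and kick paths as messages between a WLC object and a CAM object. The class and message names and the client MAC address are constructed; the VLAN numbers follow Figure 5-1, and a client that fails posture assessment is shown staying on the quarantine VLAN.

```python
"""Model of the Wireless OOB login, logout and kick exchange (added example)."""
from dataclasses import dataclass

AUTH_VLAN = 110    # Authentication (Quarantine) VLAN on the WLC (Figure 5-1)
ACCESS_VLAN = 10   # Access VLAN on the WLC (Figure 5-1)


@dataclass
class Message:
    """One SNMP notification from the WLC to the CAM (names are constructed)."""
    sender: str
    kind: str
    client: str


class WirelessLanController:
    """Keeps the per-client VLAN assignment; every new client starts quarantined."""

    def __init__(self, cam):
        self.cam = cam
        self.client_vlan = {}

    def associate(self, mac):
        # Steps 1-3: the client associates, lands on the quarantine VLAN and the
        # WLC reports the login to the CAM with an association trap.
        self.client_vlan[mac] = AUTH_VLAN
        self.cam.receive_trap(Message("WLC", "association", mac))

    def snmp_set(self, mac, vlan):
        # Step 6 (and the kick path): the CAM's SNMP SET moves the client.
        if mac not in self.client_vlan:
            raise KeyError(f"unknown client {mac}")
        self.client_vlan[mac] = vlan

    def disassociate(self, mac):
        # Logout: the WLC drops the client and notifies the CAM so the entry is
        # removed from the Online Users List.
        self.client_vlan.pop(mac, None)
        self.cam.receive_trap(Message("WLC", "logout", mac))


class CleanAccessManager:
    """Tracks the wireless Online Users List and drives the WLC over SNMP."""

    def __init__(self):
        self.online_users = set()
        self.wlc = None
        self.log = []          # every trap received, for inspection

    def receive_trap(self, msg):
        self.log.append(msg)
        if msg.kind == "logout":
            self.online_users.discard(msg.client)

    def certify(self, mac, posture_ok):
        # Step 5: only a client that meets the security requirements is moved
        # to the Access VLAN; a failing client stays behind the CAS.
        if not posture_ok:
            return False
        self.online_users.add(mac)
        self.wlc.snmp_set(mac, ACCESS_VLAN)
        return True

    def kick(self, mac):
        # Administrator kick: drop the user and push it back to quarantine.
        self.online_users.discard(mac)
        self.wlc.snmp_set(mac, AUTH_VLAN)


def run_session(posture_ok=True, admin_kick=False):
    """Walk one client through login, certification and logout or kick.

    Returns (stage, VLAN the WLC has the client on, present in Online Users List).
    """
    cam = CleanAccessManager()
    wlc = WirelessLanController(cam)
    cam.wlc = wlc
    mac = "00:11:22:33:44:55"          # constructed client MAC address
    wlc.associate(mac)
    trace = [("after_associate", wlc.client_vlan[mac], mac in cam.online_users)]
    cam.certify(mac, posture_ok)
    trace.append(("after_certify", wlc.client_vlan[mac], mac in cam.online_users))
    if admin_kick:
        cam.kick(mac)
        trace.append(("after_kick", wlc.client_vlan[mac], mac in cam.online_users))
    else:
        wlc.disassociate(mac)
        trace.append(("after_logout", wlc.client_vlan.get(mac), mac in cam.online_users))
    return trace


if __name__ == "__main__":
    for stage in run_session():
        print(stage)
```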
Configure Your Network for Wireless Out-of-Band
The CAM communicates with associated WLCs using SNMP and manages Wireless OOB Virtual
Gateway CASs through the admin network. The trusted interface of the CAS connects to the
admin/management network, and the untrusted interface of the CAS connects to the managed client
network.
When a wireless client connects to a WLC, the WLC automatically assigns the client to an
Authentication (Quarantine) VLAN and the traffic to/from the client goes through the CAS. After the
client is authenticated and certified through the Clean Access Server, the WLC receives an SNMP
message from the CAM allowing the client access to the network via the Access VLAN. Once on the
access VLAN, traffic to and from certified clients moves Out-of-Band, bypassing the Clean Access
Server.
The next sections describe the configuration steps needed to set up your Wireless OOB deployment:
• Configure Your Wireless LAN Controllers, page 5-7
• Configure Wireless LAN Controller Connection on the CAM, page 5-13

Note: You can only deploy CASs supporting wireless client machine authentication in Virtual Gateway mode.
Configure Your Wireless LAN Controllers
This section describes the steps needed to set up Wireless LAN Controllers (WLCs) to be used with
Cisco NAC Appliance for Wireless Out-of-Band.
• Wireless LAN Controllers Configuration Notes, page 5-7
• Example Wireless LAN Controller Configuration Steps, page 5-8
• Wireless OOB Network Setup/Configuration Worksheet, page 5-12
Wireless LAN Controllers Configuration Notes
The following considerations should be taken into account when configuring Wireless LAN Controllers for OOB:
• Cisco NAC Appliance only supports Wireless OOB deployments with Cisco Wireless LAN Controllers.
• WLCs must be configured to interact with the CAM using SNMP read, write, and trap functions.
• Each service set identifier (SSID)/dynamic interface on the WLC must have both an Authentication (Quarantine) VLAN and Access VLAN configured.
• Ensure that any access/aggregation switches in the network between the WLCs and the Clean Access Server have the same Authentication (Quarantine) and Access VLANs trunked.
• Authentication and Access VLANs are defined on the WLC and changes between the two are transmitted to the CAM using SNMP traps—administrators do not assign VLANs from the CAM via user role assignments or otherwise.
• When a wireless user logs off, the WLC also sends SNMP information to the CAM to ensure the user ID is removed from the Online Users List. Likewise, if the administrator must kick any users out of the Online Users List, the CAM informs the WLC via SNMP and the WLC automatically assigns the wireless client to the Authentication (Quarantine) VLAN.
• If Single Sign-On (SSO) is required for wireless users, the WLC must also be configured to transmit RADIUS accounting packets to the CAS.
• The VPN Auto Logout feature does not work in a Wireless OOB deployment. If VPN Auto Logout signs a user out of the system, the CAM will not learn of the disconnection from the WLC.

Note: If your wireless access network provides services for Wireless IP Phones, ensure you configure a separate SSID for such devices so that they do not encounter the Cisco NAC Appliance authentication process.
Example Wireless LAN Controller Configuration Steps
This section provides a configuration example for a Cisco 4400 series Wireless LAN Controller.
• Create the Dynamic Interface on the Wireless LAN Controller, page 5-8
• Create the WLAN on the Wireless LAN Controller and Enable Cisco NAC Appliance Integration, page 5-9
• Configure SNMP on the Wireless LAN Controller, page 5-10
• Specify the CAM as the SNMP Trap Receiver, page 5-11
Create the Dynamic Interface on the Wireless LAN Controller
To create and specify settings for a new Dynamic Interface on the Wireless LAN Controller:
Step 1 In the WLC graphical user interface, click Controller > Interfaces to open the Interfaces page.
Step 2 Click New and enter an Interface Name and VLAN ID in the Interfaces > New page that appears.
Step 3 Click Apply to commit your changes. The Interfaces > Edit page appears (Figure 5-2).

Figure 5-2 WLC 4400 Interfaces > Edit Page

Step 4 Configure the following parameters:
• Guest LAN
• Enable the Quarantine option and specify a Quarantine VLAN ID.
  Note: Check the Quarantine check box if you want to configure this VLAN as unhealthy or you want to configure network access control (NAC) out-of-band integration. Doing so causes the data traffic of any client that is assigned to this VLAN to pass through the controller.
• Physical port assignment
• VLAN identifier
• Fixed IP address, IP netmask, and default gateway
• Primary and secondary DHCP servers
• Access control list (ACL) name, if required
Note: To ensure proper operation, you must set the Port Number and Primary DHCP Server parameters.
Step 5 Click Save Configuration to save your changes.
Step 6 Repeat this procedure for each dynamic interface that you want to create or edit.
For more information, refer to the Cisco Wireless LAN Controller Configuration Guide, Release 5.1.
Create the WLAN on the Wireless LAN Controller and Enable Cisco NAC Appliance Integration
To create a new WLAN on the Wireless LAN Controller and enable integration with Cisco NAC Appliance:
Step 1 In the WLC graphical user interface, click WLANs > New. The WLANs > New page appears.
Step 2 Choose WLAN from the Type dropdown menu.
Step 3 Enter up to 32 alphanumeric characters for the profile name to be assigned to this WLAN in the Profile Name field. The profile name must be unique.
Step 4 Enter up to 32 alphanumeric characters for the SSID to be assigned to this WLAN in the WLAN SSID field.
Step 5 Click Apply to commit your changes. The WLANs > Edit page appears (Figure 5-3).

Figure 5-3 WLC 4400 WLANs > Edit Page
Step 6 On the General tab, check the Status checkbox to enable this WLAN.
Caution: Leave this option unchecked (disabled) until you have finished making configuration changes to the WLAN.
Step 7 On the Advanced tab, check the State checkbox under the “NAC” heading to enable WLC integration with Cisco NAC Appliance.
Step 8 Specify a Quarantine VLAN ID for wireless user sessions when authenticating with Cisco NAC Appliance.
Step 9 Click Apply to commit your changes.
Step 10 Click Save Configuration to save your changes.
For more information, refer to the Cisco Wireless LAN Controller Configuration Guide, Release 5.1.
Configure SNMP on the Wireless LAN Controller
To ensure the Wireless LAN Controller is able to receive and process SNMP transmissions from the CAM regarding OOB client machine status in the Cisco NAC Appliance system, you must enable and configure SNMP behavior on the WLC.
To create a new SNMP community and enable SNMP on the WLC:
Step 1 Click Management and then Communities under SNMP. The SNMP v1 / v2c Community page appears.
Step 2 Click New to create a new community. The SNMP v1 / v2c Community > New page appears (Figure 5-4).

Figure 5-4 SNMP v1 / v2c Community > New Page

Step 3 In the Community Name field, enter a unique name containing up to 16 alphanumeric characters. (Do not enter “public” or “private.”)
Step 4 Enter the IP Address of the CAM from which this device accepts SNMP packets with the associated community and the respective IP Mask.
Step 5 Choose Read/Write from the Access Mode dropdown menu to specify the access level for this community.
Step 6 Choose Enable from the Status dropdown menu to activate this community.
Step 7 Click Apply to commit your changes.
Step 8 Click Save Configuration to save your settings.
Step 9 Repeat this procedure if a “public” or “private” community still appears on the SNMP v1 / v2c Community page.
For more information, refer to the Cisco Wireless LAN Controller Configuration Guide, Release 5.1.

Specify the CAM as the SNMP Trap Receiver
Once you enable and configure SNMP on the Wireless LAN Controller, you must also ensure the WLC knows which CAM is receiving SNMP trap messages.
To specify the host name and IP address of the SNMP trap receiver CAM:
Step 1 Click Management and then Trap Receivers under SNMP. The SNMP Trap Receivers > New page appears (Figure 5-5).

Figure 5-5 SNMP Trap Receivers > New Page

Step 2 Specify the host name of the CAM to receive SNMP traps from the WLC in the Trap Receiver Name field.
Step 3 Enter the CAM’s IP address in the IP Address field.
Step 4 Choose Enable from the Status dropdown menu.
Step 5 Click Apply to commit your changes.
Step 6 Click Save Configuration to save your settings.
Wireless OOB Network Setup/Configuration Worksheet
Table 5-3 summarizes information needed to configure WLCs and the Clean Access Manager.

Table 5-3 Configuration Worksheet

Configuration Settings / Value

Wireless LAN Controller Configuration
• WLC IP Address/Netmask: ______
• New dynamic interface
  – SSID Access VLAN: ______
  – SSID Authentication (Quarantine) VLAN: ______
• SNMP version used
  – SNMP (V1/V2c) read community name: ______
  – SNMP (V1/V2c) write community name: ______
  – SNMP (V3) auth method/username/password: ______
• SNMP Trap V2c community string (to send traps to CAM): ______

CAM/CAS Configuration
• CAM host name: ______
• CAM IP address: ______
• CAS Trusted IP address: ______
• CAS Untrusted IP address: ______
• CAM SNMP Trap Receiver
  – Community name for SNMP Trap V1 devices: ______
  – Community name for SNMP Trap V2c devices: ______
  – Auth method/username/password for SNMP Trap V3 WLCs: ______
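The worksheet consolidates settings that have to agree between the WLC and the CAM. The following script, added here and not part of the Cisco guide, checks a filled-in worksheet against the constraints this chapter states: read over SNMP V1/V2c, write over V1/V2c/V3, traps only over V2c, community names of up to 16 characters that are not “public” or “private”, distinct Authentication (Quarantine) and Access VLANs, a trap community that matches the CAM SNMP Receiver, and a single-word profile name. The dictionary keys and the sample values are constructed; the community strings reuse the chapter’s “wlc4400_read”/“wlc4400_write” example, so underscores are accepted.

```python
"""Consistency check for a Wireless OOB worksheet (added example, constructed keys)."""
import re

READ_VERSIONS = {"v1", "v2c"}           # CAM-to-WLC SNMP read (SNMP Control section)
WRITE_VERSIONS = {"v1", "v2c", "v3"}    # CAM-to-WLC SNMP write
TRAP_VERSIONS = {"v2c"}                 # the only trap version CAM and WLC share
V3_SECURITY = {"NoAuthNoPriv", "AuthNoPriv(MD5)", "AuthNoPriv(SHA)",
               "AuthPriv(MD5+DES-CBC)", "AuthPriv(SHA+DES-CBC)"}
# Up to 16 characters; underscore allowed because the chapter's own example uses it.
COMMUNITY_RE = re.compile(r"^[A-Za-z0-9_]{1,16}$")
PROFILE_RE = re.compile(r"^\w+$")       # single word: letters, digits, underscores


def check_community(name, label):
    """Return problems with one community string (empty list if acceptable)."""
    problems = []
    if not COMMUNITY_RE.match(name or ""):
        problems.append(f"{label}: must be 1-16 alphanumeric/underscore characters")
    if (name or "").lower() in ("public", "private"):
        problems.append(f"{label}: default community '{name}' must not be used")
    return problems


def validate(ws):
    """Return a list of problems; an empty list means the worksheet is consistent."""
    problems = []
    # The WLC needs two different VLANs to switch the client between.
    if ws.get("access_vlan") is None or ws.get("quarantine_vlan") is None:
        problems.append("both Access and Authentication (Quarantine) VLANs are required")
    elif ws["access_vlan"] == ws["quarantine_vlan"]:
        problems.append("Access and Authentication (Quarantine) VLANs must differ")
    # SNMP versions, per direction.
    if ws.get("read_version") not in READ_VERSIONS:
        problems.append("SNMP read version must be v1 or v2c")
    if ws.get("write_version") not in WRITE_VERSIONS:
        problems.append("SNMP write version must be v1, v2c or v3")
    if ws.get("trap_version") not in TRAP_VERSIONS:
        problems.append("WLC-to-CAM traps must use SNMP v2c")
    # Community strings on the WLC, and the matching CAM SNMP Receiver entry.
    problems += check_community(ws.get("read_community"), "read community")
    if ws.get("write_version") == "v3":
        if ws.get("v3_security") not in V3_SECURITY:
            problems.append("SNMP v3 write requires a known Security Method")
        if not ws.get("v3_username"):
            problems.append("SNMP v3 write requires a User Name")
    else:
        problems += check_community(ws.get("write_community"), "write community")
    problems += check_community(ws.get("trap_community"), "trap community")
    if ws.get("trap_community") != ws.get("cam_trap_v2c_community"):
        problems.append("WLC trap community does not match the CAM SNMP Receiver v2c community")
    # CAM-side naming rule for the WLC profile.
    if not PROFILE_RE.match(ws.get("wlc_profile_name") or ""):
        problems.append("WLC profile name must be a single word (letters, digits, underscores)")
    return problems


# Constructed worksheet for a consistent deployment (addresses are documentation ranges).
GOOD_WORKSHEET = {
    "wlc_ip": "192.0.2.10",
    "access_vlan": 10, "quarantine_vlan": 110,
    "read_version": "v2c", "read_community": "wlc4400_read",
    "write_version": "v2c", "write_community": "wlc4400_write",
    "trap_version": "v2c", "trap_community": "wlc4400_trap",
    "cam_trap_v2c_community": "wlc4400_trap",
    "wlc_profile_name": "WLC4400v2v2",
}

if __name__ == "__main__":
    for line in validate(GOOD_WORKSHEET) or ["worksheet OK"]:
        print(line)
```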
Configure Wireless LAN Controller Connection on the CAM
This section describes the web admin console configuration steps to implement Wireless OOB. In
general, you first configure Group and Wireless LAN Controller profiles, and the CAM’s SNMP
Receiver settings under OOB Management > Profiles. After the WLC profile is configured, add the new
WLC you want to communicate with to the Clean Access Manager’s domain under OOB Management
> Devices, and ensure the new profile appears in the Devices list.
The configuration sequence is as follows:
1. Plan your settings and configure the switches to be managed, as described in the previous section, Configure Your Wireless LAN Controllers, page 5-7.
2. Add a Wireless Out-of-Band Clean Access Server and Configure Environment, page 5-13
3. Configure Group Profiles, page 5-14
4. Configure Wireless LAN Controller Profiles, page 5-15
5. Configure SNMP Receiver, page 5-18
6. Add and Manage Wireless LAN Controllers, page 5-19
Add a Wireless Out-of-Band Clean Access Server and Configure Environment
Almost all the CAM/CAS configuration for Wireless Out-of-Band deployment is done directly in the
OOB Management module of the CAM web console. If your Wireless LAN Controller installation
features great enough throughput/bandwidth, you can (and may need to) configure more than one Clean
Access Server to handle all of the authentication traffic between wireless client machines and the Cisco
NAC Appliance system.
To add a Wireless OOB Clean Access Server to the CAM:
Step 1 Choose the Out-of-Band Virtual Gateway option from the Server Type dropdown menu (Figure 5-6).

Figure 5-6 Add New OOB Server

The Clean Access Server itself must be either in-band or out-of-band. The Clean Access Manager can control both in-band and out-of-band CASs in its domain.
Note: You can only deploy CASs supporting wireless client machine authentication in Virtual Gateway mode.
Step 2 Enter the IP address of the Clean Access Server’s eth0 (trusted) interface in the Server IP Address field.
Step 3 (Optional) Enter the Clean Access Server location/description/purpose in the Server Location field.
Step 4 Click Add Clean Access Server.
Configure Group Profiles
When you first add a WLC to the Clean Access Manager’s domain (under OOB Management >
Devices), a Group profile must be applied to add the new WLC. There is a predefined Group profile
called default, shown in Figure 5-7. All WLCs are automatically put in the default group when you add
them. You can leave this default Group profile setting, or you can create additional Group profiles as
needed. If you are adding and managing a large number of WLCs, creating multiple Group profiles
allows you to filter which sets of devices to display from the list of WLCs (under OOB Management >
Devices > Devices > List).
Figure 5-7 Group Profiles List

Add Group Profile
Step 1 Go to OOB Management > Profiles > Group > New (Figure 5-8).

Figure 5-8 New Group

Step 2 Enter a single word for the Group Name. You can use digits and underscores, but no spaces.
Step 3 Enter an optional Description.
Step 4 Click Add. The new Group profile appears under OOB Management > Profiles > Group > List.

Edit Group Profile
Step 1 To edit the profile later, after actual WLCs are added, go to OOB Management > Profiles > Group > List and click the Edit button for the new Group profile.
Step 2 The Edit page appears (Figure 5-9).

Figure 5-9 Edit Group

Step 3 You can toggle the WLCs that belong in the Group profile by selecting the IP address of the WLC from the Member Devices or Available Devices columns and clicking the Join or Remove buttons as applicable.
Step 4 Click the Update button when done to save your changes.
Note: To delete a group profile, you must first remove the joined switches and/or WLCs from the profile.
Configure Wireless LAN Controller Profiles
A WLC profile must first be created under OOB Management > Profiles > Device > New, then applied
when a new WLC is added. A WLC profile classifies WLCs of the same model and SNMP settings, as
shown in Figure 5-10. The WLC profile configures how the CAM learns client Authentication/Access
VLAN assignments from the WLC and when to remove Wireless OOB clients from the Online Users
List for a WLC of that type.
Figure 5-10 Device Profiles List
The Device profiles list under OOB Management > Profiles > Device > List provides three buttons:
• Devices—Clicking this button brings up the list of added devices under OOB Management > Devices > Devices > List (see Figure 5-14).
• Edit—Clicking this button brings up the Edit Device profile form (see Figure 5-12).
• Delete—Clicking this icon deletes the Device profile (a confirmation dialog appears first).
Add Wireless LAN Controller Profile
Use the following steps to add a Wireless LAN Controller profile.
Step 1 Go to OOB Management > Profiles > Device > New (Figure 5-11).

Figure 5-11 New Wireless LAN Controller Profile

Step 2 Enter a single word for the Profile Name. You can use digits and underscores but no spaces.
Note: It is a good idea to enter a WLC name that identifies the model and SNMP read and write versions, for example “WLC4400v2v3.”
Step 3 Choose the Device Model for the profile from the dropdown menu.
Step 4 Enter the SNMP Port configured on the WLC to send/receive traps. The default port is 161.
Step 5 Enter an optional Description.
Step 6 Configure SNMP Read Settings to match those on the WLC.
• Choose the SNMP Version: SNMP V1 or SNMP V2C.
• Type the Community String configured for the WLC.
Step 7 Configure SNMP Write Settings to match those on the WLC.
• Choose the SNMP Version: SNMP V1, SNMP V2C, or SNMP V3.
• Type the Community String for SNMP V1 or SNMP V2C configured for the WLC.
Step 8 If SNMP v3 is used for SNMP write settings on the WLC, configure the following settings to match those on the WLC:
• Choose a Security Method from the dropdown menu: NoAuthNoPriv, AuthNoPriv(MD5), AuthNoPriv(SHA), AuthPriv(MD5+DES-CBC), or AuthPriv(SHA+DES-CBC).
• Type the User Name.
• Type the User Auth.
• Type the User Priv.
Step 9 Click Add to add the Wireless LAN Controller profile to OOB Management > Profiles > Device > List (Figure 5-14).
Figure 5-12 illustrates a WLC profile defining a Cisco 4400 Wireless LAN Controller with the same SNMP settings: SNMP V2c with read community string “wlc4400_read” and write community string “wlc4400_write.”

Figure 5-12 Example Wireless LAN Controller Profile
Configure SNMP Receiver
The SNMP Receiver form configures how the SNMP Receiver running on the Clean Access Manager
receives and responds to SNMP trap notifications from WLCs when user events occur (such as when a
user first logs on to or logs off of the network). The SNMP Receiver configuration on the CAM must
match the WLC configuration in order for the WLC to send SNMP traps to the CAM.
SNMP Trap
This page configures settings for the SNMP traps the CAM receives from switches and WLCs. The Clean Access Manager SNMP Receiver can simultaneously support different versions of SNMP (V1, V2c, V3) when controlling groups of switches and/or WLCs in which individual devices may be using different versions of SNMP.
Step 1 Go to OOB Management > Profiles > SNMP Receiver > SNMP Trap (Figure 5-13).

Figure 5-13 CAM SNMP Receiver

Step 2 Use the default Trap Port on Clean Access Manager (162) or enter a new port number here.
Step 3 For SNMP V1 Settings, type the Community String used on switches using SNMP V1.
Step 4 For SNMP V2c Settings, type the Community String used on switches using SNMP V2c.
Step 5 For SNMP V3 Settings, configure the following fields used on switches using SNMP V3:
• Choose the Security Method from the dropdown menu: NoAuthNoPriv, AuthNoPriv(MD5), AuthNoPriv(SHA), AuthPriv(MD5+DES-CBC), or AuthPriv(SHA+DES-CBC).
• Type the User Name.
• Type the User Auth.
• Type the User Priv.
Step 6
Click Update to save settings.
Add and Manage Wireless LAN Controllers
The pages under the OOB Management > Devices > Devices tab are used to discover and add new
switches and WLCs within an IP range, add new switches or WLCs by exact IP address, and manage the
list of associated devices. There are two methods to add new managed WLCs:
• Add New Wireless LAN Controller, page 5-19
• Search New Wireless LAN Controllers, page 5-20
Figure 5-14 List of Devices
The list of devices under OOB Management > Devices > Devices > List displays all switches added
from the New or Search forms. Wireless LAN Controller entries in the list include the WLC’s IP
address, MAC address, Description, and WLC Profile. You can sort the entries on the list by Device
Group or Device Profile dropdowns, or you can simply type a Device IP and hit Enter to search for a
switch by its address. Additionally, the List provides one control and two buttons:
• Config—Clicking the Config button brings up the Config Tab, page 5-22 for the WLC.
• Delete—Clicking the Delete button deletes the WLC from the list (a confirmation dialog appears
before the WLC entry is removed).
Note
The Port Profile dropdown is only used for adding switches to the Devices list and does not pertain to
WLCs. Profile links do not apply to WLCs and are “grayed out” in the Devices list for WLC entries.
Add New Wireless LAN Controller
The New page allows you to add WLCs when exact IP addresses are already known.
Step 1 Go to OOB Management > Devices > Devices > New (Figure 5-15).
Figure 5-15 Add New Wireless LAN Controller
Step 2 Choose the Device Profile from the dropdown menu to apply to the WLC to be added.
Step 3 Choose the Device Group for the WLC from the dropdown menu.
Step 4 Type the IP Addresses of the WLC(s) you want to add. Separate each IP address by line.
Step 5 Enter an optional Description of the new switch.
Step 6 Click the Add button to add the WLC(s).
Step 7 Click the Reset button to reset the form.
Search New Wireless LAN Controllers
The Search page allows you to discover and add unmanaged switches within an IP range.
Step 1 Go to OOB Management > Devices > Devices > Search (Figure 5-16).
Figure 5-16 Search Devices
Step 2 Select a Device Profile from the dropdown list. The read community string of the selected WLC profile
is used to find WLCs with matching read settings.
Step 3 Type an IP Range in the text box. (The maximum range for a search is 256 addresses.)
Step 4 By default, the Don’t list devices already in the database checkbox is already checked. If you uncheck
this box, the resulting search will include devices you have already added.
Step 5 Choose a Device Group from the dropdown to apply to the WLCs found in the search.
Step 6 Click the checkbox to the left of each WLC you want to connect with the CAM. Alternatively, click the
checkbox at the top of the column to add all WLCs found from the search.
Note
While all WLCs matching the read community string of the WLC profile used for the search are listed,
only those WLCs matching the read SNMP version and community string can be added using the
Commit button. The CAM cannot communicate with a WLC unless its write SNMP settings match those
configured for its WLC profile.
Step 7 Click the Commit button to add the new devices. These devices are listed under OOB Management >
Devices > Devices > List.
Discovered Wireless Clients
Figure 5-17 shows the OOB Management > Devices > Discovered Clients > Wireless Clients page.
The Wireless Clients page lists all clients discovered by the Clean Access Manager via SNMP traps
between the CAM and the WLC. The page records the activities of out-of-band clients (regardless of
VLAN), based on the SNMP trap information that the Clean Access Manager receives.
When a client connects to a WLC and is assigned to the Authentication (Quarantine) VLAN, a trap is
sent and the Clean Access Manager creates an entry on the Wireless Clients page. The Clean Access
Manager adds a client’s MAC address, IP address, associated WLC, Access Point MAC address, and
Authentication (Quarantine) and Access VLAN assignments to the Wireless Clients list. Thereafter, the
CAM updates the entry as it receives new SNMP trap information for the client.
Removing an entry from the Wireless Clients list clears this status information for the Wireless OOB
client from the CAM.
Figure 5-17 Wireless Clients
Elements of the page are as follows:
• Show clients connected to WLC with IP—Leave the default of ALL WLCs displayed, or choose
a specific WLC from the dropdown menu. The dropdown menu displays all managed WLCs
configured on the CAM.
• Show client with MAC—Type a specific MAC address and press Enter to display a particular client.
• Clients/Page—Leave the default of 25 entries displayed per page, or choose from the dropdown
menu to display 50, 100, 200, or ALL entries on the page.
• Delete All Clients—This button removes all clients on the list.
• Delete Selected—This button only removes the clients selected in the check column to the far right
of the page.
• Note that you can click any of the following column headings to sort results by that column:
– MAC—MAC address of discovered wireless client
– IP—IP address of the wireless client
– WLC—IP address of the originating Wireless LAN Controller. Clicking the WLC IP address
brings up the OOB Management > Devices > WLC [IP address] > Config > Basic page for
the WLC. (For more information, see Config Tab, page 5-22.)
– SSID—The service set identifier to which the wireless client has been associated for network
access.
– AP MAC—The MAC address of the WLC Access Point through which the client is accessing
the network.
– Auth VLAN—Authentication (Quarantine) VLAN
A value of “N/A” in this column indicates that the VLAN ID for this MAC address is
unavailable from the WLC.
– Access VLAN—Access VLAN of the client
A value of “N/A” in this column indicates the Access VLAN ID is unavailable for the client.
For example, if the user is switched to the Authentication VLAN but has never successfully
logged into Cisco NAC Appliance (due to wrong user credentials), this machine will never have
been assigned to the Access VLAN.
– Last Update—The last time the CAM updated the information of the entry.
See Wireless Out-of-Band Users, page 5-24 for additional details on monitoring out-of-band users.
Config Tab
The Config tab allows you to modify Basic and Group profile settings for a particular Wireless LAN
Controller:
• Basic
• Group
Basic
The Basic tab (Figure 5-18) shows the following values configured for the WLC.
Figure 5-18 Config > Basic
• The first values come from the initial configuration done on the WLC itself:
– IP Address
– MAC Address
– Location
– Contact
– System Info (translated from the MIB for the WLC)
• Device Profile—Shows the Device Profile you are using for this WLC configured under OOB
Management > Profiles > Device. The WLC Device Profile sets the model type, the SNMP port on
which to send SNMP traps, SNMP version for read and write and corresponding community strings,
or authentication parameters (SNMP V3 Write).
• Description—Optional description of the WLC. To change this field, type a new description and
click Update.
Group
This page displays all the Group Profiles configured in the Clean Access Manager, and the Group
Profiles to which the WLC currently belongs. You can add the WLC to other Groups, or you can remove
the WLC from a Group Joined. To change the Group membership for all switches, go to OOB
Management > Profiles > Group (see Configure Group Profiles, page 5-14).
Figure 5-19 Config > Group
View Wireless Out-of-Band Online Users
When out-of-band is enabled, the Monitoring > View Online Users page displays links for both
In-Band and Out-of-Band users and display settings (Figure 5-20). See Out-of-Band Users, page 15-6
for details.
Figure 5-20 View Out-of-Band Online Users
Wireless Out-of-Band Users
Wireless OOB User Sessions
The following events trigger Wireless OOB users’ disconnection from the Cisco NAC Appliance system:
• SNMP trap messages from the WLC
• Certified Timer expiration
• Session Timer expiration
• Manual removal from CAM
Following log-off, users must undergo authentication again before they are allowed back into the internal
network. For additional details, see also Online Users List, page 15-3 and Manage Certified Devices,
page 10-30.
Wireless and Wired OOB User List Summary
Table 4-3 on page 4-66 describes the lists used to track out-of-band users.
Wireless OOB Troubleshooting