I have read through this forum for a few hours now trying to get a handle on how to properly configure a Cisco 3310 NAC appliance in an environment in which each end-user PC connects to the network through their Cisco 7940 IP phone.
From what I have gathered, you can configure the NAC appliance to ignore the phones based on their MAC address, which will cause the PCs to have to authenticate properly. Is that correct, or is there a different/better way of accomplishing this?
Also, I seem to have read conflicting information on In-Band vs. Out-Of-Band configurations for this type of architecture (PC->phone->switch). Am I able to use Out-Of-Band, or am I limited to only an In-Band configuration?
There should be no problem in in-band with PCs behind phones.
The problem comes in with OOB situations where the switch is sending SNMP traps to the CAM every time a new MAC address is discovered on a switch port. So, the switch would send a trap to the CAM for both the PC MAC and the phone MAC. Depending on your configuration (if you have the settings checked to allow only one MAC address per port, and to reset the VLAN on that port if more than one MAC is detected), the CAM would now think that there are two devices connected to the port that need to be authenticated. Since the phone will never be able to authenticate via Clean Access, this usually means that users will end up in a login loop (login successfully, then CAM gets a trap from the phone, and resets the port to unauth VLAN). What you can do to fix this is put all the phones in the ignore filter and set the port profile to respect the filters. This way, the switch still sends the traps, but the CAM knows to ignore traps from those MAC addresses and so will only switch the port based on the user MAC addresses. Clear as mud?
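The login loop and its fix, as an added illustration that is not part of the thread and not Cisco code: a small constructed model of how a CAM reacts to MAC-notification traps on an OOB port. The MAC addresses, port name, VLAN numbers and the `mac_trap`/`user_login` helpers are all assumptions made for the example; the point it shows is that the ignore filter only helps when the port profile is also set to respect filters.

```python
"""Constructed model of CAM handling of switch MAC traps on an OOB port.

Not Cisco code and not connected to a real switch or CAM. All MACs, VLAN
numbers and the port name below are made up for the illustration.
"""
from dataclasses import dataclass, field

UNAUTH_VLAN = 110   # assumption: authentication VLAN
ACCESS_VLAN = 10    # assumption: access VLAN after a successful login

PHONE_MAC = "00:11:22:33:44:55"   # constructed phone MAC
PC_MAC = "66:77:88:99:aa:bb"      # constructed PC MAC
PORT = "FastEthernet0/1"          # constructed port name


@dataclass
class PortState:
    vlan: int = UNAUTH_VLAN
    seen_macs: set = field(default_factory=set)
    authenticated_macs: set = field(default_factory=set)


@dataclass
class CamModel:
    ignore_filter: set            # device filter: MACs the CAM should never try to authenticate
    respect_filters: bool = True  # port profile option: apply the device filters to traps
    ports: dict = field(default_factory=dict)

    def _port(self, name):
        return self.ports.setdefault(name, PortState())

    def user_login(self, port, mac):
        """User on `mac` passes Clean Access login: the port moves to the access VLAN."""
        p = self._port(port)
        p.seen_macs.add(mac)
        p.authenticated_macs.add(mac)
        p.vlan = ACCESS_VLAN
        return p.vlan

    def mac_trap(self, port, mac):
        """Switch reports a learned MAC on `port`; return the VLAN the CAM leaves it in."""
        p = self._port(port)
        if self.respect_filters and mac in self.ignore_filter:
            return p.vlan  # trap from a filtered device (phone): port untouched
        p.seen_macs.add(mac)
        # Any device on the port that has not authenticated sends the port
        # back to the unauth VLAN; this is what produces the login loop.
        if p.seen_macs - p.authenticated_macs:
            p.vlan = UNAUTH_VLAN
        return p.vlan


def simulate(respect_filters):
    """Replay the sequence from the thread: phone learned, PC learned, user logs in,
    then another trap for the phone. Returns (event, vlan) pairs."""
    cam = CamModel(ignore_filter={PHONE_MAC}, respect_filters=respect_filters)
    return [
        ("phone trap", cam.mac_trap(PORT, PHONE_MAC)),
        ("pc trap", cam.mac_trap(PORT, PC_MAC)),
        ("user login", cam.user_login(PORT, PC_MAC)),
        ("phone trap", cam.mac_trap(PORT, PHONE_MAC)),
    ]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"respect_filters={flag}:")
        for event, vlan in simulate(flag):
            print(f"  {event:11s} -> VLAN {vlan}")
```

With `respect_filters=False` the final phone trap drops the port back to the unauth VLAN right after the user logged in, which is the loop the reply describes; with the phone in the ignore filter and the port profile respecting it, the port stays in the access VLAN and only the PC's MAC drives the VLAN change.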
No, that makes perfect sense. Thanks for clearing that up.
So it is entirely possible to run OOB with the PCs connecting through the phones, assuming you add each phone's MAC address to the ignore filter, correct?
I'm a little concerned with running IB just because that would mean that there would be a new bottleneck in the network if the NAC appliance couldn't process all of the traffic being sent to it. I want to use OOB if possible based on what I have read about the differences between it and IB. My initial thought is to set up the Clean Access Server in an OOB Virtual Gateway operating mode.
From what you know of how the NAC appliances work, would the OOB Virtual Gateway seem like a reasonable choice? I'm still in the planning stages, but I want to make sure I'm not way off in left field.