CLEANACCESS Archives

May 2008

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From:
Daniel Sichel <[log in to unmask]>
Reply To:
Cisco Clean Access Users and Administrators <[log in to unmask]>
Date:
Fri, 2 May 2008 09:06:56 -0700
Content-Type:
text/plain
Parts/Attachments:
text/plain (48 lines)
<snip>
We are looking at transitioning to Out-of-Band for our CCA deployment here at AU and in preparation are setting up our test hardware in order to gauge user impact. I'm finding the Cisco provided documentation vague at best however.
<snip>

Vague is an understatement. A couple of caveats from one with many
bleeding wounds in this battle. 
1. Identify the management VLAN and set it on the protected side.
2. BELIEVE THEM when they say, do not connect up the untrusted interface
until the managed subnets are set up. 
3. Do not try this with a flat network if you don't have to; that is,
have a layer three boundary between clients on the protected side and
servers. There was a bug in the click router module that appears to have
been fixed in the latest software release for the CAM and CAS. If your
servers and clients are on the same LAN segment (ours are) then you
need this release. Alternatively, you can have clients and the servers
they access on different LANs if you don't already. This may cause
issues with access to DHCP and remediation sources.
4. Do NOT BELIEVE the diagrams in the manual, they are SOOOO MISLEADING
and conflict with each other. 
5. Configure static routes to your authentication servers.
6. I use VLAN mapping, but have been told by Cisco support people that
this feature "is of the devil". Proceed with caution I guess.
7. Talk to your switch people. They will be giving you read/write SNMP
access or this stuff won't work. On the plus side v3 is supported so if
your switches have the chops, you can encrypt the SNMP traffic to keep
it hidden from mischievous visitors. 
8. If you can, get a hold of the Cisco internal training documentation,
it's not too bad.
9. You really do need to keep the CAS and CAM on separate vlans, you
really do need the dead end vlans for native mode on CAS ports. You
really will need to talk to your router and firewall people to
facilitate all the different traffic.
10. And finally, if you figure out how to get a signing-off client to
properly drop itself from the list of online users and certified devices
ALL THE TIME, let me know.

Cheers



Daniel Sichel, CCNP, MCSE, MCSA, MCTS (Windows 2008)
Network Engineer
Ponderosa Telephone (559) 868-6367
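Item 7 above is the one most worth getting right before the switch team hands anything over: OOB needs read/write SNMP to the access switches, and a read/write community string on the wire in cleartext is a full remote-control handle on your edge. The fragment below is an added illustration, not Daniel's configuration or anything from the Cisco documentation. It shows, in Cisco IOS syntax, the weak SNMPv2c setup many shops start with next to an SNMPv3 authPriv setup that limits SNMP to one manager address. The CAM address (192.0.2.10), the ACL number, the user/group/view names, the passphrase placeholders, and the choice of linkup/linkdown and MAC-notification traps as the events the CAM consumes are all assumptions for the example; check the trap set against the OOB release notes for your CAM version.

```cisco
! --- Weak (avoid): one read/write community, sent in cleartext,
!     usable by anyone on a path to the switch who learns the string.
! snmp-server community cca-rw RW

! --- Hardened: SNMPv3 with authentication + encryption (authPriv),
!     and only the CAM (address assumed: 192.0.2.10) may use it.
access-list 10 remark SNMP managers allowed to reach this switch
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log

! View/group/user names are arbitrary labels chosen for this example.
snmp-server view  CCA-VIEW  iso included
snmp-server group CCA-GROUP v3 priv read CCA-VIEW write CCA-VIEW access 10
! Replace AUTH-PASSPHRASE / PRIV-PASSPHRASE with long, distinct secrets.
! Note: "snmp-server user" lines are not echoed in the running-config;
! verify with "show snmp user".
snmp-server user cca-manager CCA-GROUP v3 auth sha AUTH-PASSPHRASE priv aes 128 PRIV-PASSPHRASE access 10

! Traps to the CAM over the same v3 user, so they are encrypted too.
! (Which trap types OOB actually consumes is an assumption here.)
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change
snmp-server host 192.0.2.10 version 3 priv cca-manager
```

If a switch cannot do v3 (item 7's "if your switches have the chops"), the fallback is at least an ACL on the v2c community (`snmp-server community <string> RW 10`) so the write community is only honoured from the CAM address; that still leaves the string readable on the wire, which is exactly what the v3 priv configuration above removes.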
