Cisco Clean Access Users and Administrators wrote:
> This sounds like you are mixing implementation types. You do
> NOT specify ports in IN-VG mode.
> You only do this in OOB mode.
>
> In-Band mode works by having the routing interface (the
> default gateway) be the CAS server. There is no VLAN switching on
> the port itself.
Hi Mike, and first of all thanks for the reply...
I'll try to be more clear in the explanation :-)
- Actually we connect the access points and switches using "NAC
controlled" ports (when you set up the port profile - under "Switch
Management > Profiles > Port" section - you have to specify the Auth
VLAN and Default Access VLAN for that port profile): is it correct that
the switch port is under NAC control (on a fixed VLAN)? (I think so...
If not, CAS will never intercept/manage communications on that port...)
- Do the APs have to be on the same VLAN (Auth VLAN) as the above managed
port, defined in that port profile?
You wrote: "You do NOT specify ports in IN-VG mode"; what did you mean? Do
you mean that in IB-VG mode we don't have to use NAC controlled ports on
the switch?
- Are static routes required in the CAS config (Device Management > Clean
Access Servers > CAS_IP > Advanced > Static Routes)?
I hope this further info helps make the point clearer... :-)
Diego
--
Diego Cossetta
ICT Security Consultant - Scouting e Sviluppo Tecnico - Business Unit
I.NET | BT Global Services Tel: +39-02-328631
Fax: +39-02-328637701
http://www.inet.it