CLEANACCESS Archives

May 2009

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject: Inband Virtual Gateway Layer 2
From: Greg Schmitt <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Wed, 13 May 2009 09:38:59 -0400

The CAS is acting like a layer 2 switch. It is configured with only a 
management interface, with eth0 and eth1 having the same IP address.

The default gateways for the wireless networks exist beyond the trusted 
interface of the CAS, not on the CAS.

If the CAS is configured in a centralized, rather than an edge deployment, 
you must have VLAN mapping (between the untrusted-side and trusted-side 
wireless VLANs) configured on the CAS.

All wireless VLANs from the AP are configured as 'managed subnets' on the 
CAS with an unused IP address from their address range, and they have VLAN 
mappings configured (all this is under Device Management > Clean Access 
Servers > Advanced)

The CAS is configured to pass through DHCP requests.

Traffic flow:

1. The wireless user authenticates with the AP and sends out a DHCP request
2. The CAS receives the DHCP request via the wireless VLAN on the 
untrusted interface, maps the packet via the VLAN mapping to the trusted-
side VLAN and passes it out through the trusted interface to the wireless 
VLAN's default gateway
3. The wireless VLAN's default gateway interface passes the packet to the 
DHCP server via an IP helper address
4. The DHCP server receives the request, and sends the reply back through 
the wireless VLAN's gateway, the CAS trusted interface, out the CAS 
untrusted interface, to the AP, and finally back to the wireless user

            VLAN 110     VLAN 10    VLAN 20
user --- AP -------- CAS ------- GW ------- DHCP
             Trunk        Trunk

5. Now the user has an IP address, and the remaining NAC steps can begin 
(authentication, policy assessment, remediation, certification)


It might be helpful for you to check out the NAC ChalkTalk series at Cisco:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html

Cheers,

Greg
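A toy model of the layer-2 VLAN mapping Greg describes, added here as an example and not code from the thread or from Cisco. The VLAN numbers 110 and 10 come from the diagram; the MAC addresses are constructed, and the rule that only DHCP is bridged before a client is certified is an assumption of the model, not a statement of the real CAS policy.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

DHCP_PORTS = {67, 68}  # UDP ports used by the DHCP discover/offer exchange

@dataclass
class Frame:
    vlan: int                        # 802.1Q tag the frame carries
    src_mac: str
    dst_mac: str
    udp_dport: Optional[int] = None  # None for non-UDP traffic

class VirtualGatewayCAS:
    """In-band Virtual Gateway: eth0/eth1 share one IP and act as a bridge."""

    def __init__(self, vlan_mapping: Dict[int, int]):
        # untrusted-side VLAN -> trusted-side VLAN, as configured under
        # Device Management > Clean Access Servers > Advanced
        self.u2t = dict(vlan_mapping)
        self.t2u = {t: u for u, t in vlan_mapping.items()}
        self.certified: Set[str] = set()  # MACs that finished the NAC steps

    def from_untrusted(self, f: Frame) -> Optional[Frame]:
        """Frame from the AP trunk; returns it as sent out the trusted
        interface, or None when the CAS drops it."""
        trusted = self.u2t.get(f.vlan)
        if trusted is None:
            return None  # no VLAN mapping: the frame is never bridged
        # Model assumption: before certification only DHCP passes through
        # (the real unauthenticated-role policy is richer than this).
        if f.src_mac not in self.certified and f.udp_dport not in DHCP_PORTS:
            return None
        return Frame(trusted, f.src_mac, f.dst_mac, f.udp_dport)

    def from_trusted(self, f: Frame) -> Optional[Frame]:
        """Reply from the gateway side, re-tagged onto the wireless VLAN."""
        untrusted = self.t2u.get(f.vlan)
        if untrusted is None:
            return None
        return Frame(untrusted, f.src_mac, f.dst_mac, f.udp_dport)

    def certify(self, mac: str) -> None:
        self.certified.add(mac)

# Constructed walkthrough of steps 1-4 with the diagram's VLAN numbers.
cas = VirtualGatewayCAS({110: 10})
discover = Frame(110, "02:00:00:00:00:aa", "ff:ff:ff:ff:ff:ff", udp_dport=67)
out = cas.from_untrusted(discover)   # leaves eth1 tagged VLAN 10
offer = Frame(10, "02:00:00:00:00:01", "02:00:00:00:00:aa", udp_dport=68)
back = cas.from_trusted(offer)       # returns toward the AP on VLAN 110
```

The unmapped-VLAN case is what a centralized deployment without VLAN mapping looks like: the discover never reaches the gateway and the client never gets an address.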
