
8-24
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule
Example Traffic Policies
This section describes the following:
Allowing Authentication Server Traffic for Windows Domain Authentication, page 8-24
Allowing Traffic for Enterprise AV Updates with Local Servers, page 8-24
Allowing Gaming Ports, page 8-24
Adding Traffic Policies for Default Roles, page 8-27
Allowing Authentication Server Traffic for Windows Domain Authentication
If you want users on the network to be able to authenticate to a Windows domain prior to authenticating
to the Cisco NAC Appliance, the following minimum policies allow users in the Unauthenticated role
access to AD (NTLM) login servers:
Allow TCP *:* Server/255.255.255.255: 88
Allow UDP *:* Server/255.255.255.255: 88
Allow TCP *:* Server/255.255.255.255: 389
Allow UDP *:* Server/255.255.255.255: 389
Allow TCP *:* Server/255.255.255.255: 445
Allow UDP *:* Server/255.255.255.255: 445
Allow TCP *:* Server/255.255.255.255: 135
Allow UDP *:* Server/255.255.255.255: 135
Allow TCP *:* Server/255.255.255.255: 3268
Allow UDP *:* Server/255.255.255.255: 3268
Allow TCP *:* Server/255.255.255.255: 139
Allow TCP *:* Server/255.255.255.255: 1025
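The twelve rules above only make sense against the role's default behaviour: anything not listed stays blocked. The following Python is an added example, not part of the Cisco guide and not the appliance's own matching code; it parses rules written in the guide's notation, substitutes a constructed server address (10.0.0.5) for the "Server" placeholder, evaluates candidate flows with first-match-wins and an assumed default Block, and flags any rule that is broader than a single host and port so an administrator can spot an over-permissive entry before it reaches the Unauthenticated role.

```python
import ipaddress
import re
from dataclasses import dataclass

# Rule notation as printed in the guide:
#   <Allow|Block> <TCP|UDP> <src-host>:<src-port> <dst-host>/<mask>: <dst-port>
RULE_RE = re.compile(
    r"^(?P<action>Allow|Block)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\S+):(?P<sport>\*|\d+)\s+"
    r"(?P<dst>\S+)/(?P<mask>\S+):\s*(?P<dport>\*|\d+)$"
)

# Constructed sample policy: the AD (NTLM) login rules listed in the guide.
AD_LOGIN_POLICY = """
Allow TCP *:* Server/255.255.255.255: 88
Allow UDP *:* Server/255.255.255.255: 88
Allow TCP *:* Server/255.255.255.255: 389
Allow UDP *:* Server/255.255.255.255: 389
Allow TCP *:* Server/255.255.255.255: 445
Allow UDP *:* Server/255.255.255.255: 445
Allow TCP *:* Server/255.255.255.255: 135
Allow UDP *:* Server/255.255.255.255: 135
Allow TCP *:* Server/255.255.255.255: 3268
Allow UDP *:* Server/255.255.255.255: 3268
Allow TCP *:* Server/255.255.255.255: 139
Allow TCP *:* Server/255.255.255.255: 1025
"""

# Constructed placeholder for the domain controller address (assumption, not from the guide).
SERVER_IP = "10.0.0.5"


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str            # "*" or an IPv4 address
    sport: str          # "*" or a port number as text
    dst: ipaddress.IPv4Network
    dport: str          # "*" or a port number as text


def parse_rule(line: str, server_ip: str) -> Rule:
    """Parse one rule line; 'Server' in the destination is replaced by server_ip."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    dst = server_ip if m["dst"] == "Server" else m["dst"]
    # A dotted mask such as 255.255.255.255 is accepted directly by ipaddress.
    network = ipaddress.IPv4Network(f"{dst}/{m['mask']}", strict=False)
    return Rule(m["action"], m["proto"], m["src"], m["sport"], network, m["dport"])


def parse_policy(text: str, server_ip: str) -> list:
    return [parse_rule(line, server_ip) for line in text.splitlines() if line.strip()]


def _port_match(pattern: str, port: int) -> bool:
    return pattern == "*" or int(pattern) == port


def _src_match(pattern: str, ip: str) -> bool:
    return pattern == "*" or ipaddress.IPv4Address(pattern) == ipaddress.IPv4Address(ip)


def evaluate(rules: list, proto: str, src_ip: str, src_port: int,
             dst_ip: str, dst_port: int) -> str:
    """First matching rule decides; no match returns Block (assumed default-deny for the role)."""
    for r in rules:
        if (r.proto == proto
                and _src_match(r.src, src_ip)
                and _port_match(r.sport, src_port)
                and ipaddress.IPv4Address(dst_ip) in r.dst
                and _port_match(r.dport, dst_port)):
            return r.action
    return "Block"


def broad_rules(rules: list) -> list:
    """Allow rules wider than one destination host and one destination port."""
    return [r for r in rules
            if r.action == "Allow" and (r.dst.prefixlen < 32 or r.dport == "*")]


if __name__ == "__main__":
    rules = parse_policy(AD_LOGIN_POLICY, SERVER_IP)
    print(evaluate(rules, "TCP", "10.1.1.20", 51000, SERVER_IP, 88))   # Allow (Kerberos)
    print(evaluate(rules, "TCP", "10.1.1.20", 51000, SERVER_IP, 80))   # Block (not listed)
    print(evaluate(rules, "TCP", "10.1.1.20", 51000, "10.0.0.6", 88))  # Block (other host)
    print(broad_rules(rules))                                          # [] for this policy
```

The /255.255.255.255 mask is what keeps each rule pinned to the one login server; replacing it with a wider mask, or a port of `*`, is exactly what `broad_rules` reports.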
Allowing Traffic for Enterprise AV Updates with Local Servers
In order to allow definition updates for enterprise antivirus products, such as Trend Micro OfficeScan,
the Temporary role needs to be configured to allow access to the local server for automatic AV definition
updates.
For Trend Micro OfficeScan, the Temporary role policy needs to allow access to the local server that hosts
AutoPccP.exe. The Agent calls the Trend client locally, and the Trend client in turn runs the
AutoPccP.exe file either from a share (located at \\<trendserverip>\ofcscan\Autopccp.exe) or over
HTTP (depending on your Trend Micro configuration) and downloads the AV patches.
Allowing Gaming Ports
To allow gaming services, such as Microsoft Xbox Live, Cisco recommends creating a gaming user role
and adding a filter for the device MAC addresses (under Device Management > Filters > Devices >
New) to place those devices into the gaming role. You can then create traffic policies for that role to
allow traffic on the gaming ports.