Specifications

8-27
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule
Example Traffic Policies
Adding Traffic Policies for Default Roles
Create Untrusted -> Trusted traffic policies for the default roles (Unauthenticated, Temporary, and
Quarantine) to allow users access to any of the resources described below.
Unauthenticated Role
If customizing the web login page to reference logos or files on the CAM or external URL, create IP
policies to allow the Unauthenticated role HTTP (port 80) access to the CAM or external server. (See
also Upload a Resource File, page 5-13 and Create Content for the Right Frame, page 5-11 for details.)
Agent Temporary Role
If providing definition updates for enterprise antivirus products, allow access to the local update
server so that the Agent can trigger a live update (see Allowing Traffic for Enterprise AV Updates
with Local Servers, page 8-24).
Note This behavior is only applicable to the Cisco NAC Agent because the Cisco NAC Web Agent
does not support automatic remediation.
If providing required software packages from the CAM (e.g., via File Distribution), create IP policies
to allow Temporary role access to port 443 (HTTPS) of the CAM. Make sure to specify the IP
address/subnet mask to allow access only to the CAM (for example,
10.201.240.11/255.255.255.255:443).
Enable Default Host Policies and Trusted DNS Server and/or create new allowed Host policies to
allow users access to update sites (see Enable Default Allowed Hosts, page 8-9).
Set up any additional traffic policies to allow users in the Temporary role access to external web
pages or servers (for example, see Configure Network Policy Page (Acceptable Use Policy) for
Agent Users, page 9-11).
Quarantine Role
If providing required software packages from the CAM (e.g., via network scanning Vulnerabilities
page), create IP policies to allow the Quarantine role access to port 443 (HTTPS) of the CAM. Make
sure to specify the IP address and subnet mask to allow access only to the CAM (for example,
10.201.240.11/255.255.255.255:443).
Enable Default Host Policies and Trusted DNS Server and/or create new allowed Host policies to
allow users access to update sites (see Enable Default Allowed Hosts, page 8-9).
Set up any additional traffic policies to allow users in the Quarantine role access to external web
pages or servers for remediation.
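The per-role Untrusted -> Trusted IP policies described above, modelled as an added example (this is not configuration or code from the Cisco guide). It assumes the example CAM address 10.201.240.11 and checks that each default role reaches only the CAM port it needs, flagging any policy whose subnet mask opens more than the single CAM host.

```python
# Added example (not from the Cisco guide): a model of the per-role
# Untrusted -> Trusted IP traffic policies described above, used to check
# that each default role reaches only the CAM ports it needs.
import ipaddress
from dataclasses import dataclass

CAM_IP = "10.201.240.11"  # example CAM address used in the guide


@dataclass(frozen=True)
class IpPolicy:
    role: str
    proto: str
    network: ipaddress.IPv4Network  # built from IP address + subnet mask
    port: int


def make_policy(role: str, proto: str, ip: str, mask: str, port: int) -> IpPolicy:
    # "10.201.240.11/255.255.255.255" becomes a host-only (/32) network.
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return IpPolicy(role, proto, net, port)


# Policies for the default roles as recommended above; everything else stays blocked.
POLICIES = [
    make_policy("Unauthenticated", "tcp", CAM_IP, "255.255.255.255", 80),
    make_policy("Temporary", "tcp", CAM_IP, "255.255.255.255", 443),
    make_policy("Quarantine", "tcp", CAM_IP, "255.255.255.255", 443),
]


def is_allowed(role, proto, dst_ip, dst_port, policies=POLICIES) -> bool:
    """True if an Untrusted -> Trusted flow from `role` matches an allow policy."""
    dst = ipaddress.IPv4Address(dst_ip)
    return any(
        p.role == role and p.proto == proto and p.port == dst_port and dst in p.network
        for p in policies
    )


def overly_broad(policies=POLICIES):
    """Return policies whose mask lets a role reach more than a single host."""
    return [p for p in policies if p.network.num_addresses > 1]


if __name__ == "__main__":
    assert is_allowed("Temporary", "tcp", CAM_IP, 443)
    assert not is_allowed("Temporary", "tcp", "10.201.240.12", 443)
    # A 255.255.255.0 mask would open the whole CAM subnet to the Temporary role.
    loose = [make_policy("Temporary", "tcp", CAM_IP, "255.255.255.0", 443)]
    print(overly_broad(loose))
```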
Table 8-2 summarizes resources, roles, and example traffic policies for system roles.