Specifications

8-29
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 8 User Management: Traffic Control, Bandwidth, Schedule
Troubleshooting Host-Based Policies
Figure 8-19 Example Traffic Policies for File Distribution Requirement (File is on CAM)
Troubleshooting Host-Based Policies
For host-based policies, the CAS needs to see DNS responses in order to allow the traffic. If you are having trouble with host-based policies, check the following:

• Make sure allowed hosts are enabled.

• Make sure a DNS server has been correctly added to the list of DNS servers to track (you can also add an asterisk (“*”) to track any DNS server).

• Make sure the DNS server is on the trusted interface of the CAS. If the DNS server is on the untrusted side of the CAS, the CAS never sees the DNS traffic.

• Make sure DNS reply traffic is going through the CAS. For example, ensure there is no alternate route for return traffic (i.e., trusted to untrusted) where traffic goes out through the CAS but does not come back through the CAS. This can be tested by adding a “Block ALL” policy in the “Trusted to Untrusted” direction for the Unauthenticated or Temporary Role. If DNS, etc. still succeeds, then there is an alternate path.

• Make sure the DNS server listed for the client is correct.

• Make sure proxy settings are correct for the client (if proxy settings are required).

• Check Device Management > CCA Servers > Manage [CAS_IP] > Filters > Roles > Allowed Hosts > View Current IP Address List to see the list of current IPs that are being tracked through the host-based policies. If this list is empty, users will see a security message.
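The checklist above follows from one mechanism: the CAS only learns which IP addresses belong to an allowed host by snooping DNS replies from a tracked DNS server, so any condition that keeps a reply out of the CAS's view leaves the Current IP Address List empty and the traffic blocked. The following simplified model is an added example written for this guide page; it is not Cisco code and does not reflect the CAS implementation. The class name, the host pattern "*.example.com", the DNS server addresses and the resolved IP 192.0.2.10 are all constructed for illustration.

```python
"""Simplified model of DNS-snooped host-based policy tracking (illustrative only)."""
from dataclasses import dataclass, field
from fnmatch import fnmatch
from ipaddress import ip_address


@dataclass
class HostPolicyTracker:
    """Models the CAS-side state behind 'Allowed Hosts' (constructed example)."""
    allowed_hosts: set                 # host patterns, e.g. {"*.example.com"}
    tracked_dns_servers: set           # DNS server IPs to track, or {"*"} for any server
    enabled: bool = True               # 'allowed hosts are enabled' checklist item
    current_ips: dict = field(default_factory=dict)  # resolved IP -> matching host name

    def _dns_server_tracked(self, server_ip: str) -> bool:
        return "*" in self.tracked_dns_servers or server_ip in self.tracked_dns_servers

    def _host_allowed(self, name: str) -> bool:
        return any(fnmatch(name.lower(), pat.lower()) for pat in self.allowed_hosts)

    def observe_dns_reply(self, server_ip: str, name: str, answers: list) -> bool:
        """Called for each DNS reply that actually traverses the CAS.

        Returns True when the reply populated the Current IP Address List.
        A reply from an untracked server, or for a host that is not in the
        allowed list, is ignored exactly as the checklist warns.
        """
        if not self.enabled or not self._dns_server_tracked(server_ip):
            return False
        if not self._host_allowed(name):
            return False
        for ip in answers:
            self.current_ips[str(ip_address(ip))] = name  # validates the address
        return True

    def allows(self, dst_ip: str) -> bool:
        """Traffic is permitted only to IPs learned from tracked DNS replies."""
        return self.enabled and dst_ip in self.current_ips


def simulate(tracked_dns_servers, dns_server_ip="10.0.0.53", reply_reaches_cas=True):
    """Run one troubleshooting scenario from the checklist.

    reply_reaches_cas=False models a DNS server on the untrusted side or an
    alternate return path: the CAS never observes the reply at all.
    Constructed addresses: DNS server 10.0.0.53, resolved host 192.0.2.10.
    """
    tracker = HostPolicyTracker(
        allowed_hosts={"*.example.com"},
        tracked_dns_servers=set(tracked_dns_servers),
    )
    if reply_reaches_cas:
        tracker.observe_dns_reply(dns_server_ip, "www.example.com", ["192.0.2.10"])
    return {
        "tracked_ips": sorted(tracker.current_ips),   # what 'View Current IP Address List' shows
        "allowed": tracker.allows("192.0.2.10"),       # whether client traffic gets through
    }


if __name__ == "__main__":
    print("tracked server   :", simulate({"10.0.0.53"}))
    print("wrong server     :", simulate({"10.0.0.99"}))
    print("wildcard server  :", simulate({"*"}))
    print("reply bypasses CAS:", simulate({"*"}, reply_reaches_cas=False))
```

The second and fourth scenarios both end with an empty list and blocked traffic even though the client's DNS lookup succeeded, which is why an empty Current IP Address List points at the DNS-tracking configuration or the return path rather than at the host list itself.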