Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 2 Device Management: Adding Clean Access Servers, Adding Filters
Global and Local Administration Settings
Local administration settings are set in the CAS management pages for a Clean Access Server and
apply only to that CAS. These include CAS network settings, SSL certificates, DHCP and 1:1 NAT
configuration, VPN concentrator configuration, IPSec key changes, local traffic control policies,
and local device/subnet filter policies.
The global or local scope of a setting is indicated in the Clean Access Server column in the web admin
console, as shown in Figure 2-4.
Figure 2-4 Scope of Settings
- GLOBAL: The entry was created using a global form in the CAM web admin console and applies
  to all Clean Access Servers in the CAM’s domain.
- <IP Address>: The entry was created using a local form from the CAS management pages and
  applies only for the CAS with this IP address.
In general, pages that display global settings (referenced by GLOBAL) also display local settings
(referenced by CAS IP address) for convenience. These local settings can usually be edited or deleted
from global pages; however, they can only be added from the local CAS management pages for a
particular Clean Access Server.
Global and Local Settings
Global (defined in CAM for all CASs) and local (CAS-specific) settings often coexist on the same CAS.
If a global and local setting conflict, either the local setting overrides the global setting, or the priority
of the policy determines which global or local policy to enforce.
- For device filter policies affecting a range of MAC addresses and traffic control policies, the priority
  of the policy (higher or lower in Device Management > Filters > Devices > Order) determines
  which global or local policy to enforce. Any device filter policy for an individual MAC address takes
  precedence over a filter policy (either global or local) for a range of addresses that includes the
  individual MAC address.
- For subnet filter policies where one subnet filter specifies a subset of an address range in a broader
  subnet filter, the CAM determines the priority of the filter based on the size of the subnet address
  range. The smaller the subnet (like a /30 or /28 subnet mask), the higher the priority in the subnet
  filter hierarchy.
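The precedence rules above, modelled as an added Python example (not Cisco code or CAM output) that reports which global or local entry wins on a given CAS. The record layout, the `order` field with 1 as the top of the Order list, and all MAC and IP values are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# scope is "GLOBAL" or the IP of the CAS that owns a local entry.
# order models the position in the Order list; 1 = top (assumed highest priority).
DeviceFilter = namedtuple("DeviceFilter", "scope first last action order")
SubnetFilter = namedtuple("SubnetFilter", "scope cidr action")

# Constructed sample data (documentation MAC/IP ranges), not from a real CAM.
DEVICE_FILTERS = [
    DeviceFilter("GLOBAL", "00:00:5E:00:53:00", "00:00:5E:00:53:FF", "DENY", 1),
    DeviceFilter("192.0.2.10", "00:00:5E:00:53:00", "00:00:5E:00:53:7F", "ALLOW", 2),
    DeviceFilter("192.0.2.10", "00:00:5E:00:53:20", "00:00:5E:00:53:20", "ALLOW", 3),
]
SUBNET_FILTERS = [
    SubnetFilter("GLOBAL", "10.10.0.0/16", "DENY"),
    SubnetFilter("192.0.2.10", "10.10.4.0/28", "ALLOW"),
]

def _mac(value):
    return int(value.replace(":", ""), 16)

def _in_scope(entry, cas_ip):
    # Global entries apply to every CAS; local entries only to their own CAS.
    return entry.scope in ("GLOBAL", cas_ip)

def effective_device_filter(mac, cas_ip, filters=DEVICE_FILTERS):
    hits = [f for f in filters
            if _in_scope(f, cas_ip) and _mac(f.first) <= _mac(mac) <= _mac(f.last)]
    # An individual-MAC entry beats any range; among ranges, list order decides.
    hits.sort(key=lambda f: (f.first != f.last, f.order))
    return hits[0] if hits else None

def effective_subnet_filter(ip, cas_ip, filters=SUBNET_FILTERS):
    addr = ipaddress.ip_address(ip)
    hits = [f for f in filters
            if _in_scope(f, cas_ip) and addr in ipaddress.ip_network(f.cidr)]
    # The smallest matching subnet (longest prefix) has the highest priority.
    return max(hits, key=lambda f: ipaddress.ip_network(f.cidr).prefixlen, default=None)

if __name__ == "__main__":
    for cas in ("192.0.2.10", "192.0.2.11"):
        print(cas, effective_device_filter("00:00:5E:00:53:20", cas),
              effective_subnet_filter("10.10.4.5", cas))
```

In the sample data, a local individual-MAC entry and a local /28 subnet entry each win over a broader global DENY on one CAS only, which is the kind of effective-policy difference worth checking when reviewing filters per CAS.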
Some features must be enabled on the CAS (via the CAS management pages) and/or configured
in the CAM console, for example:
- L3 support (for multi-hop L3 deployments) is enabled per CAS, but may require login
  page/Agent configuration on CAM
- Bandwidth Management is enabled per CAS but can be configured for all roles on the CAM
- Active Directory SSO is configured per CAS but requires Auth Provider on CAM
- Cisco VPN Concentrator SSO is configured per CAS but requires Auth Provider on CAM