Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 14 Administering the CAM
Policy Import/Export
The Policy Import/Export feature allows administrators to propagate device filters, traffic and remediation policies, and OOB port profiles from one CAM to several CAMs. You can define policies on a single CAM and configure it to be the Policy Sync Master. You can then configure up to a maximum of 10 CAMs or 10 CAM HA-pairs to be Policy Sync Receivers. You can export policies manually or schedule an Auto Policy Sync to occur once every x number of days.
A CAM can be either a Master or a Receiver for Policy Sync, and only one Master CAM is allowed to push policies for a given set of Receivers. To perform Policy Sync, the Master and Receiver CAMs must authorize each other using the DN from the SSL certificate of each CAM or CAM HA-pair. For production deployments, CA-signed SSL certificates should be used. CAM HA-pairs need an SSL certificate generated for the Service IP of the pair, and the DN from this certificate is used to authorize each CAM in the HA pair for the Policy Sync configuration.
During Policy Sync, the Master configuration completely overrides (and clears) the existing Receiver configuration for the policies that are configured for Policy Sync, such as OOB profiles or user roles. Policies/configurations that are not subject to Policy Sync are left alone on the Receiver CAM after a Policy Sync.

Note
• All CAMs must run release 4.5 or later to enable Policy Sync.
• On CAM HA-pairs, Policy Sync settings are disabled for the Standby CAM.
Policy Sync Policies
Policy Sync enables the following global configurations to be propagated from a Master CAM.
• Role-Based Policies
  – User roles with associated global traffic control policies (IP-based, Host-based, L2 Ethernet) and session timers
    Note This includes customized policies and the Default Host Policies and Default L2 Policies from Cisco Updates that are on the Master CAM.
  – Global device filters with access type: Role or Check
  – Agent rules (Cisco and AV/AS), requirements, rule-requirement mappings, and role-requirement mappings
    Note This includes customized checks/rules as well as the Cisco Checks & Rules and Supported AV/AS Product List (Windows & Macintosh) from Cisco Updates that are on the Master CAM and associated to rules/requirements.
• Non Role-Based Policies
  – Global device filters with access type: Allow, Deny or Ignore
• OOB Policies (switch information, i.e. Device/SNMP, is excluded)
  – Port Profiles
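The rules above have a consequence that is easy to miss when planning a rollout: a synced category on the Receiver is replaced wholesale, so any role, filter or Agent rule that exists only on a Receiver is lost after the first sync, while unsynced data such as switch/SNMP information survives. The following Python model is an added example written for this guide, not Cisco's code and not the CAM's API; the category names, the `Cam` class, the DN strings and the sample policies are all constructed here. It encodes the preconditions the text states (mutual DN authorization, at most 10 Receivers, one Master per Receiver, no sync to a Standby CAM) and the override-and-clear behaviour, so you can see exactly which Receiver-local data a sync would remove.

```python
"""Model of the Policy Sync rules described in this section.

Constructed example for illustration; it is not Cisco code and does not
talk to a CAM. Category names and sample values are assumptions.
"""
from copy import deepcopy
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_RECEIVERS = 10  # limit stated in the guide: 10 CAMs or 10 CAM HA-pairs

# Categories the guide lists as subject to Policy Sync (our own names).
SYNCED_CATEGORIES = (
    "user_roles",                       # roles, traffic policies, session timers
    "device_filters_role_check",        # device filters with access type Role/Check
    "agent_rules",                      # checks, rules, requirements and mappings
    "device_filters_allow_deny_ignore", # device filters with Allow/Deny/Ignore
    "oob_port_profiles",                # OOB port profiles (switch/SNMP data excluded)
)


class SyncError(Exception):
    """Raised when a sync would violate one of the guide's preconditions."""


@dataclass
class Cam:
    name: str
    cert_dn: str                                  # DN of the CAM's (or HA pair's) SSL cert
    policies: Dict[str, Dict[str, dict]] = field(default_factory=dict)
    authorized_dns: set = field(default_factory=set)  # peer DNs this CAM has authorized
    standby: bool = False                         # Standby member of an HA pair
    master_dn: Optional[str] = None               # DN of the Master already pushing to us


def authorize_pair(a: Cam, b: Cam) -> None:
    """Mutual authorization: each CAM records the other's certificate DN."""
    a.authorized_dns.add(b.cert_dn)
    b.authorized_dns.add(a.cert_dn)


def check_preconditions(master: Cam, receivers: List[Cam]) -> None:
    if len(receivers) > MAX_RECEIVERS:
        raise SyncError(f"at most {MAX_RECEIVERS} receivers are allowed")
    if master.master_dn is not None:
        raise SyncError(f"{master.name} is already a Receiver; a CAM is Master or Receiver")
    for r in receivers:
        if master.cert_dn not in r.authorized_dns or r.cert_dn not in master.authorized_dns:
            raise SyncError(f"{master.name} and {r.name} have not authorized each other's DN")
        if r.master_dn not in (None, master.cert_dn):
            raise SyncError(f"{r.name} already has a different Master")
        if r.standby:
            raise SyncError(f"{r.name} is the Standby CAM; Policy Sync is disabled there")


def policy_sync(master: Cam, receivers: List[Cam]) -> Dict[str, Dict[str, list]]:
    """Push every synced category Master -> Receivers; report what was touched."""
    check_preconditions(master, receivers)
    report = {}
    for r in receivers:
        untouched = sorted(c for c in r.policies if c not in SYNCED_CATEGORIES)
        # Override-and-clear: the Receiver's copy of each synced category is
        # replaced with the Master's, even when the Master has nothing in it.
        for cat in SYNCED_CATEGORIES:
            r.policies[cat] = deepcopy(master.policies.get(cat, {}))
        r.master_dn = master.cert_dn
        report[r.name] = {"replaced": list(SYNCED_CATEGORIES), "untouched": untouched}
    return report


def run_sample():
    """Constructed scenario: a branch CAM with local-only policies gets synced."""
    master = Cam("cam-master", "CN=cam-master.example.test", policies={
        "user_roles": {"employee": {"session_timeout_min": 480}},
        "oob_port_profiles": {"managed": {"auth_vlan": 10, "access_vlan": 20}},
    })
    receiver = Cam("cam-branch", "CN=cam-branch.example.test", policies={
        "user_roles": {"guest": {"session_timeout_min": 60}},   # local-only: cleared
        "agent_rules": {"local-av-check": {}},                    # local-only: cleared
        "switches": {"sw1": {"snmp_community": "placeholder"}},  # not synced: kept
    })
    authorize_pair(master, receiver)
    report = policy_sync(master, [receiver])
    return master, receiver, report


if __name__ == "__main__":
    _, branch, rep = run_sample()
    print(rep)
    print(branch.policies)
```

Run it before a real sync to sanity-check your inventory: anything you would put in a synced category on a Receiver must instead be defined on the Master, because the model (and the guide) clears it.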