Specifications

2-10
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 2 Device Management: Adding Clean Access Servers, Adding Filters
Agent requirements and network scanning plugins are configured globally from the CAM and apply
to all CASs.
Global Device and Subnet Filtering
This section describes the following:
Overview
Device Filters and User Count License Limits
Adding Multiple Entries
Corporate Asset Authentication and Posture Assessment by MAC Address
Device Filters for In-Band Deployment
Device Filters for Out-of-Band Deployment
Device Filters for Out-of-Band Deployment Using IP Phones
In-Band and Out-of-Band Device Filter Behavior Comparison
Device Filters and Gaming Ports
Global vs. Local (CAS-Specific) Filters
Global Device Filter Lists from Cisco NAC Profiler
Configure Device Filters
Configure Subnet Filters
Overview
By default, Cisco NAC Appliance forces user devices on the untrusted side of the CAS to authenticate
(log in) when attempting to access the network. If you need to allow devices on the untrusted side to
bypass authentication, you can configure device or subnet filters.
Filter lists (configured under Device Management > Filters) can be set by MAC, IP, or subnet address,
and can automatically assign user roles to devices. Filters allow devices (user or non-user) to bypass both
authentication and (optionally) posture assessment. This section describes how to configure device and
subnet filters.
Device filters are specified by MAC address (and optionally IP for In-Band deployments) of the device,
and can be configured for either In-Band (IB) or Out-of-Band (OOB) deployments. The MAC addresses
are input and authenticated through the CAM, but the CAS is the device that performs the actual filtering
action. For OOB, the use of device filters must also be enabled in the Port Profile (see Add Port Profile,
page 3-34). For both IB and OOB, devices put in the filter list bypass authentication. In both Layer 2 and
Layer 3 deployments, Out-of-Band device filters rely only on client MAC address when determining
whether or not to act upon MAC notification messages from an associated switch. (Device filters do not
take client IP addresses into account for Out-of-Band client machines because the CAM cannot reliably
verify Out-of-Band client IP addresses.)
Subnet filters can be configured for IB deployments only and are specified by subnet address and subnet
mask (in CIDR format).
You can configure device or subnet filters to do the following:
IB: Bypass login/posture assessment and allow all traffic for the device/subnet.
OOB: Bypass login/posture assessment and assign the Default Access VLAN to the device.
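To make the matching rules above concrete, the following is an added example (not Cisco code, and not how the CAM or CAS are implemented internally) that models the filter decision as this section describes it: device filters match on MAC address, with the optional IP address honoured only for In-Band; subnet filters (CIDR) apply to In-Band only; Out-of-Band ignores client IP entirely and yields the Default Access VLAN assignment rather than an "allow all traffic" result. The filter entries and addresses are constructed sample values, and the function and class names are my own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 00-11-22-AA-BB-CC and 00:11:22:aa:bb:cc compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class DeviceFilter:
    mac: str
    ip: Optional[str] = None   # optional IP; only taken into account for In-Band (hypothetical model)


@dataclass(frozen=True)
class SubnetFilter:
    cidr: str                  # subnet address/mask in CIDR form, e.g. "10.2.0.0/16"; In-Band only


@dataclass(frozen=True)
class Decision:
    bypass: bool
    action: str
    matched: Optional[str] = None   # which filter entry matched, for audit logging


def evaluate(mode: str, mac: str, ip: Optional[str],
             device_filters: List[DeviceFilter],
             subnet_filters: List[SubnetFilter]) -> Decision:
    """Decide whether a client on the untrusted side bypasses login/posture assessment."""
    if mode not in ("IB", "OOB"):
        raise ValueError("mode must be 'IB' or 'OOB'")
    client_mac = normalize_mac(mac)
    # The bypass result differs by deployment type (see the two bullets in the text).
    bypass_action = "allow all traffic" if mode == "IB" else "assign Default Access VLAN"

    # 1. Device filters: MAC match is mandatory; the IP condition is evaluated for IB only,
    #    because the CAM cannot reliably verify client IPs for OOB machines.
    for entry in device_filters:
        if normalize_mac(entry.mac) != client_mac:
            continue
        if mode == "IB" and entry.ip is not None:
            if ip is None or ip_address(ip) != ip_address(entry.ip):
                continue
        return Decision(True, bypass_action, f"device filter {entry.mac}")

    # 2. Subnet filters: IB deployments only.
    if mode == "IB" and ip is not None:
        addr = ip_address(ip)
        for entry in subnet_filters:
            if addr in ip_network(entry.cidr, strict=False):
                return Decision(True, bypass_action, f"subnet filter {entry.cidr}")

    # 3. Default: the device must authenticate (and undergo posture assessment).
    return Decision(False, "require login and posture assessment")


# Constructed sample filter list (not from any real deployment).
DEVICE_FILTERS = [DeviceFilter("00:11:22:AA:BB:CC", ip="10.1.1.50")]
SUBNET_FILTERS = [SubnetFilter("10.2.0.0/16")]

if __name__ == "__main__":
    for mode, mac, ip in [("IB", "00-11-22-aa-bb-cc", "10.1.1.50"),
                          ("IB", "00-11-22-aa-bb-cc", "10.1.1.99"),
                          ("OOB", "00-11-22-aa-bb-cc", "10.1.1.99"),
                          ("IB", "00:00:00:00:00:01", "10.2.3.4"),
                          ("OOB", "00:00:00:00:00:01", "10.2.3.4")]:
        print(mode, mac, ip, evaluate(mode, mac, ip, DEVICE_FILTERS, SUBNET_FILTERS))
```

The second and third sample cases are the ones worth noticing from a security standpoint: the same MAC with a mismatching IP is rejected In-Band but accepted Out-of-Band, because an OOB device filter is effectively a MAC-only allow list. Any host able to present a listed MAC on an OOB-managed port gets the Default Access VLAN without authentication, so OOB device filter lists deserve the same change control and review as any other authentication bypass.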