Specifications
2-11
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 2 Device Management: Adding Clean Access Servers, Adding Filters
Global Device and Subnet Filtering
• IB: Block network access to the device/subnet.
  OOB: Block network access and assign the Auth VLAN to the device.
• IB: Bypass login/posture assessment and assign a user role to the device/subnet.
  OOB: Bypass login/posture assessment and assign the Out-of-Band User Role VLAN to the device (the Access VLAN configured in the user role).
Note Because a device in a Filter entry is allowed or denied access without authentication, the device will not appear in the Online Users list in a Layer 2 deployment. Such devices can, however, still be tracked on the In-Band network through the Active Layer 2 Device Filters List. See View Active Layer 2 Device Filter Policies, page 2-26 for more information.
Some uses of device filters include:
• For printers on user VLANs, you can set up an “allow” device filter for the printer's MAC address to allow the printer to communicate with Windows servers. Cisco recommends configuring device filters for printers in OOB deployment also. This prevents a user from connecting to a printer port in order to bypass authentication.
• For In-Band Cisco NAC Appliance L3/VPN concentrator deployment, you can configure a device or subnet filter to allow traffic from an authentication server on the trusted network to communicate with the VPN concentrator on the untrusted network.
• For very large numbers of non-NAC network devices (IP phones, printers, fax machines, etc.), you can add them to the device filter list to ensure they bypass Cisco NAC Appliance authentication, posture assessment, and remediation functions.
Note Device filter lists can also be automatically created and updated on the CAM using Cisco NAC Profiler. See Global Device Filter Lists from Cisco NAC Profiler, page 2-18 for details.
Note The Policy Sync feature exports all global device filters created on the Master CAM to the Receiver CAMs. Any MAC address which is in the Master CAM’s global Device Filter list will be exported, including Cisco NAC Profiler generated filters. See Policy Import/Export, page 14-28 for details.
Note Device filter settings and/or subnet filter settings take precedence over the CAS Fallback Policy. While in CAS fallback mode, CAS device filter settings determine behavior based on the client MAC address. If device filter settings do not apply (for example, if the CAS is a Layer 3 gateway and cannot determine the client MAC address), the CAS also looks for applicable subnet filter settings before applying the CAS Fallback Policy. See Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x) for details.
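The precedence described in the note above (device filter by MAC, then subnet filter, then the CAS Fallback Policy) and the IB/OOB outcomes listed earlier, modelled as an added Python example. This is not Cisco code; the filter entries, role names and the `lookup_filter`/`enforce` functions are constructed for illustration.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed sample entries (illustrative, not from the guide). Device filters
# key on a MAC address; subnet filters on an IPv4 network. The two actions mirror
# the behaviours described above: "deny" blocks the device, "bypass" skips
# login/posture assessment and assigns the named user role.
DEVICE_FILTERS = {
    "00:11:22:33:44:55": ("bypass", "printer"),
    "aa:bb:cc:dd:ee:ff": ("deny", None),
}
SUBNET_FILTERS = [
    (ipaddress.ip_network("10.20.0.0/24"), ("bypass", "ip-phone")),
    (ipaddress.ip_network("10.99.0.0/16"), ("deny", None)),
]

Result = Tuple[str, Optional[str], Optional[str]]  # (matched_by, action, role)

def lookup_filter(mac: Optional[str], ip: str) -> Result:
    """Resolve a client in the order the guide states: device (MAC) filter first,
    then subnet filter, then the CAS Fallback Policy. mac is None when the CAS is
    a Layer 3 gateway and cannot learn the client's MAC address."""
    if mac is not None:
        entry = DEVICE_FILTERS.get(mac.lower())
        if entry is not None:
            return ("device", *entry)
    addr = ipaddress.ip_address(ip)
    for net, entry in SUBNET_FILTERS:
        if addr in net:
            return ("subnet", *entry)
    return ("fallback", None, None)  # no filter matched: CAS Fallback Policy applies

def enforce(result: Result, deployment: str) -> str:
    """Map a filter decision to the In-Band (IB) or Out-of-Band (OOB) outcome."""
    matched_by, action, role = result
    if matched_by == "fallback":
        return "apply CAS Fallback Policy"
    if action == "deny":
        return "block network access" if deployment == "IB" else "block network access, assign Auth VLAN"
    # "bypass": no login or posture assessment for this device
    if deployment == "IB":
        return f"assign user role {role}"
    return f"assign Access VLAN of user role {role}"

if __name__ == "__main__":
    for mac, ip in [("00:11:22:33:44:55", "10.20.0.5"), (None, "10.20.0.5"), (None, "172.16.0.9")]:
        r = lookup_filter(mac, ip)
        print(mac, ip, r, "| IB:", enforce(r, "IB"), "| OOB:", enforce(r, "OOB"))
```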
Note In wireless deployments, when you are adding a client to the filter list, make sure that the client is not connected to the WLC and authenticated by NAC. If the client machine is already connected to the WLC and authenticated, adding it to the filter list does not work. You need to disconnect the client machine and reconnect it to enable the filter.