2-12
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 2 Device Management: Adding Clean Access Servers, Adding Filters
Global Device and Subnet Filtering
Device Filters and User Count License Limits
• MAC addresses specified with the “ALLOW” option in the Device Filter list (bypass
authentication/posture assessment/remediation) do not count towards the user count license limit.
• MAC addresses specified with the “CHECK” option in the Device Filter list (bypass authentication
but go through posture assessment/remediation) do count towards the user count license limit.
Note: The maximum number of (non-user) devices that can be filtered is based on memory limitations and is
not directly connected to user count license restrictions. A CAS can safely support approximately 5,000
MAC addresses per 1 GB of memory.
Device filters and user/endpoint count license limits related to Cisco NAC Profiler depend upon the
Cisco NAC Profiler system deployment. For specific information, see Cisco NAC Appliance Service
Contract / Licensing Support and Cisco NAC Profiler Installation and Configuration Guide.
Changes to the behavior of MAC address role-based device filters do not take effect dynamically. The CAM
must receive a link-up/MAC notification (wired) or an Association/Disassociation trap (wireless) to
avoid first-time posture assessment when the NAC Agent pop-up is closed at the end client.
Adding Multiple Entries
You can enter a large number of MAC addresses into the device filter list by:
1. Specifying wildcards and MAC address ranges when configuring device filters.
2. Copying and pasting individual MAC addresses (one per line) into the New Device Filter form and
adding all of them with one click.
3. Using the API (cisco_api.jsp) addmac function to add the MAC addresses programmatically. See
API Support, page 14-65 for details.
Note: You can automate the management of a large number of endpoints by deploying the Cisco NAC Profiler
solution. When configured, the Cisco NAC Profiler Server/Collector automatically populates and
maintains global device filters on the CAM for profiled endpoints. See Global Device Filter Lists from
Cisco NAC Profiler, page 2-18 for more information.
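An added example (not from the Cisco guide): a pre-flight check for a MAC list before it is pasted one per line into the New Device Filter form, applying the ALLOW/CHECK license rule and the 5,000-addresses-per-GB guideline stated above. The "MAC ACTION" inventory format, the function names and seats_free (unused user count license seats) are assumptions; wildcards and ranges are not handled.

```python
import math
import re

MACS_PER_GB = 5000            # guideline from this section: ~5,000 MACs per 1 GB of CAS memory
LICENSED_ACTIONS = {"CHECK"}  # CHECK entries count toward the user count limit; ALLOW does not
KNOWN_ACTIONS = ("ALLOW", "CHECK")  # only the two options named in this section

def normalize_mac(raw):
    """Return AA:BB:CC:DD:EE:FF for colon, dash, dot or bare-hex input, else None."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def preflight(inventory, cas_memory_gb, seats_free):
    """Validate 'MAC ACTION' lines (hypothetical inventory format) before bulk entry."""
    entries, rejected = {}, []
    for lineno, line in enumerate(inventory.splitlines(), 1):
        parts = line.split("#", 1)[0].split()   # drop trailing comments
        if not parts:
            continue
        mac = normalize_mac(parts[0])
        action = parts[1].upper() if len(parts) == 2 else None
        if mac is None or action not in KNOWN_ACTIONS:
            rejected.append((lineno, "unparseable MAC or action"))
        elif mac in entries:
            why = "duplicate" if entries[mac] == action else "conflicting action"
            rejected.append((lineno, why))
        else:
            entries[mac] = action
    seats = sum(1 for a in entries.values() if a in LICENSED_ACTIONS)
    return {
        "paste": {a: sorted(m for m, x in entries.items() if x == a) for a in KNOWN_ACTIONS},
        "rejected": rejected,
        "license_seats_needed": seats,
        "license_ok": seats <= seats_free,
        "min_memory_gb": math.ceil(len(entries) / MACS_PER_GB),
        "memory_ok": len(entries) <= cas_memory_gb * MACS_PER_GB,
    }

# Constructed sample inventory (not from the guide).
SAMPLE = """\
00:1a:2b:3c:4d:5e ALLOW   # printer
00-1A-2B-3C-4D-5F check   # corporate laptop
001a.2b3c.4d60 CHECK
001A2B3C4D5E ALLOW        # same printer, different notation
00:1a:2b:3c:4d:5f ALLOW   # conflicts with line 2
00:1a:2b:3c:4d:zz ALLOW
"""
```

Calling preflight(SAMPLE, cas_memory_gb=1, seats_free=1) returns the normalized per-action lists under "paste" and reports the rejected line numbers, so conflicting or malformed entries are caught before they reach the filter list.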
Corporate Asset Authentication and Posture Assessment by MAC Address
Cisco NAC Appliance can perform MAC-based authentication and posture assessment of client
machines without requiring the user to log into Cisco NAC Appliance. This feature is implemented
through the “CHECK” device filter control for global and local device filters and the Agent. The Cisco
NAC Web Agent performs posture assessment, but does not provide a medium for remediation. The user
must manually fix/update the client machine and “Re-Scan” to fulfill posture assessment requirements
with the Web Agent.
Note: The CHECK feature applies only to Cisco NAC Appliance Agents which support posture assessment.
The following Device Filter configuration options are available: