Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 2 Device Management: Adding Clean Access Servers, Adding Filters
Global Device and Subnet Filtering
Note In both Layer 2 and Layer 3 deployments, Out-of-Band device filters rely only on client MAC address
when determining whether or not to act upon MAC notification messages from an associated switch.
(Device filters do not take client IP addresses into account for Out-of-Band client machines because the
CAM cannot reliably verify Out-of-Band client IP addresses.)
Note Changing the MAC address behavior of a Role-Based device filter is not applied dynamically. For a wired network, the CAM must receive a Linkup or MAC Notification trap; for a wireless network, it must receive an Association/Disassociation trap. This is mandatory to avoid a first-time Posture Assessment when the NAC Agent popup is closed on the client.
Device Filters for In-Band Deployment
Cisco NAC Appliance assigns user roles to users either by means of authentication attributes, or through
device/subnet filter policies. As a result, a key feature of device/subnet filter policy configuration is the
ability to assign a system user role to a specified MAC address or subnet. Cisco NAC Appliance
processing uses the following order of priority for role assignment:
1. MAC address
2. Subnet/IP address
3. Login information (login ID, user attributes from auth server, VLAN ID of user machine, etc.)
Therefore, if a MAC address filter associates the client with “Role A,” but the user’s login ID associates him
or her with “Role B,” “Role A” is used.
For complete details on user roles, see Chapter 6, “User Management: Configuring User Roles and Local
Users.”
Note For more information on In-Band vs. Out-of-Band client machine behavior based on specified Device
Filter type, see In-Band and Out-of-Band Device Filter Behavior Comparison, page 2-16.
Note For management of Access Points (APs) from the trusted side, you can ensure the APs are reachable
from the trusted side (i.e. through SNMP, HTTP, or whatever management protocol is used) by
configuring a filter policy through Device Management > Filters > Devices.
Device Filters for Out-of-Band Deployment
The Clean Access Manager respects the global Device Filters list for Out-of-Band deployments. As in
In-Band deployments, the rules configured for MAC addresses on the global Device Filter list have the
highest priority for user/device processing in OOB. In both Layer 2 and Layer 3 deployments, Out-of-Band
device filters rely only on the client MAC address when deciding whether to act on MAC notification
messages from an associated switch; client IP addresses are not considered for Out-of-Band client machines
because the CAM cannot reliably verify them.
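The following is an added example, not code from the Cisco NAC Appliance or its configuration guide. It models the role-assignment priority described above for In-Band deployments (MAC address filter, then subnet/IP filter, then login information) and the Out-of-Band rule that device filters consult only the client MAC address. The filter entries, client records and role names are constructed sample data; the longest-prefix rule for overlapping subnet filters and the `(role, source)` return shape are assumptions made for illustration, not documented CAM behavior.

```python
"""Model of Cisco NAC Appliance device/subnet filter role resolution.

Added example; not Cisco code. Priority (In-Band): MAC filter > subnet filter > login.
Out-of-Band: only the MAC filter is consulted, because the CAM cannot verify OOB client IPs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC so 00:1A:2B:3C:4D:5E, 001a.2b3c.4d5e and 00-1a-2b-3c-4d-5e compare equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class MacFilter:
    mac: str
    role: str


@dataclass(frozen=True)
class SubnetFilter:
    subnet: str   # CIDR notation, e.g. "10.10.20.0/24"
    role: str


@dataclass(frozen=True)
class Client:
    mac: str
    ip: Optional[str]            # None if the CAM has no usable IP for the client
    login_role: Optional[str]    # role derived from auth-server attributes, if the user logged in
    out_of_band: bool = False    # True for OOB client machines


def resolve_role(client: Client,
                 mac_filters: Iterable[MacFilter],
                 subnet_filters: Iterable[SubnetFilter]) -> Tuple[Optional[str], str]:
    """Return (role, source) following the documented priority order."""
    by_mac = {normalize_mac(f.mac): f.role for f in mac_filters}
    mac = normalize_mac(client.mac)

    # 1. MAC address filter: highest priority for both In-Band and Out-of-Band.
    if mac in by_mac:
        return by_mac[mac], "mac-filter"

    # 2. Subnet/IP filter: In-Band only. For OOB clients the CAM cannot reliably
    #    verify the client IP, so device filters rely on the MAC address alone.
    if not client.out_of_band and client.ip is not None:
        addr = ipaddress.ip_address(client.ip)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for f in subnet_filters:
            net = ipaddress.ip_network(f.subnet, strict=False)
            # Longest-prefix match on overlap is an assumption for this example.
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, f.role)
        if best is not None:
            return best[1], "subnet-filter"

    # 3. Login information (login ID, auth-server attributes, VLAN ID, ...).
    if client.login_role:
        return client.login_role, "login"

    return None, "none"


# Constructed sample filter list (hypothetical MACs, subnets and role names).
MAC_FILTERS = [MacFilter("00-1A-2B-3C-4D-5E", "Role A")]
SUBNET_FILTERS = [SubnetFilter("10.10.0.0/16", "Guest"),
                  SubnetFilter("10.10.20.0/24", "Printers")]


def demo() -> list:
    """Run the four cases the text implies and return their (role, source) results."""
    cases = [
        # MAC filter says Role A, login says Role B: Role A wins.
        Client("001a.2b3c.4d5e", "10.10.20.7", "Role B"),
        # No MAC match; In-Band client in 10.10.20.0/24 gets the most specific subnet role.
        Client("00:11:22:33:44:55", "10.10.20.7", "Role B"),
        # Same client Out-of-Band: subnet filter ignored, login role used.
        Client("00:11:22:33:44:55", "10.10.20.7", "Role B", out_of_band=True),
        # Nothing matches and no login: no role assigned.
        Client("00:11:22:33:44:55", "192.168.1.5", None),
    ]
    return [resolve_role(c, MAC_FILTERS, SUBNET_FILTERS) for c in cases]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Run the script to see the four cases; the third case is the one that distinguishes OOB from IB processing, since the identical client falls through to its login role once subnet filters are skipped.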