Specifications
2-15
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 2 Device Management: Adding Clean Access Servers, Adding Filters
Global Device and Subnet Filtering
For OOB, the order of priority for rule processing is as follows:
1. Device Filters (if configured with a MAC address, and if enabled for OOB)
2. Certified Devices List
3. Out-of-Band Online User List
MAC address device filters configured for OOB have the following options and behavior:
• ALLOW—Bypass login and posture assessment and assign Default Access VLAN to the port
• DENY—Bypass login and posture assessment and assign Auth VLAN to the port
• ROLE—Bypass login and L2 posture assessment and assign User Role VLAN to the port
• CHECK—Bypass login, apply posture assessment, and assign User Role VLAN to the port
• IGNORE—Ignore SNMP traps from managed switches (IP Phones)
Note
• To use global device filters for OOB, you must enable the Change VLAN according to global device filter list option for the Port Profile (under OOB Management > Profiles > Port > New or Edit). See Add Port Profile, page 3-34 for details.
• This feature applies to global device filters only. Cisco strongly recommends that you do not configure any local (CAS-specific) device filters when deployed in an Out-of-Band environment.
• See Out-of-Band User Role VLAN, page 6-10 for details on VLAN assignment via the user role.
Note
• When you change the behavior of a MAC address device filter from ALLOW to DENY, the change is not dynamic. Because the client's traffic was initially directed to the Default Access VLAN, it should be redirected to the Authentication VLAN once the behavior changes to DENY. To apply the DENY rule to that MAC address, you must manually remove the MAC address from the Certified Devices List (CDL) / Out-of-Band Online User List (OUL).
• When you change the behavior of a MAC address device filter from DENY to ALLOW, the change is dynamic. When the client's traffic reaches the eth1 interface of the CAS, the CAS checks the device filter rules and allows the user, because the behavior has been changed from DENY to ALLOW.
Note For more information on In-Band vs. Out-of-Band client machine behavior based on specified Device
Filter type, see In-Band and Out-of-Band Device Filter Behavior Comparison, page 2-16.
For further details, see Chapter 3, “Switch Management: Configuring Out-of-Band Deployment.”
Device Filters for Out-of-Band Deployment Using IP Phones
You must create a global device filter list of MAC addresses so that the IP phones through which client machines connect to your network are ignored. You can define the list of MAC addresses in any of three ways: compile a collection of individual MAC addresses (Cisco recommends this method only for small deployments), specify a range of MAC addresses using range delimiters and/or wildcard characters, or extract a list of MAC addresses from an existing IP phone management application such as Cisco CallManager.
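To make the OOB priority order (device filters, then the CDL, then the OUL) and the per-action VLAN outcomes concrete, here is an added Python model; it is not Cisco's code and the CAM performs this evaluation internally. The exact-MAC, `prefix*` wildcard and `start..end` range syntax is an assumption made for this example (the CAM's own delimiter and wildcard syntax is not reproduced here), and the sample filters and MAC addresses are constructed.

```python
import re
from dataclasses import dataclass

# VLAN the switch port receives for each OOB device-filter action (from the guide).
ACTION_VLAN = {"ALLOW": "Default Access VLAN", "DENY": "Auth VLAN",
               "ROLE": "User Role VLAN", "CHECK": "User Role VLAN"}

def mac_hex(mac):
    """Normalize 'AA:BB:CC:DD:EE:FF', 'aabb.ccdd.eeff' or 'aa-bb-cc-dd-ee-ff' to 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits

@dataclass
class DeviceFilter:
    pattern: str      # exact MAC, 'prefix*' wildcard or 'start..end' range (syntax assumed here)
    action: str       # ALLOW, DENY, ROLE, CHECK or IGNORE
    oob: bool = True  # whether the filter is enabled for OOB

    def matches(self, mac):
        m = mac_hex(mac)
        if ".." in self.pattern:                       # inclusive MAC range
            lo, hi = (mac_hex(p) for p in self.pattern.split(".."))
            return int(lo, 16) <= int(m, 16) <= int(hi, 16)
        if self.pattern.endswith("*"):                 # wildcard: match on a prefix
            return m.startswith(re.sub(r"[^0-9a-fA-F]", "", self.pattern[:-1]).lower())
        return m == mac_hex(self.pattern)

def oob_decision(mac, filters, certified, online):
    """Walk the OOB priority order: device filters, then the Certified Devices List (CDL),
    then the Out-of-Band Online User List (OUL). Returns (stage, action, vlan)."""
    for flt in filters:
        if flt.oob and flt.matches(mac):
            if flt.action == "IGNORE":             # SNMP trap ignored (IP phone): no VLAN change
                return ("device_filter", "IGNORE", None)
            return ("device_filter", flt.action, ACTION_VLAN[flt.action])
    m = mac_hex(mac)
    # The guide assigns no filter action to CDL/OUL hits, so only the matching stage is reported.
    if m in {mac_hex(c) for c in certified}:
        return ("certified_devices_list", None, None)
    if m in {mac_hex(o) for o in online}:
        return ("oob_online_user_list", None, None)
    return ("no_match", None, None)                # falls through to normal login/posture

# Constructed sample data: an IP-phone OUI wildcard, a denied range, and a filter not enabled for OOB.
FILTERS = [DeviceFilter("00:1A:2B:*", "IGNORE"),
           DeviceFilter("aabb.ccdd.0000..aabb.ccdd.00ff", "DENY"),
           DeviceFilter("AA-BB-CC-DD-EE-FF", "ALLOW", oob=False)]
```

Note that a MAC covered by an OOB-enabled DENY filter lands on the Auth VLAN even if it is also on the CDL, while a filter with OOB disabled is skipped and the CDL entry decides.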