2-17
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 2 Device Management: Adding Clean Access Servers, Adding Filters
Global Device and Subnet Filtering
The Require users to be certified at every web login option only applies to the In-Band Online Users
list. When this option is enabled and the Online Users list entry is deleted, the corresponding Certified
Devices List entry is deleted if there are no other Online Users list (either In-Band or Out-of-Band)
entries with the same MAC address.
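The deletion rule above, as an added example that is not part of this guide and not CAM code: a small Python model of the two lists the option touches. The class and field names are assumptions chosen for illustration; the only behaviour modelled is that the option applies to In-Band entries, and that the Certified Devices List entry is removed only when no other Online Users entry (In-Band or Out-of-Band) still carries the same MAC address.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class OnlineUser:
    """One Online Users list entry (constructed model, not the CAM schema)."""
    mac: str
    mode: str   # "in-band" or "out-of-band"
    user: str


@dataclass
class CamState:
    """Minimal model of the CAM lists that the option affects (assumed names)."""
    certify_at_every_web_login: bool
    online_users: set = field(default_factory=set)
    certified_devices: set = field(default_factory=set)   # lower-case MACs

    def delete_online_user(self, entry: OnlineUser) -> bool:
        """Delete `entry`; return True if its Certified Devices entry was removed too.

        The option only applies to the In-Band Online Users list, and the
        certified entry goes only when no other Online Users entry, In-Band
        or Out-of-Band, still has the same MAC address.
        """
        self.online_users.discard(entry)
        if not self.certify_at_every_web_login or entry.mode != "in-band":
            return False
        mac = entry.mac.lower()
        if any(e.mac.lower() == mac for e in self.online_users):
            return False   # same MAC still online elsewhere: keep certification
        was_certified = mac in self.certified_devices
        self.certified_devices.discard(mac)
        return was_certified


def run_scenario(option_enabled: bool, other_entries, deleted: OnlineUser):
    """Build a CAM state where `deleted` is certified and online, delete it,
    and report (certified entry removed?, MAC still certified afterwards?)."""
    cam = CamState(option_enabled,
                   set(other_entries) | {deleted},
                   {deleted.mac.lower()})
    removed = cam.delete_online_user(deleted)
    return removed, deleted.mac.lower() in cam.certified_devices


# Constructed sample entries: one MAC seen both In-Band and Out-of-Band.
MAC = "00:11:22:33:44:55"
IB_ENTRY = OnlineUser(MAC, "in-band", "alice")
OOB_ENTRY = OnlineUser(MAC, "out-of-band", "alice")
OTHER_ENTRY = OnlineUser("66:77:88:99:aa:bb", "in-band", "bob")

if __name__ == "__main__":
    print("IB deleted, no other entry with MAC:", run_scenario(True, [OTHER_ENTRY], IB_ENTRY))
    print("IB deleted, OOB entry shares MAC:   ", run_scenario(True, [OOB_ENTRY], IB_ENTRY))
    print("option disabled:                    ", run_scenario(False, [OTHER_ENTRY], IB_ENTRY))
    print("OOB entry deleted (option on):      ", run_scenario(True, [OTHER_ENTRY], OOB_ENTRY))
```

The second scenario is the one to remember when troubleshooting: a device that also appears in the Out-of-Band Online Users list keeps its Certified Devices List entry when its In-Band entry is deleted, so it will not be re-assessed at its next web login.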
Device Filters and Gaming Ports
To allow gaming services, such as Microsoft Xbox Live, Cisco recommends creating a gaming user role
and adding a filter for the device MAC addresses (under Device Management > Filters > Devices >
New) to place the devices into that gaming role. You can then create traffic policies for the role to allow
traffic for gaming ports. For additional details, see:
Allowing Gaming Ports, page 8-24
http://www.cisco.com/warp/customer/707/ca-mgr-faq2.html#q16
Adding a New User Role, page 6-7
Global vs. Local (CAS-Specific) Filters
You can add device/subnet filter policies at a global level for all Clean Access Servers in the Clean
Access Manager Filters pages, or for a specific Clean Access Server through the CAS management
pages. The CAM stores both types of access filters and distributes the global filter policies to all Clean
Access Servers and the local filter policies to the relevant CAS.
For subnet filter policies (in Device Management > Filters > Subnet) where one subnet filter specifies
a subset of an address range in a broader subnet filter, the CAM determines the priority of the filter based
on the size of the subnet address range. The smaller the subnet (like a /30 or /28 subnet mask), the higher
the priority in the subnet filter hierarchy. For example, a subnet filter policy allowing traffic from the
192.168.128.0/28 address range would take precedence over another subnet filter policy denying traffic
from the 192.168.128.0/24 address range. Whether the subnet filter policy is global or local
makes no difference when determining the priority.
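The precedence rule just described, as an added example that is not part of this guide and not CAM code: a Python model in which the filter covering an address with the longest prefix (smallest subnet) wins, and the global/local scope of a filter is deliberately ignored when ordering. The filter representation, the `allow`/`deny` actions and the handling of two filters on the identical subnet are assumptions made for illustration; the guide does not say how that last case is resolved, so the model refuses it.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SubnetFilter:
    """One subnet filter policy as modelled here (assumed shape, not the CAM's)."""
    network: ipaddress.IPv4Network
    action: str   # "allow" or "deny"; other CAM filter types are left out
    scope: str    # "global" (CAM Filters pages) or "local" (CAS-specific)


def make_filter(cidr: str, action: str, scope: str = "global") -> SubnetFilter:
    # strict=True rejects a CIDR with host bits set, e.g. 192.168.128.5/28
    return SubnetFilter(ipaddress.ip_network(cidr, strict=True), action, scope)


def governing_filter(ip: str, filters: list[SubnetFilter]) -> SubnetFilter | None:
    """Return the filter that applies to `ip`, or None if no range contains it.

    Of all filters whose range contains the address, the smallest subnet
    (longest prefix: /30 beats /28 beats /24) wins. Scope is not part of the
    ordering, because global vs. local makes no difference to priority.
    """
    addr = ipaddress.ip_address(ip)
    candidates = [f for f in filters if addr in f.network]
    if not candidates:
        return None
    candidates.sort(key=lambda f: f.network.prefixlen, reverse=True)
    best = candidates[0]
    # Assumption: two filters on the identical subnet with conflicting actions
    # are a configuration error here, since the guide gives no tie-break.
    if any(f.network == best.network and f.action != best.action
           for f in candidates):
        raise ValueError(f"conflicting filters for {best.network}")
    return best


def decide(ip: str, filters: list[SubnetFilter]) -> str:
    f = governing_filter(ip, filters)
    return f.action if f is not None else "no match"


# Constructed policies: the guide's /24 deny vs /28 allow case, plus a nested
# /30 deny to show the hierarchy resolves more than one level deep.
EXAMPLE_FILTERS = [
    make_filter("192.168.128.0/24", "deny", scope="global"),
    make_filter("192.168.128.0/28", "allow", scope="local"),
    make_filter("192.168.128.4/30", "deny", scope="global"),
]

if __name__ == "__main__":
    for host in ("192.168.128.1", "192.168.128.5", "192.168.128.200", "10.0.0.1"):
        print(host, "->", decide(host, EXAMPLE_FILTERS))
```

Running it shows 192.168.128.1 allowed by the local /28, 192.168.128.5 denied again by the even smaller /30 inside it, 192.168.128.200 denied by the /24, and 10.0.0.1 matching nothing. When auditing a deployment, check the most specific subnet filter covering an address rather than the broadest one, and remember that a CAS-local filter can override a global deny simply by being narrower.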
Table 2-2 Layer 2 and Layer 3 In-Band and Out-of-Band MAC Address Filter Behavior

Device Filter Type: CHECK (device not in Certified Devices List)
    Layer 2 In-Band (Global and CAS): Do posture assessment (In-Band Online Users list entry in Temporary role) and add Certified Devices List entry after posture assessment (no Online Users list entry).
    Layer 3 In-Band (Global and CAS): Same as above.
    Out-of-Band without Port Profile option (Global)—Out-of-Band (CAS): Do posture assessment (In-Band Online Users list entry in Temporary role), add Certified Devices List entry after posture (Out-of-Band Online Users list entry) and assign to Access VLAN (based on Port Profile).
    Out-of-Band with Port Profile option (Global only): Do posture assessment (In-Band Online Users list entry in Temporary role), add Certified Devices List entry after posture (Out-of-Band Online Users list entry) and assign to Access VLAN (based on Port Profile).

Device Filter Type: IGNORE
    Layer 2 In-Band (Global and CAS): No effect (normal behavior).
    Layer 3 In-Band (Global and CAS): No effect (normal behavior).
    Out-of-Band without Port Profile option (Global)—Out-of-Band (CAS): No effect (normal behavior).
    Out-of-Band with Port Profile option (Global only): SNMP traps are ignored.