2-22
Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 2 Device Management: Adding Clean Access Servers, Adding Filters
Global Device and Subnet Filtering
As an option, you can enter an IP address with the MAC to make sure no one spoofs the MAC
address to gain network access. If you enter both a MAC and an IP address, the client must match
both for the rule to apply.
You can specify a description by device or for all devices. A description specific to a particular
device (in the MAC Address field) supersedes a description that applies to all devices in the
Description (all entries) field. There cannot be spaces within the description in the device entry
(see Figure 2-7).
Step 3 Choose the policy for the device from the Access Type choices:
    ALLOW
        IB - bypass login, bypass posture assessment, allow access
        OOB - bypass login, bypass posture assessment, assign Default Access VLAN
    DENY
        IB - bypass login, bypass posture assessment, deny access
        OOB - bypass login, bypass posture assessment, assign Auth VLAN
    ROLE
        IB - bypass login, bypass L2 posture assessment, assign role
        OOB - bypass login, bypass L2 posture assessment, assign User Role VLAN. The Out-of-Band User
        Role VLAN is the Access VLAN configured in the user role. See Chapter 6, “User Management:
        Configuring User Roles and Local Users” for details.
    CHECK
        IB - bypass login, apply posture assessment, assign role
        OOB - bypass login, apply posture assessment, assign User Role VLAN
    IGNORE
        OOB (only) - ignore SNMP traps from managed switches (IP Phones)
Note For OOB, you must also enable the use of global device filters at the Port Profile level under
OOB Management > Profiles > Port > New or Edit. See Add Port Profile, page 3-34 for
details.
Step 4 Click Add to save the policy.
Step 5 The List page under the Devices tab appears.
The following examples are all valid entries (that can be entered at the same time):
00:16:21:11:4D:67/10.1.12.9 pocket_pc
00:16:21:12:* group1
00:16:21:13:4D:12-00:16:21:13:E4:04 group2
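The entry formats above and the MAC-plus-IP matching rule, worked through as an added example that is not part of the Cisco guide or the CAM's own code. It assumes a trailing `*` matches any MAC beginning with the listed octets and that a range includes both endpoints; the function names and the client addresses used to exercise it are hypothetical.

```python
import ipaddress
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
PREFIX_RE = re.compile(r"((?:[0-9A-Fa-f]{2}:){1,5})\*")


def mac_to_int(mac):
    """Convert a colon-separated MAC to an integer, rejecting malformed input."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"bad MAC: {mac!r}")
    return int(mac.replace(":", ""), 16)


def parse_entry(line):
    """Parse 'MAC[/IP] [description]' into an inclusive MAC range plus optional IP."""
    parts = line.split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("expected 'MAC[/IP] [description]' with no spaces in the description")
    spec, desc = parts[0], (parts[1] if len(parts) == 2 else "")
    mac_part, _, ip_part = spec.partition("/")
    ip = ipaddress.ip_address(ip_part) if ip_part else None
    m = PREFIX_RE.fullmatch(mac_part)
    if m:  # wildcard (assumed prefix match): pad the prefix with 00.. and FF..
        head = m.group(1).replace(":", "")
        pad = 12 - len(head)
        lo, hi = int(head + "0" * pad, 16), int(head + "F" * pad, 16)
    elif "-" in mac_part:  # range (assumed inclusive at both ends)
        lo, hi = (mac_to_int(x) for x in mac_part.split("-", 1))
    else:  # single device
        lo = hi = mac_to_int(mac_part)
    if lo > hi:
        raise ValueError("range start is above range end")
    return {"lo": lo, "hi": hi, "ip": ip, "desc": desc}


def matches(entry, mac, ip):
    """True only if the MAC fits and, when the entry pins an IP, the IP fits too."""
    mac_ok = entry["lo"] <= mac_to_int(mac) <= entry["hi"]
    ip_ok = entry["ip"] is None or entry["ip"] == ipaddress.ip_address(ip)
    return mac_ok and ip_ok


# The three entries listed in the guide; clients tested against them are constructed.
ENTRIES = [parse_entry(e) for e in (
    "00:16:21:11:4D:67/10.1.12.9 pocket_pc",
    "00:16:21:12:* group1",
    "00:16:21:13:4D:12-00:16:21:13:E4:04 group2",
)]
```

A client presenting the `pocket_pc` MAC from any address other than 10.1.12.9 does not match the first entry, while the wildcard and range entries match on MAC alone because no IP is pinned.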
Note If bandwidth management is enabled, devices allowed without specifying a role will use the bandwidth
of the Unauthenticated Role. See Control Bandwidth Usage, page 8-13 for details.
Note Troubleshooting Tip: If you see ERROR: “Adding device MAC failed” and you are unable to add any
devices in the filter list (regardless of which option is checked, or whether an IP address/description is
included), check the Event Logs. If you see “xx:xx:xx:xx:xx:xx could not be added to the MAC list”,
this can indicate that one of the CASs is disconnected.