Cisco Clean Access 3.5

Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 10      Local Clean Access Settings
Specify Floating Devices
A floating device is certified only for the duration of a user session. Once the user logs out, the next user 
of the device needs to be certified again. Floating devices are useful for shared equipment, such as kiosk 
computers or wireless cards loaned out by a library. 
You can also specify devices that are never exempt from certification requirements by MAC address. 
This is useful for multi-user devices, such as dialup routers that channel multi-user traffic from the 
untrusted (managed) network. In such cases, the Clean Access Server will see only the MAC address of 
that device as the source address of traffic from the trusted network. If the device is not configured as a 
floating device, this means that after the first user is certified, additional users will be unintentionally 
exempt from certification. By configuring the router's MAC address as a floating device that is never 
certified, you can ensure that each user accessing the network through the device is individually assessed 
for vulnerabilities and for whether requirements are met. 
Note: You must run release 3.5(3) or above of the CAM/CAS/Agent to support multi-hop L3 in-band 
deployment. Clean Access Agent 3.5.2 and below do not support deployment behind routers or dial-up 
routers.
In this case (a multi-user device configured as a never-certified floating device), the users are 
distinguished by IP address. Note that users must have different IP addresses for this to work. If the 
router performs NAT, the users are indistinguishable to the Clean Access Manager and only the first 
user will be certified. 
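
The following Python sketch is an added illustration, not code from Cisco or from this guide: a simplified model of the certification behaviour described above, showing why a router that hides its users behind one MAC address needs the never-certified floating setting and why NAT defeats it. The class, the mode names, the sample IP addresses and the kiosk MAC are assumptions constructed for the example.

```python
# Simplified model (assumption): the server keeps a set of "certified" keys
# and only assesses a client whose key is not yet in that set.
FLOATING_SESSION, FLOATING_NEVER = "session", "never"   # hypothetical mode names

class CertificationModel:
    def __init__(self, floating=None):
        # MAC -> floating mode; MACs are normalised to upper case
        self.floating = {m.upper(): t for m, t in (floating or {}).items()}
        self.certified = set()

    def _key(self, mac, ip):
        # Users behind a never-certified floating device all present the same
        # source MAC, so they are told apart by IP address instead.
        if self.floating.get(mac.upper()) == FLOATING_NEVER:
            return (mac.upper(), ip)
        return (mac.upper(), None)

    def login(self, mac, ip):
        """Return True if this login is individually assessed."""
        key = self._key(mac, ip)
        if key in self.certified:
            return False          # rides on an earlier certification
        self.certified.add(key)
        return True

    def logout(self, mac, ip):
        # A session-scope floating device loses certification at logout.
        if self.floating.get(mac.upper()) == FLOATING_SESSION:
            self.certified.discard(self._key(mac, ip))

ROUTER = "00:16:21:23:4D:00"   # MAC from the format example on this page
KIOSK = "00:16:21:AA:BB:01"    # constructed sample MAC
# Constructed sample traffic: three users reaching the server through the router.
ROUTED = [(ROUTER, "10.1.1.10"), (ROUTER, "10.1.1.11"), (ROUTER, "10.1.1.12")]
NATTED = [(ROUTER, "10.1.1.1")] * 3   # NAT: every user shows the same IP

def assessed(model, logins):
    return [model.login(mac, ip) for mac, ip in logins]

def router_demo():
    never = {ROUTER: FLOATING_NEVER}
    return {"not_floating": assessed(CertificationModel(), ROUTED),
            "floating_never": assessed(CertificationModel(never), ROUTED),
            "floating_never_nat": assessed(CertificationModel(never), NATTED)}

def kiosk_demo():
    m = CertificationModel({KIOSK: FLOATING_SESSION})
    first = m.login(KIOSK, "10.1.2.5")
    m.logout(KIOSK, "10.1.2.5")
    return first, m.login(KIOSK, "10.1.2.5")   # next user is assessed again

if __name__ == "__main__":
    print(router_demo(), kiosk_demo())
```
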
See also 
To specify a local floating device: 
1. Go to Device Management > CCA Servers > Manage [CAS_IP] > Filter > Clean Access > 
   Floating Devices.
Figure 10-2    Floating Devices (Local)
2. Specify a floating device by MAC address in the form: 
   <MAC> <type> <description>
   Where:
   – MAC is the MAC address of the device (in standard hexadecimal MAC address format, e.g., 
     00:16:21:23:4D:00).