Cisco Clean Access Server Installation and Administration Guide
OL-7045-01
Chapter 4 Clean Access Server Managed Domain

Local Device and Subnet Filtering
As typically implemented, Cisco Clean Access enforces authentication requirements on clients attempting to access the network. An access filter lets you define specialized access privileges or limitations for particular clients.
Note: Access policies set in the Clean Access Server management page apply only to the CAS being administered. To configure global passthrough policies for all Clean Access Servers, go to the Device Management > Filters module in the CAM web console. Note that local policies override global settings.
An access filter can:
  • Allow all traffic for a device without requiring authentication.
  • Block a device from accessing the network.
  • Exempt a device from having to authenticate while applying the traffic control policies of a role for the device.
An access filter policy is one method by which a Cisco Clean Access role can be assigned to a client. The order of priority for role assignment is as follows:
1. MAC address
2. Subnet / IP address
3. Login information (login ID, user attributes from the auth server, VLAN ID of the user machine, etc.)
Therefore, if a MAC address associates the client with "Role A", but the user's login ID associates him or her with "Role B", "Role A" is used.
Note: Devices allowed in the MAC filter list cannot establish IPSec/L2TP/PPTP connections to the CAS. Only users logging in via web login or Clean Access Agent can establish IPSec/L2TP/PPTP connections to the CAS.
  • With release 3.5(5) and above, the Clean Access Manager respects the global Device Filters list for Out-of-Band deployments (this does not apply to CAS-specific filters). See "Global Device and Subnet Filtering" in the Cisco Clean Access Manager Installation and Administration Guide for details.
Configure Device Access Filter Policies
The Devices form allows you to specify access rules by device. 
To set up device-based access controls:
1. Click the Filter tab, and then the Devices submenu item.
2. In the Devices tab, enter the MAC address of the device for which you want to create a policy in the text field. Optionally, also enter an IP address of the device and a description, in the form:
   <MACAddress>/<IPAddress> <description>
   If you enter both a MAC and an IP address, the client must match both for the rule to apply.
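The following is an added example, not code from the Cisco guide or the product: it parses entries in the <MACAddress>/<IPAddress> <description> form, enforces the "both must match" rule when an IP was entered, and resolves a client's role in the stated priority order (MAC, then subnet/IP, then login). The rule representation, the CIDR-style subnet list and the sample values are assumptions for illustration.

```python
import ipaddress
import re

# Colon-separated MAC, the form shown in the Devices tab (assumption: case-insensitive).
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_device_entry(line):
    """Parse '<MACAddress>/<IPAddress> <description>'; IP and description are optional."""
    addr, _, description = line.strip().partition(" ")
    mac, _, ip = addr.partition("/")
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    if ip:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return {"mac": mac, "ip": ip or None, "description": description}


def device_entry_matches(entry, client_mac, client_ip):
    """The MAC must match; if an IP was entered in the rule, the IP must match too."""
    if entry["mac"] != client_mac.lower():
        return False
    return entry["ip"] is None or entry["ip"] == client_ip


def effective_role(client_mac, client_ip, login_role, device_rules, subnet_rules):
    """Resolve the role in the guide's order: MAC filter, then subnet/IP, then login.

    Returns (role, source) so an operator can see which stage assigned the role.
    """
    for entry, role in device_rules:                 # 1. MAC address
        if device_entry_matches(entry, client_mac, client_ip):
            return role, "mac"
    addr = ipaddress.ip_address(client_ip)
    for network, role in subnet_rules:               # 2. Subnet / IP address
        if addr in ipaddress.ip_network(network):
            return role, "subnet"
    return login_role, "login"                       # 3. Login information


# Constructed sample rules (not from the guide): (parsed entry, role to apply).
DEVICE_RULES = [
    (parse_device_entry("00:0c:29:aa:bb:cc/10.10.1.25 lab printer"), "Role A"),
    (parse_device_entry("00:0c:29:dd:ee:ff conference phone"), "Role A"),
]
# Constructed subnet rules as (CIDR, role); assumed representation.
SUBNET_RULES = [("10.10.2.0/24", "Role C")]
```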