Cisco Clean Access 3.5
3-8
Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 3 Device Management: Adding Clean Access Servers, Adding Filters
•
For other settings, such as traffic control policies, the priority of the policy (higher or lower) determines which global or local policy is enforced.
•
Some features must be enabled on the CAS first (via the CAS management pages) before being configured in the CAM, for example:
–
L3 support for the Clean Access Agent (for multi-hop L3 deployments)
–
Bandwidth Management
–
Use of VPN policy between the CAS and users in a user role
•
Clean Access requirements and network scanning plugins are configured globally from the CAM and apply to all CASes.
Global Device and Subnet Filtering
As typically implemented, Cisco Clean Access enforces authentication for user devices attempting to access the network. You can use device/subnet filtering to allow devices on the untrusted side of the network to bypass authentication and Cisco Clean Access requirements before being allowed access to the trusted side of the network.
Device filters are specified by the MAC address of the device (and optionally its IP address). Subnet filters are specified by subnet address and subnet mask (in CIDR format).
You can configure device or subnet filters to do the following:
•
Allow all traffic for the device (or subnet) without requiring authentication.
•
Block a device (or subnet) from accessing the network.
•
Exempt a device (or subnet) from authentication and assign a user role to the device.
As another example (such as for VPN concentrator integration), you can configure device or subnet filters to allow an authentication server on the trusted network to communicate with a VPN concentrator on the untrusted network.
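To make the three filter actions concrete, the following is an added example (not Cisco code and not how the CAM itself implements filters) that models a device/subnet filter table and decides what happens to an endpoint arriving on the untrusted side. Everything in it is constructed for illustration: the filter entries, the MAC and IP values, the role names ("IP Phone", "Guest") and the function names are hypothetical, and the ordering rule it applies (device filters are checked before subnet filters, first match wins) is an assumption, because this page does not state the CAM's precedence between the two filter types.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Filter types as described on the page:
#   device filter  - keyed by MAC address, optionally also by IP address
#   subnet filter  - keyed by a CIDR prefix
# Actions:
#   "allow" - all traffic passes without authentication
#   "deny"  - the device/subnet is blocked from the network
#   "role"  - authentication is bypassed and a user role is assigned
@dataclass
class DeviceFilter:
    mac: str
    action: str
    ip: Optional[str] = None
    role: Optional[str] = None

@dataclass
class SubnetFilter:
    cidr: str
    action: str
    role: Optional[str] = None

def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC so that '00:0C:29:AB:CD:EF', '000c.29ab.cdef'
    and '00-0c-29-ab-cd-ef' all compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def evaluate(mac: str, ip: str,
             device_filters: List[DeviceFilter],
             subnet_filters: List[SubnetFilter]) -> Tuple[str, Optional[str]]:
    """Return (disposition, role) for an endpoint.

    disposition is 'allow', 'deny' or 'role' when a filter matches, and
    'authenticate' when nothing matches (normal Clean Access login applies).
    Assumption (hypothetical, not stated on the page): device filters are
    checked before subnet filters, and the first matching entry wins."""
    mac_n = normalize_mac(mac)
    addr = ipaddress.ip_address(ip)
    for f in device_filters:
        if normalize_mac(f.mac) != mac_n:
            continue
        # When the filter also carries an IP, both must match. This is the
        # only thing that distinguishes the real device from another host
        # presenting the same MAC at a different address.
        if f.ip is not None and ipaddress.ip_address(f.ip) != addr:
            continue
        return f.action, f.role
    for f in subnet_filters:
        if addr in ipaddress.ip_network(f.cidr, strict=False):
            return f.action, f.role
    return "authenticate", None

# Constructed sample filter table (hypothetical values).
SAMPLE_DEVICE_FILTERS = [
    DeviceFilter("00:0c:29:ab:cd:ef", "allow"),                       # e.g. a printer
    DeviceFilter("00-11-22-33-44-55", "role", ip="10.1.2.50", role="IP Phone"),
]
SAMPLE_SUBNET_FILTERS = [
    SubnetFilter("10.1.9.0/24", "deny"),                   # more specific, listed first
    SubnetFilter("10.1.8.0/22", "role", role="Guest"),     # overlaps the /24 above
]

def disposition(mac: str, ip: str) -> Tuple[str, Optional[str]]:
    """Evaluate an endpoint against the sample table."""
    return evaluate(mac, ip, SAMPLE_DEVICE_FILTERS, SAMPLE_SUBNET_FILTERS)

if __name__ == "__main__":
    for mac, ip in [("000c.29ab.cdef", "192.168.5.7"),
                    ("00:11:22:33:44:55", "10.1.2.50"),
                    ("00:11:22:33:44:55", "10.1.2.51"),
                    ("aa:bb:cc:dd:ee:ff", "10.1.9.3"),
                    ("aa:bb:cc:dd:ee:ff", "10.1.10.3"),
                    ("aa:bb:cc:dd:ee:ff", "10.5.0.1")]:
        print(f"{mac:20} {ip:14} -> {disposition(mac, ip)}")
```

Two points from the example are worth carrying into a real deployment. First, overlapping subnet filters (here a deny /24 inside a /22 that assigns a role) only behave as intended if the more specific entry takes precedence, so check how the CAM orders them rather than assuming. Second, a device filter keyed on MAC alone is satisfied by any host that presents that MAC; binding the filter to an IP address as well, as the page permits, narrows what an impersonating host can do but does not make the entry an authenticated identity, so use "allow" filters sparingly and prefer assigning a restricted role.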
Note
Because a device in a Filter entry is allowed/denied access without authentication, the device will not appear on the Online Users list (see for details).
This section describes the following: