Cisco Clean Access 3.5

Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 3      Device Management: Adding Clean Access Servers, Adding Filters
  • For other settings, such as traffic control policies, the priority of the policy (higher or lower) determines which global or local policy is enforced.
  • Some features must be enabled on the CAS first (via the CAS management pages) before being configured in the CAM, for example:
      – L3 support for the Clean Access Agent (for multi-hop L3 deployments)
      – Bandwidth Management
      – Use of VPN policy between CAS and users in user role
  • Clean Access requirements and network scanning plugins are configured globally from the CAM and apply to all CASes.

Global Device and Subnet Filtering 
As typically implemented, Cisco Clean Access enforces authentication for user devices attempting to 
access the network. You can use device/subnet filtering to allow devices on the untrusted side of the 
network to bypass authentication and Cisco Clean Access requirements before being allowed access to 
the trusted side of the network. 
Device filters are specified by MAC address of the device (and optionally IP address). Subnet filters are 
specified by subnet address and subnet mask (in CIDR format). 
You can configure device or subnet filters to do the following:
  • Allow all traffic for the device (or subnet) without requiring authentication.
  • Block a device (or subnet) from accessing the network.
  • Exempt a device (or subnet) from authentication and assign a user role to the device.
As another example (such as VPN concentrator integration), you can configure device or subnet filters to allow traffic from an authentication server on the trusted network to communicate with a VPN concentrator on the untrusted network.
Note
Because a device in a Filter entry is allowed/denied access without authentication, the device will not 
appear on the Online Users list (see 
 for details). 
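The following is an added example, not taken from the Cisco guide: a Python check that reviews a filter list of the kind described above and reports entries that bypass authentication for a large subnet or by MAC address alone, along with malformed entries. The record layout, the action names, the colon-separated MAC notation and the 256-address threshold are assumptions made for illustration, not the CAM's own export format.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")  # assumed notation
BYPASS = {"allow", "role"}  # both actions skip authentication; "block" does not

# Constructed sample filter list (hypothetical layout, not a CAM export).
FILTERS = [
    {"type": "device", "mac": "00:11:22:33:44:55", "ip": "10.1.5.20", "action": "allow"},
    {"type": "device", "mac": "00:11:22:33:44:66", "ip": None, "action": "role"},
    {"type": "subnet", "cidr": "10.1.0.0/16", "action": "allow"},
    {"type": "subnet", "cidr": "10.9.9.0/24", "action": "block"},
    {"type": "subnet", "cidr": "10.2.3.4/24", "action": "allow"},
]


def audit_filters(filters, max_addresses=256):
    """Return (index, finding) pairs for entries that deserve review."""
    findings = []
    for idx, entry in enumerate(filters):
        bypass = entry["action"] in BYPASS
        if entry["type"] == "device":
            if not MAC_RE.match(entry["mac"]):
                findings.append((idx, "invalid-mac"))
            elif entry.get("ip") is None:
                # The IP address is optional; without it only the MAC identifies the device.
                if bypass:
                    findings.append((idx, "bypass-mac-only"))
            else:
                try:
                    ipaddress.ip_address(entry["ip"])
                except ValueError:
                    findings.append((idx, "invalid-ip"))
        elif entry["type"] == "subnet":
            try:
                net = ipaddress.ip_network(entry["cidr"], strict=True)
            except ValueError:
                # Malformed CIDR, or host bits set below the mask.
                findings.append((idx, "invalid-cidr"))
                continue
            if bypass and net.num_addresses > max_addresses:
                findings.append((idx, "bypass-broad-subnet"))
        else:
            findings.append((idx, "unknown-type"))
    return findings


if __name__ == "__main__":
    for idx, finding in audit_filters(FILTERS):
        print(idx, finding, FILTERS[idx])
```

Because filtered devices do not appear on the Online Users list, a periodic review of the filter list itself is the practical place to catch entries like these.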