Cisco Clean Access 3.5
3-9
Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 3 Device Management: Adding Clean Access Servers, Adding Filters
Global Device and Subnet Filtering
Device Filters for In-Band Deployment
Cisco Clean Access assigns user roles to users either by means of authentication attributes, or through device/subnet filter policies. As a result, a key feature of device/subnet filter policy configuration is the ability to assign a system user role to a specified MAC address or subnet. Cisco Clean Access processing uses the following order of priority for role assignment:
1. MAC address
2. Subnet / IP address
3. Login information (login ID, user attributes from auth server, VLAN ID of user machine, etc.)
Therefore, if a MAC address associates the client with “Role A,” but the user’s login ID associates him or her to “Role B,” “Role A” is used.
For complete details on user roles, see
Note
• For management of Access Points (APs) from the trusted side, you can ensure the APs are reachable from the trusted side (i.e. through SNMP, HTTP, or whatever management protocol is used) by configuring a filter policy through Device Management > Filters > Devices.
• When upgrading to 3.5(x), device filters added by the EOLed AP Management feature will not be lost.
Device Filters for Out-of-Band Deployment
With release 3.5(5) and above, the Clean Access Manager respects the global Device Filters list for Out-of-Band deployments. In OOB, the rules configured for MAC addresses on the global Device Filter list will have the highest priority for user/device processing (just as for In-Band deployments).
For OOB, the order of priority for rule processing is as follows:
1. Device Filters (if configured with a MAC address, and if enabled for OOB)
2. Certified Devices List
3. Out-of-Band Online User List
MAC address device filters configured for OOB have the following options and behavior:
• allow—The device is put in the Default Access VLAN.
• deny—The device is put in the Default Auth VLAN.
• use role—The device is put in the Access VLAN configured for the user role.
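The following is an added illustration, not Cisco code, of the two precedence orders this section describes: the In-Band role assignment order (MAC filter, then subnet/IP filter, then login information) and the Out-of-Band order (device filter, then Certified Devices List, then OOB Online User List) together with the allow/deny/use role VLAN placement. The data classes, VLAN numbers, MAC addresses and subnets are constructed for the example; the guide only defines VLAN placement for the three device filter actions, so the model returns no VLAN when a later OOB stage wins. It also models the note that OOB device filters take effect only when enabled on the port profile: with that flag off, a matching filter is skipped and processing falls through.

```python
# Added illustration of Cisco Clean Access filter precedence. Not Cisco code;
# all policy data below is constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceFilter:
    mac: str                  # MAC address the global device filter matches
    action: str               # "allow", "deny" or "use role"
    role: Optional[str] = None


@dataclass
class SubnetFilter:
    network: str              # CIDR, e.g. "10.20.0.0/16"
    role: str


@dataclass
class Client:
    mac: str
    ip: str
    login_role: Optional[str] = None   # role derived from login/auth attributes


def normalize_mac(mac: str) -> str:
    """Canonical lowercase colon form so 'AA-BB-..', 'aabb.ccdd..' and 'aa:bb:..' compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def inband_role(client, device_filters, subnet_filters):
    """In-Band: MAC filter first, then subnet/IP filter, then login information.
    Returns (role, source) so an administrator can see which rule won."""
    mac = normalize_mac(client.mac)
    for f in device_filters:
        if f.action == "use role" and f.role and normalize_mac(f.mac) == mac:
            return f.role, "device filter (MAC)"
    addr = ipaddress.ip_address(client.ip)
    for s in subnet_filters:
        if addr in ipaddress.ip_network(s.network, strict=False):
            return s.role, "subnet filter"
    if client.login_role:
        return client.login_role, "login"
    return None, "unmatched"


def oob_decision(client, device_filters, certified_macs, online_macs, vlans,
                 port_profile_uses_filters):
    """Out-of-Band: device filter (only if enabled on the port profile), then
    Certified Devices List, then OOB Online User List.  Returns (source, vlan);
    vlan is None when the winning stage is not a device filter, because this
    section defines VLAN placement only for the three filter actions."""
    mac = normalize_mac(client.mac)
    if port_profile_uses_filters:
        for f in device_filters:
            if normalize_mac(f.mac) != mac:
                continue
            if f.action == "allow":
                return "device filter: allow", vlans["default_access"]
            if f.action == "deny":
                return "device filter: deny", vlans["default_auth"]
            if f.action == "use role":
                return "device filter: use role", vlans["role_access"][f.role]
    if mac in {normalize_mac(m) for m in certified_macs}:
        return "certified devices list", None
    if mac in {normalize_mac(m) for m in online_macs}:
        return "oob online user list", None
    return "unmatched", None


# Constructed sample policy (hypothetical addresses, roles and VLAN ids)
DEVICE_FILTERS = [
    DeviceFilter("00:11:22:33:44:55", "use role", "Printer"),
    DeviceFilter("00-11-22-33-44-66", "allow"),
    DeviceFilter("0011.2233.4477", "deny"),
]
SUBNET_FILTERS = [SubnetFilter("10.20.0.0/16", "Role A")]
VLANS = {"default_access": 100, "default_auth": 900, "role_access": {"Printer": 120}}

if __name__ == "__main__":
    # The guide's own case: subnet says Role A, login says Role B; Role A wins.
    c = Client("aa:bb:cc:dd:ee:ff", "10.20.1.5", login_role="Role B")
    print(inband_role(c, DEVICE_FILTERS, SUBNET_FILTERS))
    print(oob_decision(Client("00:11:22:33:44:66", "10.30.0.9"), DEVICE_FILTERS,
                       ["00:11:22:33:44:66"], [], VLANS, port_profile_uses_filters=False))
```

Running the block prints the In-Band example from the text (Role A from the subnet filter, overriding the login role) and an OOB case where the port profile does not enable device filters, so the allow filter is ignored and the Certified Devices List stage governs the device.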
Note
• You must enable the use of device filters for OOB at the Port Profile level under Switch Management > Profiles > Port > New or Edit. See
for details.
• This feature applies to global device filters only (does not apply to CAS-specific device filters).
For further details, see