Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide
OL-12213-01
Chapter 5 Clean Access Server Managed Domain
CAS Fallback Policy
The CAS Fallback policy feature allows administrators to configure the level of user access permitted
by the Clean Access Server when the Clean Access Manager becomes unreachable to the CAS. For
example, if a remote CAS attempts to reach the CAM, but the WAN link fails, CAS Fallback can be used
to specify the user access policy: allow all user traffic, block all user traffic, or only allow traffic for
already-authenticated users (default CAS behavior).
The CAS checks the status of the CAM periodically, according to the Detect Interval specified. If the
CAM is not reachable before the specified Detect Timeout, the CAS declares the CAM as dead, and sets
the traffic policy of every user role to “Allow All,” “Block All” or “Ignore” based on the Fallback Policy
chosen.
Note
The CAS fallback feature is for situations where communication between the CAS and CAM is lost. For
protection against CAS failure itself in a Central Deployment, the CAS failover bundle is recommended.
1. Go to Device Management > CCA Servers > Manage [CAS_IP] > Filter > Fallback.
Figure 5-20 CAS Fallback
2. From the Fallback Policy dropdown menu, select one of the following options:
   – Ignore (default)—Allow traffic only for authenticated users but block new users. This allows
     existing (authenticated) users to access local and remote site resources, but new
     (unauthenticated) users will be blocked.
   – Allow All—Allow all traffic for all users (authenticated and new). This allows new and existing
     users to access local and remote site resources.
   – Block All—Block all traffic for all users (authenticated and new). This blocks all users from
     accessing local and remote site resources.
3. Type a Detect Interval (default is 60 seconds). The Detect Interval determines how often the CAS
   verifies if the CAM is still connected.
4. Type a Detect Timeout (default is 300 seconds). The Detect Timeout determines the time of “no
   response” after which the CAS declares the CAM as dead.
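The following Python model is an added example, not part of the Cisco guide or the product's code. It shows how the Detect Interval and Detect Timeout defaults above determine when the fallback policy takes effect, and which users each policy admits once the CAM is declared dead. Assumptions: all function and class names are hypothetical, probes are sent exactly once per Detect Interval, and the timeout is measured from the last response and evaluated only when a probe fails.

```python
from enum import Enum

class FallbackPolicy(Enum):
    IGNORE = "Ignore"        # default: authenticated users only
    ALLOW_ALL = "Allow All"  # fail open
    BLOCK_ALL = "Block All"  # fail closed

def cam_declared_dead_at(probe_results, detect_interval=60, detect_timeout=300):
    """Return the time (seconds) at which the CAM is declared dead, or None.

    probe_results[i] is True if the probe sent at t = i * detect_interval got a
    response. Assumption of this model: the timeout is measured from the last
    response and is only evaluated when a probe fails.
    """
    last_response = 0
    for i, responded in enumerate(probe_results):
        now = i * detect_interval
        if responded:
            last_response = now
        elif now - last_response >= detect_timeout:
            return now
    return None

def fallback_allows(policy, authenticated):
    """Traffic decision for one user once the CAM has been declared dead."""
    if policy is FallbackPolicy.ALLOW_ALL:
        return True
    if policy is FallbackPolicy.BLOCK_ALL:
        return False
    return authenticated  # IGNORE: existing sessions continue, new users blocked

def exposure_summary(policy):
    """Map user type -> allowed? under the given policy during a CAM outage."""
    return {
        "authenticated": fallback_allows(policy, authenticated=True),
        "new (unauthenticated)": fallback_allows(policy, authenticated=False),
    }

if __name__ == "__main__":
    # Constructed outage: CAM answers at t=0 and t=60, then the WAN link fails.
    probes = [True, True] + [False] * 6
    print("CAM declared dead at t =", cam_declared_dead_at(probes), "s")
    for policy in FallbackPolicy:
        print(f"{policy.value:9} -> {exposure_summary(policy)}")
```

In this model, Allow All is the only setting under which a CAM outage lets unauthenticated users through, so it trades posture enforcement for availability at the remote site.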