Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide
OL-12213-01
Chapter 9 Local Traffic Control Policies
Add Local Host-Based Traffic Control Policies
Enable Proxy Traffic
You can enable an individual CAS to parse host policies when user traffic passes through a specified
proxy server.
When the “Parse Proxy Traffic for Roles other than Unauthenticated Role” option is checked for an
individual CAS, and a proxy server is specified on the CAS Proxy page, the CAS will check the payloads
of GET, POST and CONNECT HTTP/HTTPS/FTP requests to make sure that the host is on the host
policy list before allowing traffic to the proxy server. This allows users to access only the host sites
enabled for a role (e.g. Temporary or quarantine users that need to meet requirements) when the specified
proxy server is used. Note that the “parse proxy traffic” feature is enabled per CAS, and you must specify
the Proxy server IP and port on the CAS Proxy page and enable the “Parse Proxy Traffic for Roles
other than Unauthenticated Role” option for this feature to take effect.
Note
For the Unauthenticated role, host policies do not work when a proxy server is specified, and the user is
always redirected to the login page.
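An illustrative model of the check described above, added here and not Cisco's implementation: it extracts the destination host from proxy-form GET, POST and CONNECT request lines and compares it with a per-role allowed-host list. The function names, the exact-name/".suffix" matching syntax, the fail-closed handling of unparseable requests and the sample hosts are assumptions.

```python
from urllib.parse import urlsplit

PARSED_METHODS = {"GET", "POST", "CONNECT"}  # request methods the page says are inspected
PARSED_SCHEMES = {"http", "https", "ftp"}

def target_host(request_line):
    """Return the destination host of a proxy-form request line, or None."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0].upper() not in PARSED_METHODS:
        return None
    try:
        if parts[0].upper() == "CONNECT":
            url = urlsplit("//" + parts[1])      # authority-form: host:port
        else:
            url = urlsplit(parts[1])             # absolute-form: scheme://host/path
            if url.scheme not in PARSED_SCHEMES:
                return None
        host = url.hostname
    except ValueError:                           # malformed authority, e.g. bad IPv6 literal
        return None
    return host.rstrip(".") if host else None

def decide(role, request_line, allowed_hosts):
    """Return 'redirect-login', 'allow' or 'deny' for one request bound for the proxy."""
    if role == "Unauthenticated":
        return "redirect-login"                  # the Note: host policies are not applied
    host = target_host(request_line)
    if host is None:
        return "deny"                            # assumption: unparseable requests fail closed
    for entry in allowed_hosts.get(role, ()):
        entry = entry.lower()
        # Assumed syntax: exact name, or ".suffix" matched on a label boundary.
        if host == entry or (entry.startswith(".") and host.endswith(entry)):
            return "allow"
    return "deny"

# Constructed sample policy and requests (not taken from the guide).
ALLOWED = {"Temporary": ["updates.example.com", ".av-vendor.example"]}
SAMPLES = [
    ("Temporary", "GET http://updates.example.com/patch.exe HTTP/1.1"),
    ("Temporary", "GET ftp://files.av-vendor.example/sig.dat HTTP/1.1"),
    ("Temporary", "CONNECT www.example.org:443 HTTP/1.1"),
    ("Temporary", "GET http://updates.example.com@www.example.org/ HTTP/1.1"),
    ("Unauthenticated", "GET http://updates.example.com/ HTTP/1.1"),
]

if __name__ == "__main__":
    for role, line in SAMPLES:
        print(f"{decide(role, line, ALLOWED):15} {role:16} {line}")
```

The fourth sample is denied because the host is taken from the parsed authority, not found by substring search: the allowed name sits in the userinfo part while the request is bound for a different host.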
To enable host policies when traffic is going through the proxy server specified on the CAS:
1. Go to Device Management > CCA Servers > Manage [CAS_IP] > Advanced > Proxy
2. Specify the proxy IP/port as described in .
3. Go to Device Management > CCA Servers > Manage [CAS_IP] > Filter > Roles > Allowed Hosts ( ).
Figure 9-4 CAS—Allowed Hosts
4. Click the checkbox for “Proxy Traffic for Roles other than Unauthenticated Role.” This option will apply to all roles other than the Unauthenticated role (not just Temporary/quarantine roles).
5. Click the Update button.