Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3)
Device Management: Adding Clean Access Servers, Adding Filters


Table Of Contents

Device Management: Adding Clean Access Servers, Adding Filters

Working with Clean Access Servers

Add Clean Access Servers to the Managed Domain

Manage the Clean Access Server

Configure Clean Access Manager-to-Clean Access Server Authorization

Summary of Steps to Configure Clean Access Manager-to-Clean Access Server Authorization

Enable Authorization and Specify Authorized Clean Access Servers

Check Clean Access Server Status

Disconnect a Clean Access Server

Reboot the Clean Access Server

Remove the Clean Access Server from the Managed Domain

Troubleshooting when Adding the Clean Access Server

Global and Local Administration Settings

Global and Local Settings

Global Device and Subnet Filtering

Overview

Device Filters and User Count License Limits

Adding Multiple Entries

Corporate Asset Authentication and Posture Assessment by MAC Address

Device Filters for In-Band Deployment

Device Filters for Out-of-Band Deployment

Device Filters for Out-of-Band Deployment Using IP Phones

In-Band and Out-of-Band Device Filter Behavior Comparison

Device Filters and Gaming Ports

Global vs. Local (CAS-Specific) Filters

Global Device Filter Lists from Cisco NAC Profiler

Configure Device Filters

Add Global Device Filter

Display/Search/Import/Export Device Filter Policies

Order Device Filter Wildcard/Range Policies

Test Device Filter Policies

View Active Layer 2 Device Filter Policies

Edit Device Filter Policies

Delete Device Filter Policies

Configure Subnet Filters


Device Management: Adding Clean Access Servers, Adding Filters


This chapter describes how to add and manage Clean Access Servers from the Clean Access Manager and configure device and/or subnet filters. It contains the following sections.

Working with Clean Access Servers

Global and Local Administration Settings

Global Device and Subnet Filtering

The first step in implementing Cisco NAC Appliance is configuring devices in the Clean Access Manager (CAM)'s administrative domain. Clean Access Servers must be added to the CAM in order to manage them directly in the web console.

By default, Cisco NAC Appliance forces user devices on the untrusted side of the CAS to authenticate when attempting to access the network.

User roles, user authentication, user web pages, and traffic policies for In-Band user traffic must be configured for users on the untrusted network as described in the following chapters:

Chapter 6 "User Management: Configuring User Roles and Local Users"

Chapter 7 "User Management: Configuring Authentication Servers"

Chapter 8 "User Management: Traffic Control, Bandwidth, Schedule"

If deploying Cisco NAC Appliance for Out-of-Band, you will also need to configure the CAM as described in Chapter 3 "Switch Management: Configuring Out-of-Band Deployment".

After Cisco NAC Appliance is configured for user traffic on the untrusted side of your network, you may need to allow devices on the untrusted side to bypass authentication and posture assessment (for example printers or VPN concentrators). See Global Device and Subnet Filtering for how to configure filters in the Clean Access Manager for these kinds of devices.

Working with Clean Access Servers

The Clean Access Server gets its runtime parameters from the Clean Access Manager and cannot operate until it is added to the CAM's domain. Once the CAS is installed and added to the CAM, you can configure local parameters in the CAS and monitor it through the web admin console.

This section describes the following:

Add Clean Access Servers to the Managed Domain

Manage the Clean Access Server

Configure Clean Access Manager-to-Clean Access Server Authorization

Check Clean Access Server Status

Disconnect a Clean Access Server

Reboot the Clean Access Server

Remove the Clean Access Server from the Managed Domain

Troubleshooting when Adding the Clean Access Server


Note In order to establish the initial secure communication channel between a CAM and CAS, you must import the root certificate from each appliance into the other appliance's trusted store so that the CAM can trust the CAS's certificate and vice versa.


For details on configuring local CAS-specific settings, see the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3).

Add Clean Access Servers to the Managed Domain

The Clean Access Server must be running to be added to the Clean Access Manager.


Note If intending to configure the Clean Access Server in Virtual Gateway mode (IB or OOB), you must disable or unplug the untrusted interface (eth1) of the CAS until after you have added the CAS to the CAM from the web admin console. Keeping the eth1 interface connected while performing initial installation and configuration of the CAS for Virtual Gateway mode can result in network connectivity issues.

For Virtual Gateway with VLAN mapping (In-Band or OOB), the untrusted interface (eth1) of the CAS should not be connected to the switch until VLAN mapping has been configured correctly under Device Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping.

See the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3) for details.


To add a Clean Access Server:


Step 1 From Device Management, click the CCA Servers link on the navigation menu.

Step 2 Click the New Server tab.

Figure 2-1 Add New Server

Step 3 In the Server IP address field, type the IP address of the Clean Access Server's eth0 trusted interface.


Note The eth0 IP address of the CAS is the same as the Management IP address.


Step 4 Optionally, in the Server Location field, type a description of the Clean Access Server's location or other identifying information.

Step 5 For In-Band operation, choose one of the following operating modes for the Clean Access Server from the Server Type list:

Virtual Gateway - Operates as an L2 transparent bridge, while providing IPSec, filtering, virus protection, and other services.

Real-IP Gateway - Acts as the default gateway for the untrusted network.

Step 6 For Out-of-Band operation, you must choose one of the following Out-of-Band operating types:

Out-of-Band Virtual Gateway—Operates as a Virtual Gateway during authentication and certification, before the user is switched Out-of-Band (i.e., the user is connected directly to the access network).

Out-of-Band Real-IP Gateway—Operates as a Real-IP Gateway during authentication and certification, before the user is switched Out-of-Band (i.e., the user is connected directly to the access network).

The CAM can control both In-Band and Out-of-Band Clean Access Servers in its domain. However, the CAS itself must be either In-Band or Out-of-Band.

For more information on Out-of-Band deployment, see Chapter 3 "Switch Management: Configuring Out-of-Band Deployment."

See the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3) for further details on the CAS operating modes.

Step 7 Click Add Clean Access Server. The Clean Access Manager looks for the Clean Access Server on the network, and adds it to its list of managed Servers (Figure 2-2). The Clean Access Server is now in the Clean Access Manager's administrative domain.


Manage the Clean Access Server

After adding the Clean Access Server, you can configure CAS-specific settings such as VLAN Mapping or DHCP configuration. For some parameters, such as traffic control policies, the settings in the CAS can override the CAM's global settings.

Once you add the CAS to the Clean Access Manager, the CAS appears in the List of Servers tab as one of the managed Servers, as shown in Figure 2-2.

Figure 2-2 List of Servers Tab

Each Clean Access Server entry lists the IP address, server type, location, and connection status of the CAS. In addition, four management control icons are displayed: Manage, Disconnect, Reboot, and Delete.

Click the Manage icon to administer the Clean Access Server.


Note For more information on configuring Clean Access Servers (such as DHCP or high availability) see the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3).


Configure Clean Access Manager-to-Clean Access Server Authorization

When you add Clean Access Servers to the CAM, you can also choose to enable mutual Authorization between the appliances to enhance network security.

Using the CAM Authorization web console page, administrators can enter the Distinguished Names (DNs) of one or more CASs to ensure secure communications between the CAM and CAS(s). Once you enable the Authorization feature and add one or more CASs to the Authorized CCA Servers list, the CAM does not accept communications from CASs that do not appear in the list. Therefore, when you choose to employ and enable this feature in your network, you must add all of your managed CASs to the Authorized CCA Servers list to ensure you maintain CAM-CAS connection for all of the CASs in your network.

Likewise, you must also enable this feature and specify a CAM DN on all of the CASs in your network to establish two-way authorization between the CAMs/CASs.

If you have deployed your CAMs/CASs in an HA environment, you can enable authorization for both the HA-Primary and HA-Secondary machines in the HA pair by specifying the DN of only the HA-Primary appliance. For example, if the CAM manages a CAS HA pair, you only need to list the HA-Primary CAS on the CAM's Authorization page. Likewise, if you are enabling this feature on a CAS managed by a CAM HA pair, you only need to list the HA-Primary CAM on the CAS's Authorization page.

Summary of Steps to Configure Clean Access Manager-to-Clean Access Server Authorization


Step 1 Configure CAS Authorization on the CAM web console under Device Management > Clean Access Servers > Authorization (see Enable Authorization and Specify Authorized Clean Access Servers).

Step 2 Configure CAM Authorization on the CAS web console under Administration > Authorization (see the "Enable Authorization and Specify the Authorized Clean Access Manager" section in the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3)).

Step 3 Before deploying in a production environment, obtain trusted CA-signed certificates for CAM and CAS and import them to CAM/CAS under Administration > SSL > Trusted Certificate Authorities (for CAM), and Administration > SSL > Trusted Certificate Authorities (for CAS).


Warning If your previous deployment uses a chain of SSL certificates that is incomplete, incorrect, or out of order, CAM/CAS communication may fail after upgrade to release 4.5 and later. You must correct your certificate chain to successfully upgrade to release 4.5 and later. For details on how to fix certificate errors on the CAM/CAS after upgrade to release 4.5 and later, refer to the How to Fix Certificate Errors on the CAM/CAS After Upgrade Troubleshooting Tech Note.

Step 4 If you are upgrading your Cisco NAC Appliance release, clean up Trusted Certificate Authorities on the CAM under Administration > CCA Manager > SSL > Trusted Certificate Authorities, and on the CAS under Administration > SSL > Trusted Certificate Authorities (see Manage Trusted Certificate Authorities and the "View and Remove Trusted Certificate Authorities" section in the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3), respectively).


Note If you use the Authorization feature in a CAM HA-pair, follow the guidelines in Backing Up and Restoring CAM/CAS Authorization Settings to ensure you are able to exactly duplicate your Authorization settings from one CAM to its high availability counterpart.



Enable Authorization and Specify Authorized Clean Access Servers

To enable authorization and specify CASs authorized to communicate with the CAM:


Step 1 Go to Device Management > Clean Access Servers > Authorization (Figure 2-3).

Figure 2-3 Device Management > Clean Access Servers > Authorization

Step 2 Click Enable CCA Server Authorization to turn on the Cisco NAC Appliance authorization feature.


Warning Do not click the Enable CCA Server Authorization option without also entering one or more full distinguished names of CASs you want to authorize to communicate securely with the CAM. If you enable this feature and have not specified any CAS distinguished names, you will not be able to communicate with any of the CASs in your network.

Step 3 Click the plus icon "+" and enter the full distinguished name of a CAS you want to authorize to communicate securely with the CAM. For example, enter a text string like "CN=110.21.5.123, OU=cca, O=cisco, L=sj, ST=ca, C=us" in the Distinguished Name field.


Note Distinguished names require exact syntax. Therefore, Cisco recommends copying the CAS DN from the top of the list of entries in the Administration > SSL > X509 Certificate CAS web console page and pasting it into the CAM's Authorization page to ensure you specify the exact name for the CAS on the CAM.


Step 4 If you want to first test whether or not the CAM is able to authorize and connect to the CAS(s) in your network, click Test CCA Server Authorization to test connection with the CASs you include in the Authorized CCA Servers list. The CAM generates SSL Connection log messages that you can view in the CAM Monitoring > Event Logs web console page after you click Update in step 5.

Step 5 Click Update to ensure the CAS(s) you have added become part of the group of servers authorized to communicate back-and-forth with the CAM.

When you click Update, the CAM restarts services between the CAM and all CASs in the Authorized CCA Server list, which may cause brief network interruptions to users logged into the Cisco NAC Appliance system.

If you enabled the Test CCA Server Authorization option and there are one or more Clean Access Servers in the Authorized CCA Server list to which the CAM is unable to connect, warning (yellow flag) messages appear in the event log.

If you did not enable the Test CCA Server Authorization option and there are one or more Clean Access Servers in the Authorized CCA Server list to which the CAM is unable to connect, error (red flag) messages appear in the event log.

See View Logs for more information.
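The note in Step 3 says that distinguished names require exact syntax, and the warning in Step 2 says that a wrong list locks the CAM out of its CASs. The following script is an added example (not Cisco's code) of a pre-flight check an administrator can run before clicking Update: it compares the DN copied from the CAS's Administration > SSL > X509 Certificate page with the string typed into the Authorized CCA Servers list and, on a mismatch, reports which RDN differs and how (whitespace, case, order or value). The strict string comparison follows the chapter's note; the function names and the assumption that the CAM compares the string as typed are mine.

```python
"""Added example, not Cisco's code: a pre-flight check for the exact-syntax
requirement on Distinguished Names described under "Enable Authorization and
Specify Authorized Clean Access Servers". The strict string comparison follows
the chapter's note that DNs require exact syntax; function names are assumed."""
from typing import List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'CN=..., OU=..., ...' into (type, value) pairs.
    A comma escaped as '\\,' inside a value does not end the RDN."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape sequence verbatim
            buf += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += dn[i]
        i += 1
    parts.append(buf)
    pairs = []
    for rdn in parts:
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        pairs.append((attr_type.strip(), value.strip()))
    return pairs


def check_dn(certificate_dn: str, entered_dn: str) -> Tuple[bool, List[str]]:
    """Return (exact_match, findings). Only exact_match == True is good enough
    for the CAM; findings explain a mismatch in administrator terms."""
    if certificate_dn == entered_dn:
        return True, []
    findings = []
    if certificate_dn.replace(" ", "") == entered_dn.replace(" ", ""):
        findings.append("whitespace differs (for example after the commas)")
    cert, ent = parse_dn(certificate_dn), parse_dn(entered_dn)
    cert_types = [t.upper() for t, _ in cert]
    ent_types = [t.upper() for t, _ in ent]
    if cert_types != ent_types:
        if sorted(cert_types) == sorted(ent_types):
            findings.append("RDN order differs")
        else:
            findings.append(f"attribute set differs: {cert_types} vs {ent_types}")
        return False, findings
    for (ct, cv), (et, ev) in zip(cert, ent):
        if ct != et:
            findings.append(f"attribute type case differs: {ct!r} vs {et!r}")
        if cv != ev:
            kind = "value case differs" if cv.lower() == ev.lower() else "value differs"
            findings.append(f"{ct}: {kind}: {cv!r} vs {ev!r}")
    if not findings:
        findings.append("strings differ in characters the per-RDN comparison normalized (e.g. tabs)")
    return False, findings


# The DN from the chapter's own example, used here as the certificate DN.
CAS_CERT_DN = "CN=110.21.5.123, OU=cca, O=cisco, L=sj, ST=ca, C=us"

if __name__ == "__main__":
    for typed in (CAS_CERT_DN,
                  "CN=110.21.5.123,OU=cca,O=cisco,L=sj,ST=ca,C=us",
                  "CN=110.21.5.123, OU=CCA, O=cisco, L=sj, ST=ca, C=us",
                  "C=us, ST=ca, L=sj, O=cisco, OU=cca, CN=110.21.5.123"):
        ok, why = check_dn(CAS_CERT_DN, typed)
        print("OK " if ok else "BAD", typed, "" if ok else "; ".join(why))
```

Run it with the DN copied from each CAS as the first argument and the string you intend to paste as the second; anything other than an exact match is worth correcting before Update restarts the CAM-CAS services.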


Check Clean Access Server Status

The operational status of each Clean Access Server appears in the Status column:

Connected—The CAM can reach the CAS successfully.

Not connected—The CAS is rebooting, or the network connection between the CAM and CAS is broken.

If the Clean Access Server has a status of Not connected unexpectedly (that is, it is not down for standard maintenance, for example), try clicking the Manage icon to force a connection attempt. If successful, the status changes to Connected. Otherwise, check for a connection problem between the CAM and CAS and make sure the CAS is running. If necessary, try rebooting the CAS.


Note The Clean Access Manager monitors the connection status of all configured Clean Access Servers. The CAM tries to connect to a disconnected CAS every 3 minutes.


Disconnect a Clean Access Server

When a Clean Access Server is disconnected, it displays Not Connected status but remains in the Clean Access Manager domain. You can always click Manage to connect the CAS and configure it.

Additionally, if at any point the Clean Access Server is out of sync with the Clean Access Manager, you can disconnect the Clean Access Server then reconnect it. The Clean Access Manager will again publish the data configured for the Clean Access Server and keep the CAS in sync.

In contrast, if you delete the Clean Access Server, all secondary configuration settings are lost.

Reboot the Clean Access Server

You can perform a graceful reboot of a Clean Access Server by clicking the Reboot icon in the List of Servers tab. In a graceful reboot, the Clean Access Server performs all normal shutdown procedures before restarting, such as writing logging data to disk.

Remove the Clean Access Server from the Managed Domain

Deleting a Clean Access Server in the List of Servers tab removes it from the List of Servers and the system. To remove a Clean Access Server, click the Delete icon next to the CAS. In order to reuse a Clean Access Server that you have deleted, you have to re-add it to the Clean Access Manager.

Note that when the Clean Access Server is removed, any secondary configuration settings specific to the CAS are deleted. Secondary settings are settings that are not configured at installation time or through the service perfigo config script, and include policy filters, traffic routing, and encryption parameters.

Settings that are configured at installation time, such as interface addresses, are kept on the Clean Access Server and are restored if the CAS is later re-added to the CAM's administrative domain.

Removing an active CAS has the following effect on users accessing the network through the CAS at the time it is deleted:

If the CAS and CAM are connected when the CAS is deleted, the network connections for active users are immediately dropped. Users are no longer able to access the network. (This is because the CAM is able to delete the CAS's configuration immediately, so that the IP addresses assigned to active users are no longer valid in relation to any security policies applicable to the CASs.) New users will be unable to log into the network.

If the connection between the CAS and CAM is broken at the time the CAS is deleted, active users will be able to continue accessing the network until the connection is reestablished. This is because the CAM cannot delete the CAS's configuration immediately. New users will be unable to log into the network.

Troubleshooting when Adding the Clean Access Server

See "Troubleshooting when Adding the Clean Access Server" in the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3) for troubleshooting details.

Global and Local Administration Settings

The CAM web admin console has the following types of settings:

Clean Access Manager administration settings are relevant only to the CAM itself. These include its IP address and host name, SSL certificate information, and High-Availability (failover) settings.

Global administration settings are set in the Clean Access Manager and pushed from the CAM to all Clean Access Servers. These include authentication server information, global device/subnet filter policies, user roles, and Cisco NAC Appliance configuration.

Local administration settings are set in the CAS management pages for a Clean Access Server and apply only to that CAS. These include CAS network settings, SSL certificates, DHCP and 1:1 NAT configuration, VPN concentrator configuration, IPSec key changes, local traffic control policies, and local device/subnet filter policies.

The global or local scope of a setting is indicated in the Clean Access Server column in the web admin console, as shown in Figure 2-4.

Figure 2-4 Scope of Settings

GLOBAL—The entry was created using a global form in the CAM web admin console and applies to all Clean Access Servers in the CAM's domain.

<IP Address>—The entry was created using a local form from the CAS management pages and applies only for the CAS with this IP address.

In general, pages that display global settings (referenced by GLOBAL) also display local settings (referenced by CAS IP address) for convenience. These local settings can usually be edited or deleted from global pages; however, they can only be added from the local CAS management pages for a particular Clean Access Server.

Global and Local Settings

Global (defined in CAM for all CASs) and local (CAS-specific) settings often coexist on the same CAS. If a global and local setting conflict, either the local setting overrides the global setting, or the priority of the policy determines which global or local policy to enforce.

For device filter policies affecting a range of MAC addresses and traffic control policies, the priority of the policy (higher or lower in Device Management > Filters > Devices > Order) determines which global or local policy to enforce. Any device filter policy for an individual MAC address takes precedence over a filter policy (either global or local) for a range of addresses that includes the individual MAC address.

For subnet filter policies where one subnet filter specifies a subset of an address range in a broader subnet filter, the CAM determines the priority of the filter based on the size of the subnet address range. The smaller the subnet (like a /30 or /28 subnet mask), the higher the priority in the subnet filter hierarchy.

Some features must be enabled on the CAS (via the CAS management pages) and also configured in the CAM console, for example:

L3 support (for multi-hop L3 deployments) is enabled per CAS, but may require login page/Agent configuration on CAM

Bandwidth Management is enabled per CAS but can be configured for all roles on the CAM

Active Directory SSO is configured per CAS but requires Auth Provider on CAM

Cisco VPN Concentrator SSO is configured per CAS but requires Auth Provider on CAM

Agent requirements and network scanning plugins are configured globally from the CAM and apply to all CASs.

Global Device and Subnet Filtering

This section describes the following:

Overview

Device Filters and User Count License Limits

Adding Multiple Entries

Corporate Asset Authentication and Posture Assessment by MAC Address

Device Filters for In-Band Deployment

Device Filters for Out-of-Band Deployment

Device Filters for Out-of-Band Deployment Using IP Phones

In-Band and Out-of-Band Device Filter Behavior Comparison

Device Filters and Gaming Ports

Global vs. Local (CAS-Specific) Filters

Global Device Filter Lists from Cisco NAC Profiler

Configure Device Filters

Configure Subnet Filters

Overview

By default, Cisco NAC Appliance forces user devices on the untrusted side of the CAS to authenticate (log in) when attempting to access the network. If you need to allow devices on the untrusted side to bypass authentication, you can configure device or subnet filters.

Filter lists (configured under Device Management > Filters) can be set by MAC, IP, or subnet address, and can automatically assign user roles to devices. Filters allow devices (user or non-user) to bypass both authentication and (optionally) posture assessment. This section describes how to configure device and subnet filters.

Device filters are specified by MAC address (and optionally IP for In-Band deployments) of the device, and can be configured for either In-Band (IB) or Out-of-Band (OOB) deployments. The MAC addresses are input and authenticated through the CAM, but the CAS is the device that performs the actual filtering action. For OOB, the use of device filters must also be enabled in the Port Profile (see Add Port Profile). For both IB and OOB, devices put in the filter list bypass authentication. In both Layer 2 and Layer 3 deployments, Out-of-Band device filters rely only on client MAC address when determining whether or not to act upon MAC notification messages from an associated switch. (Device filters do not take client IP addresses into account for Out-of-Band client machines because the CAM cannot reliably verify Out-of-Band client IP addresses.)

Subnet filters can be configured for IB deployments only and are specified by subnet address and subnet mask (in CIDR format).

You can configure device or subnet filters to do the following:

IB: Bypass login/posture assessment and allow all traffic for the device/subnet.
OOB: Bypass login/posture assessment and assign the Default Access VLAN to the device.

IB: Block network access to the device/subnet.
OOB: Block network access and assign the Auth VLAN to the device.

IB: Bypass login/posture assessment and assign a user role to the device/subnet.
OOB: Bypass login/posture assessment and assign the Out-of-Band User Role VLAN to the device (the Access VLAN configured in the user role).


Note Because a device in a Filter entry is allowed/denied access without authentication, the device will not appear in the Online Users list in a Layer 2 deployment. (It can, however, still be tracked on the In-Band network through the Active Layer 2 Device Filters List.) See View Active Layer 2 Device Filter Policies for more information.


Some uses of device filters include:

For printers on user VLANs, you can set up an "allow" device filter for the printer's MAC address to allow the printer to communicate with Windows servers. Cisco recommends configuring device filters for printers in OOB deployment also. This prevents a user from connecting to a printer port in order to bypass authentication.

For In-Band Cisco NAC Appliance L3/VPN concentrator deployment, you can configure a device or subnet filter to allow traffic from an authentication server on the trusted network to communicate with the VPN concentrator on the untrusted network.

For very large numbers of non-NAC network devices (IP phones, printers, fax machines, etc.), you can add them to the device filter list to ensure they bypass Cisco NAC Appliance authentication, posture assessment, and remediation functions.


Note Device filter lists can also be automatically created and updated on the CAM using Cisco NAC Profiler. See Global Device Filter Lists from Cisco NAC Profiler for details.



Note The Policy Sync feature exports all global device filters created on the Master CAM to the Receiver CAMs. Any MAC address which is in the Master CAM's global Device Filter list will be exported, including Cisco NAC Profiler generated filters. See Policy Import/Export for details.



Note Device filter settings and/or subnet filter settings take precedence over the CAS Fallback Policy. While in CAS fallback mode, CAS device filter settings determine behavior based on the client MAC address. If device filter settings do not apply (for example, if the CAS is a Layer 3 gateway and cannot determine the client MAC address), the CAS also looks for applicable subnet filter settings before applying the CAS Fallback Policy. See Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3) for details.



Note In wireless deployments, when you are adding a client to the filter list, make sure that the client is not connected to the WLC and authenticated by NAC. If the client machine is already connected to WLC and authenticated, adding it to the filter list does not work. You need to disconnect the client machine and reconnect it to enable the filter.


Device Filters and User Count License Limits

MAC addresses specified with the "ALLOW" option in the Device Filter list (bypass authentication/posture assessment/remediation) do not count towards the user count license limit.

MAC addresses specified with the "CHECK" option in the Device Filter list (bypass authentication but go through posture assessment/remediation) do count towards the user count license limit.


Note The maximum number of (non-user) devices that can be filtered is based on memory limitations and is not directly connected to user count license restrictions. A CAS can safely support approximately 5,000 MAC addresses per 1 GB of memory.

Device filters and user/endpoint count license limits related to Cisco NAC Profiler depend upon the Cisco NAC Profiler system deployment. For specific information, see Cisco NAC Appliance Service Contract / Licensing Support and Cisco NAC Profiler Installation and Configuration Guide.


Adding Multiple Entries

You can enter a large number of MAC addresses into the device filter list by:

1. Specifying wildcards and MAC address ranges when configuring device filters.

2. Copying and pasting individual MAC addresses (one per line) into the New Device Filter form and adding all of them with one click.

3. Using the API (cisco_api.jsp) addmac function to add the MAC addresses programmatically. See API Support for details.
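Before pasting a long list into the New Device Filter form (method 2 above), it is worth normalizing and checking it, since the form accepts one address per line and a malformed or duplicate line is easy to miss in a block of several hundred. The script below is an added example (not Cisco's code) that does that check and also applies the license rule from Device Filters and User Count License Limits (ALLOW entries do not count toward the user count license, CHECK entries do). The accepted input formats, the colon output format, the optional trailing "#" comment in a pasted line and the function names are assumptions made for the illustration.

```python
"""Added example, not Cisco's code: pre-flight check for a block of MAC
addresses about to be pasted (one per line) into the New Device Filter form.
Input formats, output format and function names are assumptions."""
import re
from typing import Dict, List, Set

# colon or hyphen separated pairs, or Cisco dotted-quad style
_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$")


def normalize_mac(text: str) -> str:
    """Return the MAC in lower-case colon form, or raise ValueError."""
    s = text.strip().lower()
    if not _MAC_RE.match(s):
        raise ValueError(f"not a MAC address: {text!r}")
    digits = re.sub(r"[^0-9a-f]", "", s)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def prepare_bulk_entries(pasted: str, existing: Set[str]) -> Dict[str, List[str]]:
    """Classify every non-blank line of the paste.
    Keys: ready (normalized, new), invalid (raw line), duplicate (within the
    paste), already_present (already in the existing filter list)."""
    result: Dict[str, List[str]] = {"ready": [], "invalid": [], "duplicate": [], "already_present": []}
    seen: Set[str] = set()
    for raw in pasted.splitlines():
        line = raw.split("#", 1)[0].strip()   # trailing "# comment" tolerated (assumed)
        if not line:
            continue
        try:
            mac = normalize_mac(line)
        except ValueError:
            result["invalid"].append(raw.strip())
            continue
        if mac in seen:
            result["duplicate"].append(mac)
            continue
        seen.add(mac)
        if mac in existing:
            result["already_present"].append(mac)
            continue
        result["ready"].append(mac)
    return result


def license_impact(entries: List[str], action: str) -> int:
    """User-count license seats the new entries consume: ALLOW entries bypass
    posture assessment and do not count; CHECK entries do (per the chapter)."""
    return len(entries) if action.upper() == "CHECK" else 0


# Constructed sample paste (not real devices) and a constructed existing list.
PASTED = """\
00:1a:2b:3c:4d:5e
00-1A-2B-3C-4D-5F   # printer, 3rd floor
001a.2b3c.4d60
00:1a:2b:3c:4d:5e
00:1a:2b:3c:4d
00:1a:2b:3c:4d:61
"""
EXISTING = {"00:1a:2b:3c:4d:61"}


def demo():
    """Return the classification, the text ready to paste, and the CHECK license cost."""
    report = prepare_bulk_entries(PASTED, EXISTING)
    return report, "\n".join(report["ready"]), license_impact(report["ready"], "CHECK")


if __name__ == "__main__":
    report, paste_text, seats = demo()
    for key, items in report.items():
        print(f"{key:16} {items}")
    print(f"\npaste this ({seats} license seats if added as CHECK):\n{paste_text}")
```

The "ready" text is what goes into the form; the other three buckets are what to look at before clicking Add.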


Note You can automate the management of large numbers of endpoints by deploying the Cisco NAC Profiler solution. When configured, the Cisco NAC Profiler Server/Collector automatically populates and maintains global device filters on the CAM for profiled endpoints. See Global Device Filter Lists from Cisco NAC Profiler for more information.


Corporate Asset Authentication and Posture Assessment by MAC Address

Cisco NAC Appliance can perform MAC-based authentication and posture assessment of client machines without requiring the user to log into Cisco NAC Appliance. This feature is implemented through the "CHECK" device filter control for global and local device filters and the Agent. The Cisco NAC Web Agent performs posture assessment, but does not provide a medium for remediation. The user must manually fix/update the client machine and "Re-Scan" to fulfill posture assessment requirements with the Web Agent.


Note The CHECK feature only applies to Cisco NAC Appliance Agents which support posture assessment.


The following Device Filter configuration options are available:

CHECK and IGNORE device filter options.

ROLE and CHECK filters require choosing a User Role from the dropdown menu.

IGNORE is for OOB only. For IB, checking this option has no effect.

IGNORE is for global filters only. It does not appear on CAS New/Edit filter pages.

IGNORE device filters are intended to replace "allow" device filters that were specified for IP phones in previous releases.


Note Administrators should reconfigure their device filters for IP phones to use the IGNORE option in order to avoid creating unnecessary MAC notification traps. For more information, see Device Filters for Out-of-Band Deployment Using IP Phones.


Device filter policies have different applicability in L2 deployments (deployments where the CAS is in L2 proximity to the end points/user devices) versus L3 deployments (where the CAS may be one or more hops away from the end points/user devices). Note that in an L3 deployment, the endpoint needs to access the network using a web browser (Java Applet/ActiveX) or the Agent for Cisco NAC Appliance to be able to obtain the end point's MAC address. The behavior in L2 and L3 deployments is different, as described in Table 2-1.

Table 2-1 CAM L2/L3 Device Filter Options

ALLOW
L2: Allows all traffic from the end-point; no authentication or posture assessment is required.
L3: Allows all traffic from the end-point once the MAC address is known; until then, traffic from the end-point is subject to the policies of the Unauthenticated Role. No authentication or posture assessment is required.

DENY
L2: Denies all traffic from the end-point.
L3: Denies all traffic from the end-point once the MAC address is known; until then, traffic from the end-point is subject to the policies of the Unauthenticated Role.

ROLE
L2: Allows traffic from the end-point without any authentication or posture assessment, as specified by the role traffic policies (for backward compatibility with Cisco NAC Appliance 3.x, this continues to behave the same way).
L3: Once the MAC address is known, posture assessment is performed if configured, after which traffic is allowed as per the role traffic policies.

CHECK
L2: Performs posture assessment as specified for the Role, after which traffic is allowed as per the role traffic policies.
L3: Same as L2.

IGNORE
L2: For OOB only; ignores SNMP traps from managed switch ports for the specified MAC address(es).
L3: For OOB only; ignores SNMP traps from managed switch ports for the specified MAC address(es).



Note In both Layer 2 and Layer 3 deployments, Out-of-Band device filters rely only on client MAC address when determining whether or not to act upon MAC notification messages from an associated switch. (Device filters do not take client IP addresses into account for Out-of-Band client machines because the CAM cannot reliably verify Out-of-Band client IP addresses.)



Note Changing the access type of a ROLE-based device filter for a MAC address does not take effect dynamically. The CAM must receive a Linkup or MAC Notification trap (wired network) or an Association/Disassociation trap (wireless network) before the new behavior is applied. This is required so that a first-time posture assessment is not triggered when the NAC Agent popup is closed on the client.


Device Filters for In-Band Deployment

Cisco NAC Appliance assigns user roles to users either by means of authentication attributes, or through device/subnet filter policies. As a result, a key feature of device/subnet filter policy configuration is the ability to assign a system user role to a specified MAC address or subnet. Cisco NAC Appliance processing uses the following order of priority for role assignment:

1. MAC address

2. Subnet/IP address

3. Login information (login ID, user attributes from auth server, VLAN ID of user machine, etc.)

Therefore, if a MAC address associates the client with "Role A," but the user's login ID associates him or her to "Role B," "Role A" is used.

For complete details on user roles, see Chapter 6 "User Management: Configuring User Roles and Local Users."


Note For more information on In-Band vs. Out-of-Band client machine behavior based on specified Device Filter type, see In-Band and Out-of-Band Device Filter Behavior Comparison.



Note For management of Access Points (APs) from the trusted side, you can ensure the APs are reachable from the trusted side (i.e. through SNMP, HTTP, or whatever management protocol is used) by configuring a filter policy through Device Management > Filters > Devices.


Device Filters for Out-of-Band Deployment

The Clean Access Manager respects the global Device Filters list for Out-of-Band deployments. As is the case for In-Band deployments, for OOB, the rules configured for MAC addresses on the global Device Filter list will have the highest priority for user/device processing. In both Layer 2 and Layer 3 deployments, Out-of-Band device filters rely only on client MAC address when determining whether or not to act upon MAC notification messages from an associated switch. (Device filters do not take client IP addresses into account for Out-of-Band client machines because the CAM cannot reliably verify Out-of-Band client IP addresses.)

For OOB, the order of priority for rule processing is as follows:

1. Device Filters (if configured with a MAC address, and if enabled for OOB)

2. Certified Devices List

3. Out-of-Band Online User List

MAC address device filters configured for OOB have the following options and behavior:

ALLOW—Bypass login and posture assessment and assign Default Access VLAN to the port

DENY—Bypass login and posture assessment and assign Auth VLAN to the port

ROLE—Bypass login and L2 posture assessment and assign User Role VLAN to the port

CHECK—Bypass login, apply posture assessment, and assign User Role VLAN to the port

IGNORE—Ignore SNMP traps from managed switches (IP Phones)


Note To use global device filters for OOB, you must enable the Change VLAN according to global device filter list option for the Port Profile (under OOB Management > Profiles > Port > New or Edit). See Add Port Profile for details.

This feature applies to global device filters only. Cisco strongly recommends you do not configure any local (CAS-specific) device filters when deployed in an Out-of-Band environment.

See Out-of-Band User Role VLAN for details on VLAN assignment via the user role.



Note When you change a MAC address device filter from ALLOW to DENY, the change is not dynamic. The client's traffic was initially directed to the Default Access VLAN, and for DENY to take effect the port must be moved to the Authentication VLAN. Manually remove the MAC address from the Certified Devices List and the Out-of-Band Online Users list to apply the DENY rule to the device.

When you change a MAC address device filter from DENY to ALLOW, the change is dynamic. When the client's traffic reaches the eth1 interface of the CAS, the CAS checks the device filter rules and allows the client through, because the access type has been moved from DENY to ALLOW.



Note For more information on In-Band vs. Out-of-Band client machine behavior based on specified Device Filter type, see In-Band and Out-of-Band Device Filter Behavior Comparison.


For further details, see Chapter 3 "Switch Management: Configuring Out-of-Band Deployment."

Device Filters for Out-of-Band Deployment Using IP Phones

For IP phones through which client machines connect to your network, you must create a global device filter list of their MAC addresses with the IGNORE access type. You can build the list from individual MAC addresses (Cisco recommends this method only for small deployments), specify a range of MAC addresses using range delimiters and/or wildcard characters, or extract a list of MAC addresses from an existing IP phone management application such as Cisco CallManager.

Once you have built the list of IP phone MAC addresses, ensure that Cisco NAC Appliance ignores them by enabling the Change VLAN according to global device filter list option for the Port Profile (under OOB Management > Profiles > Port > New or Edit) when you configure your Cisco NAC Appliance system for OOB. This ensures that an IP phone's MAC notification cannot initiate a switch from one VLAN to another (from the Access to the Authentication VLAN, for example) and thus inadvertently terminate the associated client machine's connection. See Configure OOB Switch Management on the CAM for details.

In-Band and Out-of-Band Device Filter Behavior Comparison

VLAN assignments and whether or not the users appear in the Online Users list and associated client machines appear in the Certified Devices List differ depending on which filter type (ALLOW, DENY, ROLE, CHECK, or IGNORE) you configure. The following general guidelines apply when determining client traffic behavior for In-Band and Out-of-Band deployments:

In-Band traffic is subject to both global and CAS-specific filter assignments, depending on the hierarchy defined in Device Management > Filters > Devices > Order.

If the Port Profile has the Change VLAN according to global device filter list option enabled, the CAM directs the switch to follow global device filter configuration when assigning VLANs to ports.

Out-of-Band client machines associated with a specific Port Profile are only governed by global device filters.

Table 2-2 Layer 2 and Layer 3 In-Band and Out-of-Band MAC Address Filter Behavior

The table has four columns, listed per filter type below: Layer 2 In-Band (global and CAS filters); Layer 3 In-Band (global and CAS filters); Out-of-Band without the Port Profile option (global filters), which also applies to Out-of-Band with CAS filters; and Out-of-Band with the Port Profile option (global filters only).

ALLOW
  L2 In-Band: Allow traffic.
  L3 In-Band: Allow traffic (add Online Users list/Certified Devices List entries, no posture assessment).
  OOB without Port Profile option / OOB (CAS): Allow traffic in In-Band mode.
  OOB with Port Profile option: Client traffic is directed to the Default Access VLAN.

DENY
  L2 In-Band: Deny traffic.
  L3 In-Band: Deny traffic once the MAC address is known.
  OOB without Port Profile option / OOB (CAS): Deny traffic in In-Band mode.
  OOB with Port Profile option: Client traffic is directed to the Authentication VLAN.

ROLE
  L2 In-Band: Put in role and apply role policies.
  L3 In-Band: Do posture assessment, add Online Users list/Certified Devices List entries, put in role and apply role policies.
  OOB without Port Profile option / OOB (CAS): Put in role and apply role policies in In-Band mode.
  OOB with Port Profile option: Client traffic is directed to the Access VLAN (based on Port Profile).

CHECK (device in Certified Devices List)
  L2 In-Band: Put in role and apply role policies (no Online Users list entry).
  L3 In-Band: Do posture assessment, add Online Users list/Certified Devices List entries, put in role and apply role policies.
  OOB without Port Profile option / OOB (CAS): Put in role and apply role policies in In-Band mode (no Online Users list entry).
  OOB with Port Profile option: Client traffic is directed to the Access VLAN (based on Port Profile; no Online Users list entry).

CHECK (device not in Certified Devices List)
  L2 In-Band: Do posture assessment (In-Band Online Users list entry in the Temporary role) and add a Certified Devices List entry after posture assessment (no Online Users list entry).
  L3 In-Band: Same as L2 In-Band.
  OOB without Port Profile option / OOB (CAS): Do posture assessment (In-Band Online Users list entry in the Temporary role), add a Certified Devices List entry after posture (Out-of-Band Online Users list entry) and assign to the Access VLAN (based on Port Profile).
  OOB with Port Profile option: Same as the previous column.

IGNORE
  L2 In-Band: No effect (normal behavior).
  L3 In-Band: No effect (normal behavior).
  OOB without Port Profile option / OOB (CAS): No effect (normal behavior).
  OOB with Port Profile option: SNMP traps are ignored.


The Require users to be certified at every web login option only applies to the In-Band Online Users list. When this option is enabled and the Online Users list entry is deleted, the corresponding Certified Devices List entry is deleted if there are no other Online Users list (either In-Band or Out-of-Band) entries with the same MAC address.

Device Filters and Gaming Ports

To allow gaming services, such as Microsoft Xbox Live, Cisco recommends creating a gaming user role and adding a filter for the device MAC addresses (under Device Management > Filters > Devices > New) to place the devices into that gaming role. You can then create traffic policies for the role to allow traffic for gaming ports. For additional details, see:

Allowing Gaming Ports

http://www.cisco.com/warp/customer/707/ca-mgr-faq2.html#q16

Adding a New User Role

Global vs. Local (CAS-Specific) Filters

You can add device/subnet filter policies at a global level for all Clean Access Servers in the Clean Access Manager Filters pages, or for a specific Clean Access Server through the CAS management pages. The CAM stores both types of access filters and distributes the global filter policies to all Clean Access Servers and the local filter policies to the relevant CAS.

For subnet filter policies (in Device Management > Filters > Subnet) where one subnet filter specifies a subset of the address range of a broader subnet filter, the CAM determines the priority of the filter based on the size of the subnet address range. The smaller the subnet (for example, a /30 or /28 subnet mask), the higher its priority in the subnet filter hierarchy. For example, a subnet filter policy allowing traffic from the 192.168.128.0/28 address range takes precedence over another subnet filter policy denying traffic from the 192.168.128.0/24 address range. Whether the subnet filter policy is global or local makes no difference when determining the priority.
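The role-assignment order given under Device Filters for In-Band Deployment (MAC filter, then subnet filter, then login) together with the subnet specificity rule above, as an added worked example in Python. This is illustrative code written for this page, not Cisco code and not a CAM API: the policy data, function names and the exact-MAC-only lookup are assumptions of the example, and the sample MAC addresses and subnets are constructed.

```python
import ipaddress

# Constructed sample policies (not exported from a CAM). The field layout is this
# example's own; the CAM web console exposes no programmatic policy store.
MAC_FILTERS = {
    # MAC -> (access type, role, IP the MAC is bound to or None)
    "00:16:21:11:4D:67": ("ROLE", "role-a", "10.1.12.9"),   # MAC/IP binding
    "00:16:21:11:4D:68": ("ALLOW", None, None),
}

SUBNET_FILTERS = [
    # (network, access type, role); list order does not matter, prefix length does
    ("192.168.128.0/24", "deny", None),
    ("192.168.128.0/28", "allow", None),      # more specific, so it wins inside its range
    ("10.20.0.0/16", "use role", "printers"),
]


def subnet_decision(ip):
    """Return (access type, role) of the most specific subnet filter containing ip, or None.

    Overlapping subnet filters are ranked by prefix length only, so a /28 'allow'
    overrides a /24 'deny' regardless of whether either filter is global or CAS-local.
    """
    addr = ipaddress.ip_address(ip)
    hits = [
        (ipaddress.ip_network(net), access, role)
        for net, access, role in SUBNET_FILTERS
        if addr in ipaddress.ip_network(net)
    ]
    if not hits:
        return None
    _net, access, role = max(hits, key=lambda h: h[0].prefixlen)
    return access, role


def assign_role(mac, ip, login_role=None):
    """In-Band role assignment order: MAC filter, then subnet filter, then login.

    Returns (source, access type, role). A MAC filter that also carries an IP only
    applies when the client presents that IP; otherwise the filter is skipped as a
    possible MAC spoof and evaluation falls through to the next source.
    """
    entry = MAC_FILTERS.get(mac.upper())
    if entry is not None:
        access, role, bound_ip = entry
        if bound_ip is None or ipaddress.ip_address(bound_ip) == ipaddress.ip_address(ip):
            return "mac", access, role
    decision = subnet_decision(ip)
    if decision is not None:
        access, role = decision
        return "subnet", access, role
    if login_role is not None:
        return "login", "ROLE", login_role
    return "none", None, None


if __name__ == "__main__":
    # MAC filter wins over the login role ("Role A" over "Role B" in the text).
    print(assign_role("00:16:21:11:4D:67", "10.1.12.9", login_role="role-b"))
    # Same MAC from another IP: the binding fails, so the login role is used.
    print(assign_role("00:16:21:11:4D:67", "10.1.12.77", login_role="role-b"))
    # Overlapping subnet filters: the /28 allow beats the /24 deny only inside the /28.
    print(assign_role("00:AA:BB:CC:DD:EE", "192.168.128.5"))
    print(assign_role("00:AA:BB:CC:DD:EE", "192.168.128.200"))
```

The MAC/IP mismatch branch is the point worth noticing: binding an IP to a MAC filter does not deny the client, it only stops that filter from applying, so the client ends up wherever the next source in the order puts it.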

For device filter policies specifying a range of MAC addresses where two or more policies potentially affect the same MAC address, the priority of the policy (in Device Management > Filters > Devices > Order) determines which global or local policy to enforce. However, any device filter specifying an individual MAC address takes precedence over a filter policy (either global or local) defining a range of addresses that includes the individual MAC address.

See Global and Local Administration Settings for more information.

This section describes the forms and the steps to add global access filter policies. See the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3) for how to add local access filter policies.


Note The CAM prioritizes the global Device Filters list (not CAS-specific filters) for OOB deployments.


Global Device Filter Lists from Cisco NAC Profiler

To create and manage large numbers of non-user endpoint devices, such as network printers, IP phones, UPS devices, HVAC sensors, and wireless access controllers, you can deploy Cisco NAC Profiler. The Cisco NAC Profiler system enables you to automatically discover, categorize, and monitor hundreds or even thousands of endpoints for which user authentication and/or posture assessment does not apply.

The Cisco NAC Profiler solution consists of two primary components:

Cisco NAC Profiler Server—The Cisco NAC Profiler Server manages the Cisco NAC Profiler Collector component enabled on each Clean Access Server. The Cisco NAC Profiler Server populates entries on the CAM's global device filter list (Device Management > Filters > Devices > List) for the endpoints it profiles and monitors. Clicking the Description link for a Profiler entry brings up the NAC Profiler Server's Endpoint Summary data right inside the CAM web console, as shown in Figure 2-5 and Figure 2-6. The Cisco NAC Profiler Server is configured and managed via its own web console interface, as described in the Cisco NAC Profiler Installation and Configuration Guide.

Cisco NAC Profiler Collector—The Cisco NAC Profiler Collector is a service that can be enabled on a NAC-3310 or NAC-3350 Clean Access Server running Release 4.1(3) or later. You must purchase a Cisco NAC Profiler Server appliance and obtain and install Cisco NAC Profiler/Collector licenses on the Cisco NAC Profiler Server to deploy the Cisco NAC Profiler solution. See the "CLI Commands for Cisco NAC Profiler" section of the Cisco NAC Appliance Hardware Installation Guide for details.


Note Refer to the Release Notes for Cisco NAC Profiler for release compatibility information.


Figure 2-5 Cisco NAC Profiler Entries in CAM Device Filters

Figure 2-6 Endpoint Summary


Note The Policy Sync feature exports all global device filters created on the Master CAM to the Receiver CAMs. Any MAC address which is in the Master CAM's global Device Filter list will be exported, including Cisco NAC Profiler generated filters. See Policy Import/Export for details.


Configure Device Filters

This section describes the following:

Add Global Device Filter

Display/Search/Import/Export Device Filter Policies

Edit Device Filter Policies

Delete Device Filter Policies

Add Global Device Filter

A MAC address entry in the Device Filter list does not by itself exempt the machine from Cisco NAC Appliance policies (for example, Agent-based checks or network scanner checks). Depending on the access type chosen in Step 3, the device is authenticated by its MAC address but can still be required to go through scanning (network and/or Agent).

A device filter set up as described in the following steps applies across all Clean Access Servers in the CAM domain.


Note For more information on In-Band vs. Out-of-Band client machine behavior based on specified Device Filter type, see In-Band and Out-of-Band Device Filter Behavior Comparison.



Step 1 Go to Device Management > Filters > Devices > New.

Figure 2-7 New Device Filter

Step 2 In the New Device Filter form, enter the MAC address of the device(s) for which you want to create a policy in the text field. Type one entry per line using the following format:

<MAC>/<optional_IP> <optional_entry_description>

Note the following:

You can use wildcards "*" or a range "-" to specify multiple MAC addresses.

Separate multiple devices with a return.

As an option, you can enter an IP address with the MAC to make sure no one spoofs the MAC address to gain network access. If you enter both a MAC and an IP address, the client must match both for the rule to apply.

You can specify a description per device or for all devices. A description specific to a particular device (in the MAC Address field) supersedes the description that applies to all devices in the Description (all entries) field. The description in a device entry cannot contain spaces (see Figure 2-7).

Step 3 Choose the policy for the device from the Access Type choices:

ALLOW
IB - bypass login, bypass posture assessment, allow access
OOB - bypass login, bypass posture assessment, assign Default Access VLAN

DENY
IB - bypass login, bypass posture assessment, deny access
OOB - bypass login, bypass posture assessment, assign Auth VLAN

ROLE
IB - bypass login, bypass L2 posture assessment, assign role
OOB - bypass login, bypass L2 posture assessment, assign User Role VLAN. The Out-of-Band User Role VLAN is the Access VLAN configured in the user role. See Chapter 6 "User Management: Configuring User Roles and Local Users" for details.

CHECK
IB - bypass login, apply posture assessment, assign role
OOB - bypass login, apply posture assessment, assign User Role VLAN

IGNORE
OOB (only) - ignore SNMP traps from managed switches (IP Phones)


Note For OOB, you must also enable the use of global device filters at the Port Profile level under OOB Management > Profiles > Port > New or Edit. See Add Port Profile for details.


Step 4 Click Add to save the policy.

Step 5 The List page under the Devices tab appears.

The following examples are all valid entries (that can be entered at the same time):

00:16:21:11:4D:67/10.1.12.9 pocket_pc 
00:16:21:12:* group1 
00:16:21:13:4D:12-00:16:21:13:E4:04 group2 
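A parser for the entry format accepted by the New Device Filter text field, as an added Python example. It is illustrative code written for this page, not Cisco code, and the CAM performs its own validation server-side. The reading of "*" as standing for one or more whole trailing octets, the function names and the sample lines are assumptions of the example; the three valid lines are the ones shown above, plus a fourth constructed line with no description to show the fallback to the all-entries description.

```python
import ipaddress
import re

OCTET = r"[0-9A-Fa-f]{2}"
EXACT_MAC = re.compile(rf"^{OCTET}(?::{OCTET}){{5}}$")
# Assumption: "*" replaces one or more whole trailing octets (as in 00:16:21:12:*).
WILDCARD_MAC = re.compile(rf"^{OCTET}(?::{OCTET}){{0,4}}:\*$")


def mac_to_int(mac):
    """Numeric value of a colon-separated MAC, used to validate range endpoints."""
    return int(mac.replace(":", ""), 16)


def parse_entry(line, default_description=""):
    """Parse one line in the form <MAC>/<optional_IP> <optional_entry_description>.

    Returns a dict with kind ('exact', 'wildcard' or 'range'), mac, ip and description.
    Raises ValueError for anything the form would reject.
    """
    tokens = line.split()
    if not tokens:
        raise ValueError("empty entry")
    if len(tokens) > 2:
        # The description is one token: spaces inside it are not allowed.
        raise ValueError(f"description may not contain spaces: {line!r}")
    mac_spec, _, ip_text = tokens[0].partition("/")
    ip = str(ipaddress.ip_address(ip_text)) if ip_text else None  # ValueError if malformed
    mac_spec = mac_spec.upper()
    if "-" in mac_spec:
        start, end = mac_spec.split("-", 1)
        if not (EXACT_MAC.match(start) and EXACT_MAC.match(end)):
            raise ValueError(f"range endpoints must be full MAC addresses: {mac_spec}")
        if mac_to_int(start) > mac_to_int(end):
            raise ValueError(f"range start is above range end: {mac_spec}")
        kind = "range"
    elif mac_spec.endswith("*"):
        if not WILDCARD_MAC.match(mac_spec):
            raise ValueError(f"wildcard must replace whole trailing octets: {mac_spec}")
        kind = "wildcard"
    elif EXACT_MAC.match(mac_spec):
        kind = "exact"
    else:
        raise ValueError(f"malformed MAC address: {mac_spec}")
    # A description on the entry line supersedes the one given for all entries.
    description = tokens[1] if len(tokens) == 2 else default_description
    return {"kind": kind, "mac": mac_spec, "ip": ip, "description": description}


def parse_entries(text, default_description=""):
    """Parse the whole text field, one entry per line, skipping blank lines."""
    return [parse_entry(line, default_description)
            for line in text.splitlines() if line.strip()]


def is_valid_entry(line):
    """True if the line would be accepted by parse_entry."""
    try:
        parse_entry(line)
        return True
    except ValueError:
        return False


# Constructed sample input: the three entries from the page plus one with no description.
SAMPLE = """\
00:16:21:11:4D:67/10.1.12.9 pocket_pc
00:16:21:12:* group1
00:16:21:13:4D:12-00:16:21:13:E4:04 group2
00:16:21:14:4D:68
"""

if __name__ == "__main__":
    for entry in parse_entries(SAMPLE, default_description="lab_devices"):
        print(entry)
```

Running the block prints one dict per line; the last entry picks up the "lab_devices" description because its line carries none, while an entry such as "00:16:21:11:4D:67 my device" is rejected because its description contains a space.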

Note If bandwidth management is enabled, devices allowed without specifying a role will use the bandwidth of the Unauthenticated Role. See Control Bandwidth Usage for details.



Note Troubleshooting Tip: If you see ERROR: "Adding device MAC failed" and you are unable to add any devices in the filter list (regardless of which option is checked, or whether an IP address/description is included), check the Event Logs. If you see "xx:xx:xx:xx:xx:xx could not be added to the MAC list", this can indicate that one of the CASs is disconnected.



Display/Search/Import/Export Device Filter Policies

Priorities can be defined for ranges (via the Order page).

A single MAC address device filter (e.g. 00:14:6A:6B:6C:6D) always takes precedence on the filter List over a wildcard/range device filter (e.g. 00:14:6A:6B:*, or 00:14:6A:*).

New wildcard/range device filters are always put at the end of the List page. To change the priority, go to the Order page.

The role assignment for a single MAC address device filter always takes precedence over other filters. You can check the role assignment to be used for a MAC address using the Test page.

The Test page shows which filter will take effect for the MAC address entered.

To filter the list of known devices:


Step 1 You can narrow the number of devices displayed in the filter list (under Device Management > Filters > Devices > List) using the following search criteria and respective modifiers available in the Filter dropdown list:

MAC Address
  Modifiers: is, is not, contains, starts with, ends with
  Filter entry: any full or partial MAC address in the format AA:BB:CC:DD:EE:FF

IP Address
  Modifiers: is, is not, contains, starts with, ends with
  Filter entry: any full or partial IP address in the format A.B.C.D

Clean Access Server
  Modifiers: is, is not
  Filter entry (dropdown menu options): GLOBAL, <CAS_IP_address>

Description
  Modifiers: is, is not, contains, starts with, ends with
  Filter entry: any text string

Access Type
  Modifiers: is, is not
  Filter entry (dropdown menu options): Allow, Deny, Role-Based, Check-Based, Ignore

Priority
  Modifiers: is, is not, contains, starts with, ends with
  Filter entry: any number


Figure 2-8 Device Filter List—Access Type Modifiers

Step 2 Click the Filter button after entering the search criteria to display the filtered results.

The Clean Access Server column in the list shows the scope of the policy. If the policy was configured locally in the CAS management pages, this field displays the IP address of the originating Clean Access Server. If the policy was configured globally for all Clean Access Servers in the Device Management > Filters module of the admin console, the field displays GLOBAL.

The filter list can be sorted by column by clicking on the column heading label (MAC Address, IP Address, Clean Access Server, Description, Access Type, or Priority).

See Global and Local Administration Settings and the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3) for more information.

Clicking Reset negates any of the optional search criteria from the filter dropdown menu and resets the list to display all entries (default).

Clicking Delete Selected removes the devices selected in the check column to the far left of the page. (You can select one or more device entries to remove from the display.)

Clicking Delete All Filtered removes the devices that remain in the list after you have used the Filter tool to display a subset of all devices. (You can use this function to remove up to 100 devices at a time.)

Import/Export Device Filter Policies

You can use the Export button to save CSV files containing device data to your local hard drive to search, view, and manipulate whenever needed for troubleshooting or statistical analysis purposes.


Note Due to limits native to the Microsoft Excel application, you can only export up to 65534 MAC address entries using this function.


You can also use the Browse and Import buttons to locate and load a compilation of device entries from a previously saved CSV file.


Order Device Filter Wildcard/Range Policies

The Order page is for wildcard/range device filters only. The Order page is used to change the priority of wildcard/range device filters.

For example:

If the Order page is configured with filters as follows:

1. 00:14:6A:* — Access Type: DENY

2. 00:14:6A:6B:* — Access Type: IGNORE

A device with MAC address 00:14:6A:6B:60:60 will be denied.

If the Order page is configured as follows:

1. 00:14:6A:6B:* — Access Type: IGNORE

2. 00:14:6A:* — Access Type: DENY

A device with MAC address 00:14:6A:6B:60:60 will have access type IGNORE.

However, if a device filter exists for the exact MAC address 00:14:6A:6B:60:60, the rules of that filter apply instead, and any existing wildcard/range filters are not used.

1. Go to Device Management > Filters > Devices > Order.

Figure 2-9 Order

2. Click the arrows in the Priority column to move the priority of the wildcard/range filter up or down.

3. Click Commit to apply the changes. (Click Reset to cancel the changes.)
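The precedence rules described on this page (a single-MAC filter beats any wildcard/range filter, Order-page priority decides among wildcard/range filters, and a local filter applies only on its own CAS) as an added Python model of what the Test page reports. This is example code written for this page, not Cisco's implementation; the DeviceFilter structure, the scope field and the sample filters are assumptions, with the two orderings taken from the example above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceFilter:
    pattern: str           # "00:14:6A:6B:60:60", "00:14:6A:*" or "<start>-<end>"
    access_type: str       # ALLOW, DENY, ROLE, CHECK or IGNORE
    scope: str = "GLOBAL"  # "GLOBAL", or the IP of the CAS that owns a local filter
    role: Optional[str] = None


def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def is_single_mac(pattern):
    return "-" not in pattern and not pattern.endswith("*")


def mac_matches(pattern, mac):
    """True if mac falls under an exact, wildcard (trailing '*') or range pattern."""
    pattern, mac = pattern.upper(), mac.upper()
    if "-" in pattern:
        start, end = pattern.split("-", 1)
        return mac_to_int(start) <= mac_to_int(mac) <= mac_to_int(end)
    if pattern.endswith("*"):
        return mac.startswith(pattern[:-1])  # "00:14:6A:*" keeps the "00:14:6A:" prefix
    return pattern == mac


def resolve(mac, cas_ip, filters):
    """Emulate Devices > Test: which filter applies to mac on the given CAS?

    `filters` lists wildcard/range filters in Order-page priority (first = highest).
    Single-MAC filters may sit anywhere in the list because the Order page does not
    rank them: they are checked first and always win. A local filter is only visible
    on its own CAS; a GLOBAL filter is visible everywhere.
    """
    visible = [f for f in filters if f.scope in ("GLOBAL", cas_ip)]
    for f in visible:
        if is_single_mac(f.pattern) and mac_matches(f.pattern, mac):
            return f
    for f in visible:
        if not is_single_mac(f.pattern) and mac_matches(f.pattern, mac):
            return f
    return None


def access_type_for(mac, cas_ip, filters):
    """Access type the Test page would show, or None when no filter applies."""
    hit = resolve(mac, cas_ip, filters)
    return hit.access_type if hit else None


# Constructed filter sets: the two Order-page configurations from the text, an exact
# filter for the same device, and a local range filter owned by CAS 10.0.0.3.
ORDER_A = [DeviceFilter("00:14:6A:*", "DENY"), DeviceFilter("00:14:6A:6B:*", "IGNORE")]
ORDER_B = [DeviceFilter("00:14:6A:6B:*", "IGNORE"), DeviceFilter("00:14:6A:*", "DENY")]
EXACT_ALLOW = DeviceFilter("00:14:6A:6B:60:60", "ALLOW")
LOCAL_RANGE = DeviceFilter("00:16:21:13:4D:12-00:16:21:13:E4:04", "ROLE",
                           scope="10.0.0.3", role="group2")

if __name__ == "__main__":
    device = "00:14:6A:6B:60:60"
    print(access_type_for(device, "10.0.0.2", ORDER_A))                # DENY
    print(access_type_for(device, "10.0.0.2", ORDER_B))                # IGNORE
    print(access_type_for(device, "10.0.0.2", ORDER_A + [EXACT_ALLOW]))  # ALLOW
    print(access_type_for("00:16:21:13:A0:00", "10.0.0.3", [LOCAL_RANGE]))  # ROLE
    print(access_type_for("00:16:21:13:A0:00", "10.0.0.2", [LOCAL_RANGE]))  # None
```

Note what the last two calls show: the same MAC resolves differently depending on which CAS you test against, which is why the Test page asks for a Clean Access Server and why local device filters are discouraged for Out-of-Band deployments, where only the global list is consulted.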


Note For more information on In-Band vs. Out-of-Band client machine behavior based on specified Device Filter type, see In-Band and Out-of-Band Device Filter Behavior Comparison.


Test Device Filter Policies

The Test page control allows administrators to determine which device filter and access type will be applied to the specified MAC address for a particular Clean Access Server.

1. Go to Device Management > Filters > Devices > Test.

2. Type the MAC address of the device in the MAC Address field.

3. Choose CAS to test against from the Clean Access Server dropdown menu.

4. Click Submit. The Access Type specified for the corresponding device filter appears in the list below.

Figure 2-10 Test

View Active Layer 2 Device Filter Policies

The Active Layer 2 In-Band Device Filters list displays all clients currently connected to the CAS, sending packets, and with their MAC addresses in a device filter. This list is especially useful in cases where users are configured to bypass authentication (via device filters) and/or posture assessment (such as when no requirements are enforced). Though by definition these users will not appear in the Online Users list or Certified Devices List, they can still be tracked on the In-Band network through the Active Layer 2 Device Filters List.


Note For more information on In-Band vs. Out-of-Band client machine behavior based on specified Device Filter type, see In-Band and Out-of-Band Device Filter Behavior Comparison.


To view active Layer 2 devices in filter policies across all Clean Access Servers:


Step 1 Go to Device Management > Filters > Devices > Active.

Step 2 Click the Show All button first to populate the Active page with the information from all clients currently connected to the CAS, sending packets, and with their MAC addresses in a device filter.

You can also perform a Search on a client IP or MAC address to populate the page with the result. By default, the Search parameter performed is equivalent to "contains" for the value entered in the Search IP/MAC Address field.


Note For performance considerations, the Active page only displays the most current device information when you refresh the page by clicking Show All or Search.


Figure 2-11 Active


Note To view active devices for an individual CAS, go to Device Management > CCA Servers > Manage [CAS_IP] > Filter > Devices > Active.



Edit Device Filter Policies


Step 1 Click the Edit icon next to device filter policy in the filter list. The Edit page appears.

Step 2 You can edit the IP Address, Description, Access Type, and Role used. Click Save to apply the changes.


Note The MAC address is not an editable property of the filter policy. To modify a MAC address, create a new filter policy and delete the existing policy (as described below).



Delete Device Filter Policies

There are three ways to delete a device access policy or policies:

Select the checkbox next to it in the List and click the Delete Selected button. Up to 25 device access policies per page can be selected and deleted in this way.

Use the Delete All Filtered button to remove devices that remain in the list after you have used the Filter tool to display a subset of all devices.

Use the search criteria to select the desired device filter policies and click Delete List. This removes all devices filtered by the search criteria across the number of applicable pages. Devices can be selectively removed using any of the search criteria used to display devices. The "filtered devices indicator" shown in Figure 2-8 displays the total number of filtered devices that will be removed when Delete List is clicked.

Configure Subnet Filters

The Subnets tab (Figure 2-12) allows you to specify authentication and access filter rules for an entire subnet. All devices accessing the network on the subnet are subject to the filter rule.

To set up subnet-based access controls:


Step 1 Go to Device Management > Filters > Subnets.

Figure 2-12 Subnet Filters

Step 2 In the Subnet Address/Netmask fields, enter the subnet address and subnet mask in CIDR format (for example, 192.168.128.0/28).

Step 3 Optionally, type a Description of the policy or device.

Step 4 Choose the network Access Type for the subnet:

allow - Enables devices on the subnet to access the network without authentication.

deny - Blocks devices on the subnet from accessing the network.

use role - Allows access without authentication and applies a role to users accessing the network from the specified subnet. If you select this option, also select the role to apply to these devices. See Chapter 6 "User Management: Configuring User Roles and Local Users" for details on user roles.

Step 5 Click Add to save the policy.

The policy takes effect immediately and appears at the top of the filter policy list.


Note If bandwidth management is enabled, devices allowed without specifying a role will use the bandwidth of the Unauthenticated Role. See Control Bandwidth Usage for details.


After a subnet filter is added, you can remove it using the Delete icon or edit it by clicking the Edit icon. Note that the subnet address is not an editable property of the filter policy. To modify a subnet address, you need to create a new filter policy and delete the existing one.

The Clean Access Server column in the list of policies shows the scope of the policy. If the policy was configured as a local setting in a Clean Access Server, this field identifies the CAS by IP address. If the policy was configured globally in the Clean Access Manager, the field displays GLOBAL.

The filter list can be sorted by column by clicking on the column heading label (Subnet, Clean Access Server, Description, Access Type).