NAC and subnets management

Unanswered Question
Sep 10th, 2010

Hi, excuse me, I am new to NAC. I have to manage a remote /21. I cannot split it further, but the last subnet of the group must bypass NAC, keeping the integrity of the GW, route and /21. How can I set this up?



Faisal Sehbai Fri, 09/10/2010 - 10:22

Hi A,

NAC is all about engineering the traffic so that during the authentication/posture-assessment/remediation phase, traffic is always flowing through the CAS. Keeping that in mind, you'll have to design your traffic flow. Without more details this is about as specific as I can get :-)



H0nizatin0 Mon, 09/13/2010 - 01:01

Hello Faisal,

that is in fact what I was afraid of.

Unfortunately I cannot split/design the traffic before the CAS. I would like to have the last /24 subnet of my /21 subnets' group exempted from authentication (it will be a bulk of servers which, of course, need to auto-update themselves, while their security is managed by installed agents).

So, I was wondering if there is any workaround to avoid manually entering the IP and MAC of each of these machines to make them bypass the NAC.

(Apologies...I hope my bad English does not create more confusion on this matter)

Thanks in advance for your patience

A (H0nizatin0)

Faisal Sehbai Mon, 09/13/2010 - 06:10

Hi A,

You could put in Subnet filters designating just the last octet of that big subnet to not be authenticated. Again this might or might not work since I don't have enough details to tell you one way or the other. Subnet filters are used to exempt devices from NAC'ing. Look under Filters -> Subnets
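The exemption discussed in this reply can be sanity-checked before the filter is entered. The following is an added example, not part of the original post and not Cisco NAC configuration: it derives the last /24 of a /21 and audits a host inventory against it, so that only the intended servers end up bypassing authentication. The 10.20.8.0/21 block, the inventory and the role names are constructed assumptions.

```python
import ipaddress

def last_subnet(block, new_prefix=24):
    """Return the last /new_prefix subnet inside block (e.g. the last /24 of a /21)."""
    net = ipaddress.ip_network(block, strict=True)
    if new_prefix < net.prefixlen:
        raise ValueError("new_prefix must not be shorter than the block prefix")
    return list(net.subnets(new_prefix=new_prefix))[-1]

def audit_exemption(block, inventory):
    """Classify hosts against a subnet filter covering the last /24 of block.

    inventory maps IP address text to a role label ("server" or anything else).
    """
    net = ipaddress.ip_network(block, strict=True)
    exempt = last_subnet(block)
    report = {
        "exempt_ok": [],          # servers inside the exempted /24
        "exempt_unexpected": [],  # non-servers that would bypass NAC: review these
        "server_not_exempt": [],  # servers that would still be forced through NAC
        "authenticated": [],      # ordinary hosts that stay under NAC
        "outside_block": [],      # addresses that are not in the /21 at all
    }
    for ip_text, role in sorted(inventory.items()):
        ip = ipaddress.ip_address(ip_text)
        if ip not in net:
            report["outside_block"].append(ip_text)
        elif ip in exempt:
            key = "exempt_ok" if role == "server" else "exempt_unexpected"
            report[key].append(ip_text)
        elif role == "server":
            report["server_not_exempt"].append(ip_text)
        else:
            report["authenticated"].append(ip_text)
    return exempt, report

# Constructed sample data (assumption, not from the thread)
SAMPLE_BLOCK = "10.20.8.0/21"
SAMPLE_INVENTORY = {
    "10.20.15.10": "server",
    "10.20.15.77": "workstation",
    "10.20.14.5": "server",
    "10.20.9.20": "workstation",
    "10.20.16.1": "server",
}

if __name__ == "__main__":
    exempt, report = audit_exemption(SAMPLE_BLOCK, SAMPLE_INVENTORY)
    print("Subnet filter:", exempt.network_address, "/", exempt.netmask)
    for category, hosts in report.items():
        print(f"{category}: {hosts}")
```

Any address listed under `exempt_unexpected` is a host that would skip authentication and posture assessment only because of where it sits in the address plan.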



H0nizatin0 Tue, 09/14/2010 - 00:19

Hello Faisal,

thanks a lot for the suggestion!

As soon as we start the process (we are NACing so many other subnets at the moment), I will post more details about the (successful) operation.

Thanks again for your kind and quick support

A (nizatino)

