Cisco Support Community

Difference in NAC between filter and certified devices

I cannot seem to figure out what the difference is between filters and certified devices in the NAC CAM interface. Both seem to allow devices to bypass authentication and posture assessment. When would one be preferred over the other?


Re: Difference in NAC between filter and certified devices

This topic was confusing to me as well when I first started with NAC. Let me see if I can help...

Filters provide requirements for authentication and posture assessment. They enable end-point devices to be checked for authentication, posture assessment, both, or neither based on either MAC address or Role assignment, depending on the filter.

A good example of something that would be in the Allow category would be Printers or IP phones. Because these devices cannot authenticate, you would always want them to have access to the LAN without NAC interference. You would add them to an ALLOW filter. The devices remain filtered unless you manually remove them.

Certified Devices bypass posture assessment only. Authentication will still be required. These are best used with timers. For example, PCs that successfully complete authentication and posture assessment once are placed in the certified device list. We have a certified device timer set up in our environment so that a device is checked for posture assessment once every two weeks. Once the two-week window has expired, all desktop PCs are removed from posture assessment and will once again have to be checked for compliance.

You can use both filters and certified devices as a way of creating role assignments in an OOB deployment.
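The distinction described in the answer above, as an added conceptual model that is not part of the original post and is not Cisco NAC code or its API: every name, the constructed MAC addresses, and the assumption that a filter entry takes precedence over the certified list are illustrative only.

```python
from datetime import datetime, timedelta

# Conceptual model only; these structures are assumptions, not CAM objects.
CERT_LIFETIME = timedelta(weeks=2)  # the two-week certified device timer from the answer

def required_checks(mac, now, filters, certified):
    """Return the set of checks ("auth", "posture") a device must pass at time `now`."""
    if mac in filters:
        # A filter states per device which checks apply: both, one, or neither.
        # The entry stays in force until an administrator removes it.
        return set(filters[mac])
    checks = {"auth", "posture"}
    stamp = certified.get(mac)
    if stamp is not None:
        if now - stamp < CERT_LIFETIME:
            checks.discard("posture")  # certified: posture skipped, auth still required
        else:
            del certified[mac]         # timer expired: posture is assessed again
    return checks

def record_compliance(mac, now, certified):
    """Place a device on the certified list after it passes auth and posture."""
    certified[mac] = now

# Constructed sample data.
T0 = datetime(2024, 1, 1, 8, 0)
PRINTER, DESKTOP, GUEST = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "cc:dd:ee:ff:00:11"
SAMPLE_FILTERS = {PRINTER: set()}      # ALLOW filter: neither check is applied
SAMPLE_CERTIFIED = {}

if __name__ == "__main__":
    record_compliance(DESKTOP, T0, SAMPLE_CERTIFIED)
    for label, mac, when in [
        ("printer, day 30", PRINTER, T0 + timedelta(days=30)),
        ("desktop, day 13", DESKTOP, T0 + timedelta(days=13)),
        ("desktop, day 15", DESKTOP, T0 + timedelta(days=15)),
        ("guest, day 0", GUEST, T0),
    ]:
        needed = required_checks(mac, when, SAMPLE_FILTERS, SAMPLE_CERTIFIED)
        print(f"{label}: {sorted(needed) or 'no checks'}")
```
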



Re: Difference in NAC between filter and certified devices

Hi Joshua,

Good answer! A "5" in my book.


