Exempt Devices in NAC 4.1

estelamathew
Level 2

Hello friends,

I'm setting up Layer 2 virtual gateway mode, and I'm a little bit confused regarding which devices would be the exempt devices in Layer 2 virtual gateway mode.

Whenever any device is in the authentication VLAN it will pass through the NAC server, but if I move the port to the normal access VLAN on the switch with "switchport mode access vlan", then the device is out of the NAC flow.

From my knowledge, whatever VLAN mapping is done in NAC between the authentication and access VLANs, only those VLANs will be affected; the rest are all out of the NAC flow and will flow as normal traffic.

Also, all my switches are in the management VLAN, so if I don't create a mapping for the management VLAN, they will not flow through NAC. Am I correct?

Please suggest to me what other devices should be exempted from the network, for example printers, and what else?

Accepted Solution

Faisal Sehbai
Level 7

Estela,

You're correct in most of your assumptions. The key thing with NAC is to follow the flow of the traffic and make sure that in the unauthenticated state the flow of the traffic always goes through the CAS. It follows that if a port is not in a VLAN on your untrusted side, it would never be impacted by NAC. For your unauthenticated VLANs, you have to make sure that the traffic path they're allowed is only through the CAS. Keeping this simple design rule in mind, look at your VLANs again and you'll get most of the answers you're looking for.

HTH,

Faisal


2 Replies

estelamathew
Level 2

Hello Friends,

Can anybody reply to the below query?

Thanks
