NAC is all about engineering the traffic so that during the authentication/posture-assessment/remediation phase traffic is always flowing through the CAS. Keeping that in mind, you'll have to design your traffic flow. Without more details this is about as specific as I can get :-)
Unfortunately I cannot split/design the traffic before the CAS. I would like to have the last /24 subnet of my /21 subnets' group exempted from authentication (it will be a bulk of servers which, of course, need to auto-update themselves, while their security is managed by installed agents).
So, I was wondering if there is any workaround to avoid manually inputting the IP and MAC of each of these machines to make them bypass the NAC.
(Apologies... I hope my bad English does not create more confusion on this matter.)
You could put in Subnet filters designating just the last octet of that big subnet to not be authenticated. Again, this might or might not work since I don't have enough details to tell you one way or the other. Subnet filters are used to exempt devices from NAC'ing. Look under Filters -> Subnets.
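To illustrate the difference between the two exemption approaches discussed above (one per-device IP/MAC entry each versus a single subnet filter covering the last /24 of the /21), here is an added example, not code from the original thread or from Cisco NAC: it derives the last /24 of a block and classifies constructed sample endpoints the way a filter lookup would. The function names, the sample addresses and the string labels are all assumptions made for this illustration.

```python
import ipaddress

def last_slash24(block: str) -> ipaddress.IPv4Network:
    """Return the highest-numbered /24 inside a larger block.

    Example: 10.0.0.0/21 spans 10.0.0.0 - 10.0.7.255, so the last /24
    is 10.0.7.0/24 (hypothetical addresses, constructed for this example).
    """
    net = ipaddress.ip_network(block, strict=True)
    if net.prefixlen > 24:
        raise ValueError("block must be a /24 or larger to contain a /24")
    return list(net.subnets(new_prefix=24))[-1]

def classify_endpoint(ip: str, mac: str, subnet_filters, device_filters) -> str:
    """Decide how an endpoint would be handled by the exemption lists.

    subnet_filters: iterable of IPv4Network objects (exempt by source IP).
    device_filters: dict of {mac: ip} entries (exempt by explicit IP/MAC pair).
    Returns one of: 'subnet-filter', 'device-filter', 'authenticate'.
    """
    addr = ipaddress.ip_address(ip)
    # A subnet filter matches on IP only; it never looks at the MAC.
    if any(addr in net for net in subnet_filters):
        return "subnet-filter"
    # A per-device entry must match both the MAC and the IP it was entered with.
    if device_filters.get(mac.lower()) == ip:
        return "device-filter"
    return "authenticate"

# Constructed sample data: the poster's /21 with the server /24 at the top.
SERVER_BLOCK = "10.0.0.0/21"
SUBNET_FILTERS = [last_slash24(SERVER_BLOCK)]            # one entry instead of ~254
DEVICE_FILTERS = {"00:11:22:33:44:55": "10.0.3.9"}      # a single manual exemption

if __name__ == "__main__":
    print("exempted subnet:", SUBNET_FILTERS[0])          # 10.0.7.0/24
    for ip, mac in [("10.0.7.25", "aa:bb:cc:dd:ee:01"),
                    ("10.0.3.9", "00:11:22:33:44:55"),
                    ("10.0.3.10", "00:11:22:33:44:55"),
                    ("10.0.2.40", "aa:bb:cc:dd:ee:02")]:
        print(ip, mac, "->", classify_endpoint(ip, mac, SUBNET_FILTERS, DEVICE_FILTERS))
```

Note that a subnet filter exempts by source IP alone, so it should be kept as narrow as the server range actually requires; the per-device entry only matches when the IP and MAC both agree with what was entered.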