Procedures for Out-of-Band and Inline NAC
5-12 Design Procedures
3. Identify Required MAC and User Overrides
MAC and user overrides are used to handle end-systems that require a different set of
authentication, assessment, and authorization parameters from the rest of the end-systems in a
Security Domain. A MAC or user override can be defined within the scope of a specific Security
Domain or all Security Domains. An override scoped to a specific Security Domain lets you
specify how an end-system is authenticated, assessed, and authorized whenever the end-system
connects to the network in that particular Security Domain. A global override lets you specify how
an end-system is authenticated, assessed, and authorized whenever the end-system connects to
any Security Domain on the network.
Use the network scenarios and examples provided in this section to determine what MAC and
user overrides are required for your NAC deployment.
MAC Overrides
A MAC override lets you create a configuration for a single end-system (based on a full MAC
address) or for a group of end-systems (based on a MAC OUI, a MAC OUI Group or a Custom
MAC Mask). For example, you could create a MAC override that allocates VoIP services to certain
IP phones based on a MAC OUI group. Or, you could deny a specific end-system by creating a
MAC override that quarantines the MAC address of that end-system and restricts its network
access.
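The following sketch is an added example, not taken from this guide or from the NAC product. It models the four MAC override match types and the two scopes described above, so a planned override list can be checked for end-systems that match more than one override. The class, function names, action labels and MAC values are all constructed for illustration. The sketch reports every match and assumes nothing about which override the product would apply.

```python
from dataclasses import dataclass
from typing import Optional

FULL_MASK = 0xFFFFFFFFFFFF   # compare all 48 bits (full MAC address)
OUI_MASK = 0xFFFFFF000000    # compare only the first three octets (MAC OUI)

def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff', 'aa-bb-..' or 'aabb.ccdd.eeff' to a 48-bit int."""
    digits = "".join(c for c in mac if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)

# Each match type reduces to one or more (value, mask) pairs.
def full_mac(mac):
    return ((mac_to_int(mac), FULL_MASK),)

def oui(prefix):
    return ((mac_to_int(prefix + "000000"), OUI_MASK),)

def oui_group(*prefixes):
    return tuple(pair for p in prefixes for pair in oui(p))

def custom_mask(mac, mask):
    return ((mac_to_int(mac), mac_to_int(mask)),)

@dataclass(frozen=True)
class MacOverride:               # hypothetical planning record
    name: str
    patterns: tuple              # (value, mask) pairs
    action: str                  # constructed label, e.g. "voip"
    domain: Optional[str] = None # None means a global override

    def matches(self, mac: int, domain: str) -> bool:
        in_scope = self.domain is None or self.domain == domain
        return in_scope and any((mac & m) == (v & m) for v, m in self.patterns)

# Constructed sample plan (locally administered MAC prefixes, not real vendors).
OVERRIDES = [
    MacOverride("voip-phones", oui_group("02:aa:01", "02:aa:02"), "voip"),
    MacOverride("quarantine-host", full_mac("02:aa:01:00:00:10"),
                "quarantine", domain="branch"),
    MacOverride("lab-printers",
                custom_mask("02:bb:00:00:10:00", "ff:ff:ff:ff:f0:00"),
                "printer", domain="lab"),
]

def matching_overrides(overrides, mac: str, domain: str) -> list:
    """Names of every override that applies to this MAC in this Security Domain."""
    m = mac_to_int(mac)
    return [o.name for o in overrides if o.matches(m, domain)]
```

When more than one name comes back for the same end-system, as with the quarantined address that also falls inside the VoIP OUI group, confirm which override takes effect before relying on the quarantine.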