Procedures for Out-of-Band and Inline NAC
5-16 Design Procedures
User Overrides
A user override lets you create a configuration for a specific end user, based on the username. For example, you could create a user override that gives a trusted end user immediate network access without performing an assessment.
User overrides can be used in network scenarios similar to those described for MAC overrides:
• A specific user that requires a distinct set of parameters for authentication, assessment, and authorization. For example, a user override can be configured for executives of a corporation to permit immediate network access without assigning the Assessment Policy during end-system assessment.
• A specific user can be restricted from network access (“blacklisted”) for a particular Security Domain or all Security Domains, by associating the username with the Accept Policy of “Quarantine” or by sending a RADIUS Access-Reject for this user. For example, an employee can be restricted from access to a certain area of the network, or students can be denied network access during an exam.
• A specific user can be permitted a special level of network access (“whitelisted”) by associating the username with the Accept Policy of “Administrator” to allow unlimited network access.
It is important to note that the Layer 3 NAC Controller may not determine the true MAC address of the downstream connected end-system. In this case, a MAC override configured in NAC
Table 5-3 MAC Override Configuration Guidelines (continued)

Network Scenario: A device, or class of devices, needs to be permitted a special level of network access (“whitelisted”) in a particular Security Domain or in all Security Domains.

Examples: Permitting an unrestricted level of access for end-systems that belong to IT operations.

Security Domain Configuration: In NAC Manager, create a MAC override with the following attributes:
• Specify either full MAC address or MAC address OUI.
• Select the Security Domain or all Security Domains for the MAC override scope.
For the assessment, authentication, and authorization configuration, choose a NAC Configuration or specify a custom configuration with the following parameters:
• Select the “Proxy RADIUS request to a RADIUS Server” radio button.
• Check “Authorize MAC Authentication Requests Locally” so MAC authentication attempts by these devices are assigned the Accept Policy.
• Check “Replace RADIUS Attributes with Accept Policy” so the policy information returned from the RADIUS server will be overwritten by the Accept Policy.
• Specify “Administrator” as the Accept Policy to allow unlimited access for these devices.
• Uncheck the “Enable Assessment” checkbox so these devices are not assessed for security posture compliance.
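The following is an added illustration, not NAC Manager code and not part of the guide, that models how the user overrides and MAC overrides described above resolve to an Accept Policy. It shows the points a designer has to get right: a user override is matched on the exact username, a MAC override on a full MAC or an OUI prefix (full match preferred), each is scoped to one Security Domain or to all domains (domain-specific preferred), a "Quarantine" or "Administrator" Accept Policy replaces the RADIUS-returned policy, an override with no Accept Policy means Access-Reject, and an end-system behind a Layer 3 NAC Controller whose true MAC is unknown can only be caught by a user override. All function names, policy names, domain names, usernames and MAC addresses are constructed for the example.

```python
"""Constructed illustration (not vendor code) of NAC override resolution."""
from dataclasses import dataclass
from typing import List, Optional

ALL_DOMAINS = "*"          # assumed marker for "all Security Domains"


@dataclass(frozen=True)
class Override:
    match: str                     # username, full MAC, or 6-hex-digit OUI
    domain: str                    # Security Domain name, or ALL_DOMAINS
    accept_policy: Optional[str]   # None means: send RADIUS Access-Reject
    enable_assessment: bool = False


@dataclass(frozen=True)
class Decision:
    source: str                    # "user-override", "mac-override" or "default"
    accept_policy: Optional[str]
    assess: bool                   # run end-system assessment?
    reject: bool                   # send Access-Reject instead of Accept?


def normalize_mac(mac: str) -> str:
    """Strip separators and case so 00-11-22-33-44-55 == 00:11:22:33:44:55."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def _in_scope(o: Override, domain: str) -> bool:
    return o.domain == ALL_DOMAINS or o.domain == domain


def _decide(o: Override, source: str) -> Decision:
    if o.accept_policy is None:
        return Decision(source, None, False, True)
    return Decision(source, o.accept_policy, o.enable_assessment, False)


def resolve(username: str, mac: Optional[str], domain: str,
            user_overrides: List[Override], mac_overrides: List[Override],
            default_policy: str = "Enterprise User") -> Decision:
    """Pick the override that applies to this authentication attempt.

    Precedence (assumed for the illustration): user override before MAC
    override, domain-specific scope before all-domains scope, full MAC
    before OUI prefix. `mac` is None when the Layer 3 NAC Controller
    cannot learn the end-system's true MAC address.
    """
    # 1. User override: exact username match within scope.
    cands = [o for o in user_overrides if o.match == username and _in_scope(o, domain)]
    if cands:
        cands.sort(key=lambda o: o.domain == ALL_DOMAINS)   # specific domain first
        return _decide(cands[0], "user-override")

    # 2. MAC override: only possible when the true MAC is known.
    if mac is not None:
        m = normalize_mac(mac)
        ranked = []
        for o in mac_overrides:
            key = normalize_mac(o.match)
            full = len(key) == 12 and key == m
            oui = len(key) == 6 and m.startswith(key)
            if (full or oui) and _in_scope(o, domain):
                ranked.append((0 if full else 1, 0 if o.domain != ALL_DOMAINS else 1, o))
        if ranked:
            ranked.sort(key=lambda t: t[:2])
            return _decide(ranked[0][2], "mac-override")

    # 3. No override: the NAC Configuration's normal policy, with assessment.
    return Decision("default", default_policy, True, False)


# Constructed sample overrides mirroring the scenarios in the text.
USER_OVERRIDES = [
    Override("ceo", ALL_DOMAINS, "Administrator"),            # whitelisted executive
    Override("student42", "Exam-Hall", None),                 # Access-Reject during an exam
    Override("contractor7", "Building-B", "Quarantine"),      # blacklisted in one domain
]
MAC_OVERRIDES = [
    Override("00:11:22", ALL_DOMAINS, "Administrator"),       # IT-operations OUI (constructed)
    Override("00-11-22-33-44-55", "Data-Center", "Quarantine", enable_assessment=True),
]

if __name__ == "__main__":
    for who, mac, dom in [("ceo", "aa:bb:cc:dd:ee:ff", "Building-A"),
                          ("student42", None, "Exam-Hall"),
                          ("alice", "00:11:22:aa:bb:cc", "Building-A"),
                          ("alice", None, "Building-A")]:
        print(who, mac, dom, "->", resolve(who, mac, dom, USER_OVERRIDES, MAC_OVERRIDES))
```

The `mac is None` branch is the point the guide makes about the Layer 3 NAC Controller: when the controller cannot see the real MAC, a MAC override for the IT-operations OUI never fires, so a user override (or a different enforcement point) is the only way to reach those end-systems.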