Ryan,

Clean Access uses its Layer 3 capabilities to support VPN clients, so MAC 
address filtering doesn't work.
In Layer 2 mode, the CAS can see the MAC address of the client on its 
untrusted interface and lets it through.
In Layer 3 mode, the CAS only sees the MAC address of the router, or in this 
case the VPN concentrator. It can only filter by IP address.

The floating device entry for the VPN concentrator was needed because all of 
the clients will have the same MAC address but different IPs.

Doug


DOUGLAS R. COOPER
Systems Administrator, CCNA
Information Technology Services
Trinity University

210-999-7437 (w)
210-643-8811 (m)
[email protected]

http://www.trinity.edu/
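As an added illustration of the point Doug makes above (this is example code written for this page, not part of either message and not Cisco's code), the following Python builds the frames a CAS untrusted interface would receive in Layer 2 and Layer 3 mode and evaluates a single device-filter entry against them. The MACs, VPN pool IPs and server address are made up, and the filter evaluation is a simplified model of the behaviour described in the thread: a MAC-based entry only ever matches the concentrator's MAC in Layer 3 mode, so an allow entry for a client's NIC never fires and an entry on the concentrator's MAC affects every VPN client at once.

```python
import struct

ETHERTYPE_IPV4 = 0x0800

# Constructed sample topology (made-up addresses, not from the original thread)
CAS_UNTRUSTED_MAC = "00:0c:29:aa:bb:cc"       # next hop that clients/concentrator send to
CONCENTRATOR_MAC = "00:1b:54:de:ad:00"        # VPN concentrator's inside interface
CLIENTS = {"10.1.1.10": "00:11:22:33:44:55",  # VPN pool IP -> the client's own NIC MAC
           "10.1.1.11": "00:11:22:33:44:66"}
SERVER_IP = "192.0.2.10"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b""):
    """Ethernet II + minimal IPv4 header (protocol 17) as the CAS would receive it."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                     64, 17, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + payload


def parse_frame(frame):
    """Return (source MAC, source IP) exactly as a device filter would see them."""
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (":".join("%02x" % b for b in src),
            ".".join(str(b) for b in ip_hdr[12:16]))


def l2_frames():
    """Layer 2 mode: the client is adjacent, so its own MAC is the frame source."""
    return [build_frame(mac, CAS_UNTRUSTED_MAC, ip, SERVER_IP)
            for ip, mac in CLIENTS.items()]


def l3_frames():
    """Layer 3 mode: the concentrator routes for every client and rewrites the source MAC."""
    return [build_frame(CONCENTRATOR_MAC, CAS_UNTRUSTED_MAC, ip, SERVER_IP)
            for ip in CLIENTS]


def apply_filter(frames, entry_mac=None, entry_ip=None, action="allow"):
    """Evaluate one device-filter entry; unmatched clients fall through to the agent ('agent')."""
    disposition = {}
    for frame in frames:
        mac, ip = parse_frame(frame)
        hit = ((entry_mac is not None and mac == entry_mac.lower()) or
               (entry_ip is not None and ip == entry_ip))
        disposition[ip] = action if hit else "agent"
    return disposition


def demo():
    test_ip, test_mac = "10.1.1.10", CLIENTS["10.1.1.10"]
    return {
        "l2_allow_by_mac": apply_filter(l2_frames(), entry_mac=test_mac),
        "l3_allow_by_mac": apply_filter(l3_frames(), entry_mac=test_mac),
        "l3_allow_by_ip": apply_filter(l3_frames(), entry_ip=test_ip),
        "l3_deny_concentrator_mac": apply_filter(l3_frames(),
                                                 entry_mac=CONCENTRATOR_MAC,
                                                 action="deny"),
        "l3_source_macs_seen": sorted({parse_frame(f)[0] for f in l3_frames()}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The only source MAC visible in the Layer 3 case is the concentrator's, which is why a per-client MAC entry cannot match there and why a single entry keyed on the concentrator's MAC has to cover all VPN clients with their differing IPs.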



From: Cisco Clean Access Users and Administrators 
[mailto:[email protected]] On Behalf Of Richter, Ryan
Sent: Tuesday, May 26, 2009 2:22 PM
To: [email protected]
Subject: VPN SSO and MAC Filters

We're currently testing the use of CCA over VPN. One of the things we rely on 
in our normal non-VPN CCA deployment is the ability to create device filters by 
MAC address. However, when I set up a filter to allow one of my VPN test 
machines to bypass CCA the filter has no effect.

I create a filter to ALLOW my test machine's MAC, but that machine is still 
forced to use the agent when I connect to the VPN. (I've tried both the 
physical NIC's MAC and the MAC of the virtual NIC created by Cisco's VPN 
client.)

Interestingly, when I set the filter to DENY it seems to work. All traffic 
times out on my test machine until I remove the filter.

Does anyone have any insight into this problem? Or are MAC filters simply not 
supported with VPN SSO?

Thanks,
-Ryan

Ryan Richter
ResNet and Lab Services
Student Computing
California State University, Chico
