https://community.cisco.com/t5/network-security/nac-and-subnets-management/m-p/1507351#M792283 <HTML><HEAD></HEAD><BODY><P>Hi A,</P><P></P><P>You could put in Subnet filters designating just the last octet of that big subnet to not be authenticated. Again this might or might not work since I don't have enough details to tell you one way or the other. Subnet filters are used to exempt devices from NAC'ing. Look under Filters -&gt; Subnets</P><P></P><P>HTH,</P><P>Faisal</P></BODY></HTML> Mon, 13 Sep 2010 13:10:27 GMT Faisal Sehbai 2010-09-13T13:10:27Z https://community.cisco.com/t5/network-security/nac-and-subnets-management/m-p/1507348#M792226 <P>Hi, excuse me I am new to NAC. Have to manage a remote /21. Cannot split more but last subnet of group must bypass NAC, keeping integrity of GW, route and /21. How can I setup this?</P><P></P><P>Thanks</P><P></P><P>A</P> Fri, 21 Feb 2020 12:04:50 GMT https://community.cisco.com/t5/network-security/nac-and-subnets-management/m-p/1507348#M792226 H0nizatin0 2020-02-21T12:04:50Z https://community.cisco.com/t5/network-security/nac-and-subnets-management/m-p/1507349#M792231 <HTML><HEAD></HEAD><BODY><P>Hi A,</P><P></P><P>NAC is all about engineering the traffic so during the authentication/posture-assessment/remediation phase traffic is always flowing through the CAS. Keeping that in mind you'll have to design your traffic flow. Without more details this is about as specific as I can get <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>HTH,</P><P>Faisal</P></BODY></HTML> Fri, 10 Sep 2010 17:22:28 GMT https://community.cisco.com/t5/network-security/nac-and-subnets-management/m-p/1507349#M792231 Faisal Sehbai 2010-09-10T17:22:28Z https://community.cisco.com/t5/network-security/nac-and-subnets-management/m-p/1507350#M792250 <HTML><HEAD></HEAD><BODY><P>Hello Faisal,</P><P>that's in fact is what I was afraid of..</P><P>Unfortunately I cannot split/design the traffic before the CAS. I would like to have the last /24 subnet of my /21 subnets' group exempted from authentication (It will be a bulk of servers which, of course need to autoupdate themselves,&nbsp; -while their security is managed by installed agents-).</P><P>So, I was wondering if there is any turnaround to avoid to manually input IP and MAC of each of these machines to make them bypass the NAC.</P><P>(Apologies...I hope my bad English does not create more confusion on this matter)</P><P>Thanks in advance for your patience</P><P>A (H0nizatin0)</P></BODY></HTML> Mon, 13 Sep 2010 08:01:02 GMT https://community.cisco.com/t5/network-security/nac-and-subnets-management/m-p/1507350#M792250 H0nizatin0 2010-09-13T08:01:02Z https://community.cisco.com/t5/network-security/nac-and-subnets-management/m-p/1507351#M792283 <HTML><HEAD></HEAD><BODY><P>Hi A,</P><P></P><P>You could put in Subnet filters designating just the last octet of that big subnet to not be authenticated. Again this might or might not work since I don't have enough details to tell you one way or the other. Subnet filters are used to exempt devices from NAC'ing. Look under Filters -&gt; Subnets</P><P></P><P>HTH,</P><P>Faisal</P></BODY></HTML> Mon, 13 Sep 2010 13:10:27 GMT https://community.cisco.com/t5/network-security/nac-and-subnets-management/m-p/1507351#M792283 Faisal Sehbai 2010-09-13T13:10:27Z https://community.cisco.com/t5/network-security/nac-and-subnets-management/m-p/1507352#M792317 <HTML><HEAD></HEAD><BODY><P>Hello Faisal,</P><P></P><P>thanks a lot for the suggestion !</P><P>As soon as we will start the process (we are NACing so many other subnets at the moment)</P><P>I will post more details about the (successful) operation.</P><P>Thanks again for your kind and quick support</P><P>A (nizatino)</P></BODY></HTML> Tue, 14 Sep 2010 07:19:43 GMT https://community.cisco.com/t5/network-security/nac-and-subnets-management/m-p/1507352#M792317 H0nizatin0 2010-09-14T07:19:43Z