Cisco Systems 3.3 Server User Manual


 
Chapter 14 Network Admission Control
Implementing Network Admission Control
14-8
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
b. Create SPT-to-user-group mappings. Each NAC database has its own group
mappings.
For detailed steps, see Configuring NAC Group Mapping, page 16-13.
Step 9 Configure the Unknown User Policy to include NAC databases. When unknown
user processing is enabled, Cisco Secure ACS uses the Unknown User Policy to
determine if it has a NAC database whose mandatory credential types are satisfied
by the attributes received from the NAC client. Of the NAC databases included in
the Selected Databases list on the Configure Unknown User Policy page,
Cisco Secure ACS uses the first one whose mandatory credential types are
satisfied to process the posture validation request.
For detailed steps, see Configuring the Unknown User Policy, page 15-16.
Note You may want to create a default NAC database and place it at the bottom
of the Selected Databases list. A default NAC database has no mandatory
credential types and therefore can perform posture validation for any
request, regardless of the credentials included in the request. Because it
satisfies every request, it must be last: placed higher in the list, it would
be selected before every vendor-specific NAC database below it, and those
databases would never process a request.
Step 10 For each SPT, create a downloadable IP ACL set that limits network access
appropriately. If you have more than one NAC database and need to control
network access differently for the same SPT in each database, you must create
downloadable IP ACLs per SPT per NAC database. For example, if you have two
NAC databases, one for NAI posture validation and one for Symantec posture
validation, you may want separate downloadable IP ACLs for the Quarantine SPT:
one that allows NAI clients access only to the NAI anti-virus server, and one
that allows Symantec clients access only to the Symantec anti-virus server.
For detailed steps, see Adding a Downloadable IP ACL, page 5-10.
Step 11 For each group to which you have mapped an SPT, follow these steps:
a. Assign the appropriate ACLs to the group. The ACL must match both the SPT
and the NAC database of the group. For example, to the group to which the NAI
NAC database maps its Quarantine SPT, assign the downloadable IP ACL you
created to control the access of NAI NAC clients whose system posture is
Quarantine, not the ACL created for Symantec clients in the same posture.
For detailed steps, see Assigning a Downloadable IP ACL to a Group,
page 6-30.
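The selection and assignment logic of Steps 9 through 11, modelled in Python as an added example; this is not Cisco code and not part of this guide. The database names, credential-type names, attribute names, DAT versions, group names and server addresses are constructed for illustration only. The model shows what the note in Step 9 warns about: with the default NAC database first in the Selected Databases list, a Symantec host is processed by the default database and never reaches the Symantec database, whereas with the default database last it is quarantined with the Symantec-specific ACL.

```python
"""Model of the NAC posture-validation flow described in Steps 9 to 11.

Added example, not Cisco code: database selection under the Unknown User
Policy, per-SPT, per-database downloadable IP ACLs, and group ACL assignment.
Database names, credential types, attribute names and server addresses are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# System Posture Tokens defined by the NAC framework.
SPTS = ("Healthy", "Checkup", "Quarantine", "Infected", "Unknown")

# Constructed credential-type names (real vendor credential names differ).
CISCO_PA, NAI_AV, SYMANTEC_AV = "Cisco:PA", "NAI:AV", "Symantec:AV"

Credentials = Dict[str, Dict[str, str]]   # credential type -> attributes


@dataclass
class NacDatabase:
    name: str
    # Mandatory credential types. An empty set makes this a default database:
    # it satisfies every request, so it must sit last in Selected Databases.
    mandatory: FrozenSet[str]
    # Posture policy deciding the SPT from received credentials (constructed).
    policy: Callable[[Credentials], str]
    # SPT-to-user-group mapping (Step 8b); each database has its own.
    spt_to_group: Dict[str, str]


def select_database(selected: List[NacDatabase],
                    creds: Credentials) -> Optional[NacDatabase]:
    """Unknown User Policy: the first database, in Selected Databases order,
    whose mandatory credential types are all present in the request."""
    received = frozenset(creds)
    for db in selected:
        if db.mandatory <= received:
            return db
    return None


def av_policy(vendor: str, min_dat: int) -> Callable[[Credentials], str]:
    """Constructed rule: out-of-date AV definitions -> Quarantine, else Healthy."""
    def policy(creds: Credentials) -> str:
        dat = int(creds.get(vendor, {}).get("DAT-Version", "0"))
        return "Healthy" if dat >= min_dat else "Quarantine"
    return policy


def groups_for(prefix: str) -> Dict[str, str]:
    return {spt: f"{prefix}-{spt}" for spt in SPTS}


NAI_DB = NacDatabase("NAI-NAC", frozenset({CISCO_PA, NAI_AV}),
                     av_policy(NAI_AV, 4500), groups_for("NAI"))
SYMANTEC_DB = NacDatabase("Symantec-NAC", frozenset({CISCO_PA, SYMANTEC_AV}),
                          av_policy(SYMANTEC_AV, 4500), groups_for("Symantec"))
DEFAULT_DB = NacDatabase("Default-NAC", frozenset(),
                         lambda creds: "Unknown", groups_for("Default"))

# Step 10: downloadable IP ACLs keyed per SPT per NAC database, so that a
# quarantined NAI client reaches only the NAI AV server and a quarantined
# Symantec client only the Symantec AV server (addresses are constructed).
DOWNLOADABLE_ACLS: Dict[Tuple[str, str], List[str]] = {
    ("NAI-NAC", "Healthy"): ["permit ip any any"],
    ("NAI-NAC", "Quarantine"): ["permit ip any host 10.0.0.10", "deny ip any any"],
    ("Symantec-NAC", "Healthy"): ["permit ip any any"],
    ("Symantec-NAC", "Quarantine"): ["permit ip any host 10.0.0.20", "deny ip any any"],
    ("Default-NAC", "Unknown"): ["permit tcp any host 10.0.0.30 eq 80", "deny ip any any"],
}


def build_group_acls(dbs: List[NacDatabase]) -> Dict[str, List[str]]:
    """Step 11a: assign to each SPT-mapped group the ACL created for that SPT
    in that database; groups with no matching ACL are left unassigned."""
    return {group: DOWNLOADABLE_ACLS[(db.name, spt)]
            for db in dbs for spt, group in db.spt_to_group.items()
            if (db.name, spt) in DOWNLOADABLE_ACLS}


def posture_validate(selected: List[NacDatabase], creds: Credentials):
    """Returns (database, SPT, group, ACL) for a request, or None when no
    database in the Selected Databases list qualifies."""
    db = select_database(selected, creds)
    if db is None:
        return None
    spt = db.policy(creds)
    group = db.spt_to_group[spt]
    return db.name, spt, group, build_group_acls(selected).get(group)


# Constructed request from a host running Symantec AV with old definitions.
SYMANTEC_HOST: Credentials = {CISCO_PA: {"OS-Version": "5.1"},
                              SYMANTEC_AV: {"DAT-Version": "4400"}}
CORRECT_ORDER = [NAI_DB, SYMANTEC_DB, DEFAULT_DB]    # default database last
SHADOWING_ORDER = [DEFAULT_DB, NAI_DB, SYMANTEC_DB]  # default first: shadows

if __name__ == "__main__":
    print(posture_validate(CORRECT_ORDER, SYMANTEC_HOST))
    print(posture_validate(SHADOWING_ORDER, SYMANTEC_HOST))
```

A host that sends only the Cisco posture-agent credential matches no vendor database and falls through to the default database; with no default database in the list, `select_database` returns `None` and the request has no database to process it, which is the case the Step 9 note exists to avoid.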