Chapter 14 Network Admission Control
NAC Policies
14-22
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
–
$ (dollar)—The $ operator matches the end of a string. For example, co$
would match the string
Cisco or the string Tibco.
• days-since-last-update—The rule element is true if the attribute contains a
date and if the difference in days between that date and the current date is less
than or equal to the number that you specify. For example, in the following
rule element:
Symantec:AV:DAT-Date days-since-last-update 14
the rule element is true for posture validation requests whose
Symantec:AV:DAT-Date attribute contain a date that is no more than 14 days
in the past.
• mask—The rule element is true if the attribute contains an IP address and if
that address belongs to the subnet identified by the netmask and IP address
that you specify as the rule element value. The format for the rule element
value is:
mask/IP
For example, using the mask operator with a value of
255.255.255.0/192.168.73.8 would match an attribute containing an IP
address of 192.168.73.0 to 192.168.73.255. Any mask is permissible and
Cisco Secure ACS determines the set of IP addresses matching the value
specified using standard subnet masking logic.
Local Policy Configuration Options
On the Local Policy Configuration page you can specify the rules that make up a
policy, including their order. The options for configuring a local policy are as
follows:
• Name—Specifies the name by which you want to identify the policy. When
selecting a policy for a NAC database, you select it by name, and the
description is not viewable on the policy selection page; therefore, you should
make the name as useful as possible.
Note The name can contain up to 32 characters. Leading and trailing spaces
are not allowed. Names cannot contain the following four characters:
[ ] , /