14-29
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 14 Network Admission Control
NAC Policies
Cisco Secure ACS evaluates a posture validation request using a NAC database
that has 10 local policies and one external policy, but the external NAC servers
associated with the external policy are not online, it is irrelevant that the 10 local
policies all return SPTs. The failure of the single external policy causes
Cisco Secure ACS to reject the posture validation request.
External Policy Configuration Options
On the External Policy Configuration page you can specify a NAC server (and an
optional second NAC server) that Cisco Secure ACS relies upon to apply the
policy and you can configure the set of credential types that Cisco Secure ACS
forwards. The options for configuring an external policy are as follows:
• Name—Specifies the name by which you want to identify the policy. When
selecting a policy for a NAC database, you select it by name, and the
description is not viewable on the policy selection page; therefore, you should
make the name as useful as possible.
Note The name can contain up to 32 characters. Leading and trailing spaces
are not allowed. Names cannot contain the following four characters:
[ ] , /
• Description—Specifies a text description of the policy, up to 255 characters.
For each NAC database using the policy, the text you type in the Description
box appears beside the policy on the Expected Host Configuration page. Use
the Description box to provide details that you could not convey in the name
of the policy. For example, you could describe its purpose or summarize its
rules.
Because you can apply the same policy to more than one NAC database, a
useful description could also help prevent accidental configuration errors
when someone modifies a policy without understanding which databases use
it.
• Server Configuration—You must specify a primary server. You have the
option to specify a secondary server for failover operation. For each posture
validation request that an external policy is applied to, Cisco Secure ACS
attempts to use the first enabled server configuration in the policy that is
enabled. If the first enabled server is the primary server and Cisco Secure