Configuration Guide for Cisco Secure ACS 4.2
OL-14390-02
Chapter 9 NAC Configuration Scenario
Step 6: Configure an External Posture Validation Audit Server
A NAC-enabled network might include agentless hosts that do not have the NAC client software. ACS
can defer the posture validation of the agentless hosts to an audit server. The audit server determines the
posture credentials of a host without relying on the presence of a posture agent (PA).
Configuring an external audit server involves two stages:
• Adding the posture attribute to the ACS internal dictionary.
• Configuring an external posture validation server (audit server).
Add the Posture Attribute to the ACS Dictionary
Before you can create an external posture validation server, you must add one or more vendor attributes
to the ACS internal data dictionary. To do this, you use the bin\CSUtil tool, which is located in the ACS
installation directory.
To add the posture attributes:
Step 1 Create a text file in the \Utils directory with the following format:
[attr#0]
vendor-id=[your vendor id]
vendor-name=[The name of your company]
application-id=6
application-name=Audit
attribute-id=00003
attribute-name=Dummy-attr
attribute-profile=out
attribute-type=unsigned integer
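A pre-flight check for the attribute definition file before it is handed to CSUtil (added example in Python; it is not from the Cisco guide and is not part of the CSUtil tool). It parses one or more [attr#N] sections, reports missing keys, unfilled template placeholders (the bracketed values in Step 1) and non-numeric ids, and flags an application-id/application-name pair that disagrees with the Audit pairing shown above. The key set and checks are taken from the template above; CSUtil's own acceptance rules beyond that are not modelled, and the vendor id 9999 and company name in the filled-in sample are constructed values.

```python
import configparser
import re

# Keys the page's [attr#0] template shows; each [attr#N] section must carry all of them.
REQUIRED_KEYS = ("vendor-id", "vendor-name", "application-id", "application-name",
                 "attribute-id", "attribute-name", "attribute-profile", "attribute-type")
NUMERIC_KEYS = ("vendor-id", "application-id", "attribute-id")
PLACEHOLDER = re.compile(r"^\[.*\]$")   # an unfilled template value such as [your vendor id]
SECTION = re.compile(r"attr#\d+")


def check_attribute_file(text):
    """Return the problems found in a CSUtil attribute definition file; [] means it is ready."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    problems = []
    sections = [s for s in cfg.sections() if SECTION.fullmatch(s)]
    if not sections:
        problems.append("no [attr#N] section found")
    for s in sections:
        for key in REQUIRED_KEYS:
            value = cfg[s].get(key)
            if value is None:
                problems.append(f"{s}: missing {key}")
            elif PLACEHOLDER.match(value.strip()):
                problems.append(f"{s}: {key} still holds the template placeholder {value}")
            elif key in NUMERIC_KEYS and not value.strip().isdigit():
                problems.append(f"{s}: {key} must be numeric, got {value!r}")
        # The page pairs application-id 6 with application-name Audit; flag a mismatch.
        if cfg[s].get("application-id") == "6" and cfg[s].get("application-name") != "Audit":
            problems.append(f"{s}: application-id 6 is paired with application-name Audit")
    return problems


# The template exactly as Step 1 shows it, placeholders still unfilled.
TEMPLATE = """\
[attr#0]
vendor-id=[your vendor id]
vendor-name=[The name of your company]
application-id=6
application-name=Audit
attribute-id=00003
attribute-name=Dummy-attr
attribute-profile=out
attribute-type=unsigned integer
"""

# A constructed filled-in version (vendor id 9999 and the company name are invented sample values).
FILLED = TEMPLATE.replace("[your vendor id]", "9999").replace(
    "[The name of your company]", "Example Corp")

if __name__ == "__main__":
    for problem in check_attribute_file(TEMPLATE):
        print("template:", problem)
    print("filled file problems:", check_attribute_file(FILLED))
```

Run it against the file in \Utils before calling CSUtil; the unfilled template produces two findings (vendor-id and vendor-name), the filled-in copy none.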
Table 9-1 Attributes That Can Be Sent in the RADIUS-Accept Response (continued)

(The leading "x" marks in each row are the table's three applicability columns; their headings are not included on this page.)

Marks    No.  Attribute                 Notes
x x x    26   Vendor-Specific           Microsoft = 311. Key for Status Query: MS-MPPE-Recv-Key. Automatically sent by ACS.
x x x    27   Session-Timeout           Sets the revalidation timer (in seconds).
x x x    29   Termination-Action        Action on session timeout: (0) Default: terminate session; (1) RADIUS-Request: re-authenticate.
x        64   Tunnel-Type               13 = VLAN
x        65   Tunnel-Medium-Type        6 = 802
x x x    79   EAP-Message               EAP Request/Response packet in Access-Request and Access-Challenge; EAP Success in Access-Accept; EAP Failure in Access-Reject.
x x x    80   Message-Authenticator     HMAC-MD5 to ensure the integrity of the packet.
x        81   Tunnel-Private-Group-ID   VLAN name
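Decoding and integrity-checking the attributes listed in Table 9-1 (added example in Python; not part of the Cisco guide). It builds a constructed Access-Accept carrying Session-Timeout, Termination-Action, the three tunnel attributes, an EAP Success and a Microsoft (311) MS-MPPE-Recv-Key VSA, computes the Message-Authenticator as RFC 3579 specifies (HMAC-MD5 keyed with the shared secret over the packet, with the Request Authenticator in the authenticator field and the MA value zeroed) plus the RFC 2865 Response Authenticator, then parses and verifies the result. The shared secret, Request Authenticator, identifier and VLAN name are constructed sample values, and the MS-MPPE-Recv-Key value is a zero-filled stand-in that is not decrypted.

```python
import hashlib
import hmac
import struct

# RADIUS attribute numbers from Table 9-1 (names per RFC 2865/2868/3579)
VENDOR_SPECIFIC, SESSION_TIMEOUT, TERMINATION_ACTION = 26, 27, 29
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, EAP_MESSAGE = 64, 65, 79
MESSAGE_AUTHENTICATOR, TUNNEL_PRIVATE_GROUP_ID = 80, 81
ACCESS_ACCEPT, MICROSOFT_VENDOR_ID, MS_MPPE_RECV_KEY = 2, 311, 17   # vendor-type 17 per RFC 2548
TERMINATION_ACTIONS = {0: "Default: terminate session", 1: "RADIUS-Request: re-authenticate"}

# Constructed sample values; a real deployment uses its own shared secret and the
# Request Authenticator copied from the matching Access-Request.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))


def attr(atype, value):
    """Encode one attribute as Type, Length, Value (length counts the 2-octet header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def parse_attributes(data):
    """Split the attribute area into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(data):
        alen = data[i + 1] if i + 1 < len(data) else 0
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length at offset %d" % i)
        out.append((data[i], data[i + 2:i + alen]))
        i += alen
    return out


def build_access_accept(identifier, request_auth, secret, attributes):
    """Assemble an Access-Accept with a Message-Authenticator (RFC 3579) and a Response
    Authenticator (RFC 2865). Both hashes run over the packet with the Request
    Authenticator in the authenticator field; the MA value is zeroed while hashing."""
    body = b"".join(attributes)
    code_id_len = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body) + 18)
    zeroed = body + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    mac = hmac.new(secret, code_id_len + request_auth + zeroed, hashlib.md5).digest()
    final = body + attr(MESSAGE_AUTHENTICATOR, mac)
    resp_auth = hashlib.md5(code_id_len + request_auth + final + secret).digest()
    return code_id_len + resp_auth + final


def verify_message_authenticator(packet, request_auth, secret):
    """Recompute the HMAC-MD5 with the MA octets zeroed; fail if the MA is absent or duplicated."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    received, rebuilt = None, b""
    for atype, value in parse_attributes(packet[20:]):
        if atype == MESSAGE_AUTHENTICATOR:
            if received is not None or len(value) != 16:
                return False
            received, value = value, bytes(16)
        rebuilt += attr(atype, value)
    if received is None:
        return False                     # Table 9-1: ACS always sends it, so absence is a failure
    expected = hmac.new(secret, packet[:4] + request_auth + rebuilt, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def verify_response_authenticator(packet, request_auth, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret) must match the authenticator field."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode(attributes):
    """Turn the Table 9-1 attributes into readable fields."""
    fields = {}
    for atype, v in attributes:
        if atype == SESSION_TIMEOUT:
            fields["revalidation_timer_s"] = int.from_bytes(v, "big")
        elif atype == TERMINATION_ACTION:
            fields["termination_action"] = TERMINATION_ACTIONS.get(int.from_bytes(v, "big"), "unknown")
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):        # tag octet, then a 3-octet integer
            name = "tunnel_type" if atype == TUNNEL_TYPE else "tunnel_medium_type"
            fields[name] = int.from_bytes(v[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:                   # a leading octet <= 0x1F is a tag
            fields["vlan_name"] = (v[1:] if v and v[0] <= 0x1F else v).decode()
        elif atype == EAP_MESSAGE:
            fields["eap_code"] = {3: "Success", 4: "Failure"}.get(v[0], "other")
        elif atype == VENDOR_SPECIFIC and int.from_bytes(v[:4], "big") == MICROSOFT_VENDOR_ID:
            fields["ms_mppe_recv_key_present"] = v[4] == MS_MPPE_RECV_KEY   # value left encrypted
    return fields


def sample_accept():
    """A constructed Access-Accept carrying every attribute listed in Table 9-1."""
    mppe = MICROSOFT_VENDOR_ID.to_bytes(4, "big") + bytes([MS_MPPE_RECV_KEY, 20]) + bytes(18)
    return build_access_accept(0x2A, REQUEST_AUTH, SECRET, [
        attr(VENDOR_SPECIFIC, mppe),                                     # salt + ciphertext stand-in
        attr(SESSION_TIMEOUT, (300).to_bytes(4, "big")),
        attr(TERMINATION_ACTION, (1).to_bytes(4, "big")),
        attr(TUNNEL_TYPE, bytes([1]) + (13).to_bytes(3, "big")),         # 13 = VLAN
        attr(TUNNEL_MEDIUM_TYPE, bytes([1]) + (6).to_bytes(3, "big")),   # 6 = 802
        attr(TUNNEL_PRIVATE_GROUP_ID, bytes([1]) + b"quarantine"),
        attr(EAP_MESSAGE, bytes([3, 0x2A, 0, 4])),                       # EAP Success, id 0x2A, length 4
    ])


if __name__ == "__main__":
    pkt = sample_accept()
    print("integrity:", verify_message_authenticator(pkt, REQUEST_AUTH, SECRET))
    print(decode(parse_attributes(pkt[20:])))
```

The verifier treats a missing or duplicated Message-Authenticator as a failure rather than falling back to the Response Authenticator alone, which is the behaviour a NAS should have once ACS is known to always send attribute 80; changing a single octet of the VLAN name or using the wrong shared secret makes both checks fail.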