9-52
Configuration Guide for Cisco Secure ACS 4.2
OL-14390-02
Chapter 9 NAC Configuration Scenario
Step 8: Set Up Templates to Create NAPs
This template automatically sets Advanced Filtering and Authentication properties with NAC Layer 2 IP Configuration.
ACS and Attribute-Value Pairs
When you enable NAC Layer 2 IP validation, ACS provides NAC AAA services by using RADIUS. ACS gets information about the antivirus credentials of the endpoint system and validates the antivirus condition of the endpoint.
You can set these Attribute-Value (AV) pairs on ACS by using the RADIUS cisco-av-pair vendor-specific attributes (VSAs).
Cisco Secure-Defined-ACL—Specifies the name of the downloadable ACL on ACS. The switch gets the ACL name from the Cisco Secure-Defined-ACL AV pair in this format:
#ACL#-IP-name-number
where name is the ACL name and number is the version number, such as 3f783768.
ACS uses the Auth-Proxy posture code to check whether the switch has already downloaded the access-control entries (ACEs) for the specified downloadable ACL. If the switch has not downloaded the ACEs, it sends an AAA request with the downloadable ACL name as the username, and ACS returns the ACEs in its response. The downloadable ACL is then created as a named ACL on the switch. This ACL has ACEs with a source address of any and does not have an implicit deny statement at the end. When the downloadable ACL is applied to an interface after posture validation is complete, the source address of each ACE is changed from any to the IP address of the host, so the entries apply only to that host's traffic. The ACEs are prepended to the ACL that is applied to the switch interface to which the endpoint device is connected. If traffic from the host matches a Cisco Secure-Defined-ACL ACE, the switch applies that ACE's permit or deny action; this is how the access restrictions that NAC requires are enforced.
url-redirect and url-redirect-acl—Specifies the local URL policy on the switch. The switches use these cisco-av-pair VSAs:
url-redirect = <HTTP or HTTPS URL>
url-redirect-acl = switch ACL name
These AV pairs enable the switch to intercept an HTTP or Secure HTTP (HTTPS) request from the endpoint device and forward the client web browser to the specified redirect address, from which the latest antivirus files can be downloaded. The url-redirect AV pair on ACS contains the URL to which the web browser is redirected. The url-redirect-acl AV pair contains the name of an ACL that specifies the HTTP or HTTPS traffic to be redirected. This ACL must already be defined on the switch; it is not downloaded from ACS. Only traffic that matches a permit entry in the redirect ACL is redirected.
If the host's posture is not healthy, ACS might send these AV pairs.
For more information about AV pairs that Cisco IOS software supports, see the documentation about the software releases that run on the AAA clients.
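The following is an added example, not code from Cisco or from this guide. It shows, for both AV pairs described above, how the values travel on the wire and how a switch would interpret them: it encodes cisco-av-pair strings as RADIUS Vendor-Specific attributes (type 26, Cisco vendor ID 9, vendor-type 1), parses them back out of a constructed Access-Accept attribute list, validates the #ACL#-IP-name-number format and the HTTP/HTTPS URL, derives the username the switch uses on its follow-up request to fetch the ACEs, and rewrites the downloaded "source any" ACEs into the per-host form the text describes. Two details are assumptions rather than statements of this page: the dACL name is carried under the key ACS:CiscoSecure-Defined-ACL, and the downloaded ACEs arrive as ip:inacl#N= pairs. All sample attributes are constructed, not captured.

```python
"""Encode, parse and interpret the NAC Layer 2 IP cisco-av-pair VSAs.

Added example (not Cisco's code). Assumed, not taken from the page: the
dACL key string ACS:CiscoSecure-Defined-ACL and the ip:inacl#N carrier
for downloaded ACEs. Sample attribute values are constructed.
"""
import re
import struct
from urllib.parse import urlparse

RADIUS_VSA = 26        # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AV_PAIR = 1      # vendor-type of cisco-av-pair
DACL_KEY = "ACS:CiscoSecure-Defined-ACL"   # assumed spelling of the dACL av-pair key
# #ACL#-IP-name-number, where number is a hex version stamp such as 3f783768
DACL_NAME = re.compile(r"^#ACL#-IP-(?P<name>.+)-(?P<version>[0-9a-fA-F]+)$")


def build_vsa(av_pair: str) -> bytes:
    """Encode one cisco-av-pair string as a RADIUS VSA: type, length, vendor ID, sub-attribute."""
    data = av_pair.encode()
    sub = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(data)) + data
    return struct.pack("!BBI", RADIUS_VSA, 6 + len(sub), CISCO_VENDOR_ID) + sub


def cisco_av_pairs(attrs: bytes) -> list[str]:
    """Walk a RADIUS attribute list and return every cisco-av-pair value, rejecting bad lengths."""
    pairs, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        atype, alen = attrs[i], attrs[i + 1]
        body = attrs[i + 2:i + alen]
        if atype == RADIUS_VSA and len(body) >= 4 and struct.unpack("!I", body[:4])[0] == CISCO_VENDOR_ID:
            j = 4
            while j < len(body):
                if j + 2 > len(body) or body[j + 1] < 2 or j + body[j + 1] > len(body):
                    raise ValueError("malformed vendor sub-attribute at offset %d" % j)
                if body[j] == CISCO_AV_PAIR:
                    pairs.append(body[j + 2:j + body[j + 1]].decode())
                j += body[j + 1]
        i += alen
    return pairs


def nac_policy(pairs: list[str]) -> dict:
    """Pick out the dACL name and the url-redirect pair from the av-pairs and sanity-check them."""
    policy = {"dacl_name": None, "dacl_version": None, "url_redirect": None, "url_redirect_acl": None}
    for pair in pairs:
        key, sep, value = pair.partition("=")
        if not sep:
            continue
        if key == DACL_KEY:
            m = DACL_NAME.match(value)
            if not m:
                raise ValueError("dACL name must look like #ACL#-IP-name-number: %r" % value)
            policy["dacl_name"], policy["dacl_version"] = m["name"], m["version"]
        elif key == "url-redirect":
            url = urlparse(value)
            if url.scheme not in ("http", "https") or not url.netloc:
                raise ValueError("url-redirect must be an HTTP or HTTPS URL: %r" % value)
            policy["url_redirect"] = value
        elif key == "url-redirect-acl":
            policy["url_redirect_acl"] = value   # must name an ACL already defined on the switch
    # A URL without a redirect ACL matches no traffic; an ACL without a URL has nowhere to send it.
    if (policy["url_redirect"] is None) != (policy["url_redirect_acl"] is None):
        raise ValueError("url-redirect and url-redirect-acl must be sent together")
    return policy


def dacl_download_username(policy: dict) -> str:
    """Username the switch puts in its follow-up Access-Request to fetch the dACL's ACEs."""
    return "#ACL#-IP-%s-%s" % (policy["dacl_name"], policy["dacl_version"])


def host_aces(download_pairs: list[str], host_ip: str) -> list[str]:
    """Rewrite the downloaded 'source any' ACEs to the per-host ACEs the switch prepends on the port."""
    aces = []
    for pair in download_pairs:
        key, sep, ace = pair.partition("=")
        if sep and key.startswith("ip:inacl#"):   # assumed carrier for downloaded ACEs
            aces.append(re.sub(r"^(permit|deny)(\s+\S+)\s+any\b", r"\1\2 host %s" % host_ip, ace, count=1))
    return aces


# Constructed Access-Accept attribute list for a host whose posture is not healthy.
ACCESS_ACCEPT_ATTRS = b"".join(build_vsa(p) for p in [
    DACL_KEY + "=#ACL#-IP-NAC-Quarantine-3f783768",
    "url-redirect=https://remediation.example.com/update",
    "url-redirect-acl=NAC-REDIRECT-ACL",
])
# Constructed reply to the switch's dACL download request (source is 'any' in every ACE).
ACL_DOWNLOAD_PAIRS = [
    "ip:inacl#1=permit tcp any host 10.20.0.5 eq 443",
    "ip:inacl#2=deny ip any any",
]

if __name__ == "__main__":
    policy = nac_policy(cisco_av_pairs(ACCESS_ACCEPT_ATTRS))
    print(policy)
    print("download as:", dacl_download_username(policy))
    for ace in host_aces(ACL_DOWNLOAD_PAIRS, "10.1.1.5"):
        print("port ACE:", ace)
```

The parser refuses any attribute or sub-attribute whose length field runs past the buffer, which is the check worth keeping in anything that consumes RADIUS from a network. The redirect check mirrors the text: a url-redirect is only useful together with a url-redirect-acl that the switch already has, so the example treats one without the other as a misconfiguration.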
Default ACLs
If you configure NAC Layer 2 IP validation on a switch port, you must also configure a default port ACL on that switch port. You should also apply the default ACL to IP traffic from hosts that have not completed posture validation.