Cisco ASDM User Guide
OL-16647-01
Chapter 34 IKE
Configuring Network Admission Control Policies
Uses, Requirements, and Limitations
Fields
What to Do Next
About NAC
NAC protects the enterprise network from intrusion and infection by worms, viruses, and rogue
applications by performing endpoint compliance and vulnerability checks as a condition for production
access to the network. We refer to these checks as posture validation. You can configure posture
validation to ensure that the anti-virus signatures, personal firewall rules, or intrusion protection software on
a host with an AnyConnect or Clientless SSL VPN session are up to date before granting that host access to
vulnerable hosts on the intranet. Posture validation can also verify that the applications
running on the remote host are updated with the latest patches. NAC occurs only after user
authentication and the setup of the tunnel. NAC is especially useful for protecting the enterprise network
from hosts that are not subject to automatic network policy enforcement, such as home PCs.
The establishment of a tunnel between the endpoint and the security appliance triggers posture
validation.
You can configure the security appliance to pass the IP address of the client to an optional audit server
if the client does not respond to a posture validation request. The audit server, such as a Trend server,
uses the host IP address to challenge the host directly to assess its health. For example, it may challenge
the host to determine whether its virus checking software is active and up-to-date. After the audit server
completes its interaction with the remote host, it passes a token to the posture validation server,
indicating the health of the remote host.
Following successful posture validation or the reception of a token indicating the remote host is healthy,
the posture validation server sends a network access policy to the security appliance for application to
the traffic on the tunnel.
In a NAC Framework configuration involving the security appliance, only a Cisco Trust Agent running
on the client can fulfill the role of posture agent, and only a Cisco Access Control Server (ACS) can
fulfill the role of posture validation server. The ACS uses dynamic ACLs to determine the access policy
for each client.
As a RADIUS server, the ACS can authenticate the login credentials required to establish a tunnel, in
addition to fulfilling its role as posture validation server.
Note: Only a NAC Framework policy configured on the security appliance supports the use of an audit server.
In its role as posture validation server, the ACS expresses the access policy as access control lists. If posture validation succeeds
and the ACS specifies a redirect URL as part of the access policy it sends to the security appliance, the
security appliance redirects all HTTP and HTTPS requests from the remote host to the redirect URL.
Once the posture validation server uploads an access policy to the security appliance, all of the
associated traffic must pass through both the security appliance and the ACS, in either order, to reach its
destination.
The establishment of a tunnel between a remote host and the security appliance triggers posture
validation if a NAC Framework policy is assigned to the group policy. The NAC Framework policy can,
however, identify operating systems that are exempt from posture validation and specify an optional
ACL to filter such traffic.
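The following CLI configuration is an added example, not taken from the guide, of the setup this section describes: an ACS RADIUS server group that both authenticates the tunnel login and acts as posture validation server, a NAC Framework policy that references it, an operating system exempted from posture validation with its own filter ACL, and the binding of that policy to the group policy so that tunnel establishment triggers posture validation. The server-group, ACL, policy, group-policy and tunnel-group names, the addresses and the shared secret are hypothetical; the command syntax is recalled from the ASA 8.0 CLI and should be checked against the CLI reference for the release in use. ASDM generates equivalent commands from its NAC panels. The audit server and the redirect URL are configured on the ACS side, not on the security appliance.

```cisco
! Added example; hypothetical names and addresses. Syntax recalled from the
! ASA 8.0 CLI; verify against the CLI reference for your release.

! Cisco Secure ACS as RADIUS server: authenticates the tunnel login and fulfills
! the posture validation server role for the NAC Framework policy below.
aaa-server acs-nac protocol radius
aaa-server acs-nac (inside) host 192.0.2.10
 key hypothetical-shared-secret

! ACLs referenced by the NAC policy. nac-default is applied while no ACS-supplied
! policy is in effect; nac-exempt-filter limits exempt hosts to a patch server
! on 192.0.2.20 (assumed address) so that unchecked hosts cannot reach the intranet.
access-list nac-default extended deny ip any any
access-list nac-exempt-filter extended permit tcp any host 192.0.2.20 eq 443
access-list nac-exempt-filter extended deny ip any any

! NAC Framework policy. After the tunnel is up, the Cisco Trust Agent on the
! client is challenged and the ACS returns the dynamic ACL (and, optionally, a
! redirect URL). Revalidation and status-query periods are the defaults, shown
! explicitly.
nac-policy nac-fw nac-framework
 authentication-server-group acs-nac
 default-acl nac-default
 reval-period 36000
 sq-period 300
 exempt-list os "Windows 98" filter nac-exempt-filter

! Bind the NAC policy to the group policy used by the remote-access tunnel group,
! so that establishing the tunnel triggers posture validation for that group.
group-policy remote-users internal
group-policy remote-users attributes
 nac-settings value nac-fw

tunnel-group remote-vpn type remote-access
tunnel-group remote-vpn general-attributes
 authentication-server-group acs-nac
 default-group-policy remote-users
```

Two points worth checking after applying such a configuration: the default ACL should deny rather than permit, since it governs hosts that have not yet passed posture validation, and the filter ACL on the exempt-list entry should be as narrow as the exempt operating system's remediation needs allow, because those hosts are never challenged by the Cisco Trust Agent.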