Cisco ASDM User Guide
OL-16647-01
Chapter 34 IKE
Configuring Network Admission Control Policies
Uses, Requirements, and Limitations
When configured to support NAC, the security appliance functions as a client of a Cisco Secure Access Control Server, requiring that you install a minimum of one Access Control Server on the network to provide NAC authentication services.

Following the configuration of one or more Access Control Servers on the network, you must register the Access Control Server group, using the Configuration > Remote Access VPN > Clientless SSL VPN Access > Group Policies > Add or Edit External menu option. Then add the NAC policy.

ASA support for NAC Framework is limited to remote access IPsec and Clientless SSL VPN sessions.

The NAC Framework configuration supports only single mode.

NAC on the ASA does not support Layer 3 (non-VPN) and IPv6 traffic.
Fields
Policy Name—Enter a string of up to 64 characters to name the new NAC policy. Following the configuration of the NAC policy, the policy name appears next to the NAC Policy attribute in the Network (Client) Access group policies. Assign a name that will help you to distinguish its attributes or purpose from others that you may configure.

Status Query Period—The security appliance starts this timer after each successful posture validation and status query response. The expiration of this timer triggers a query for changes in the host posture, referred to as a status query. Enter the number of seconds in the range 30 to 1800. The default setting is 300.

Revalidation Period—The security appliance starts this timer after each successful posture validation. The expiration of this timer triggers the next unconditional posture validation. The security appliance maintains posture validation during revalidation. The default group policy becomes effective if the Access Control Server is unavailable during posture validation or revalidation. Enter the interval in seconds between each successful posture validation. The range is 300 to 86400. The default setting is 36000.

Default ACL—(Optional) The security appliance applies the security policy associated with the selected ACL if posture validation fails. Select None or select an extended ACL in the list. The default setting is None. If the setting is None and posture validation fails, the security appliance applies the default group policy.

Use the Manage button to populate the drop-down list and view the configuration of the ACLs in the list.

Manage—Opens the ACL Manager dialog box. Click to view, enable, disable, and delete standard ACLs and the ACEs in each ACL. The list next to the Default ACL attribute displays the ACLs.

Authentication Server Group—Specifies the authentication server group to use for posture validation. The drop-down list next to this attribute displays the names of all server groups of type RADIUS configured on this security appliance that are available for remote access tunnels. Select an ACS group consisting of at least one server configured to support NAC.

Posture Validation Exception List—Displays one or more attributes that exempt remote computers from posture validation. At minimum, each entry lists the operating system and an Enabled setting of Yes or No. An optional filter identifies an ACL used to match additional attributes of the remote computer. An entry that consists of an operating system and a filter requires the remote computer to match both to be exempt from posture validation. The security appliance ignores the entry if the Enabled setting is set to No.

Add—Adds an entry to the Posture Validation Exception list.

Edit—Modifies an entry in the Posture Validation Exception list.
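As an added illustration (not Cisco code, and not a description of how the ASA implements these features internally), the following Python sketch encodes the field ranges, the exception-list matching rule and the fallback behaviour described above, so that an administrator can reason about what a given policy will do to a host before deploying it; the class and function names are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Ranges and defaults exactly as stated in the Fields section (seconds).
SQ_RANGE, SQ_DEFAULT = (30, 1800), 300
REVAL_RANGE, REVAL_DEFAULT = (300, 86400), 36000

@dataclass
class ExceptionEntry:  # one row of the Posture Validation Exception List
    os: str
    enabled: bool = True
    filter_acl: Optional[str] = None   # optional ACL matching extra host attributes

@dataclass
class NacPolicy:  # illustrative model of the NAC policy dialog (assumed names)
    name: str
    status_query_period: int = SQ_DEFAULT
    revalidation_period: int = REVAL_DEFAULT
    default_acl: Optional[str] = None  # None = fall back to the default group policy
    exceptions: List[ExceptionEntry] = field(default_factory=list)

    def validate(self) -> List[str]:
        errors = []  # the range violations the dialog would reject
        if not 1 <= len(self.name) <= 64:
            errors.append("policy name must be 1-64 characters")
        if not SQ_RANGE[0] <= self.status_query_period <= SQ_RANGE[1]:
            errors.append("status query period must be 30-1800 seconds")
        if not REVAL_RANGE[0] <= self.revalidation_period <= REVAL_RANGE[1]:
            errors.append("revalidation period must be 300-86400 seconds")
        return errors

def is_exempt(policy: NacPolicy, host_os: str, matched_acls: set) -> bool:
    """Exempt only if an enabled entry matches the OS and, when the entry has a
    filter ACL, the host matches that ACL too; disabled entries are ignored."""
    for e in policy.exceptions:
        if not e.enabled or e.os != host_os:
            continue
        if e.filter_acl is None or e.filter_acl in matched_acls:
            return True
    return False

def applied_policy(policy, host_os, matched_acls, acs_reachable, posture_ok):
    """Outcome of one validation attempt: exempt hosts skip validation, an unreachable
    ACS yields the default group policy, a failed posture yields the Default ACL if set."""
    if is_exempt(policy, host_os, matched_acls):
        return "exempt"
    if not acs_reachable:
        return "default-group-policy"
    if not posture_ok:
        return policy.default_acl or "default-group-policy"
    return "posture-validated"
```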