Cisco ASA 5505 Configuration Manual page 1308


Configuring Network Admission Control Policies
to the redirect URL. Once the posture validation server uploads an access policy to the adaptive security
appliance, all of the associated traffic must pass both the Security Appliance and the ACS (or vice versa)
to reach its destination.
The establishment of a tunnel between a remote host and the adaptive security appliance triggers posture
validation if a NAC Framework policy is assigned to the group policy. The NAC Framework policy can,
however, identify operating systems that are exempt from posture validation and specify an optional
ACL to filter such traffic.
Uses, Requirements, and Limitations
When configured to support NAC, the adaptive security appliance functions as a client of a Cisco Secure
Access Control Server, requiring that you install a minimum of one Access Control Server on the
network to provide NAC authentication services.
Following the configuration of one or more Access Control Servers on the network, you must register
the Access Control Server group, using the Configuration > Remote Access VPN > Clientless SSL
VPN Access > Group Policies > Add or Edit External menu option. Then add the NAC policy.
ASA support for NAC Framework is limited to remote access IPsec and Clientless SSL VPN sessions.
The NAC Framework configuration supports only single mode.
NAC on the ASA does not support Layer 3 (non-VPN) and IPv6 traffic.
Cisco ASA 5500 Series Configuration Guide using ASDM
63-28

Fields
Policy Name—Enter a string of up to 64 characters to name the new NAC policy. Following the configuration of the NAC policy, the policy name appears next to the NAC Policy attribute in the Network (Client) Access group policies. Assign a name that will help you to distinguish its attributes or purpose from others that you may configure.

Status Query Period—The adaptive security appliance starts this timer after each successful posture validation and status query response. The expiration of this timer triggers a query for changes in the host posture, referred to as a status query. Enter the number of seconds in the range 30 to 1800. The default setting is 300.

Revalidation Period—The adaptive security appliance starts this timer after each successful posture validation. The expiration of this timer triggers the next unconditional posture validation. The adaptive security appliance maintains posture validation during revalidation. The default group policy becomes effective if the Access Control Server is unavailable during posture validation or revalidation. Enter the interval in seconds between each successful posture validation. The range is 300 to 86400. The default setting is 36000.

Default ACL—(Optional) The adaptive security appliance applies the security policy associated with the selected ACL if posture validation fails. Select None or select an extended ACL in the list. The default setting is None. If the setting is None and posture validation fails, the adaptive security appliance applies the default group policy. Use the Manage button to populate the drop-down list and view the configuration of the ACLs in the list.

Manage—Opens the ACL Manager dialog box. Click to view, enable, disable, and delete standard ACLs and the ACEs in each ACL. The list next to the Default ACL attribute displays the ACLs.

Authentication Server Group—Specifies the authentication server group to use for posture validation. The drop-down list next to this attribute displays the names of all server groups of type RADIUS configured on this adaptive security appliance that are available for remote access tunnels. Select an ACS group consisting of at least one server configured to support NAC.
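The following is an added example and is not part of the Cisco guide. It shows the ASDM fields above expressed as the equivalent ASA CLI configuration, first with the Default ACL left at None (so a host that fails posture validation simply receives the default group policy) and then with an extended ACL that confines a failed host to a remediation server. The CLI command names (aaa-server, nac-policy, sq-period, reval-period, default-acl, authentication-server-group, nac-settings) are not shown on this page and are assumed from the ASA CLI; the group names, ACL name, addresses and shared-secret placeholder are constructed for illustration.

```text
! Added example, not from the Cisco guide. Names and addresses are
! constructed; confirm command syntax against the CLI guide for your release.

! RADIUS server group for the Access Control Server (a NAC policy must
! reference a group of type RADIUS, as the Authentication Server Group
! field describes). Address and key are placeholders.
aaa-server ACS-GROUP protocol radius
aaa-server ACS-GROUP (inside) host 192.0.2.20
 key REPLACE-WITH-SHARED-SECRET

! Weak setting: no default-acl configured (ASDM "Default ACL = None").
! A host that FAILS posture validation falls through to the default
! group policy and gets whatever access that policy grants.
nac-policy NAC-WEAK nac-framework
 sq-period 300
 reval-period 36000
 authentication-server-group ACS-GROUP

! Corrected setting: an extended ACL that only lets a failed host reach
! the remediation server (192.0.2.10, constructed) over HTTPS and a
! DNS resolver (192.0.2.53, constructed); everything else is denied.
access-list NAC-QUARANTINE extended permit tcp any host 192.0.2.10 eq 443
access-list NAC-QUARANTINE extended permit udp any host 192.0.2.53 eq domain
access-list NAC-QUARANTINE extended deny ip any any

nac-policy NAC-FRAMEWORK nac-framework
 sq-period 300
 reval-period 36000
 default-acl NAC-QUARANTINE
 authentication-server-group ACS-GROUP

! Bind the NAC policy to the remote-access group policy so that tunnel
! establishment for members of that group triggers posture validation.
group-policy RA-VPN attributes
 nac-settings value NAC-FRAMEWORK
```

The two timer values are the page's defaults (300 and 36000 seconds); shorter values detect posture changes sooner at the cost of more ACS traffic. Note that the Default ACL governs only the posture-validation failure case: if the ACS is unreachable during validation or revalidation the page states that the default group policy applies, so that group policy should itself be reviewed rather than relying on the ACL alone.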
Chapter 63
Configuring IKE, Load Balancing, and NAC
OL-20339-01
