Cisco PIX 500 Series Configuration Manual page 671

Chapter 30
Configuring Connection Profiles, Group Policies, and Users
To inherit the value of the Revalidation Timer from the default group policy, access the alternative group
policy from which to inherit it, then use the no form of this command:
hostname(config-group-policy)# no nac-reval-period [ seconds ]
hostname(config-group-policy)#
The following example changes the revalidation timer to 86400 seconds:
hostname(config-group-policy)# nac-reval-period 86400
hostname(config-group-policy)#
The following example inherits the value of the revalidation timer from the default group policy:
hostname(config-group-policy)# no nac-reval-period
hostname(config-group-policy)#
Step 3
(Optional) Configure the default ACL for NAC. The security appliance applies the security policy
associated with the selected ACL if posture validation fails. Specify none or an extended ACL. The
default setting is none. If the setting is none and posture validation fails, the security appliance applies
the default group policy.
To specify the ACL to be used as the default ACL for Network Admission Control sessions that fail
posture validation, use the nac-default-acl command in group-policy configuration mode:
hostname(config-group-policy)# nac-default-acl { acl-name | none}
hostname(config-group-policy)#
To inherit the ACL from the default group policy, access the alternative group policy from which to
inherit it, then use the no form of this command:
hostname(config-group-policy)# no nac-default-acl [ acl-name | none]
hostname(config-group-policy)#
The elements of this command are as follows:
acl-name—Specifies the name of the posture validation server group, as configured on the security
appliance using the aaa-server host command. The name must match the server-tag variable
specified in that command.
none—Disables inheritance of the ACL from the default group policy and does not apply an ACL
to NAC sessions that fail posture validation.
Because NAC is disabled by default, VPN traffic traversing the security appliance is not subject to the
NAC Default ACL until NAC is enabled.
The following example identifies acl-1 as the ACL to be applied when posture validation fails:
hostname(config-group-policy)# nac-default-acl acl-1
hostname(config-group-policy)#
The following example inherits the ACL from the default group policy:
hostname(config-group-policy)# no nac-default-acl
hostname(config-group-policy)#
The following example disables inheritance of the ACL from the default group policy and does not apply
an ACL to NAC sessions that fail posture validation:
hostname(config-group-policy)# nac-default-acl none
hostname(config-group-policy)#
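As an added example (not from the Cisco guide), the following Python script models the inheritance behaviour described above for nac-reval-period and nac-default-acl: a group policy that omits an attribute inherits it from the default group policy, while nac-default-acl none switches inheritance off and applies no ACL. The configuration excerpt is constructed, and the default-policy name DfltGrpPolicy and the running-config layout (group-policy NAME attributes followed by indented attribute lines) are assumptions about how these appliances display their configuration.

```python
"""Resolve the effective NAC settings of security-appliance group policies.

Added example, not from the Cisco guide. It applies the inheritance rule
the guide describes: a group policy that omits nac-reval-period or
nac-default-acl (the "no" form) inherits the value from the default group
policy; "nac-default-acl none" turns inheritance off and applies no ACL.
"""
import re

# Assumption: the default group policy is named DfltGrpPolicy.
DEFAULT_POLICY = "DfltGrpPolicy"

# Constructed running-config excerpt used as sample input.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 nac-reval-period 36000
 nac-default-acl acl-1
group-policy SALES internal
group-policy SALES attributes
 nac-reval-period 86400
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 nac-default-acl none
"""

TRACKED = ("nac-reval-period", "nac-default-acl")


def parse_group_policies(config_text):
    """Return {policy_name: {attribute: value}} for the NAC attributes tracked.

    Only lines inside a "group-policy NAME attributes" block are read. A
    "no <attribute>" line (as typed in a configuration session) removes the
    attribute so that it falls back to inheritance.
    """
    policies = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        header = re.match(r"^group-policy (\S+) attributes$", line)
        if header:
            current = policies.setdefault(header.group(1), {})
            continue
        if not line.startswith(" "):
            current = None  # any unindented line ends the attributes block
            continue
        if current is None:
            continue
        tokens = line.split()
        if tokens[0] == "no" and len(tokens) >= 2 and tokens[1] in TRACKED:
            current.pop(tokens[1], None)
        elif tokens[0] == "nac-reval-period" and len(tokens) == 2:
            current["nac-reval-period"] = int(tokens[1])
        elif tokens[0] == "nac-default-acl" and len(tokens) == 2:
            current["nac-default-acl"] = tokens[1]
    return policies


def effective_setting(policies, name, attribute):
    """Inheritance rule: an attribute missing from a policy comes from the default policy."""
    own = policies.get(name, {})
    if attribute in own:
        return own[attribute]
    return policies.get(DEFAULT_POLICY, {}).get(attribute)


def effective_nac_policy(policies, name):
    """Effective revalidation period and default ACL for one group policy.

    A resolved ACL of "none" means inheritance was disabled and no ACL is
    applied to sessions that fail posture validation; it is reported as None.
    """
    period = effective_setting(policies, name, "nac-reval-period")
    acl = effective_setting(policies, name, "nac-default-acl")
    return {
        "nac-reval-period": period,
        "nac-default-acl": None if acl == "none" else acl,
    }


if __name__ == "__main__":
    parsed = parse_group_policies(SAMPLE_CONFIG)
    for policy_name in parsed:
        print(policy_name, effective_nac_policy(parsed, policy_name))
```

Running the script lists, per group policy, the revalidation period and the ACL that will actually govern hosts failing posture validation, which is the question an auditor usually has when many policies mix explicit values, inherited values and "none".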
Step 4
Configure NAC exemptions for VPN. By default, the exemption list is empty. The default value of the
filter attribute is none. Enter the vpn-nac-exempt command once for each operating system (and ACL) to be
matched to exempt remote hosts from posture validation.
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, Group Policies, page 30-55