Uses, Requirements, And Limitations; Viewing The Nac Policies On The Security Appliance - Cisco PIX 500 Series Configuration Manual

Uses, Requirements, and Limitations

In a NAC Framework configuration involving the security appliance, only a Cisco Trust Agent running
on the client can fulfill the role of posture agent, and only a Cisco Access Control Server (ACS) can
fulfill the role of posture validation server. The ACS uses dynamic ACLs to determine the access policy
for each client.
As a RADIUS server, the ACS can authenticate the login credentials required to establish a tunnel, in
addition to fulfilling its role as posture validation server.
Only a NAC Framework policy configured on the security appliance supports the use of an audit server.
Note: In its role as posture validation server, the ACS uses access control lists. If posture validation succeeds
and the ACS specifies a redirect URL as part of the access policy it sends to the security appliance, the
security appliance redirects all HTTP and HTTPS requests from the remote host to the redirect URL.
Once the posture validation server uploads an access policy to the security appliance, all of the
associated traffic must pass both the security appliance and the ACS to reach its destination.
The establishment of a tunnel between an IPSec or WebVPN client and the security appliance triggers
posture validation if a NAC Framework policy is assigned to the group policy. The NAC Framework
policy can, however, identify operating systems that are exempt from posture validation and specify an
optional ACL to filter such traffic.
When configured to support NAC, the security appliance functions as a client of a Cisco Secure Access
Control Server, requiring that you install a minimum of one Access Control Server on the network to
provide NAC authentication services.
Following the configuration of one or more Access Control Servers on the network, you must use the
aaa-server command to name the Access Control Server group. Then follow the instructions in the
"Configuring a NAC Policy" procedure on page
ASA support for NAC Framework is limited to remote access IPSec and WebVPN client sessions. The
NAC Framework configuration supports only single mode.
NAC on the ASA does not support Layer 3 (non-VPN) traffic and IPv6 traffic.
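The sequence these two sections describe (name the ACS group with aaa-server, create a NAC Framework policy, attach it to a remote-access group policy, and optionally exempt an operating system with a filter ACL), shown as one added configuration example that is not taken from the Cisco guide. The server-group name, addresses, shared secret, ACL names and group-policy name are placeholders. The nac-policy sub-commands (authentication-server-group, default-acl, exempt-list, reval-period, sq-period) and the group-policy nac-settings attribute are written from memory of ASA 8.0 syntax and should be confirmed with ? on the target release before use.

```cisco
! Added example, not from the Cisco guide. Names, addresses and the key are placeholders.
!
! 1. Name the Access Control Server group. The same RADIUS group can authenticate the
!    login credentials for the tunnel and act as posture validation server.
aaa-server ACS-NAC protocol radius
aaa-server ACS-NAC (inside) host 192.0.2.20
 key replace-with-shared-secret
!
! 2. ACL applied while posture validation is pending or has failed: allow only the
!    remediation web server, deny everything else.
access-list NAC-DEFAULT extended permit tcp any host 192.0.2.30 eq 80
access-list NAC-DEFAULT extended deny ip any any
! ACL for clients whose OS is exempt from posture validation (optional filter).
access-list NAC-EXEMPT extended permit ip any any
!
! 3. NAC Framework policy (sub-command syntax assumed from ASA 8.0; verify with ?).
nac-policy nacframework1 nac-framework
 authentication-server-group ACS-NAC
 default-acl NAC-DEFAULT
 reval-period 36000
 sq-period 300
 exempt-list os "Windows XP" filter NAC-EXEMPT
!
! 4. Assign the policy to the group policy used by remote-access IPsec/WebVPN sessions.
!    NAC is not applied to Layer 3 (non-VPN) or IPv6 traffic.
group-policy RemoteAccess attributes
 nac-settings value nacframework1
!
! 5. Verify what is configured.
show running-config nac-policy
show running-config group-policy RemoteAccess
```

Before relying on the default ACL, check that the remediation host it permits is actually reachable from the VPN address pool; a default ACL that denies everything leaves a client with a failed posture check with no path to fix it.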

Viewing the NAC Policies on the Security Appliance

Before configuring the NAC policies to be assigned to group policies, we recommend that you view any
that may already be set up on the security appliance. To do so, enter the following command in privileged
EXEC mode:
show running-config nac-policy
The default configuration does not contain NAC policies; however, entering this command is a useful
way to determine whether anyone has added any. If so, you may decide that the policies already
configured are suitable and disregard the section on configuring a NAC policy.
The following example shows the configuration of a NAC policy named nacframework1:
hostname# show running-config nac-policy
nac-policy nacframework1 nac-framework
Cisco Security Appliance Command Line Configuration Guide, Chapter 33, Configuring Network Admission Control (OL-12172-03)
