Configuring a NAC Policy; Specifying the Access Control Server Group; Setting the Query-for-Posture-Changes Timer - Cisco PIX 500 Series Configuration Manual

Chapter 33
Configuring Network Admission Control

Configuring a NAC Policy

After you use the nac-policy command to name a NAC Framework policy, use the following sections to
assign values to its attributes before you assign it to a group policy.

Specifying the Access Control Server Group

You must configure at least one Cisco Access Control Server (ACS) to support NAC. Use the aaa-server
command to define the Access Control Server group even if the group contains only one server: aaa-server
server-tag protocol radius creates the group, and aaa-server server-tag host adds each ACS to it.
To display the AAA server configuration, enter the following command:

show running-config aaa-server

For example:
hostname(config)# show running-config aaa-server
aaa-server acs-group1 protocol radius
aaa-server acs-group1 (outside) host 192.168.22.44
 key secret
 radius-common-pw secret
hostname(config)#
Enter the following command in nac-policy-nac-framework configuration mode to specify the group to
be used for NAC posture validation:

[no] authentication-server-group server-group

Use the no form of the command to remove the server group from the NAC policy.
server-group must match the server-tag specified in the aaa-server host command. The argument is
optional with the no form of the command.
For example, enter the following command to specify acs-group1 as the authentication server group to
be used for NAC posture validation:
hostname(config-nac-policy-nac-framework)# authentication-server-group acs-group1
hostname(config-nac-policy-nac-framework)#

Setting the Query-for-Posture-Changes Timer

After each successful posture validation, the security appliance starts a status query timer. When the
timer expires, the security appliance queries the remote host for changes in posture since the last posture
validation. A response indicating no change resets the status query timer. A response indicating a change
in posture triggers an unconditional posture revalidation; the host keeps its current access policy until
the revalidation completes.
By default, the interval between a successful posture validation and the first status query, and between
each subsequent status query, is 300 seconds (5 minutes). Enter the following command in
nac-policy-nac-framework configuration mode to change the status query interval:

[no] sq-period seconds

Use the no form of the command to restore the default interval. A shorter interval detects posture changes
sooner at the cost of more frequent queries to each host and more load on the security appliance.
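The two requirements above, that authentication-server-group must name an existing aaa-server group and that sq-period must hold a sensible interval, are easy to get wrong when a policy is copied between devices. The following script is an added example, not code from the Cisco guide: it parses a running-config extract like the show running-config aaa-server output shown earlier, together with the nac-policy blocks, and reports every policy whose server group is missing, is not a RADIUS group, has no host, or whose sq-period is out of range. The nac-policy <name> nac-framework line format, the 30-1800 second sq-period range, and the sample configuration are assumptions constructed for this example; check the command reference for your release before relying on the range.

```python
"""Audit NAC Framework policies in an ASA/PIX running-config extract.

Added example, not code from the Cisco guide: it checks that every
nac-policy's authentication-server-group names an existing aaa-server
group, that the group is a RADIUS group with at least one host, and
that sq-period lies within an assumed valid range.
"""
import re

# Constructed sample config: one good policy, one that references a
# group that does not exist and uses an out-of-range sq-period, and one
# that points at a non-RADIUS group. The 'nac-policy <name> nac-framework'
# line format is an assumption about how the policy appears in the config.
SAMPLE_CONFIG = """\
aaa-server acs-group1 protocol radius
aaa-server acs-group1 (outside) host 192.168.22.44
 key secret
 radius-common-pw secret
aaa-server acs-group2 protocol tacacs+
aaa-server acs-group2 (inside) host 10.0.0.5
 key secret
nac-policy nac-pol1 nac-framework
 authentication-server-group acs-group1
 sq-period 300
nac-policy nac-pol2 nac-framework
 authentication-server-group acs-missing
 sq-period 10
nac-policy nac-pol3 nac-framework
 authentication-server-group acs-group2
"""

DEFAULT_SQ_PERIOD = 300        # default status query interval in seconds (from the guide)
SQ_PERIOD_RANGE = (30, 1800)   # assumed valid range; confirm in your release's command reference

GROUP_RE = re.compile(r"aaa-server (\S+) protocol (\S+)")
HOST_RE = re.compile(r"aaa-server (\S+) \((\S+)\) host (\S+)")
POLICY_RE = re.compile(r"nac-policy (\S+) nac-framework")
SERVER_GROUP_RE = re.compile(r"\s+authentication-server-group (\S+)")
SQ_PERIOD_RE = re.compile(r"\s+sq-period (\d+)")


def parse_aaa_servers(config):
    """Map server-tag -> {'protocol': str or None, 'hosts': [ip, ...]}."""
    groups = {}
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            groups.setdefault(m.group(1), {"protocol": None, "hosts": []})["protocol"] = m.group(2)
            continue
        m = HOST_RE.match(line)
        if m:
            groups.setdefault(m.group(1), {"protocol": None, "hosts": []})["hosts"].append(m.group(3))
    return groups


def parse_nac_policies(config):
    """Map policy name -> {'server_group': str or None, 'sq_period': int}."""
    policies = {}
    current = None
    for line in config.splitlines():
        if not line.startswith(" "):
            # A top-level command either opens a new nac-policy block or ends the current one.
            m = POLICY_RE.match(line)
            current = policies.setdefault(m.group(1), {"server_group": None, "sq_period": DEFAULT_SQ_PERIOD}) if m else None
            continue
        if current is None:
            continue  # indented line that belongs to something other than a nac-policy
        m = SERVER_GROUP_RE.match(line)
        if m:
            current["server_group"] = m.group(1)
            continue
        m = SQ_PERIOD_RE.match(line)
        if m:
            current["sq_period"] = int(m.group(1))
    return policies


def audit(config, sq_range=SQ_PERIOD_RANGE):
    """Return a list of findings; an empty list means every policy checks out."""
    groups = parse_aaa_servers(config)
    findings = []
    for name, pol in parse_nac_policies(config).items():
        tag = pol["server_group"]
        if tag is None:
            findings.append(f"{name}: no authentication-server-group configured")
        elif tag not in groups:
            findings.append(f"{name}: authentication-server-group {tag} matches no aaa-server server-tag")
        else:
            group = groups[tag]
            if group["protocol"] != "radius":
                findings.append(f"{name}: group {tag} uses {group['protocol']}, but ACS posture validation uses RADIUS")
            if not group["hosts"]:
                findings.append(f"{name}: group {tag} has no aaa-server host entries")
        lo, hi = sq_range
        if not lo <= pol["sq_period"] <= hi:
            findings.append(f"{name}: sq-period {pol['sq_period']} is outside {lo}-{hi} seconds")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show running-config (or the aaa-server and nac-policy sections of a saved configuration) instead of SAMPLE_CONFIG; a policy that omits sq-period is treated as using the 300-second default, matching the behaviour described above.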
Command syntax used in this section:

show running-config aaa-server
[no] authentication-server-group server-group
[no] sq-period seconds

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 33-5
This manual is also suitable for: ASA 5500 series