Setting The Revalidation Timer; Configuring The Default Acl For Nac - Cisco PIX 500 Series Configuration Manual

Configuring a NAC Policy
Use the no form of the command if you want to turn off the status query timer. If you turn off this timer and enter show running-config nac-policy, the CLI displays a 0 next to the sq-period attribute, which means the timer is turned off.
seconds must be in the range 30 to 1800 seconds (5 to 30 minutes). It is optional if you are using the no version of the command.
The following example changes the status query timer to 1800 seconds:
hostname(config-group-policy)# sq-period 1800
hostname(config-group-policy)

Setting the Revalidation Timer

After each successful posture validation, the security appliance starts a revalidation timer. The expiration of this timer triggers the next unconditional posture validation. The security appliance maintains the current access policy during revalidation.
By default, the interval between each successful posture validation is 36000 seconds (10 hours). To change it, enter the following command in nac-policy-nac-framework configuration mode:
[no] reval-period seconds
Use the no form of the command if you want to turn off the status query timer. If you turn off this timer and enter show running-config nac-policy, the CLI displays a 0 next to the sq-period attribute, which means the timer is turned off.
seconds must be in the range 300 to 86400 seconds (5 minutes to 24 hours). It is optional if you are using the no version of the command.
For example, enter the following command to change the revalidation timer to 86400 seconds:
hostname(config-nac-policy-nac-framework)# reval-period 86400
hostname(config-nac-policy-nac-framework)

Configuring the Default ACL for NAC

Each group policy points to a default ACL to be applied to hosts that match the policy and are eligible for NAC. The security appliance applies the NAC default ACL before posture validation. Following posture validation, the security appliance replaces the default ACL with the one obtained from the Access Control Server for the remote host. The security appliance retains the default ACL if posture validation fails.
The security appliance also applies the NAC default ACL if clientless authentication is enabled (which is the default setting).
Enter the following command in nac-policy-nac-framework configuration mode to specify the ACL to be used as the default ACL for NAC sessions:
[no] default-acl acl-name
Use the no form of the command if you want to remove the command from the NAC Framework policy. In that case, specifying the acl-name is optional.
acl-name is the name of the access control list to be applied to the session.
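As an added defender-side example (not code from the Cisco guide), the script below audits nac-framework policy blocks for the three settings this page covers: a status query or revalidation timer turned off (shown as 0 in the running config), a timer value outside the documented range, and a policy with no default-acl. The block layout of the sample running-config text is an assumption and the sample itself is constructed, not captured from a device.

```python
"""Audit NAC Framework policy blocks for turned-off or out-of-range timers."""
import re

# Documented ranges from the guide; a 0 in the running config means the timer is off.
TIMER_RANGES = {"sq-period": (30, 1800), "reval-period": (300, 86400)}

# Constructed sample of running-config text (block layout assumed, not a real capture).
SAMPLE_CONFIG = """\
nac-policy nac-lab nac-framework
 default-acl nac-default-acl
 sq-period 0
 reval-period 86400
nac-policy nac-guest nac-framework
 reval-period 100000
 sq-period 300
"""


def parse_nac_policies(text):
    """Return {policy_name: {attribute: value}} for each nac-framework policy block."""
    policies, current = {}, None
    for line in text.splitlines():
        header = re.match(r"nac-policy (\S+) nac-framework", line)
        if header:
            current = policies.setdefault(header.group(1), {})
            continue
        attr = re.match(r"\s+(default-acl|sq-period|reval-period) (\S+)", line)
        if attr and current is not None:
            current[attr.group(1)] = attr.group(2)
    return policies


def audit_policy(name, attrs):
    """List findings: timer set to 0 (off), timer outside its range, or no default ACL."""
    findings = []
    for timer, (low, high) in TIMER_RANGES.items():
        raw = attrs.get(timer)
        if raw is None:
            continue  # attribute absent from the block: the device default applies
        value = int(raw)
        if value == 0:
            findings.append(f"{name}: {timer} is 0 (timer turned off)")
        elif not low <= value <= high:
            findings.append(f"{name}: {timer} {value} outside {low}-{high}")
    if "default-acl" not in attrs:
        findings.append(f"{name}: default-acl not set in this policy")
    return findings


def audit_config(text):
    """Run audit_policy over every policy block found in the running-config text."""
    return [f for name, attrs in parse_nac_policies(text).items() for f in audit_policy(name, attrs)]


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```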
Cisco Security Appliance Command Line Configuration Guide, Chapter 33 Configuring Network Admission Control, page 33-6, OL-12172-03

This manual is also suitable for: ASA 5500 series