Cisco ASA 5505 Configuration Manual page 1306

Asa 5500 series

Configuring Network Admission Control Policies
The Clientless Authentication area of the NAC pane lets you configure settings for hosts that are not
responsive to the EAPoUDP requests. Hosts for which there is no CTA running do not respond to these
requests.
Modes
The following table shows the modes in which this feature is available:
Firewall Mode
Routed
Configuring Network Admission Control Policies
The NAC Policies table displays the Network Admission Control (NAC) policies configured on the
adaptive security appliance.
Cisco ASA 5500 Series Configuration Guide using ASDM
63-26
Rechallenge Interval—The adaptive security appliance starts this timer when it sends an EAPoUDP
message to the host. A response from the host clears the timer. If the timer expires before the
adaptive security appliance receives a response, it resends the message. The setting is in seconds.
Enter a value in the range 1 to 60. The default setting is 3.
Wait before new PV Session—The adaptive security appliance starts this timer when it places the
NAC session for a remote host into a hold state. It places a session in a hold state if it does not receive
a response after sending EAPoUDP messages equal to the value of the "Retry if no response"
setting. The adaptive security appliance also starts this timer after it receives an Access Reject
message from the ACS server. When the timer expires, the adaptive security appliance tries to
initiate a new EAP over UDP association with the remote host. The setting is in seconds. Enter a
value in the range 60 to 86400. The default setting is 180.
Enable clientless authentication—Click to enable clientless authentication. The adaptive security
appliance sends the configured clientless username and password to the Access Control Server in
the form of a user authentication request. The ACS in turn requests the access policy for clientless
hosts. If you leave this attribute blank, the adaptive security appliance applies the default ACL for
clientless hosts.
Clientless Username—Username configured for clientless hosts on the ACS. The default setting is
clientless. Enter 1 to 64 ASCII characters, excluding leading and trailing spaces, pound signs (#),
question marks (?), single and double quotation marks (' and "), asterisks (*), and angle brackets
(< and >).
Password—Password configured for clientless hosts on the ACS. The default setting is clientless.
Enter 4 – 32 ASCII characters.
Confirm Password—Password configured for clientless hosts on the ACS repeated for validation.
Enable Audit—Click to pass the IP address of the client to an optional audit server if the client does
not respond to a posture validation request. The audit server, such as a Trend server, uses the host
IP address to challenge the host directly to assess its health. For example, it may challenge the host
to determine whether its virus checking software is active and up-to-date. After the audit server
completes its interaction with the remote host, it passes a token to the posture validation server,
indicating the health of the remote host.
None—Click to disable clientless authentication and audit services.
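
An added example, not part of the Cisco manual: a Python check that applies the ranges, character rules and defaults listed above to a settings record and reports values that are out of range or still at the documented default. The dictionary key names and the sample record are assumptions made for the example.

```python
import string

# Limits and defaults as stated in the field descriptions above.
RANGES = {"rechallenge_interval": (1, 60),   # seconds, default 3
          "hold_period": (60, 86400)}        # "Wait before new PV Session", default 180
DEFAULT_CREDENTIAL = "clientless"            # documented default username and password
FORBIDDEN_USER_CHARS = set("#?'\"*<>")
ASCII_OK = set(string.printable) - set("\t\n\r\x0b\x0c")


def audit_clientless_settings(cfg):
    """Return findings for a settings dict (key names are hypothetical)."""
    findings = []
    for key, (low, high) in RANGES.items():
        value = cfg.get(key)
        if (not isinstance(value, int) or isinstance(value, bool)
                or not low <= value <= high):
            findings.append(f"{key}: {value!r} is outside {low}-{high} seconds")

    if not cfg.get("clientless_auth_enabled"):
        return findings  # credentials are only sent when the option is enabled

    user = cfg.get("username", "")
    password = cfg.get("password", "")
    if not 1 <= len(user) <= 64:
        findings.append("username: length must be 1 to 64 characters")
    if user != user.strip(" "):
        findings.append("username: leading or trailing space")
    bad = sorted(set(user) & FORBIDDEN_USER_CHARS)
    if bad:
        findings.append(f"username: forbidden characters {''.join(bad)}")
    if not set(user) <= ASCII_OK:
        findings.append("username: non-ASCII or control character")
    if not 4 <= len(password) <= 32:
        findings.append("password: length must be 4 to 32 characters")
    if not set(password) <= ASCII_OK:
        findings.append("password: non-ASCII or control character")
    # The defaults are printed in the manual, so treat them as findings.
    if user == DEFAULT_CREDENTIAL:
        findings.append("username: still set to the default")
    if password == DEFAULT_CREDENTIAL:
        findings.append("password: still set to the default")
    return findings


if __name__ == "__main__":
    # Constructed sample record: every value left at its documented default.
    sample = {"rechallenge_interval": 3, "hold_period": 180,
              "clientless_auth_enabled": True,
              "username": "clientless", "password": "clientless"}
    for finding in audit_clientless_settings(sample):
        print(finding)
```
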
Modes table column headings: Firewall Mode (Routed, Transparent); Security Context (Single; Multiple: Context, System)
Chapter 63
Configuring IKE, Load Balancing, and NAC
OL-20339-01


This manual is also suitable for: Asa 5510, Asa 5540, Asa 5520, Asa 5550, Asa 5580