Uses, Requirements, And Limitations - Cisco FirePOWER ASA 5500 series Configuration Manual

Security appliance command line

Chapter 33
Configuring Network Admission Control
This chapter includes the following sections.

Uses, Requirements, and Limitations
Configuring Basic Settings
Changing Advanced Settings

Uses, Requirements, and Limitations

Network Admission Control (NAC) protects the enterprise network from intrusion and infection from
worms, viruses, and rogue applications by performing endpoint compliancy and vulnerability checks as
a condition for production access to the network. We refer to these checks as posture validation. You can
configure posture validation to ensure that the anti-virus files, personal firewall rules, or intrusion
protection software on a host establishing an IPSec session are up-to-date. Posture validation can include
the verification that the applications running on the remote hosts are updated with the latest patches.
NAC supplements the identity-based validation that IPSec and other access methods provide. It is
especially useful for protecting the enterprise network from hosts that are not subject to automatic
network policy enforcement, such as home PCs.

Note: When configured to support NAC, the security appliance functions as a client of a Cisco Secure Access
Control Server, requiring that you install a minimum of one Access Control Server on the network to
provide NAC authentication services.

Following the configuration of one or more Access Control Servers on the network, you must use the
aaa-server command to name the Access Control Server group. Then follow the instructions in
Configuring Basic Settings, page 33-2 to configure NAC.

ASA support for NAC is limited to remote access IPSec and L2TP over IPSec sessions. NAC on the ASA
does not support WebVPN, non-VPN traffic, IPv6, and multimode.

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01

This manual is also suitable for:

PIX 500 series, Cisco ASA 5500 series