Chapter 30 Network Admission Control
Create NAC Tab
30-4
Cisco Router and Security Device Manager 2.5 User’s Guide
OL-4015-12

Configure a NAC exception list—Hosts such as printers, IP phones, and hosts
without NAC posture agents installed may need to bypass the NAC process.
Hosts with static IP addresses and other devices can be identified in an
exception list and handled using an associated exception policy. Hosts can
also be identified by their MAC address or by their device type.

Configure an agentless host policy—If you want to use a policy residing on a
Cisco Secure ACS server to handle hosts without an installed posture agent,
you can do so. When the Cisco Secure ACS server receives a packet from an
agentless host, it responds by sending the agentless host policy. Configuring
an agentless host policy is useful when there are agentless hosts that are
dynamically addressed, such as DHCP clients.

Configuring NAC for remote access—Hosts using Cisco SDM to manage the
router must be allowed access. The wizard lets you specify IP addresses for
remote management so that Cisco SDM can modify the NAC ACL to allow
the hosts with those addresses access to the router.

Configuring NAC on the router is the last step in a NAC configuration. Before you
configure the router with this feature, complete the steps described in the
following link: Other Tasks in a NAC Implementation.

NAC Policy Servers

NAC admission control policies are configured and stored in a policy database
residing on RADIUS servers running Cisco Secure ACS version 3.3. The router
must validate the credentials of network hosts by communicating with the
RADIUS server. Use this window to provide the information the router needs to
contact the RADIUS servers. Each RADIUS server that you specify must have
Cisco Secure Access Control Server (ACS) software version 3.3 installed
and configured.

Choose the RADIUS client source

Configuring the RADIUS source allows you to specify the source IP address to be
sent in RADIUS packets bound for the RADIUS server. If you need more
information about an interface, choose the interface and click the Details button.
The source IP address in the RADIUS packets sent from the router must be
configured as the NAD IP address in Cisco ACS version 3.3 or later.
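
One way to verify the requirement above before deployment, as an added example that is not part of the Cisco guide: the script reads a router running-config, finds the interface named by `ip radius source-interface`, and compares its address with the NAD IP entered on the ACS. The sample configuration, addresses, and function names are constructed for illustration.

```python
import re

# Constructed sample running-config (illustrative, not from the guide).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
ip radius source-interface Loopback0
radius-server host 10.10.10.5 auth-port 1645 acct-port 1646
"""

IP = r"\d+\.\d+\.\d+\.\d+"

def interface_addresses(config):
    """Map each interface name to its primary IPv4 address."""
    addrs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        # Anchoring on end of line skips "secondary" addresses.
        m = re.match(rf"\s+ip address ({IP}) {IP}\s*$", line)
        if m and current:
            addrs[current] = m.group(1)
        elif line and not line[0].isspace():
            current = None  # left the interface block
    return addrs

def radius_source_ip(config):
    """Return (interface, ip) pinned as the RADIUS source, or (None, None)."""
    m = re.search(r"^ip radius source-interface (\S+)", config, re.M)
    if not m:
        return None, None  # no fixed source; the router picks one itself
    return m.group(1), interface_addresses(config).get(m.group(1))

def check_nad_ip(config, acs_nad_ip):
    """Compare the router's RADIUS source with the NAD IP set on the ACS."""
    name, ip = radius_source_ip(config)
    if name is None:
        return "no fixed RADIUS source interface configured"
    if ip is None:
        return f"{name} has no IPv4 address"
    if ip != acs_nad_ip:
        return f"mismatch: router uses {ip} ({name}), ACS expects {acs_nad_ip}"
    return "ok"
```

A mismatch result means the ACS will see RADIUS requests from an address it does not recognize as a configured network access device.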