
Chapter 14 Network Admission Control
Implementing Network Admission Control
14-6
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
To implement NAC, follow these steps:
Step 1 Install a server certificate. Cisco Secure ACS requires a server certificate for NAC 
because NAC communication with an end-user client is protected by a TLS 
tunnel. You can use a certificate acquired from a third-party certificate authority 
(CA) or you can use a self-signed certificate.
For detailed steps about installing a server certificate, see Installing a 
Cisco Secure ACS Server Certificate, page 10-35. For detailed steps about 
generating and installing a self-signed certificate, see Generating a Self-Signed 
Certificate, page 10-49.
Note: If you use a self-signed certificate, you may need to export the certificate
from Cisco Secure ACS and import it as a trusted root CA certificate into
local storage on NAC-client computers.
Step 2 If you want to validate NAC clients with external policies and the following are
both true:
• Cisco Secure ACS uses HTTPS to communicate with external NAC servers.
• The external NAC servers use a different CA than the CA that issued the
  Cisco Secure ACS server certificate installed in Step 1.
then you must configure the Certificate Trust List (CTL). For detailed steps, see
Editing the Certificate Trust List, page 10-38.
If the CA that issued the server certificates used by the external database servers 
does not appear on the CTL, you must add the CA. For detailed steps, see Adding 
a Certificate Authority Certificate, page 10-37.
Step 3 (Optional) If the Passed Authentications log is not enabled, consider enabling it. 
Posture validation requests receiving an SPT of Healthy are logged to the Passed 
Authentications log. You can configure the Passed Authentications log to record 
useful NAC information, such as posture token-group mapping results. If you 
enable the Passed Authentications log, be sure to move NAC-related attributes to 
the Logged Attributes column on the Passed Authentications File Configuration 
page.
For detailed steps about configuring this type of log, see Configuring a CSV Log, 
page 11-19.
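
The decision in Step 2 depends on whether an external NAC server's certificate was issued by the same CA as the Cisco Secure ACS server certificate from Step 1. The shell script below is an added example, not part of the Cisco guide: it assumes OpenSSL is available and that the certificates have been exported as PEM files. All file and function names are hypothetical, and the sample certificates are constructed.

```shell
#!/bin/sh
# Added example, not from the Cisco guide. File and function names are
# hypothetical; certificates are assumed to be PEM exports.

# Print the issuer DN of a PEM certificate (to compare against the CTL by eye).
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253
}

# ca_relation ACS_ISSUING_CA_PEM EXTERNAL_SERVER_PEM
# Prints "same-ca" if the external NAC server certificate verifies against the
# CA that issued the ACS server certificate (for a self-signed ACS certificate,
# pass that certificate itself), otherwise "different-ca" (Step 2 applies).
# -no-CApath keeps the system trust directory out of the decision.
ca_relation() {
    if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "same-ca"
    else
        echo "different-ca"
    fi
}

# Build constructed sample data in directory $1: two throwaway CAs (ca_a, ca_b)
# and one external-server certificate issued by each.
make_samples() {
    d=$1
    for ca in ca_a ca_b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed-$ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=nac-ext-$ca.example" \
            -keyout "$d/ext_$ca.key" -out "$d/ext_$ca.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/ext_$ca.csr" -days 1 \
            -CA "$d/$ca.pem" -CAkey "$d/$ca.key" -CAcreateserial \
            -out "$d/ext_$ca.pem" 2>/dev/null || return 1
    done
}

# Demo: treat ca_a as the CA that issued the ACS server certificate.
tmp=$(mktemp -d) && make_samples "$tmp" && for ext in ext_ca_a ext_ca_b; do
    echo "$ext: $(ca_relation "$tmp/ca_a.pem" "$tmp/$ext.pem") ($(cert_issuer "$tmp/$ext.pem"))"
done
rm -rf "$tmp"
```

A "different-ca" result means the issuer printed by cert_issuer is the CA to look for on the CTL, and to add if it is missing.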