67-62
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter67 Configuring Connection Profiles, Group Policies, and Users
Group Policies
The following example removes the same entry from the exemption list, regardless of whether it is
disabled:
hostname(config-group-policy)# no vpn-nac-exempt os "Windows 98" filter acl-1
hostname(config-group-policy)
The following example disables inheritance and specifies that all hosts will be subject to posture
validation:
hostname(config-group-policy)# no vpn-nac-exempt none
hostname(config-group-policy)
The following example removes all entries from the exemption list:
hostname(config-group-policy)# no vpn-nac-exempt
hostname(config-group-policy)
Step5 Enable or disable Network Admission Control by entering the following command:
hostname(config-group-policy)# nac {enable | disable}
hostname(config-group-policy)#
Toinherit the NAC setting from the default group policy, access the alternative group policy from which
to inherit it, then use the no form of this command:
hostname(config-group-policy)# no nac [enable | disable]
hostname(config-group-policy)#
By default, NAC is disabled. Enabling NAC requires posture validation for remote access. If the remote
computer passes the validation checks, the ACS server downloads the access policy for the ASA to
enforce. NAC is disabled by default.
An Access Control Server must be present on the network.
The following example enables NAC for the group policy:
hostname(config-group-policy)# nac enable
hostname(config-group-policy)#
Configuring Address Pools
Configure a list of address pools for allocating addresses to remote clients by entering the address-pools
command in group-policy attributes configuration mode:
hostname(config-group-policy)# address-pools value address_pool1 [...address_pool6]
hostname(config-group-policy)#
The address-pools settings in this command override the local pool settings in the group. You can specify
a list of up to six local address pools to use for local address allocation.
The order in which you specify the pools is significant. The ASA allocates addresses from these pools
in the order in which the pools appear in this command.
To remove the attribute from the group policy and enable inheritance from other sources of group policy,
use the no form of this command:
hostname(config-group-policy)# no address-pools value address_pool1 [...address_pool6]
hostname(config-group-policy)#
The command address-pools none disables this attribute from being inherited from other sources of
policy, such as the DefaultGrpPolicy: