Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 70 Configuring Network Admission Control
Configuring a NAC Policy
Detailed Steps
Note: Each exempt-list command adds an entry to the exemption list; specifying an operating system does not overwrite an entry added earlier for that operating system. Enter the command once for each operating system and ACL you want to exempt.
Command / Purpose

Step 1
Command: nac-policy-nac-framework
Purpose: Switches to nac-policy-nac-framework configuration mode.

Step 2
Command: exempt-list os "os-name" [ disable | filter acl-name [ disable ] ]
Purpose: Adds an entry to the list of remote computer types that are exempt from NAC posture validation.
  os-name is the operating system name. Use quotation marks if the name includes a space (for example, "Windows XP").
  filter applies an ACL to the traffic if the computer's operating system matches os-name. The filter/acl-name pair is optional.
  disable performs one of two functions, depending on where you enter it:
    - After "os-name": the ASA ignores the exemption and applies NAC posture validation to remote hosts running that operating system.
    - After acl-name: the ASA exempts the operating system but does not apply the ACL to the associated traffic.
  acl-name is the name of an ACL already present in the ASA configuration. When specified, it must follow the filter keyword.

Example:
hostname(config-nac-policy-nac-framework)# exempt-list os "Windows XP"
hostname(config-nac-policy-nac-framework)#
Adds all hosts running Windows XP to the list of computers that are exempt from posture validation.

hostname(config-nac-policy-nac-framework)# exempt-list os "Windows XP" filter acl-2
hostname(config-nac-policy-nac-framework)#
Exempts all hosts running Windows XP and applies the ACL acl-2 to traffic from those hosts.

hostname(config-nac-policy-nac-framework)# no exempt-list os "Windows XP" filter acl-2
hostname(config-nac-policy-nac-framework)#
Removes the same entry from the exemption list.
Step 3 (Optional)
Command: [no] exempt-list os "os-name" [ disable | filter acl-name [ disable ] ]
Purpose: The no form without arguments removes all exemptions from the NAC Framework policy. Specifying an entry with the no form removes only that entry from the exemption list.

Example:
hostname(config-nac-policy-nac-framework)# no exempt-list
hostname(config-nac-policy-nac-framework)#
Removes all entries from the exemption list.
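The steps above put together as one configuration, as an added example that is not taken from the Cisco guide. The policy name nac-framework1, the ACL name xp-restricted and its contents, the group policy name remote-users, the host address 10.0.0.25 and the operating-system strings other than "Windows XP" are assumptions for illustration. It shows the three behaviours the command table describes: an exemption confined by a filter ACL, an exemption whose ACL is switched off with disable after the ACL name, and an exemption switched off entirely with disable after the OS name.

```cisco
! Added example; names and addresses are illustrative, not from the guide.
! The ACL must exist before it is referenced with "filter".
access-list xp-restricted extended permit tcp any host 10.0.0.25 eq 443
access-list xp-restricted extended deny ip any any

! Create the NAC Framework policy; this enters nac-policy-nac-framework mode.
nac-policy nac-framework1 nac-framework
 ! Windows XP hosts skip posture validation but their traffic is confined by the ACL.
 exempt-list os "Windows XP" filter xp-restricted
 ! Windows 2000 hosts skip posture validation and the ACL is NOT applied
 ! (disable after acl-name).
 exempt-list os "Windows 2000" filter xp-restricted disable
 ! The Mac OS X entry stays in the list but is ignored (disable after os-name):
 ! hosts reporting Mac OS X are posture-validated again.
 exempt-list os "Mac OS X" disable

! Attach the NAC policy to the group policy whose remote users it should govern.
group-policy remote-users internal
group-policy remote-users attributes
 nac-settings value nac-framework1

! Checks: confirm the entries and the ACL are in the running configuration.
show running-config nac-policy
show running-config access-list xp-restricted
```

An exemption keys on the operating-system name the ASA learns from the remote host, not on anything the ASA verifies itself, so an unfiltered exemption is a trust decision on unverified input. Prefer the filter form with a deny-by-default ACL, as in the Windows XP entry, over a bare exemption, and use disable after the OS name rather than deleting an entry when you want to re-enable posture validation temporarily without losing the entry.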