Cisco Systems ASA 5510, ASA 5512-X, ASA 5515-X, ASA 5520, ASA 5525-X, ASA 5540, ASA 5545-X, ASA 5550, ASA 5555-X, ASA 5580, ASA 5585-X, ASA 5505 Setting Global NAC Parameters

68-29

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter68 Configuring IKE, Load Balancing, and NAC

Setting Global NAC Parameters

Setting Global NAC Parameters

The ASA uses Extensible Authentication Protocol (EAP) over UDP (EAPoUDP) messaging to validate

the posture of remote hosts. Posture validation involves checking a remote host for compliancy with

safety requirements before the assignment of a network access policy. An Access Control Server must

be configured for Network Admission Control before you configure NAC on the ASA.

Fields

The NAC pane lets you set attributes that apply to all NAC communications. The following global

attributes at the top of the pane apply to EAPoUDP messaging between the ASA and remote hosts:

•Port—Port number for EAP over UDP communication with the Cisco Trust Agent (CTA) on the

host. This number must match the port number configured on the CTA. Enter a value in the range

1024 to 65535. The default setting is 21862.

•Retry if no response—Number of times the ASA resends an EAP over UDP message. This attribute

limits the number of consecutive retries sent in response to Rechallenge Interval expirations. The

setting is in seconds. Enter a value in the range 1 to 3. The default setting is 3.

•Rechallenge Interval—The ASA starts this timer when it sends an EAPoUDP message to the host.

A response from the host clears the timer. If the timer expires before the ASA receives a response,

it resends the message. The setting is in seconds. Enter a value in the range 1 to 60. The default

setting is 3.

•Wait before new PV Session—The ASA starts this timer when it places the NAC session for a remote

host into a hold state. It places a session in a hold state if it does not receive a response after sending

EAPoUDP messages equal to the value of the “Retry if no response” setting. The ASA also starts

this timer after it receives an Access Reject message from the ACS server. When the timer expires,

the ASA tries to initiate a new EAP over UDP association with the remote host. The setting is in

seconds. Enter a value in the range 60 to 86400. The default setting is 180.

The Clientless Authentication area of the NAC pane lets you configure settings for hosts that are not

responsive to the EAPoUDP requests. Hosts for which there is no CTA running do not respond to these

requests.

•Enable clientless authentication—Click to enable clientless authentication. The ASA sends the

configured clientless username and password to the Access Control Server in the form of a user

authentication request. The ACS in turn requests the access policy for clientless hosts. If you leave

this attribute blank, the ASA applies the default ACL for clientless hosts.

•Clientless Username—Username configured for clientless hosts on the ACS. The default setting is

clientless. Enter 1 to 64 ASCII characters, excluding leading and trailing spaces, pound signs (#),

question marks (?), single and double quotation marks (“ ” and "), asterisks (*), and angle brackets

(< and >).

•Password—Password configured for clientless hosts on the ACS. The default setting is clientless.

Enter 4 – 32 ASCII characters.

•Confirm Password—Password configured for clientless hosts on the ACS repeated for validation.

Firewall Mode Security Context

Routed Transparent Single

Multiple

Context System

•—•——

Cisco Systems Setting Global NAC Parameters

Models: ASA 5510 ASA 5512-X ASA 5515-X ASA 5520 ASA 5525-X ASA 5540 ASA 5545-X ASA 5550 ASA 5555-X ASA 5580 ASA 5585-X ASA 5505