68-32
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter68 Configuring IKE, Load Balancing, and NAC
Configuring Network Admission Control Policies
Revalidation Period—The ASA starts this timer after each successful posture validation. The
expiration of this timer triggers the next unconditional posture validation. The ASA maintains
posture validation during revalidation. The default group policy becomes effective if the Access
Control Server is unavailable during posture validation or revalidation. Enter the interval in seconds
between each successful posture validation. The range is 300 to 86400. The default setting is 36000.
Default ACL—(Optional) The ASA applies the security policy associated with the selected ACL if
posture validation fails. Select None or select an extended ACL in the list. The default setting is
None. If the setting is None and posture validation fails, the ASA applies the default group policy.
Use the Manage button to populate the drop-down list and to view the configuration of the ACLs in the
list.
Manage— Opens the ACL Manager dialog box. Click to view, enable, disable, and delete standard
ACLs and the ACEs in each ACL. The list next to the Default ACL attribute displays the ACLs.
Authentication Server Group—Specifies the authentication server group to use for posture
validation. The drop-down list next to this attribute displays the names of all server groups of type
RADIUS configured on this ASA that are available for remote access tunnels. Select an ACS group
consisting of at least one server configured to support NAC.
Posture Validation Exception List—Displays one or more attributes that exempt remote computers
from posture validation. At minimum, each entry lists the operating system and an Enabled setting
of Yes or No. An optional filter identifies an ACL used to match additional attributes of the remote
computer. An entry that consists of an operating system and a filter requires the remote computer to
match both to be exempt from posture validation. The ASA ignores the entry if the Enabled setting
is set to No.
Add—Adds an entry to the Posture Validation Exception list.
Edit—Modifies an entry in the Posture Validation Exception list.
Delete—Removes an entry from the Posture Validation Exception list.
What to Do Next
After configuring the NAC policy, you must assign it to a group policy for it to become active. To
do so, choose Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Add or
Edit > General > More Options, and then choose the NAC policy name from the drop-down list next to
the NAC Policy attribute.
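The field descriptions above define three decision rules: the Revalidation Period must fall in the documented range (defaulting to 36000 seconds), a failed posture validation falls back to the Default ACL or, when that is None, to the default group policy, and an exception-list entry exempts a client only when it is enabled, the operating system matches, and any filter ACL also matches. The following Python model is an added example, not Cisco code and not part of this guide; the names ExceptionEntry, RemoteClient and evaluate_client are hypothetical, and the client's matched ACLs are a constructed stand-in for the ASA's ACL evaluation.

```python
"""Model of the NAC policy decision rules described for the ASDM fields.

Added example (not Cisco code). It encodes the documented semantics of the
Revalidation Period range, the Default ACL fallback and the Posture Validation
Exception List so they can be checked against sample clients.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Documented bounds and default for the Revalidation Period (seconds).
REVAL_MIN, REVAL_MAX, REVAL_DEFAULT = 300, 86400, 36000


def validate_reval_period(seconds: Optional[int]) -> int:
    """Return the revalidation period to use; None selects the documented default."""
    if seconds is None:
        return REVAL_DEFAULT
    if not REVAL_MIN <= seconds <= REVAL_MAX:
        raise ValueError(
            f"revalidation period {seconds} outside {REVAL_MIN}-{REVAL_MAX} seconds")
    return seconds


@dataclass(frozen=True)
class ExceptionEntry:
    """One row of the Posture Validation Exception List (hypothetical name)."""
    os_name: str
    enabled: bool = True
    filter_acl: Optional[str] = None  # optional ACL matching extra client attributes


@dataclass(frozen=True)
class RemoteClient:
    """Hypothetical view of a remote computer as seen by the ASA."""
    os_name: str
    matched_acls: FrozenSet[str]  # constructed: filter ACLs this client matches


def is_exempt(client: RemoteClient, entries: List[ExceptionEntry]) -> bool:
    """Exempt only if some entry is enabled, its OS matches and, when the entry
    carries a filter ACL, the client matches that ACL as well."""
    for entry in entries:
        if not entry.enabled:
            continue  # the ASA ignores entries whose Enabled setting is No
        if entry.os_name != client.os_name:
            continue
        if entry.filter_acl is not None and entry.filter_acl not in client.matched_acls:
            continue  # an entry with OS and filter requires both to match
        return True
    return False


def policy_on_failure(default_acl: Optional[str]) -> str:
    """Policy applied when posture validation fails: the Default ACL, or the
    default group policy when the Default ACL is None."""
    return f"acl:{default_acl}" if default_acl else "default-group-policy"


def evaluate_client(client: RemoteClient, entries: List[ExceptionEntry],
                    posture_ok: bool, default_acl: Optional[str],
                    reval_period: Optional[int] = None) -> str:
    """Summarise the outcome for one client under the configured NAC policy."""
    if is_exempt(client, entries):
        return "exempt"
    if not posture_ok:
        return policy_on_failure(default_acl)
    return f"validated; revalidate in {validate_reval_period(reval_period)}s"


# Constructed sample policy and clients.
SAMPLE_ENTRIES = [
    ExceptionEntry("Windows XP", enabled=True, filter_acl="printers-acl"),
    ExceptionEntry("Linux", enabled=False),
]

if __name__ == "__main__":
    xp_printer = RemoteClient("Windows XP", frozenset({"printers-acl"}))
    xp_other = RemoteClient("Windows XP", frozenset())
    linux = RemoteClient("Linux", frozenset())
    print(evaluate_client(xp_printer, SAMPLE_ENTRIES, False, None))
    print(evaluate_client(xp_other, SAMPLE_ENTRIES, False, "quarantine-acl"))
    print(evaluate_client(linux, SAMPLE_ENTRIES, True, None))
```

The disabled Linux entry is deliberately included: even though the client's OS matches, the entry is skipped, so a failed posture check on that client still falls back to the Default ACL or the default group policy.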
Modes
The following table shows the modes in which this feature is available:

Firewall Mode           Security Context
Routed    Transparent   Single    Multiple
                                  Context    System
——