61-11
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 61 Configuring Identity Policies
Network Admission Control on Cisco IOS Routers
Step 2 Enter the name of the AAA server group containing the AAA server that performs posture validation, or
click Select to select the server group from a list or to create a new one. The selected AAA server group
must contain ACS devices running RADIUS.
Note Each AAA server in the selected group must be configured to communicate with an interface
that exists on the router; otherwise, validation fails.
Step 3 (Optional) Select up to two AAA server groups as backups to the main server group. If all the servers in
the main server group go down, the servers in the backup server group perform NAC.
Both backup server groups must consist of ACS devices running RADIUS.
Step 4 (Optional) Under EAP over UDP, select one or both of the following Allow parameters:
a. Select the Allow IP Station ID check box to include IP addresses in the RADIUS requests sent to
the ACS.
b. Select the Allow Clientless check box to provide access to devices that do not have the CTA
installed. In such cases, the ACS authenticates these devices by checking the username and
password against a predefined list.
If you do not select this check box, devices without CTA are prevented from accessing the network
if their traffic matches the Intercept ACL. This is because without CTA, posture validation cannot
be performed.
Note This feature is not supported on routers running Cisco IOS Software Release 12.4(6)T or
later.
Step 5 (Optional) Under EAP over UDP, modify the default settings related to the EAP over UDP (EoU)
protocol, if required. See Table 61-2 on page 61-15 for details.
Defining NAC Interface Parameters
You configure NAC interface parameters by selecting the interfaces on which NAC is performed. You
must also define the Intercept ACL, which determines which traffic on these interfaces is subject to
posture validation. Additionally, you can optionally override the device-level setting for initiating EAP
over UDP sessions and subject all sessions to periodic revalidation (see Defining NAC Setup Parameters,
page 61-10).
A NAC policy must include at least one interface definition to function.
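The Cisco IOS commands that correspond to the settings in Steps 2 through 5 above and to the interface parameters described here, as an added example that is not from the guide (the ACS addresses, server-group and ACL names, interface names and RADIUS key are assumed placeholders):

```ios
! Added example (not from the guide): IOS CLI equivalent of the NAC policy
! settings above. Addresses, group/ACL names and the key are placeholders.
aaa new-model
!
! Step 2: main group of ACS devices running RADIUS for posture validation.
! Each server must be reachable from an interface that exists on the router
! (the Note above); the source interface below makes that explicit.
aaa group server radius NAC-MAIN
 server 192.0.2.10 auth-port 1812 acct-port 1813
 server 192.0.2.11 auth-port 1812 acct-port 1813
!
! Step 3: backup group, used only when every NAC-MAIN server is down.
aaa group server radius NAC-BACKUP1
 server 192.0.2.20 auth-port 1812 acct-port 1813
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-KEY
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key PLACEHOLDER-KEY
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key PLACEHOLDER-KEY
ip radius source-interface GigabitEthernet0/1
!
aaa authentication eou default group NAC-MAIN group NAC-BACKUP1
aaa authorization network default group NAC-MAIN group NAC-BACKUP1
!
! Step 4: EAP over UDP options. Allow IP Station ID puts the host IP in
! RADIUS requests; Allow Clientless lets the ACS admit hosts without CTA by
! username/password (not supported on 12.4(6)T or later, per the Note).
eou allow ip-station-id
eou allow clientless
!
! Step 5: EoU timers left at their defaults; revalidation shown for reference.
eou timeout revalidation 36000
!
! Intercept ACL: only matching traffic triggers posture validation.
ip access-list extended NAC-INTERCEPT
 permit ip any any
!
! Default ACL: what an unvalidated host may reach (DNS and DHCP only here).
ip access-list extended NAC-DEFAULT
 permit udp any any eq domain
 permit udp any any eq bootps
 deny ip any any
!
! Interface parameters: the EoU admission rule plus the default ACL.
ip admission name NAC-POLICY eapoudp list NAC-INTERCEPT
!
interface GigabitEthernet0/0
 ip admission NAC-POLICY
 ip access-group NAC-DEFAULT in
```

Hosts whose traffic matches NAC-INTERCEPT are challenged over EoU and, once validated, receive the per-host ACEs the ACS returns; everything else on the interface is governed by NAC-DEFAULT.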
Before You Begin
Select the AAA server group containing the ACS device performing posture validation. See Defining NAC Setup Parameters, page 61-10.
Define an ACL object that defines the traffic to subject to posture validation in NAC policies. See Creating Access Control List Objects, page 6-49.
Define an ACL object that defines the default access on the selected interface (default ACL). See Creating Access Control List Objects, page 6-49.