4-26
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 4 Common Scenarios Using ACS
ACS and Cisco Security Group Access
To configure an NDAC policy for a device:
Step 1 Choose Access Policies > Security Group Access Control > Security Group Access > Network Device Access > Authorization Policy.
Step 2 Click Customize to select which conditions to use in the NDAC policy rules.
The Default Rule applies when no other rule matches or when no rules are defined. The default security group tag assigned by the Default Rule result is Unknown.
Step 3 Click Create to create a new rule.
Step 4 Fill in the fields in the NDAC Policy Properties page.
Step 5 Click Save Changes.
Configuring EAP-FAST Settings for Security Group Access
Because RADIUS information is retrieved from the PAC, you must define how long the EAP-FAST tunnel PAC remains valid (its time to live). You can also refresh the time to live of an active PAC.
To configure the EAP-FAST settings for the tunnel PAC:
Step 1 Choose Access Policies > Security Group Access Control > > Network Device Access.
Step 2 Fill in the fields in the Network Device Access EAP-FAST Settings page.
Step 3 Click Submit.
Creating an Access Service for Security Group Access
You create an access service for endpoint admission control policies for endpoint devices, and then you add the service to the service selection policy.
Note The NDAC policy is a service that is automatically applied to Security Group Access devices. You do not need to create an access service for Security Group Access devices.
To create an access service:
Step 1 Choose Access Policies > Access Service, and click Create. See Configuring Access Services, page 10-11, for more information.
Step 2 Fill in the fields in the Access Service Properties—General page as required.
Step 3 In the Service Structure section, choose User selected policy structure.
Step 4 Select Network Access, and check Identity and Authorization.
Step 5 Click Next.
The Access Services Properties page appears.
Step 6 In the Authentication Protocols area, check the relevant protocols for your access service.