Cisco Security Appliance Command Line Configuration Guide, OL-10088-01 (page 33-1)

CHAPTER 33
Configuring Network Admission Control
This chapter includes the following sections:
• Uses, Requirements, and Limitations, page 33-1
• Configuring Basic Settings, page 33-2
• Changing Advanced Settings, page 33-5
Uses, Requirements, and Limitations
Network Admission Control (NAC) protects the enterprise network from intrusion and infection by
worms, viruses, and rogue applications by performing endpoint compliance and vulnerability checks as
a condition for production access to the network. We refer to these checks as posture validation. You can
configure posture validation to ensure that the anti-virus files, personal firewall rules, or intrusion
protection software on a host establishing an IPSec session are up to date. Posture validation can also
verify that the applications running on the remote hosts are updated with the latest patches.
NAC supplements the identity-based validation that IPSec and other access methods provide. It is
especially useful for protecting the enterprise network from hosts that are not subject to automatic
network policy enforcement, such as home PCs.
Note: When configured to support NAC, the security appliance functions as a client of a Cisco Secure Access
Control Server, requiring that you install a minimum of one Access Control Server on the network to
provide NAC authentication services.
Following the configuration of one or more Access Control Servers on the network, you must use the
aaa-server command to name the Access Control Server group. Then follow the instructions in
Configuring Basic Settings, page 33-2 to configure NAC.
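Naming the Access Control Server group that the NAC configuration later references, as an added example that is not part of this guide; the group tag ACS-NAC, the interface name inside, the server address 192.0.2.10, the shared secret and the test credentials are constructed placeholders:

```cisco
! Added example (not from the guide). The group tag, interface name,
! server address, shared secret and test credentials are placeholders.
!
! Name the Access Control Server group. The security appliance acts as
! a RADIUS client of Cisco Secure ACS for NAC posture validation.
aaa-server ACS-NAC protocol radius
!
! Add the ACS host reachable through the inside interface, with the
! shared secret it expects from this appliance.
aaa-server ACS-NAC (inside) host 192.0.2.10
 key replace-with-shared-secret
!
! Verify server status and the shared secret before enabling NAC, so a
! later posture failure can be attributed to policy rather than to an
! unreachable or misconfigured server.
show aaa-server ACS-NAC
test aaa-server authentication ACS-NAC host 192.0.2.10 username testuser password testpass
```

The group tag (ACS-NAC here) is the name you supply when you configure NAC in Configuring Basic Settings, page 33-2.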
ASA support for NAC is limited to remote access IPSec and L2TP over IPSec sessions. NAC on the ASA
does not support WebVPN, non-VPN traffic, IPv6, or multimode.