Posture validation, Posture – Cisco 3.3 User Manual

Page 575

14-3

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 14 Network Admission Control

About Network Admission Control

Posture Validation

Cisco Secure ACS determines the posture of a computer by using the credentials
received from a NAC-client computer. The following list provides an overview of
the steps and systems involved in posture validation. Details about various
concepts, such as posture tokens and policies, are provided in topics that follow.

1. The NAC-client computer sends traffic on the network.

2. The NAC-compliant AAA client receives the traffic and initiates an EAP
   session, forwarding the EAP identity of the NAC-client computer to
   Cisco Secure ACS.

3. Cisco Secure ACS initiates a PEAP session with the NAC-client computer, so
   that all NAC communications are encrypted and trusted.

4. The NAC client sends a posture validation request to Cisco Secure ACS,
   containing credentials from each NAC-compliant application installed on the
   computer.

5. Using the received credentials, Cisco Secure ACS does the following:

   a. Cisco Secure ACS uses the Unknown User Policy to determine which
      NAC database to use to perform the posture validation, selecting the first
      NAC database whose mandatory credential types are satisfied by the
      credentials in the validation request.

      Note: If the Unknown User Policy cannot find a NAC database whose
      mandatory credential types are satisfied by the credentials in the
      validation request, Cisco Secure ACS rejects the request.

   b. Cisco Secure ACS applies all policies associated with the selected NAC
      database to derive application posture tokens, which are symbols
      representing the state of the associated application.

   c. Cisco Secure ACS compares all derived application posture tokens and
      uses the worst token as the system posture token, which symbolizes the
      overall posture of the NAC-client computer.

   d. Cisco Secure ACS uses the system posture token and group mappings for
      the selected NAC database to determine which user group contains the
      authorizations applicable to the NAC-client computer.