Cisco 3.3 User Manual, page 578
User Guide for Cisco Secure ACS for Windows Server (78-16592-01)
Chapter 14 Network Admission Control
Implementing Network Admission Control
14-6
To implement NAC, follow these steps:

Step 1 Install a server certificate. Cisco Secure ACS requires a server certificate for NAC because NAC communication with an end-user client is protected by a TLS tunnel. You can use a certificate acquired from a third-party certificate authority (CA) or you can use a self-signed certificate.

For detailed steps about installing a server certificate, see Cisco Secure ACS Server Certificate, page 10-35. For detailed steps about generating and installing a self-signed certificate, see .

Note If you use a self-signed certificate, you may need to export the certificate from Cisco Secure ACS and import it as a trusted root CA certificate into local storage on NAC-client computers.
Step 2 If you want to validate NAC clients with external policies and the following are both true:

• Cisco Secure ACS uses HTTPS to communicate with external NAC servers.
• The external NAC servers use a different CA than the CA that issued the Cisco Secure ACS server certificate installed in

then you must configure the Certificate Trust List (CTL). For detailed steps, see Editing the Certificate Trust List, page 10-38.

If the CA that issued the server certificates used by the external database servers does not appear on the CTL, you must add the CA. For detailed steps, see a Certificate Authority Certificate, page 10-37.
Step 3 (Optional) If the Passed Authentications log is not enabled, consider enabling it. Posture validation requests receiving an SPT of Healthy are logged to the Passed Authentications log. You can configure the Passed Authentications log to record useful NAC information, such as posture token-group mapping results. If you enable the Passed Authentications log, be sure to move NAC-related attributes to the Logged Attributes column on the Passed Authentications File Configuration page.

For detailed steps about configuring this type of log, see
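The trust relationship behind Steps 1 and 2, as an added example that is not from the Cisco guide: a throwaway OpenSSL PKI with two hypothetical CAs (AcsCA, ExternalCA) and a PEM file that stands in for the CTL, showing that a certificate from an external NAC server only verifies once its issuing CA has been added to the trust list.

```shell
#!/bin/sh
# Added example (not Cisco's code): models the CTL check from Step 2 with OpenSSL.
# All CA names, hostnames and files are constructed for the demonstration.
set -eu
WORK="$(mktemp -d)"

# make_ca NAME: self-signed CA certificate and key (1-day validity, test PKI only)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA NAME: server certificate for NAME signed by CA
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" 2>/dev/null
}

# ctl_trusts CERT: prints "trusted" if CERT chains to a CA in $WORK/ctl.pem
# (our stand-in for the ACS Certificate Trust List), otherwise "untrusted"
ctl_trusts() {
  if openssl verify -CAfile "$WORK/ctl.pem" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_ca AcsCA                              # issuer of the ACS server certificate
make_ca ExternalCA                         # different CA used by an external NAC server
issue_cert AcsCA acs-server
issue_cert ExternalCA nac-posture-server
cp "$WORK/AcsCA.crt" "$WORK/ctl.pem"       # CTL initially lists only the ACS issuer
BEFORE=$(ctl_trusts "$WORK/nac-posture-server.crt")   # untrusted: ExternalCA not on CTL
cat "$WORK/ExternalCA.crt" >> "$WORK/ctl.pem"          # add the external CA (Step 2)
AFTER=$(ctl_trusts "$WORK/nac-posture-server.crt")     # trusted
echo "external NAC server cert: before=$BEFORE after=$AFTER"
```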