Cisco 3.3 User Manual

Chapter 14 Network Admission Control
Implementing Network Admission Control

User Guide for Cisco Secure ACS for Windows Server, 78-16592-01, page 14-6

To implement NAC, follow these steps:

Step 1

Install a server certificate. Cisco Secure ACS requires a server certificate for NAC
because NAC communication with an end-user client is protected by a TLS
tunnel. You can use a certificate acquired from a third-party certificate authority
(CA) or you can use a self-signed certificate.

For detailed steps about installing a server certificate, see Installing a Cisco Secure ACS Server Certificate, page 10-35. For detailed steps about generating and installing a self-signed certificate, see Generating a Self-Signed Certificate, page 10-49.

Note

If you use a self-signed certificate, you may need to export the certificate
from Cisco Secure ACS and import it as a trusted root CA certificate into
local storage on NAC-client computers.

Step 2

If you want to validate NAC clients with external policies and the following are both true:

- Cisco Secure ACS uses HTTPS to communicate with external NAC servers.
- The external NAC servers use a different CA than the CA that issued the Cisco Secure ACS server certificate installed in Step 1,

then you must configure the Certificate Trust List (CTL). For detailed steps, see Editing the Certificate Trust List, page 10-38.

If the CA that issued the server certificates used by the external database servers does not appear on the CTL, you must add the CA. For detailed steps, see Adding a Certificate Authority Certificate, page 10-37.

Step 3

(Optional) If the Passed Authentications log is not enabled, consider enabling it.
Posture validation requests receiving an SPT of Healthy are logged to the Passed
Authentications log. You can configure the Passed Authentications log to record
useful NAC information, such as posture token-group mapping results. If you
enable the Passed Authentications log, be sure to move NAC-related attributes to
the Logged Attributes column on the Passed Authentications File Configuration
page.

For detailed steps about configuring this type of log, see Configuring a CSV Log, page 11-19.