
Cisco 3.3 User Manual


User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 14 Network Admission Control

Implementing Network Admission Control

Step 4

Configure the Failed Attempts log to include NAC attributes. Posture validation
requests receiving an SPT other than Healthy are logged to the Failed Attempts
log. Including NAC attributes in this log can help you debug errors in your NAC
implementation. For example, a local policy may return a result that you did not
anticipate because of errors in the rules that compose the policy. Using the Failed
Attempts log, you can see the contents of the attributes received in the request
from the NAC client and sent in the reply to the NAC client.

For detailed steps about configuring this type of log, see Configuring a CSV Log, page 11-19.

Step 5

On the Global Authentication Setup page, enable NAC by selecting “Enable
CNAC” under PEAP.

For detailed steps, see Configuring Authentication Options, page 10-33.

Step 6

If the AAA clients supporting NAC are not already configured in the Network
Configuration section, do so now.

For detailed steps, see Adding a AAA Client, page 4-16.

Step 7

Select the user groups that you want to use for NAC. You are likely to want a
separate user group for each possible SPT; therefore, select five user groups. If
possible, choose groups that have not been configured to authorize users.
Additionally, consider using groups widely separated from groups used to
authorize users. For example, assuming that the lowest numbered groups have
been used for user authorization, consider using groups 494 through 499.

Tip

To avoid confusion between groups intended to authorize users and
groups intended to authorize NAC clients, consider renaming the groups
with an easily understood name. For example, if you selected group 499
to contain authorizations related to the Unknown SPT, you could rename
the group “NAC Unknown”. For detailed steps, see Renaming a User Group, page 6-55.

Step 8

For each NAC-client configuration (and, therefore, each unique set of credential
types) that you want to validate, follow these steps:

a. Create a NAC database, including configuring mandatory credential types
and policies.

For detailed steps, see Configuring a NAC Database, page 14-14.