
Cisco 3.3 User Manual


Chapter 14 Network Admission Control
Implementing Network Admission Control

User Guide for Cisco Secure ACS for Windows Server, 78-16592-01, page 14-8

b. Create SPT-to-user-group mappings. Each NAC database has its own group
mappings.

For detailed steps, see Configuring NAC Group Mapping, page 16-13.

Step 9 Configure the Unknown User Policy to include NAC databases. When unknown
user processing is enabled, Cisco Secure ACS uses the Unknown User Policy to
determine whether it has a NAC database whose mandatory credential types are all
satisfied by the attributes received from the NAC client. Of the NAC databases
included in the Selected Databases list on the Configure Unknown User Policy
page, Cisco Secure ACS uses the first one, in list order, whose mandatory
credential types are satisfied to process the posture validation request.

For detailed steps, see Configuring the Unknown User Policy, page 15-16.

Note

You may want to create a default NAC database and place it at the bottom
of the Selected Databases list. A default NAC database has no mandatory
credential types and therefore can perform posture validation for any
request, regardless of the credentials included in the request.

Step 10 For each SPT, create a downloadable IP ACL set that limits network
access appropriately. If you have more than one NAC database and need to control
network access differently for the same SPT in each NAC database, you must
create downloadable IP ACLs per SPT per NAC database. For example, if you have
two NAC databases, one for NAI posture validation and one for Symantec posture
validation, you may want separate downloadable IP ACLs for a Quarantine SPT:
one that allows access only to a Symantec anti-virus server and one that allows
access only to a NAI anti-virus server.

For detailed steps, see Adding a Downloadable IP ACL, page 5-10.

Step 11 For each group to which you have mapped an SPT, follow these steps:

a. Assign the appropriate ACLs to the group. For example, to the group intended
to authorize NAI NAC clients whose posture validation returned an Infected
SPT, assign the ACL you created to control access of NAI NAC clients whose
system posture is Quarantine.

For detailed steps, see Assigning a Downloadable IP ACL to a Group, page 6-30.
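The following is an added example, not code from the Cisco Secure ACS product or this guide. It models the decision flow that Steps 8b through 11a configure: the Unknown User Policy picks the first database in the Selected Databases list whose mandatory credential types are all present in the request, the database's SPT-to-group mapping selects a group, and the group's downloadable IP ACL is what the client receives. It also includes a check that a practitioner would want before saving the list: a database with no mandatory credential types (the default database from the Note) matches every request, so any database placed below it can never be selected. All database names, credential type names (such as "NAI:AV"), group names, and ACL entries and addresses are constructed for the example.

```python
"""Model of Cisco Secure ACS NAC database selection and per-SPT ACL lookup.

Added example; not Cisco code. Every name and value below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass
class NacDatabase:
    name: str
    # Credential types the posture request must carry for this database to apply.
    mandatory_credential_types: FrozenSet[str]
    # Step 8b: each NAC database has its own SPT-to-user-group mapping.
    spt_to_group: Dict[str, str]


# Constructed Selected Databases list, in the order Step 9 describes:
# specific databases first, the default (no mandatory types) last.
NAI_NAC = NacDatabase(
    "NAI-NAC", frozenset({"Cisco:PA", "NAI:AV"}),
    {"Healthy": "NAI-Healthy", "Quarantine": "NAI-Quarantine", "Infected": "NAI-Infected"})
SYMANTEC_NAC = NacDatabase(
    "Symantec-NAC", frozenset({"Cisco:PA", "Symantec:AV"}),
    {"Healthy": "Sym-Healthy", "Quarantine": "Sym-Quarantine", "Infected": "Sym-Infected"})
DEFAULT_NAC = NacDatabase(
    "Default-NAC", frozenset(),
    {"Healthy": "Default-Healthy", "Unknown": "Default-Unknown"})
SELECTED_DATABASES: List[NacDatabase] = [NAI_NAC, SYMANTEC_NAC, DEFAULT_NAC]

# Step 10: downloadable IP ACLs, one per SPT per NAC database. Constructed
# IOS-style entries; 192.0.2.x are documentation addresses standing in for
# the NAI and Symantec anti-virus servers.
DOWNLOADABLE_ACLS: Dict[str, List[str]] = {
    "Quarantine-NAI": ["permit ip any host 192.0.2.10", "deny ip any any"],
    "Quarantine-Symantec": ["permit ip any host 192.0.2.20", "deny ip any any"],
    "Full-Access": ["permit ip any any"],
    "Deny-All": ["deny ip any any"],
}

# Step 11a: the ACL assigned to each group an SPT maps to. As in the guide's
# example, the Infected group receives the Quarantine ACL for its vendor.
GROUP_ACLS: Dict[str, str] = {
    "NAI-Healthy": "Full-Access",
    "NAI-Quarantine": "Quarantine-NAI",
    "NAI-Infected": "Quarantine-NAI",
    "Sym-Healthy": "Full-Access",
    "Sym-Quarantine": "Quarantine-Symantec",
    "Sym-Infected": "Quarantine-Symantec",
    "Default-Healthy": "Full-Access",
    "Default-Unknown": "Deny-All",
}


def select_nac_database(selected_databases: List[NacDatabase],
                        request_credential_types: Iterable[str]) -> Optional[NacDatabase]:
    """Step 9: return the first database whose mandatory credential types are
    all present in the request, or None if no database applies."""
    present = frozenset(request_credential_types)
    for db in selected_databases:
        if db.mandatory_credential_types <= present:
            return db
    return None


def shadowed_databases(selected_databases: List[NacDatabase]) -> List[str]:
    """Names of databases that can never be selected: an earlier entry whose
    mandatory set is a subset of theirs is satisfied by every request that
    satisfies them, so it always wins. A default database placed anywhere but
    last shadows everything below it."""
    shadowed = []
    for i, db in enumerate(selected_databases):
        for earlier in selected_databases[:i]:
            if earlier.mandatory_credential_types <= db.mandatory_credential_types:
                shadowed.append(db.name)
                break
    return shadowed


def acl_for_posture(db: NacDatabase, spt: str) -> List[str]:
    """Steps 8b and 11a: SPT -> group (per database) -> downloadable IP ACL."""
    if spt not in db.spt_to_group:
        raise LookupError(f"{db.name} has no group mapping for SPT {spt!r}")
    group = db.spt_to_group[spt]
    if group not in GROUP_ACLS:
        raise LookupError(f"group {group!r} has no downloadable IP ACL assigned")
    return DOWNLOADABLE_ACLS[GROUP_ACLS[group]]


if __name__ == "__main__":
    db = select_nac_database(SELECTED_DATABASES, {"Cisco:PA", "NAI:AV"})
    print(db.name, acl_for_posture(db, "Infected"))
    print("shadowed:", shadowed_databases([DEFAULT_NAC, NAI_NAC, SYMANTEC_NAC]))
```

Running the module selects NAI-NAC for a request carrying Cisco:PA and NAI:AV and returns the NAI quarantine ACL for its Infected group; the second line shows that moving the default database to the top of the list leaves both vendor databases unreachable, which is the ordering mistake the Note guards against.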