
Cisco 3.3 User Manual

Page 581


14-9

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 14 Network Admission Control

Implementing Network Admission Control

b. (Optional) If AAA clients participating in NAC are configured to make use
of NAC-related attribute-value (AV) pairs in the RADIUS (Cisco IOS/PIX)
cisco-av-pair attribute, configure the RADIUS (Cisco IOS/PIX) cisco-av-pair
attribute with the applicable AV pairs. NAC-related AV pairs include:

• url-redirect
• posture-token
• status-query-timeout

Caution

The posture-token AV pair is the only way that Cisco Secure ACS notifies the
AAA client of the SPT returned by posture validation. Because you manually
configure the posture-token AV pair, errors in configuring posture-token can
result in the incorrect SPT being sent to the AAA client or, if the AV pair name is
mistyped, the AAA client not receiving the SPT at all.

Note

The AV pair names above are case sensitive.

For detailed steps about configuring the RADIUS (Cisco IOS/PIX)
cisco-av-pair attribute in a group profile, see Configuring Cisco IOS/PIX
RADIUS Settings for a User Group, page 6-40. For more information about
the RADIUS (Cisco IOS/PIX) cisco-av-pair attribute, see About the
cisco-av-pair RADIUS Attribute, page C-7.

Cisco Secure ACS is configured to process posture validation requests, return the
results to the NAC client, and send the applicable ACLs to the AAA client.
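
As an added illustration (not part of the Cisco guide and not Cisco Secure ACS code), the Python check below lints the text entered for a group's cisco-av-pair attribute for the failure the Caution describes: a NAC AV pair name that is mistyped or in the wrong case. It assumes one name=value pair per line; the function name, the sample values and the 0.8 similarity cutoff are assumptions of this example.

```python
import difflib

# AV pair names listed in the guide; they are case sensitive.
NAC_AV_NAMES = ("url-redirect", "posture-token", "status-query-timeout")

def lint_nac_av_pairs(text, expect_token=True):
    """Lint one group's cisco-av-pair lines.

    Returns (line_no, message) findings; line_no 0 marks a group-level finding.
    """
    findings, tokens = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        name, _, value = raw.strip().partition("=")
        if not name:
            continue
        if name in NAC_AV_NAMES:
            if not value.strip():
                findings.append((no, f"{name}: no value after '='"))
            elif name == "posture-token":
                tokens.append(value.strip())
            continue
        # Not an exact match: flag names that are one slip away from a NAC name.
        norm = name.strip().lower().replace("_", "-").replace(" ", "-")
        close = difflib.get_close_matches(norm, NAC_AV_NAMES, n=1, cutoff=0.8)
        if close:
            findings.append((no, f"'{name}' looks like a mistyped '{close[0]}'"))
    if len(set(tokens)) > 1:
        findings.append((0, "conflicting posture-token values: " + ", ".join(tokens)))
    if expect_token and not tokens:
        findings.append((0, "no usable posture-token pair: the AAA client gets no SPT"))
    return findings

# Constructed sample input (values are illustrative, not taken from the guide).
SAMPLE_BAD = """\
url-redirect=http://192.0.2.10/remediate
Posture-Token=Quarantine
status-query-timeot=300
ip:inacl#1=permit ip any any
"""
SAMPLE_GOOD = """\
url-redirect=http://192.0.2.10/remediate
posture-token=Quarantine
status-query-timeout=300
"""

if __name__ == "__main__":
    for no, msg in lint_nac_av_pairs(SAMPLE_BAD):
        print(f"line {no}: {msg}")
```

Other cisco-av-pair entries that do not resemble a NAC name pass through unflagged, so the check can be run over a complete group profile.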

Step 12

Create a user account to support NAC in the event of a non-responsive computer.
For more information, see Non-Responsive NAC-Client Computers, page 14-5.

Cisco Secure ACS is configured to support NAC of non-responsive computers.