About local policies – Cisco 3.3 User Manual

Chapter 14 Network Admission Control

NAC Policies

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

About Local Policies

Local policies consist of one or more rules that you define in Cisco Secure
ACS. When Cisco Secure ACS applies a local policy, it uses the policy rules to
evaluate credentials received with the posture validation request. Each rule is
associated with an application posture token (APT), a credential type, and an
action. The credential type determines which NAC-compliant application the APT
and action are associated with.

Cisco Secure ACS applies the rules in the order in which they appear on the
Policy Configuration page (from top to bottom), resulting in one of the
following two possibilities:

A configurable rule matches—When all elements of a rule are satisfied by
the credentials received in a posture validation request, the result of applying
the policy is the result credential type, APT, and action associated with the
rule. Cisco Secure ACS does not evaluate the credentials with any additional
rules.

No configurable rule matches—When the attributes included in the posture
validation request satisfy no policy rules, Cisco Secure ACS uses the result
credential type, application posture token, and action associated with the
default rule as the result of the policy.

Note

Applying a policy to a posture validation request always results in a match, either
to one of the configurable rules or to the default rule.

When you specify the order of rules in a policy, estimate how likely each rule
is to be true and then order the rules so that the rule most likely to be true is
first and the rule least likely to be true is last. Doing so makes rule processing
more efficient; however, determining how likely a rule is to be true can be challenging.
For example, one rule may be true for the posture of twice as many NAC clients
as a second rule, but posture validation may occur more than twice as often for
NAC clients whose posture matches the second rule; therefore, the second rule
should be listed first.
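
The first-match evaluation and the ordering example above, as an added Python sketch that is not taken from the Cisco manual: the rule names, credential attributes, token values and request counts are all constructed for illustration. It also checks that reordering changes no result, which holds only while no request satisfies more than one rule.

```python
from dataclasses import dataclass
from typing import Callable

# All rule names, attributes, tokens and request counts below are constructed.
@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[dict], bool]  # True when every rule element is satisfied
    result: tuple                    # (credential type, APT, action)

DEFAULT_RESULT = ("Vendor:App", "Quarantine", "remediate")  # the default rule

def apply_policy(rules, creds):
    """Top-to-bottom, first match wins; returns (result, rules evaluated)."""
    for checked, rule in enumerate(rules, start=1):
        if rule.matches(creds):
            return rule.result, checked
    return DEFAULT_RESULT, len(rules)  # no configurable rule matched

def total_evaluations(rules, workload):
    """Rule evaluations needed for a workload of (credentials, request count)."""
    return sum(apply_policy(rules, creds)[1] * n for creds, n in workload)

def same_results(order_1, order_2, workload):
    """True if both orderings give every request in the workload the same result."""
    return all(apply_policy(order_1, c)[0] == apply_policy(order_2, c)[0]
               for c, _ in workload)

RULE_A = Rule("os-patched", lambda c: c["os_patch"] >= 5,
              ("Vendor:App", "Healthy", "none"))
RULE_B = Rule("av-stale", lambda c: c["av_age_days"] > 7,
              ("Vendor:App", "Checkup", "update-av"))

# Rule A is true for twice as many clients (200 vs 100), but rule B's clients
# are validated five times as often, so B accounts for more requests.
WORKLOAD = [
    ({"os_patch": 5, "av_age_days": 0}, 200 * 1),   # matches A only
    ({"os_patch": 3, "av_age_days": 10}, 100 * 5),  # matches B only
    ({"os_patch": 3, "av_age_days": 1}, 50),        # falls to the default rule
]
# A request satisfying both rules: its result depends on rule order.
OVERLAP = [({"os_patch": 5, "av_age_days": 10}, 1)]

if __name__ == "__main__":
    print("A first:", total_evaluations([RULE_A, RULE_B], WORKLOAD))
    print("B first:", total_evaluations([RULE_B, RULE_A], WORKLOAD))
    print("order-safe:", same_results([RULE_A, RULE_B], [RULE_B, RULE_A], WORKLOAD))
    print("order-safe with overlap:",
          same_results([RULE_A, RULE_B], [RULE_B, RULE_A], WORKLOAD + OVERLAP))
```

When a request can satisfy two rules, the rule order decides which token and action it receives, so confirm the rules are mutually exclusive before reordering them for efficiency.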