Local policy configuration options – Cisco 3.3 User Manual

Chapter 14 Network Admission Control

NAC Policies

14-22

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

$ (dollar)—The $ operator matches the end of a string. For example, co$ would match the string Cisco or the string Tibco.

days-since-last-update—The rule element is true if the attribute contains a date and if the difference in days between that date and the current date is less than or equal to the number that you specify. For example, in the following rule element:

Symantec:AV:DAT-Date days-since-last-update 14

the rule element is true for posture validation requests whose Symantec:AV:DAT-Date attribute contains a date that is no more than 14 days in the past.

mask—The rule element is true if the attribute contains an IP address and if that address belongs to the subnet identified by the netmask and IP address that you specify as the rule element value. The format for the rule element value is:

mask/IP

For example, using the mask operator with a value of 255.255.255.0/192.168.73.8 would match an attribute containing an IP address in the range 192.168.73.0 to 192.168.73.255. Any mask is permissible, and Cisco Secure ACS determines the set of IP addresses matching the specified value using standard subnet masking logic.
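The following is an added example, not code from the Cisco Secure ACS product or this guide: a small evaluator for the three rule-element operators described above ($, days-since-last-update and mask), run against a constructed posture validation request. The attribute names other than Symantec:AV:DAT-Date and the sample values are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import date

# Constructed posture validation request (attribute -> value). The attribute
# names, apart from Symantec:AV:DAT-Date, are illustrative assumptions.
SAMPLE_POSTURE = {
    "Symantec:AV:DAT-Date": "2024-03-01",
    "Host:IP": "192.168.73.200",
    "Host:Vendor": "Cisco",
}

# Constructed rule elements in the guide's "attribute operator value" shape.
RULE_ELEMENTS = [
    ("Symantec:AV:DAT-Date", "days-since-last-update", "14"),
    ("Host:IP", "mask", "255.255.255.0/192.168.73.8"),
    ("Host:Vendor", "$", "co$"),
]


def match_end(value: str, pattern: str) -> bool:
    """'$' operator: the pattern is anchored at the end of the string (co$ matches Cisco and Tibco)."""
    return re.search(pattern, value) is not None


def days_since_last_update(value: str, max_days: int, today: date) -> bool:
    """True if the attribute holds a date no more than max_days in the past.

    A value that is not a date never matches. Future dates are treated as
    non-matching (an assumption; the guide only discusses dates in the past)."""
    try:
        attr_date = date.fromisoformat(value)
    except ValueError:
        return False
    return 0 <= (today - attr_date).days <= max_days


def mask(value: str, rule_value: str) -> bool:
    """'mask' operator: rule value is mask/IP; true if value lies in that subnet."""
    netmask, ip = rule_value.split("/", 1)
    try:
        addr = ipaddress.IPv4Address(value)
        network = ipaddress.IPv4Network((ip, netmask), strict=False)  # standard subnet masking
    except ValueError:
        return False  # attribute does not contain an IP address, or bad rule value
    return addr in network


def evaluate_rule_elements(posture: dict, elements, today: date) -> dict:
    """Evaluate each (attribute, operator, value) element; a missing attribute is false."""
    ops = {
        "$": match_end,
        "days-since-last-update": lambda v, n: days_since_last_update(v, int(n), today),
        "mask": mask,
    }
    return {attr: (attr in posture and ops[op](posture[attr], rule_val))
            for attr, op, rule_val in elements}
```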

Local Policy Configuration Options

On the Local Policy Configuration page you can specify the rules that make up a
policy, including their order. The options for configuring a local policy are as
follows:

Name—Specifies the name by which you want to identify the policy. When
selecting a policy for a NAC database, you select it by name, and the
description is not viewable on the policy selection page; therefore, you should
make the name as useful as possible.

Note: The name can contain up to 32 characters. Leading and trailing spaces are not allowed. Names cannot contain the following four characters: [ ] , /