14-31

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 14 Network Admission Control

NAC Policies

Password—Specifies the password for the username in the Username box.

Timeout (Sec)—The number of seconds that Cisco Secure ACS waits for a reply from a server after it forwards the credentials.

If a secondary server is configured, requests to the primary server that time out are forwarded to the secondary server.

If no secondary server is configured, or if a request to the secondary server also times out, Cisco Secure ACS cannot apply the external policy and the posture validation request is rejected.

For each posture validation request, Cisco Secure ACS always tries the primary server first, regardless of whether previous requests timed out.

Trusted Root CA—The certificate authority (CA) that issued the server certificate used by the server. If the protocol is HTTPS, Cisco Secure ACS forwards credentials to a server only if the certificate it presents is issued by the CA specified on this list. If Cisco Secure ACS cannot forward the request to the primary or secondary NAC server because the trusted root CAs did not issue the server certificates, the external policy cannot be applied and, therefore, the posture validation request is rejected.

If the CA that issued a NAC server certificate is not present on the Trusted Root CA list, you must add the CA certificate to Cisco Secure ACS. For more information, see Adding a Certificate Authority Certificate, page 10-37.

Note

Cisco Secure ACS does not check NAC server certificates against certificate revocation lists, regardless of whether you have configured a CRL issuer for the CA of the NAC server certificate.

Tip

Be sure you select the correct certificate type for the CA, not just the name of the CA. For example, if the server presents a VeriSign Class 1 Primary CA certificate and VeriSign Class 1 Public Primary CA is selected on the Trusted Root CA list, Cisco Secure ACS does not forward the credentials to the server when HTTPS is in use.
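The following Python model, added here as an illustration and not Cisco code, shows how the Timeout, secondary-server and Trusted Root CA rules above combine into a single accept/reject decision for one posture validation request. The NacServer and ExternalPolicy classes, the server names, the issuer strings and the latency values are all constructed for the example; the only behaviours taken from the manual are primary-first ordering, failover on primary timeout only, exact CA matching for HTTPS, and the absence of any CRL check. Whether an untrusted primary certificate triggers failover is not stated on this page, so the model assumes it does not.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class NacServer:
    """Constructed stand-in for one external posture validation server."""
    name: str                    # constructed label, e.g. "primary-nac"
    protocol: str                # "HTTP" or "HTTPS"
    cert_issuer: Optional[str]   # issuer of the presented server certificate (None for HTTP)
    latency_sec: float           # simulated time until the server replies
    verdict: str = "Healthy"     # simulated posture result the server would return


@dataclass
class ExternalPolicy:
    """Constructed stand-in for the external policy settings described above."""
    primary: NacServer
    secondary: Optional[NacServer]
    timeout_sec: int
    trusted_root_cas: List[str] = field(default_factory=list)


def certificate_trusted(server: NacServer, policy: ExternalPolicy) -> bool:
    """HTTPS only: the issuer must match a Trusted Root CA entry exactly.
    Per the Tip, the CA *type* matters, so this is a full-string match, not a
    prefix or substring match. No CRL lookup is performed, mirroring the Note."""
    if server.protocol.upper() != "HTTPS":
        return True
    return server.cert_issuer in policy.trusted_root_cas


def try_server(server: NacServer, policy: ExternalPolicy) -> Tuple[str, Optional[str]]:
    """Return (outcome, verdict); outcome is 'ok', 'timeout' or 'untrusted_cert'."""
    if not certificate_trusted(server, policy):
        return "untrusted_cert", None
    if server.latency_sec > policy.timeout_sec:
        return "timeout", None
    return "ok", server.verdict


def forward_posture_request(policy: ExternalPolicy) -> dict:
    """Always try the primary first; fall back to the secondary only after a
    primary timeout (assumption: an untrusted primary certificate does not
    trigger failover); reject when no server delivers a verdict."""
    trace = []
    outcome, verdict = try_server(policy.primary, policy)
    trace.append((policy.primary.name, outcome))
    if outcome == "ok":
        return {"accepted": True, "verdict": verdict, "trace": trace}
    if outcome == "timeout" and policy.secondary is not None:
        outcome2, verdict2 = try_server(policy.secondary, policy)
        trace.append((policy.secondary.name, outcome2))
        if outcome2 == "ok":
            return {"accepted": True, "verdict": verdict2, "trace": trace}
    return {"accepted": False, "verdict": None, "trace": trace}


# Constructed scenarios, including the mismatch from the Tip above.
TRUSTED = ["VeriSign Class 1 Public Primary CA"]            # constructed list entry
WRONG_TYPE = "VeriSign Class 1 Primary CA"                  # constructed, differs in type only


def scenario_wrong_ca_type() -> dict:
    primary = NacServer("primary-nac", "HTTPS", WRONG_TYPE, latency_sec=1)
    return forward_posture_request(ExternalPolicy(primary, None, 5, TRUSTED))


def scenario_failover_to_secondary() -> dict:
    primary = NacServer("primary-nac", "HTTPS", TRUSTED[0], latency_sec=10)
    secondary = NacServer("secondary-nac", "HTTPS", TRUSTED[0], latency_sec=1, verdict="Quarantine")
    return forward_posture_request(ExternalPolicy(primary, secondary, 5, TRUSTED))


def scenario_both_time_out() -> dict:
    primary = NacServer("primary-nac", "HTTP", None, latency_sec=10)
    secondary = NacServer("secondary-nac", "HTTP", None, latency_sec=10)
    return forward_posture_request(ExternalPolicy(primary, secondary, 5, TRUSTED))


if __name__ == "__main__":
    for fn in (scenario_wrong_ca_type, scenario_failover_to_secondary, scenario_both_time_out):
        print(fn.__name__, fn())
```

The exact-match comparison in certificate_trusted is the point the Tip makes: a list entry that differs from the presented issuer only in certificate type is treated as untrusted. Because the Note says no CRL is consulted, the Trusted Root CA list is the only control over which servers may receive forwarded credentials, so it should contain nothing beyond the CAs that actually issued the NAC server certificates.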