Chapter 15 Unknown User Policy
User Guide for Cisco Secure ACS for Windows Server, 78-16592-01, page 15-10

Posture Validation and the Unknown User Policy
This section contains the following topics:
• NAC and the Unknown User Policy, page 15-10
• Posture Validation Use of the Unknown User Policy, page 15-11
• Required Use for Posture Validation, page 15-12
NAC and the Unknown User Policy
For posture validation requests, the Unknown User Policy automates the
association of users to a NAC database that applies to the posture validation
request. This occurs regardless of user type; however, if the username sent in the
PEAP EAP-Identity field from the NAC client is unknown, Cisco Secure ACS
also creates the user account in the CiscoSecure user database.
The value sent in the PEAP EAP-Identity field is determined by the NAC client,
which is Cisco Trust Agent (CTA); therefore, Cisco Secure ACS is not in control
of the username associated with a posture validation request. CTA sends a string
in the following format in the EAP-Identity field:

hostname:username
where hostname is the name of the NAC-client computer and username identifies
the user logged into the NAC-client computer at the time that CTA sends the
posture validation request. For example, while the user cyril.yang is logged into
the computer named yang-laptop01, posture validation requests received by
Cisco Secure ACS contain the string yang-laptop01:cyril.yang in the
EAP-Identity field. As a result of the behavior of the Unknown User Policy,
Cisco Secure ACS creates a user account named yang-laptop01:cyril.yang.
Because the username is part of the EAP-Identity field value in posture validation
requests, Cisco Secure ACS can create multiple user accounts for the same NAC
client. Continuing the example of the computer named yang-laptop01, if the user
david.fry is logged into the computer at the time of a subsequent posture
validation request, the EAP-Identity field contains the string
yang-laptop01:david.fry and Cisco Secure ACS creates a user account named
yang-laptop01:david.fry.
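The following is an added example, not code from Cisco or from this guide. It models the behaviour the section describes: the CTA EAP-Identity string is split into its hostname and username parts, and an Unknown User Policy simulation creates one account per distinct hostname:username value, so a single NAC client ends up with several accounts. The account store, the class and function names, and the sample identities are all assumptions constructed for illustration; the audit helper at the end shows how an administrator could enumerate which hosts have accumulated more than one posture account.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PostureIdentity:
    """One parsed EAP-Identity value as sent by CTA (hostname:username)."""
    hostname: str
    username: str


def parse_eap_identity(value: str) -> PostureIdentity:
    """Split a CTA EAP-Identity string of the form hostname:username.

    Only the first colon separates the two parts, so a username that
    itself contains a colon survives intact. Values without a colon, or
    with an empty hostname or username, are rejected rather than guessed.
    """
    if ":" not in value:
        raise ValueError(f"not in hostname:username form: {value!r}")
    hostname, username = value.split(":", 1)
    if not hostname or not username:
        raise ValueError(f"empty hostname or username in: {value!r}")
    return PostureIdentity(hostname, username)


class UnknownUserPolicySim:
    """Hypothetical model of the account-creation side effect of the
    Unknown User Policy for posture validation requests.

    The account name is the full EAP-Identity string, exactly as the
    section describes (for example yang-laptop01:cyril.yang).
    """

    def __init__(self) -> None:
        self.accounts: dict[str, PostureIdentity] = {}

    def handle_request(self, eap_identity: str) -> bool:
        """Process one posture validation request.

        Returns True when a new user account was created, False when the
        EAP-Identity value already had an account.
        """
        if eap_identity in self.accounts:
            return False
        self.accounts[eap_identity] = parse_eap_identity(eap_identity)
        return True

    def accounts_per_host(self) -> dict[str, list[str]]:
        """Group the usernames of all created accounts by NAC-client hostname."""
        by_host: dict[str, list[str]] = defaultdict(list)
        for ident in self.accounts.values():
            by_host[ident.hostname].append(ident.username)
        return dict(by_host)

    def hosts_with_multiple_accounts(self) -> list[str]:
        """Audit helper: hostnames that have accumulated more than one account."""
        return sorted(h for h, users in self.accounts_per_host().items()
                      if len(users) > 1)


if __name__ == "__main__":
    # Constructed sample requests, following the guide's example host.
    sim = UnknownUserPolicySim()
    for ident in ("yang-laptop01:cyril.yang",
                  "yang-laptop01:cyril.yang",   # same user again: no new account
                  "yang-laptop01:david.fry"):   # second user on the same host
        created = sim.handle_request(ident)
        print(f"{ident}: {'created' if created else 'already present'}")
    print(sim.accounts_per_host())
    print("hosts with multiple accounts:", sim.hosts_with_multiple_accounts())
```

Because the account name carries the logged-in user, `hosts_with_multiple_accounts()` is the quickest way to see how many CiscoSecure user database entries a single NAC client has generated over time.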