Posture validation use of the unknown user policy – Cisco 3.3 User Manual
Page 621
15-11
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Chapter 15 Unknown User Policy
Posture Validation and the Unknown User Policy
Creating different user accounts for the same NAC-client computer enables you
to determine from Cisco Secure ACS logs who was logged into a NAC-client
computer during posture validation. Because the NAC-compliant applications
running on a computer can differ depending upon who is logged into the
computer, knowing who is logged in helps you troubleshoot posture validation
issues.
Using the Unknown User Policy for posture validation requests provides these
advantages:
•
Creates user accounts for NAC clients automatically, thereby preventing
data-entry errors inherent to adding user accounts manually, such as
misspelling the username.
•
Supports changes to your NAC implementation by applying the Unknown
User Policy to all posture validation requests, regardless of user type.
•
Supports the use of a default NAC database, which has no mandatory
credential types and therefore applies to all posture validation requests that
no other NAC databases can process.
Posture Validation Use of the Unknown User Policy
If you configured the Unknown User Policy in Cisco Secure ACS, Cisco Secure
ACS uses the Selected Databases list of the Unknown User Policy to find a NAC
database that can support the posture validation request. A NAC database can
perform posture validation only for requests whose credentials satisfy the
mandatory credential types of that database. In addition, because you can create
a NAC database that has no mandatory credential types, you can use such a
database as a default for posture validation requests that cannot be processed by
any other NAC database added to your Unknown User Policy.
Because posture validation requests can be processed by one and only one NAC
database, Cisco Secure ACS associates the request with the first NAC database in
the Selected Databases list whose mandatory credential types are satisfied by the
credentials included in the posture validation request. Regardless of the results of
posture validation, Cisco Secure ACS never attempts posture validation with
subsequent databases in the Selected Databases list. Satisfying the mandatory
credential types is the sole criterion used to determine whether a posture
validation request is associated with a NAC database. For more information about
the order of NAC databases in the Selected Databases list, see