Non-responsive nac-client computers, Implementing network admission control – Cisco 3.3 User Manual

14-5

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 14 Network Admission Control

Implementing Network Admission Control

From the perspective of Cisco Secure ACS, the meaning of an SPT is determined
by which groups you map each SPT to and how you configure those groups. In
other words, the SPTs for each NAC database are associated with configurable
network authorizations.

Posture validation requests resulting in an SPT of Healthy are logged in the
Passed Authentications log. Posture validation requests resulting in an SPT of
anything other than Healthy are logged in the Failed Attempts log.

Aside from being used to determine the SPT, APTs are not meaningful to
Cisco Secure ACS; however, the NAC client that receives the posture validation
results can act on each APT according to its meaning to the relevant
NAC-compliant application.

Non-Responsive NAC-Client Computers

NAC-compliant AAA clients can handle NAC for computers that do not respond
to attempts to start a posture validation session with CTA. This occurs if CTA is
not installed on the computer or is unreachable for other reasons. To account for
this scenario, IOS enables you to define a username and password that it uses for
authorization requests on behalf of all non-responsive computers.

In Cisco Secure ACS, you must create the corresponding user account and use one
of the following features to control network access for non-responsive computers:

Downloadable IP ACLs—You can create a downloadable IP ACL set that
limits sessions originating from all non-responsive computers.

Network Access Restrictions—You can create a non-shared network access
restriction that disallows any network access for sessions originating from
non-responsive computers.

Disabled Account—You can disable the user account used to assign
authorization to non-responsive computers, thus disallowing any network
access from non-responsive computers.
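The two passages above describe where posture results land (Healthy in the Passed Authentications log, everything else in the Failed Attempts log) and how sessions from non-responsive computers are authorized under a single dedicated user account. The following Python script, added here as an example and not part of the Cisco documentation, shows how an operator can triage exported ACS log lines: it tallies sessions per SPT, lists which hosts were admitted under the clientless account (so you can see how many machines lack a working CTA), and flags any entry that contradicts the documented log split. The CSV column names, the account name nac-nonresponsive, and all log lines are constructed for the example; real ACS CSV exports carry more columns.

```python
import csv
import io
from collections import Counter

# Constructed log extracts for this example. The column set is an assumption
# and deliberately narrower than a real ACS CSV export.
PASSED_AUTHENTICATIONS = """\
Date,Time,User-Name,Group-Name,Caller-ID,System-Posture-Token
04/12/2005,09:01:12,pc-accounting-01,NAC-Healthy,00-11-22-33-44-01,Healthy
04/12/2005,09:02:40,pc-accounting-02,NAC-Healthy,00-11-22-33-44-02,Healthy
"""

FAILED_ATTEMPTS = """\
Date,Time,User-Name,Group-Name,Caller-ID,System-Posture-Token
04/12/2005,09:03:05,pc-sales-07,NAC-Quarantine,00-11-22-33-44-07,Quarantine
04/12/2005,09:03:51,nac-nonresponsive,Default Group,00-11-22-33-44-09,
04/12/2005,09:04:10,pc-sales-08,NAC-Checkup,00-11-22-33-44-08,Checkup
04/12/2005,09:05:22,nac-nonresponsive,Default Group,00-11-22-33-44-10,
"""

# Username the AAA client sends on behalf of computers that never answer the
# posture request. The name is an assumption chosen for this example; it must
# match the account you created in Cisco Secure ACS.
CLIENTLESS_USER = "nac-nonresponsive"


def parse_log(text):
    """Parse one CSV log extract into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def spt_distribution(records):
    """Count sessions per SPT; rows with no token are reported as 'no-posture'."""
    return Counter(r["System-Posture-Token"] or "no-posture" for r in records)


def clientless_sessions(records, user=CLIENTLESS_USER):
    """MAC addresses of hosts authorized under the non-responsive-host account."""
    return sorted({r["Caller-ID"] for r in records if r["User-Name"] == user})


def misrouted(passed, failed):
    """Entries that contradict the documented rule: Healthy results belong only
    in Passed Authentications, every other result only in Failed Attempts."""
    bad = [r for r in passed if r["System-Posture-Token"] != "Healthy"]
    bad += [r for r in failed if r["System-Posture-Token"] == "Healthy"]
    return bad


def posture_report(passed_text=PASSED_AUTHENTICATIONS, failed_text=FAILED_ATTEMPTS):
    """Summarize both logs: SPT counts, clientless hosts, and rule violations."""
    passed = parse_log(passed_text)
    failed = parse_log(failed_text)
    return {
        "spt": spt_distribution(passed + failed),
        "clientless_hosts": clientless_sessions(failed),
        "misrouted": len(misrouted(passed, failed)),
    }


if __name__ == "__main__":
    report = posture_report()
    for token, count in sorted(report["spt"].items()):
        print(f"{token:<12} {count}")
    print("hosts admitted via clientless account:",
          ", ".join(report["clientless_hosts"]))
    print("entries violating the Healthy/non-Healthy log split:",
          report["misrouted"])
```

A growing clientless-host list is the signal to watch: each entry is a machine whose network access is governed only by the downloadable ACL, NAR, or disabled-account setting on that one user account rather than by its actual posture.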

Implementing Network Admission Control

This procedure provides steps for implementing NAC support in Cisco Secure
ACS, with references to more detailed procedures for each step.
