
Chapter 15 Unknown User Policy


User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Posture Validation and the Unknown User Policy

This section contains the following topics:

NAC and the Unknown User Policy, page 15-10

Posture Validation Use of the Unknown User Policy, page 15-11

Required Use for Posture Validation, page 15-12

NAC and the Unknown User Policy

For posture validation requests, the Unknown User Policy automates the
association of users to a NAC database that applies to the posture validation
request. This occurs regardless of user type; however, if the username sent in the
PEAP EAP-Identity field from the NAC client is unknown, Cisco Secure ACS
also creates the user account in the CiscoSecure user database.

The value sent in the PEAP EAP-Identity field is determined by the NAC client,
which is Cisco Trust Agent (CTA); therefore, Cisco Secure ACS is not in control
of the username associated with a posture validation request. CTA sends in the
EAP-Identity field a string in the following format:

hostname:username

where hostname is the name of the NAC-client computer and username identifies
the user logged into the NAC-client computer at the time that CTA sends the
posture validation request. For example, while the user cyril.yang is logged into
the computer named yang-laptop01, posture validation requests received by
Cisco Secure ACS contain the string yang-laptop01:cyril.yang in the
EAP-Identity field. As a result of the behavior of the Unknown User Policy,
Cisco Secure ACS creates a user account named yang-laptop01:cyril.yang.

Because the username is part of the EAP-Identity field value in posture validation
requests, Cisco Secure ACS can create multiple user accounts for the same NAC
client. Continuing the example of the computer named yang-laptop01, if the user
david.fry is logged into the computer at the time of a subsequent posture
validation request, the EAP-Identity field contains the string
yang-laptop01:david.fry and Cisco Secure ACS creates a user account named
yang-laptop01:david.fry.
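The two paragraphs above describe the hostname:username EAP-Identity format and the consequence that one NAC client can end up with several user accounts in the CiscoSecure user database. The following added example (not code from the Cisco Secure ACS product or this user guide) models that behavior: it parses the EAP-Identity string, simulates the Unknown User Policy creating an account per unseen identity, and groups the resulting accounts by host so an administrator reviewing the user database can spot machines that have accumulated multiple NAC-created accounts. The account names and helper functions are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of usernames as they might appear in the CiscoSecure user
# database after the Unknown User Policy has created accounts from posture
# validation requests. Example values only, not data from the manual.
SAMPLE_ACCOUNTS = [
    "yang-laptop01:cyril.yang",
    "yang-laptop01:david.fry",
    "fry-desktop07:david.fry",
    "alice",  # ordinary user account, not created from a NAC request
]


def parse_eap_identity(identity):
    """Split a CTA EAP-Identity value of the form hostname:username.

    Returns (hostname, username), or None when the value does not have that
    shape. Only the first colon is treated as the separator, so a username
    containing a colon is kept intact.
    """
    if ":" not in identity:
        return None
    hostname, username = identity.split(":", 1)
    if not hostname or not username:
        return None
    return hostname, username


def simulate_unknown_user_policy(existing_accounts, eap_identities):
    """Model the Unknown User Policy's effect on the user database.

    For each posture validation request, an account named after the full
    EAP-Identity string is created if it does not already exist. Returns the
    resulting set of accounts and the list of accounts that were newly created,
    in request order.
    """
    accounts = set(existing_accounts)
    created = []
    for identity in eap_identities:
        if identity not in accounts:
            accounts.add(identity)
            created.append(identity)
    return accounts, created


def accounts_per_host(accounts):
    """Group NAC-created accounts by the hostname part of their name.

    Accounts that do not follow hostname:username are ignored. A host with
    more than one entry is the situation the manual describes: different
    users logged into the same NAC client at the time of successive requests.
    """
    by_host = defaultdict(list)
    for name in accounts:
        parsed = parse_eap_identity(name)
        if parsed is None:
            continue
        hostname, username = parsed
        by_host[hostname].append(username)
    return {host: sorted(users) for host, users in by_host.items()}


def hosts_with_multiple_accounts(accounts):
    """Return hostnames that have more than one NAC-created account."""
    return sorted(
        host for host, users in accounts_per_host(accounts).items() if len(users) > 1
    )


if __name__ == "__main__":
    # Two users log into yang-laptop01 in turn; the third request repeats the first.
    requests = [
        "yang-laptop01:cyril.yang",
        "yang-laptop01:david.fry",
        "yang-laptop01:cyril.yang",
    ]
    database, new_accounts = simulate_unknown_user_policy(["alice"], requests)
    print("created:", new_accounts)
    print("accounts per host:", accounts_per_host(database))
    print("hosts with multiple accounts:", hosts_with_multiple_accounts(SAMPLE_ACCOUNTS))
```

Running the script shows that the repeated identity for cyril.yang creates no second account, while the two distinct users on yang-laptop01 each get their own hostname:username account; the per-host grouping is the view an administrator would use when auditing how many accounts a single NAC client has generated.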
