Prerequisites for nac, Guidelines and limitations – Cisco ASA 5505 User Manual

Page 1544

Advertising
background image

70-4

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 70 Configuring Network Admission Control

Prerequisites for NAC

Prerequisites for NAC

When configured to support NAC, the ASA functions as a client of a Cisco Secure Access Control
Server, requiring that you install a minimum of one Access Control Server on the network to provide
NAC authentication services.

Guidelines and Limitations

Following the configuration of one or more Access Control Servers on the network, you must use the
aaa-server command to name the Access Control Server group. Then follow the instructions in the

“Configuring a NAC Policy” procedure on page 70-8

.

ASA support for NAC Framework is limited to remote access IPsec and WebVPN client sessions. The
NAC Framework configuration supports only single mode.

NAC on the ASA does not support Layer 3 (non-VPN) traffic and IPv6 traffic.

ASA 5555-X

AnyConnect Premium license:

Base License: 2 sessions.

Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, or 5000
sessions.

Optional Shared licenses

3

: Participant or Server. For the Server license, 500-50,000 in increments

of 500 and 50,000-545,000 in increments of 1000.

ASA 5585-X with
SSP-10

AnyConnect Premium license:

Base License: 2 sessions.

Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, or 5000
sessions.

Optional Shared licenses

3

: Participant or Server. For the Server license, 500-50,000 in increments

of 500 and 50,000-545,000 in increments of 1000.

ASA 5585-X with
SSP-20, -40, and -60

AnyConnect Premium license:

Base License: 2 sessions.

Optional permanent or time-based licenses: 10, 25, 50, 100, 250, 500, 750, 1000, 2500, 5000, or
10000 sessions.

Optional Shared licenses

3

: Participant or Server. For the Server license, 500-50,000 in increments

of 500 and 50,000-545,000 in increments of 1000.

1.

If you start a clientless SSL VPN session and then start an AnyConnect client session from the portal, 1 session is used in total. However, if you start the
AnyConnect client first (from a standalone client, for example) and then log into the clientless SSL VPN portal, then 2 sessions are used.

2.

The maximum combined VPN sessions of all types cannot exceed the maximum sessions shown in this table.

3.

A shared license lets the ASA act as a shared license server for multiple client ASAs. The shared license pool is large, but the maximum number of sessions
used by each individual ASA cannot exceed the maximum number listed for permanent licenses.

Model

License Requirement

1,2

Advertising
This manual is related to the following products:

ASA 5585-X, ASA 5555-X, ASA 5545-X, ASA 5525-X, ASA 5515-X, ASA 5512-X, ASA 5580, ASA 5550, ASA 5540, ASA 5520, ASA 5510, ASA 5500 Series

Popular Brands
Popular manuals