Cisco ASA 5505 User Manual

Page 1486

67-60

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 67 Configuring Connection Profiles, Group Policies, and Users

Group Policies

hostname(config-group-policy)# nac-reval-period seconds

hostname(config-group-policy)#

To inherit the value of the Revalidation Timer from the default group policy, access the alternative group
policy from which to inherit it, then use the no form of this command:

hostname(config-group-policy)# no nac-reval-period [seconds]

hostname(config-group-policy)#

The following example changes the revalidation timer to 86400 seconds:

hostname(config-group-policy)# nac-reval-period 86400

hostname(config-group-policy)#

The following example inherits the value of the revalidation timer from the default group policy:

hostname(config-group-policy)# no nac-reval-period

hostname(config-group-policy)#

Step 3

(Optional) Configure the default ACL for NAC. The security appliance applies the security policy
associated with the selected ACL if posture validation fails. Specify none or an extended ACL. The
default setting is none. If the setting is none and posture validation fails, the security appliance applies
the default group policy.

To specify the ACL to be used as the default ACL for Network Admission Control sessions that fail
posture validation, use the nac-default-acl command in group-policy configuration mode:

hostname(config-group-policy)# nac-default-acl {acl-name | none}

hostname(config-group-policy)#

To inherit the ACL from the default group policy, access the alternative group policy from which to
inherit it, then use the no form of this command:

hostname(config-group-policy)# no nac-default-acl [acl-name | none]

hostname(config-group-policy)#

The elements of this command are as follows:

acl-name—Specifies the name of the posture validation server group, as configured on the ASA
using the aaa-server host command. The name must match the server-tag variable specified in that
command.

none—Disables inheritance of the ACL from the default group policy and does not apply an ACL
to NAC sessions that fail posture validation.

Because NAC is disabled by default, VPN traffic traversing the ASA is not subject to the NAC Default
ACL until NAC is enabled.

The following example identifies acl-1 as the ACL to be applied when posture validation fails:

hostname(config-group-policy)# nac-default-acl acl-1

hostname(config-group-policy)#

The following example inherits the ACL from the default group policy:

hostname(config-group-policy)# no nac-default-acl

hostname(config-group-policy)#

The following example disables inheritance of the ACL from the default group policy and does not apply
an ACL to NAC sessions that fail posture validation:

hostname(config-group-policy)# nac-default-acl none

hostname(config-group-policy)#
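The following Python script is an added example, not part of the Cisco guide: it reads group-policy blocks from a saved configuration and resolves the effective nac-reval-period and nac-default-acl for each policy using the inheritance rule described above (an absent line, the result of the no form, inherits from DfltGrpPolicy, while an explicit value, including the keyword none, stops inheritance), then lists the policies whose failed-posture sessions receive no ACL. The sample configuration is constructed in the command syntax shown on this page; the exact rendering in a real running-config is an assumption.

```python
import re
from typing import Dict, List, Optional

DEFAULT_GP = "DfltGrpPolicy"
NAC_ATTRS = ("nac-reval-period", "nac-default-acl")

# Constructed sample in this page's command syntax; a real running-config may differ.
SAMPLE_CONFIG = """\
group-policy DfltGrpPolicy attributes
 nac-reval-period 36000
 nac-default-acl acl-quarantine
group-policy engineering attributes
 nac-reval-period 86400
group-policy contractors attributes
 nac-default-acl acl-contractor-fail
group-policy guests attributes
 nac-default-acl none
"""

def parse_group_policies(config: str) -> Dict[str, Dict[str, str]]:
    # Record only NAC attributes set explicitly; a missing line is what the `no` form leaves, i.e. "inherit".
    policies: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = re.match(r"group-policy (\S+) attributes\s*$", line)
        if m:
            current = m.group(1)
            policies.setdefault(current, {})
            continue
        tokens = line.split()
        if current and len(tokens) == 2 and tokens[0] in NAC_ATTRS:
            policies[current][tokens[0]] = tokens[1]
    return policies

def effective_setting(policies, name: str, attr: str) -> Optional[str]:
    # Inheritance rule from this page: an explicit value (the keyword none
    # included) stops inheritance; otherwise DfltGrpPolicy supplies it.
    own = policies.get(name, {})
    return own[attr] if attr in own else policies.get(DEFAULT_GP, {}).get(attr)

def effective_nac_settings(config: str, name: str) -> Dict[str, Optional[str]]:
    policies = parse_group_policies(config)
    return {attr: effective_setting(policies, name, attr) for attr in NAC_ATTRS}

def policies_without_fail_acl(config: str) -> List[str]:
    # Policies where a failed posture check gets no ACL at all, so the
    # session simply falls through to the default group policy.
    policies = parse_group_policies(config)
    return sorted(p for p in policies if effective_setting(policies, p, "nac-default-acl") in (None, "none"))
```

Remember that, as the text above states, none of these ACLs take effect until NAC itself is enabled, so the audit describes the policy that will apply once it is.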