Setting the revalidation timer, Configuring the default acl for nac – Cisco ASA 5505 User Manual

70-10

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 70 Configuring Network Admission Control

Configuring a NAC Policy

Detailed Steps

The following steps continue the status query timer procedure (sq-period) begun on the preceding page.

Command / Purpose

Step 1
Command:  nac-policy-nac-framework
Purpose:  Switches to nac-policy-nac-framework configuration mode.

Step 2
Command:  sq-period seconds
Example:
  hostname(config-group-policy)# sq-period 1800
  hostname(config-group-policy)
Purpose:  Changes the status query interval. seconds must be in the range 30 to 1800 seconds (5 to 30 minutes). The example changes the query timer to 1800 seconds.

Step 3 (Optional)
Command:  [no] sq-period seconds
Purpose:  Turns off the status query timer.

Step 4
Command:  show running-config nac-policy
Purpose:  Displays a 0 next to the sq-period attribute, meaning the timer is turned off.

Setting the Revalidation Timer

After each successful posture validation, the ASA starts a revalidation timer. The expiration of this timer
triggers the next unconditional posture validation. The ASA maintains the current access policy during
revalidation.

By default, the interval between each successful posture validation is 36000 seconds (10 hours). To
change it, enter the following command in nac-policy-nac-framework configuration mode:

Detailed Steps

Command / Purpose

Step 1
Command:  nac-policy-nac-framework
Purpose:  Switches to nac-policy-nac-framework configuration mode.

Step 2
Command:  reval-period seconds
Example:
  hostname(config-nac-policy-nac-framework)# reval-period 86400
  hostname(config-nac-policy-nac-framework)
Purpose:  Changes the interval between each successful posture validation. seconds must be in the range 300 to 86400 seconds (5 minutes to 24 hours).

Step 3 (Optional)
Command:  [no] reval-period seconds
Purpose:  Turns off the revalidation timer.

Step 4
Command:  show running-config nac-policy
Purpose:  Displays a 0 next to the reval-period attribute, which means the timer is turned off.

Configuring the Default ACL for NAC

Each group policy points to a default ACL to be applied to hosts that match the policy and are eligible
for NAC. The ASA applies the NAC default ACL before posture validation. Following posture
validation, the ASA replaces the default ACL with the one obtained from the Access Control Server for
the remote host. The ASA retains the default ACL if posture validation fails.

The ASA also applies the NAC default ACL if clientless authentication is enabled (which is the default
setting).
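Both timer procedures above end with `show running-config nac-policy`, where a 0 next to sq-period or reval-period means that timer is turned off and hosts are no longer re-checked. The following script is an added example, not part of the Cisco guide, that audits such output for disabled timers and for values outside the documented ranges (30 to 1800 seconds for sq-period, 300 to 86400 seconds for reval-period). The sample output is constructed, and its exact line layout (policy header line followed by indented attribute lines) is an assumption; only the attribute names and ranges come from the guide.

```python
import re

# Constructed sample of "show running-config nac-policy" output.
# The layout is assumed; attribute names and ranges are from the guide.
SAMPLE_OUTPUT = """\
nac-policy framework1 nac-framework
 reval-period 86400
 sq-period 1800
nac-policy framework2 nac-framework
 reval-period 0
 sq-period 0
nac-policy framework3 nac-framework
 reval-period 120
 sq-period 300
"""

# Documented ranges in seconds; a value of 0 means the timer is turned off.
RANGES = {
    "sq-period": (30, 1800),       # status query timer
    "reval-period": (300, 86400),  # revalidation timer
}


def parse_nac_policies(text):
    """Return {policy_name: {attribute: seconds}} parsed from the config text."""
    policies = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^nac-policy\s+(\S+)\s+nac-framework$", line)
        if header:
            current = header.group(1)
            policies[current] = {}
            continue
        attr = re.match(r"^(sq-period|reval-period)\s+(\d+)$", line)
        if attr and current is not None:
            policies[current][attr.group(1)] = int(attr.group(2))
    return policies


def audit_policy(attrs):
    """Return a list of findings (strings) for one policy's timer attributes."""
    findings = []
    for name, (low, high) in RANGES.items():
        if name not in attrs:
            # Attribute absent from the output: the ASA uses its default value.
            continue
        value = attrs[name]
        if value == 0:
            findings.append(f"{name} is 0: timer turned off, hosts are not re-checked")
        elif not low <= value <= high:
            findings.append(f"{name}={value} is outside the documented range {low}-{high}")
    return findings


def audit(text):
    """Audit every nac-policy in the text; returns {policy_name: [findings]}."""
    return {name: audit_policy(attrs) for name, attrs in parse_nac_policies(text).items()}


if __name__ == "__main__":
    for policy, findings in audit(SAMPLE_OUTPUT).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{policy}: {status}")
```

Run it against a saved copy of the command output to catch a policy whose revalidation or status query timer was turned off with the `no` form and never restored.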
