1-72
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Connection Profiles, Group Policies, and Users
Group Policies
The elements of this command are as follows:
• acl-name—Specifies the name of the posture validation server group, as configured on the ASA
using the aaa-server host command. The name must match the server-tag variable specified in that
command.
• none—Disables inheritance of the ACL from the default group policy and does not apply an ACL
to NAC sessions that fail posture validation.
Because NAC is disabled by default, VPN traffic traversing the ASA is not subject to the NAC Default
ACL until NAC is enabled.
The following example identifies acl-1 as the ACL to be applied when posture validation fails:
hostname(config-group-policy)# nac-default-acl acl-1
hostname(config-group-policy)
The following example inherits the ACL from the default group policy:
hostname(config-group-policy)# no nac-default-acl
hostname(config-group-policy)
The following example disables inheritance of the ACL from the default group policy and does not apply
an ACL to NAC sessions that fail posture validation:
hostname(config-group-policy)# nac-default-acl none
hostname(config-group-policy)#
Step 4 Configure NAC exemptions for VPN. By default, the exemption list is empty.The default value of the
filter attribute is none. Enter the vpn-nac-exempt command once for each operating system (and ACL)
to be matched to exempt remote hosts from posture validation.
To add an entry to the list of remote computer types that are exempt from posture validation, use the
vpn-nac-exempt command in group-policy configuration mode:
hostname(config-group-policy)# vpn-nac-exempt os "os name" [filter {acl-name | none}]
[disable]
hostname(config-group-policy)#
To disable inheritance and specify that all hosts are subject to posture validation, use the none keyword
immediately following vpn-nac-exempt:
hostname(config-group-policy)# vpn-nac-exempt none
hostname(config-group-policy)#
To remove an entry from the exemption list, use the no form of this command and name the operating
system (and ACL) in the entry to be removed:
hostname(config-group-policy)# no vpn-nac-exempt [os "os name"] [filter {acl-name | none}]
[disable]
hostname(config-group-policy)#
To remove all entries from the exemption list associated with this group policy and inherit the list from
the default group policy, use the no form of this command without specifying additional keywords:
hostname(config-group-policy)# no vpn-nac-exempt
hostname(config-group-policy)#
The syntax elements for these commands are as follows:
• acl-name—Name of the ACL present in the ASA configuration.
• disable—Disables the entry in the exemption list without removing it from the list.
• filter—(Optional) filter to apply an ACL to filter the traffic if the computer matches the os name.