Cisco FirePOWER ASA 5500 series User Manual

33-3
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 33 Configuring Network Admission Control
Configuring Basic Settings
To inherit the NAC setting from the default group policy, access the alternative group policy from which
to inherit it, then issue the following command:
no nac
For example:
hostname(config-group-policy)# no nac
hostname(config-group-policy)#
Configuring the Default ACL for NAC
Each group policy points to a default ACL to be applied to hosts that match the policy and are eligible
for NAC. The security appliance applies the NAC default ACL before posture validation. Following
posture validation, the security appliance replaces the default ACL with the one obtained from the
Access Control Server for the remote host. It retains the default ACL if posture validation fails.
The security appliance also applies the NAC default ACL if clientless authentication is enabled (which
is the default setting).
Note: Because NAC is disabled by default, VPN traffic traversing the security appliance is not subject to the
NAC Default ACL until NAC is enabled.
Enter the following command in group-policy configuration mode to specify the ACL to be used as the
default ACL for NAC sessions:
nac-default-acl value acl-name
acl-name is the name of the posture validation server group, as configured on the security appliance
using the aaa-server host command. The name must match the server-tag variable specified in that
command.
For example, enter the following command to specify acl-1 as the NAC default ACL:
hostname(config-group-policy)# nac-default-acl value acl-1
hostname(config-group-policy)#
To inherit the ACL from the default group policy, access the alternative group policy from which to
inherit it and enter the following command:
no nac-default-acl
For example:
hostname(config-group-policy)# no nac-default-acl
hostname(config-group-policy)#
You also have the option of disinheriting the ACL from the default group policy and specifying no NAC
default ACL. To do so, enter the following command:
nac-default-acl none
For example:
hostname(config-group-policy)# nac-default-acl none
hostname(config-group-policy)#
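The three forms above (an explicit ACL, inheritance from the default group policy, and an explicit "none") are easy to misread in a large running-config, since an inherited attribute simply does not appear in the policy's block. The following audit script is an added example, not Cisco's code and not from this guide: it applies the inheritance rules of this section to a constructed running-config fragment and reports, per group policy, whether NAC is enabled and which default ACL will actually be applied before posture validation. It assumes the `nac enable` / `nac disable` attribute syntax and the `group-policy <name> attributes` block layout as the running-config renders them, and it adds one check the text does not mention: a default ACL name that no `access-list` line defines is flagged.

```python
"""Audit NAC default-ACL inheritance across ASA group policies.

Added example, not Cisco's code. It applies the rules from this section to a
constructed running-config fragment: an attribute absent from a group policy is
inherited from DfltGrpPolicy, 'nac-default-acl value <name>' sets an explicit
ACL, and 'nac-default-acl none' disinherits it and leaves no default ACL.
The 'nac enable' / 'nac disable' attribute syntax and the
'group-policy <name> attributes' block layout are assumptions about how the
running-config renders these settings.
"""
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_POLICY = "DfltGrpPolicy"

# Constructed sample running-config fragment; not captured from a real device.
SAMPLE_CONFIG = """\
access-list acl-1 extended permit tcp any any eq 443
group-policy DfltGrpPolicy attributes
 nac enable
 nac-default-acl value acl-1
group-policy Sales internal
group-policy Sales attributes
 nac-default-acl none
group-policy Engineering internal
group-policy Engineering attributes
 nac-default-acl value acl-eng
group-policy Contractors internal
group-policy Contractors attributes
 vpn-idle-timeout 30
"""


@dataclass
class GroupPolicy:
    name: str
    nac: Optional[str] = None          # "enable", "disable", or None = inherit
    default_acl: Optional[str] = None  # ACL name, "none" (explicit), or None = inherit


def parse_group_policies(config: str) -> dict:
    """Collect the NAC-related attributes of every 'group-policy X attributes' block."""
    policies = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        header = re.match(r"^group-policy (\S+) attributes$", line)
        if header:
            name = header.group(1)
            current = policies.setdefault(name, GroupPolicy(name))
            continue
        if not line.startswith(" "):
            current = None  # any unindented line ends the attributes block
            continue
        if current is None:
            continue
        tok = line.split()
        if tok[0] == "nac" and len(tok) == 2:
            current.nac = tok[1]
        elif tok[0] == "nac-default-acl" and len(tok) >= 2:
            if tok[1] == "value" and len(tok) == 3:
                current.default_acl = tok[2]
            elif tok[1] == "none":
                current.default_acl = "none"
    return policies


def effective_nac(policies: dict, name: str):
    """Resolve (nac_enabled, default_acl) for one policy, inheriting from DfltGrpPolicy."""
    pol = policies[name]
    dflt = policies.get(DEFAULT_POLICY, GroupPolicy(DEFAULT_POLICY))
    nac = pol.nac if pol.nac is not None else dflt.nac
    acl = pol.default_acl if pol.default_acl is not None else dflt.default_acl
    # NAC is disabled by default (per the guide), so "never set" means disabled.
    enabled = nac == "enable"
    # 'none' is an explicit "no default ACL", not an ACL called "none".
    return enabled, (None if acl == "none" else acl)


def defined_acls(config: str) -> set:
    """Names of ACLs that have at least one access-list entry in the config."""
    return {m.group(1) for m in re.finditer(r"^access-list (\S+) ", config, re.M)}


def audit(config: str) -> dict:
    """Map each group policy to one status string a reviewer can act on."""
    policies = parse_group_policies(config)
    acls = defined_acls(config)
    findings = {}
    for name in policies:
        enabled, acl = effective_nac(policies, name)
        if not enabled:
            findings[name] = "nac-disabled"
        elif acl is None:
            # NAC runs but no ACL is applied before posture validation.
            findings[name] = "no-default-acl"
        elif acl not in acls:
            # Dangling reference: no access-list line defines this name.
            findings[name] = "undefined-acl:" + acl
        else:
            findings[name] = "ok:" + acl
    return findings


if __name__ == "__main__":
    for policy, status in audit(SAMPLE_CONFIG).items():
        print(f"{policy:<15} {status}")
```

On the constructed fragment, Contractors inherits both NAC and acl-1 from DfltGrpPolicy, Sales has NAC enabled but no default ACL because of `nac-default-acl none`, and Engineering references an ACL the fragment never defines. Running the script against `show running-config` output from a real appliance gives the same per-policy view without having to trace inheritance by hand.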