
Cisco FirePOWER ASA 5500 series

Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 33 Configuring Network Admission Control
Configuring Basic Settings
Configuring Exemptions from NAC
The security appliance configuration stores a list of exemptions from NAC posture validation. You can
specify the operating systems that are exempt. If you specify an ACL, the client running the operating
system specified is exempt from posture validation and the client traffic is subject to the ACL.
To add an entry to the list of remote computer types that are exempt from NAC posture validation, enter
the following command in group-policy configuration mode:
vpn-nac-exempt os "os name" [filter acl-name] [disable]
Note: This command does not overwrite previously added entries in the exemption list; enter the command
once for each operating system and ACL you want to exempt.
os name is the operating system name. Use quotation marks if the name includes a space (for example,
“Windows XP”).
For example, enter the following command to add all hosts running Windows XP to the list of computers
that are exempt from posture validation:
hostname(config-group-policy)# vpn-nac-exempt os "Windows XP"
hostname(config-group-policy)#
The remaining keywords and arguments are optional:
filter applies an ACL to filter the traffic if the computer matches the os name.
acl-name is the name of the ACL present in the security appliance configuration.
disable disables the entry in the exemption list without removing it from the list. Omitting this
keyword enables the entry.
For example, enter the following command to exempt all hosts running Windows 98 and apply the ACL
acl-1 to traffic from those hosts:
hostname(config-group-policy)# vpn-nac-exempt os "Windows 98" filter acl-1
hostname(config-group-policy)#
The following example shows how to add the same entry to the exemption list, but disable it:
hostname(config-group-policy)# vpn-nac-exempt os "Windows 98" filter acl-1 disable
hostname(config-group-policy)#
To disable inheritance and specify that all hosts are subject to posture validation, enter the following
command:
vpn-nac-exempt none
For example:
hostname(config-group-policy)# vpn-nac-exempt none
hostname(config-group-policy)#
To remove an entry from the exemption list, enter the following command, naming the operating system
(and ACL) in the exemption to be removed.
no vpn-nac-exempt [os "os name"] [filter acl-name]
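An added example, not part of the Cisco guide: a Python check that parses vpn-nac-exempt lines using the syntax above and reports enabled exemptions that have no filter ACL, meaning hosts that skip posture validation without an exemption ACL applied to their traffic. It assumes a saved configuration lists these lines under "group-policy <name> attributes" in the same form they are entered; the policy, OS and ACL names in the sample are constructed.

```python
import re
import shlex

# Constructed sample; policy, OS and ACL names are illustrative only.
SAMPLE_CONFIG = """\
group-policy SalesVPN attributes
 vpn-nac-exempt os "Windows XP"
 vpn-nac-exempt os "Windows 98" filter acl-1
 vpn-nac-exempt os Linux filter acl-2 disable
group-policy EngVPN attributes
 vpn-nac-exempt none
"""

def parse_exemptions(config_text):
    """Map each group policy to its parsed vpn-nac-exempt entries."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = re.match(r"group-policy (\S+) attributes$", line)
        if header:
            current = header.group(1)
            policies.setdefault(current, [])
        elif raw[:1] not in (" ", "\t"):
            current = None  # left the group-policy block
        elif current and line.startswith("vpn-nac-exempt "):
            tokens = shlex.split(line)[1:]  # keeps "Windows XP" as one token
            if tokens == ["none"]:
                policies[current].append({"none": True})
                continue
            if len(tokens) < 2 or tokens[0] != "os":
                raise ValueError(f"unrecognised syntax: {line!r}")
            entry = {"none": False, "os": tokens[1], "acl": None, "enabled": True}
            rest = tokens[2:]
            if len(rest) >= 2 and rest[0] == "filter":
                entry["acl"], rest = rest[1], rest[2:]
            if rest == ["disable"]:
                entry["enabled"] = False
            elif rest:
                raise ValueError(f"unrecognised syntax: {line!r}")
            policies[current].append(entry)
    return policies

def unfiltered_exemptions(policies):
    """Return (policy, os) pairs that skip posture validation with no ACL applied."""
    return [(name, e["os"]) for name, entries in policies.items()
            for e in entries
            if not e["none"] and e["enabled"] and e["acl"] is None]

if __name__ == "__main__":
    for policy, os_name in unfiltered_exemptions(parse_exemptions(SAMPLE_CONFIG)):
        print(f"{policy}: {os_name!r} is exempt from NAC with no filter ACL")
```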
