33-6
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
Chapter 33 Configuring Network Admission Control
Configuring a NAC Policy
Use the no form of the command if you want to turn off the status query timer. If you turn off this timer and enter show running-config nac-policy, the CLI displays a 0 next to the sq-period attribute, which means the timer is turned off.
seconds must be in the range 30 to 1800 seconds (5 to 30 minutes). It is optional if you are using the no version of the command.
The following example changes the status query timer to 1800 seconds:
hostname(config-group-policy)# sq-period 1800
hostname(config-group-policy)#
Setting the Revalidation Timer
After each successful posture validation, the security appliance starts a revalidation timer. The expiration
of this timer triggers the next unconditional posture validation. The security appliance maintains the
current access policy during revalidation.
By default, the interval between each successful posture validation is 36000 seconds (10 hours). To change it, enter the following command in nac-policy-nac-framework configuration mode:
[no] reval-period seconds
Use the no form of the command if you want to turn off the revalidation timer. If you turn off this timer and enter show running-config nac-policy, the CLI displays a 0 next to the reval-period attribute, which means the timer is turned off.
seconds must be in the range 300 to 86400 seconds (5 minutes to 24 hours). It is optional if you are using the no version of the command.
For example, enter the following command to change the revalidation timer to 86400 seconds:
hostname(config-nac-policy-nac-framework)# reval-period 86400
hostname(config-nac-policy-nac-framework)#
Configuring the Default ACL for NAC
Each group policy points to a default ACL to be applied to hosts that match the policy and are eligible
for NAC. The security appliance applies the NAC default ACL before posture validation. Following
posture validation, the security appliance replaces the default ACL with the one obtained from the
Access Control Server for the remote host. The security appliance retains the default ACL if posture
validation fails.
The security appliance also applies the NAC default ACL if clientless authentication is enabled (which
is the default setting).
Enter the following command in nac-policy-nac-framework configuration mode to specify the ACL to be used as the default ACL for NAC sessions:
[no] default-acl acl-name
Use the no form of the command if you want to remove the command from the NAC Framework policy. In that case, specifying the acl-name is optional.
acl-name is the name of the access control list to be applied to the session.