Chapter 33 Configuring Network Admission Control; Overview - Cisco PIX 500 Series Configuration Manual
Chapter 33
Configuring Network Admission Control

This chapter includes the following sections:

Overview, page 33-1
Uses, Requirements, and Limitations, page 33-2
Viewing the NAC Policies on the Security Appliance, page 33-2
Adding, Accessing, or Removing a NAC Policy, page 33-4
Configuring a NAC Policy, page 33-5
Assigning a NAC Policy to a Group Policy, page 33-8
Changing Global NAC Framework Settings, page 33-8

Overview

Network Admission Control (NAC) protects the enterprise network from intrusion and infection by worms, viruses, and rogue applications by performing endpoint compliance and vulnerability checks as a condition for production access to the network. We refer to these checks as posture validation. You can configure posture validation to ensure that the anti-virus files, personal firewall rules, or intrusion protection software on a host with an IPSec or WebVPN session are up to date before providing access to vulnerable hosts on the intranet. Posture validation can also verify that the applications running on the remote host are updated with the latest patches. NAC occurs only after user authentication and the setup of the tunnel. NAC is especially useful for protecting the enterprise network from hosts that are not subject to automatic network policy enforcement, such as home PCs.

The establishment of a tunnel between the endpoint and the security appliance triggers posture validation.

You can configure the security appliance to pass the IP address of the client to an optional audit server if the client does not respond to a posture validation request. The audit server, such as a Trend server, uses the host IP address to challenge the host directly to assess its health. For example, it may challenge the host to determine whether its virus checking software is active and up to date. After the audit server completes its interaction with the remote host, it passes a token to the posture validation server, indicating the health of the remote host.

Following successful posture validation, or the receipt of a token indicating that the remote host is healthy, the posture validation server sends a network access policy to the security appliance for application to the traffic on the tunnel.

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 33-1