Configuring Exemptions From Nac - Cisco PIX 500 Series Configuration Manual

Chapter 33
Configuring Network Admission Control
The following example identifies acl-2 as the ACL to be applied before posture validation succeeds:
hostname(config-nac-policy-nac-framework)# default-acl acl-2
hostname(config-nac-policy-nac-framework)#

Configuring Exemptions from NAC

The security appliance configuration stores a list of exemptions from NAC posture validation. You can
specify the operating systems that are exempt. If you also specify an ACL, a client running the specified
operating system is exempt from posture validation and its traffic is subject to that ACL.
To add an entry to the list of remote computer types that are exempt from NAC posture validation, enter
the following command in nac-policy-nac-framework configuration mode:
[no] exempt-list os "os-name" [ disable | filter acl-name [ disable ] ]
The no exempt-list command removes all exemptions from the NAC Framework policy. Specifying an
entry when issuing the no form of the command removes only that entry from the exemption list.
Note
When the command specifies an operating system, it does not overwrite a previously added entry in
the exemption list; enter the command once for each operating system and ACL you want to exempt.
os exempts an operating system from posture validation.
os-name is the operating system name. Use quotation marks if the name includes a space (for example,
"Windows XP").
filter applies an ACL to filter the traffic if the computer's operating system matches the os-name.
The filter/acl-name pair is optional.
disable performs one of two functions, depending on where it appears in the command:
If you enter it after the os-name, the security appliance ignores the exemption and applies NAC
posture validation to the remote hosts that are running that operating system.
If you enter it after the acl-name, the security appliance exempts the operating system but does not
apply the ACL to the associated traffic.
acl-name is the name of an ACL present in the security appliance configuration. When specified, it must
follow the filter keyword.
For example, enter the following command to add all hosts running Windows XP to the list of computers
that are exempt from posture validation:
hostname(config-nac-policy-nac-framework)# exempt-list os "Windows XP"
hostname(config-nac-policy-nac-framework)#
The following example exempts all hosts running Windows XP and applies the ACL acl-2 to traffic from
those hosts:
hostname(config-nac-policy-nac-framework)# exempt-list os "Windows XP" filter acl-2
hostname(config-nac-policy-nac-framework)#
The following example removes the same entry from the exemption list:
hostname(config-nac-policy-nac-framework)# no exempt-list os "Windows XP" filter acl-2
hostname(config-nac-policy-nac-framework)#
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
Configuring a NAC Policy
33-7
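The position of the disable keyword decides whether an exemption is honoured and whether its ACL is applied, which is easy to misread when auditing a running configuration. The following added Python model (not Cisco code) parses exempt-list lines with the semantics described above, builds the exemption list, and reports for a given client operating system whether posture validation still applies and which ACL filters its traffic; the rule that the first entry naming an operating system wins is an assumption, since the manual does not say how several entries for one OS are resolved.

```python
import shlex
from dataclasses import dataclass

@dataclass(frozen=True)
class Exemption:
    os_name: str
    acl_name: "str | None"  # ACL named after 'filter', if any
    exempt: bool            # False when 'disable' directly follows the os-name
    apply_acl: bool         # False when 'disable' follows the acl-name

def parse_exempt_list(line):
    """Parse one line into (is_no_form, exemption); bare 'no exempt-list' yields None."""
    tok = shlex.split(line)  # shlex keeps "Windows XP" as a single token
    no_form = tok[:1] == ["no"]
    tok = tok[1:] if no_form else tok
    if no_form and tok == ["exempt-list"]:
        return True, None  # bare 'no exempt-list' removes all exemptions
    if tok[:2] != ["exempt-list", "os"] or len(tok) < 3:
        raise ValueError(f"expected 'exempt-list os os-name': {line!r}")
    os_name, rest = tok[2], tok[3:]
    acl, exempt, apply_acl = None, True, False
    if rest[:1] == ["disable"]:
        exempt, rest = False, rest[1:]  # exemption ignored: posture validation still applies
    elif rest[:1] == ["filter"] and len(rest) > 1:
        acl, apply_acl, rest = rest[1], True, rest[2:]
        if rest[:1] == ["disable"]:
            apply_acl, rest = False, rest[1:]  # OS exempt, but the ACL is not applied
    if rest:
        raise ValueError(f"unexpected or incomplete tokens {rest!r} in {line!r}")
    return no_form, Exemption(os_name, acl, exempt, apply_acl)

def build_exemption_list(lines):
    """Apply lines in order; one entry per (os-name, acl-name) pair, as the manual describes."""
    entries = {}
    for line in lines:
        no_form, ex = parse_exempt_list(line)
        if ex is None:
            entries.clear()
        elif no_form:
            entries.pop((ex.os_name, ex.acl_name), None)
        else:
            entries[(ex.os_name, ex.acl_name)] = ex
    return entries

def posture_decision(entries, client_os):
    """Return (posture_validation_required, acl_to_apply); first entry naming the OS wins (assumption)."""
    for ex in entries.values():
        if ex.os_name == client_os:
            return (True, None) if not ex.exempt else (False, ex.acl_name if ex.apply_acl else None)
    return True, None
```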