Configuring The Default Acl For Nac - Cisco FirePOWER ASA 5500 series Configuration Manual

Chapter 33
Configuring Network Admission Control
To inherit the NAC setting from the default group policy, access the alternative group policy from which to inherit it, then issue the following command:

no nac

For example:

hostname(config-group-policy)# no nac
hostname(config-group-policy)#

Configuring the Default ACL for NAC

Each group policy points to a default ACL to be applied to hosts that match the policy and are eligible for NAC. The security appliance applies the NAC default ACL before posture validation. Following posture validation, the security appliance replaces the default ACL with the one obtained from the Access Control Server for the remote host. It retains the default ACL if posture validation fails.

The security appliance also applies the NAC default ACL if clientless authentication is enabled (which is the default setting).

Note: Because NAC is disabled by default, VPN traffic traversing the security appliance is not subject to the NAC default ACL until NAC is enabled.

Enter the following command in group-policy configuration mode to specify the ACL to be used as the default ACL for NAC sessions:

nac-default-acl value acl-name

acl-name is the name of the posture validation server group, as configured on the security appliance using the aaa-server host command. The name must match the server-tag variable specified in that command.

For example, enter the following command to specify acl-1 as the NAC default ACL:

hostname(config-group-policy)# nac-default-acl value acl-1
hostname(config-group-policy)#

To inherit the ACL from the default group policy, access the alternative group policy from which to inherit it and enter the following command:

no nac-default-acl

For example:

hostname(config-group-policy)# no nac-default-acl
hostname(config-group-policy)#

You also have the option of disinheriting the ACL from the default group policy and specifying no NAC default ACL. To do so, enter the following command:

nac-default-acl none

For example:

hostname(config-group-policy)# nac-default-acl none
hostname(config-group-policy)#

Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Configuring Basic Settings
33-3
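The three forms above (an explicit ACL, the "no" form that inherits from the default group policy, and "none", which disinherits and applies no ACL) are easy to get wrong across many group policies, because an inherited value is simply absent from the running configuration. The following Python script is an added example, not code from the Cisco manual: it parses a constructed running-config excerpt in the syntax this section uses, resolves each group policy's effective NAC state and NAC default ACL through inheritance from DfltGrpPolicy, and flags policies where NAC is enabled but no ACL would be applied before posture validation, or where the named ACL is not defined. It assumes the value given to nac-default-acl is the name of an access-list (as in the page's own acl-1 example), that a setting missing from DfltGrpPolicy means NAC disabled and no ACL, and that the policy names, ACL names and addresses are made up.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample running-config excerpt in the ASA 7.x-style syntax shown
# in the manual. Policy names, ACL names and addresses are made up for this
# example; "DfltGrpPolicy" is the default group policy that others inherit from.
SAMPLE_CONFIG = """\
access-list acl-1 extended permit udp any any eq domain
access-list acl-1 extended permit tcp any host 10.0.0.5 eq 443
access-list acl-1 extended deny ip any any
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
 nac enable
 nac-default-acl value acl-1
group-policy engineering internal
group-policy engineering attributes
 vpn-idle-timeout 30
group-policy contractors internal
group-policy contractors attributes
 nac-default-acl none
group-policy guests internal
group-policy guests attributes
 nac-default-acl value acl-guest
group-policy legacy internal
group-policy legacy attributes
 nac disable
 nac-default-acl none
"""

DEFAULT_POLICY = "DfltGrpPolicy"


@dataclass
class GroupPolicy:
    name: str
    nac: Optional[str] = None          # "enable", "disable", or None = inherit
    default_acl: Optional[str] = None  # ACL name, "none", or None = inherit


def parse_config(text):
    """Return (policies by name, set of defined ACL names) from a config excerpt.

    A group-policy attribute that is absent (removed with the "no" form) is left
    as None, which the manual describes as inheriting from the default policy.
    """
    policies = {}
    acls = set()
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            current = None  # any unindented line ends the attributes block
            m = re.match(r"access-list (\S+) ", line)
            if m:
                acls.add(m.group(1))
                continue
            m = re.match(r"group-policy (\S+) (internal|external|attributes)\b", line)
            if m:
                policy = policies.setdefault(m.group(1), GroupPolicy(m.group(1)))
                if m.group(2) == "attributes":
                    current = policy
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd in ("nac enable", "nac disable"):
            current.nac = cmd.split()[1]
        elif cmd == "nac-default-acl none":
            current.default_acl = "none"
        else:
            m = re.match(r"nac-default-acl value (\S+)$", cmd)
            if m:
                current.default_acl = m.group(1)
    return policies, acls


def effective_settings(policies, name):
    """Resolve NAC state and default ACL for a policy, applying inheritance.

    Assumption: a setting missing from DfltGrpPolicy itself means NAC disabled
    (the manual's stated default) and no default ACL.
    """
    policy = policies[name]
    base = policies.get(DEFAULT_POLICY, GroupPolicy(DEFAULT_POLICY))
    nac = policy.nac if policy.nac is not None else (base.nac or "disable")
    acl = policy.default_acl if policy.default_acl is not None else base.default_acl
    return nac, acl


def audit(text):
    """Map each group policy to a one-line finding about its NAC default ACL."""
    policies, acls = parse_config(text)
    findings = {}
    for name in policies:
        nac, acl = effective_settings(policies, name)
        if nac != "enable":
            findings[name] = "ok: NAC disabled, default ACL not applied"
        elif acl in (None, "none"):
            findings[name] = "warn: NAC enabled but no ACL applied before posture validation"
        elif acl not in acls:
            findings[name] = f"error: NAC default ACL {acl} is not defined"
        else:
            findings[name] = f"ok: NAC default ACL {acl}"
    return findings


if __name__ == "__main__":
    for policy_name, finding in audit(SAMPLE_CONFIG).items():
        print(f"{policy_name:15} {finding}")
```

Run it against the output of "show running-config" saved to a file by passing that text to audit(). In the sample, "engineering" has no NAC lines at all and therefore inherits both the enabled state and acl-1, "contractors" disinherits the ACL with "none" and is flagged, and "guests" points at an ACL that was never defined.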