Configuring Exemptions From Nac - Cisco FirePOWER ASA 5500 series Configuration Manual

Configuring Basic Settings

Configuring Exemptions from NAC

The security appliance configuration stores a list of exemptions from NAC posture validation. You can specify the operating systems that are exempt. If you specify an ACL, the client running the operating system specified is exempt from posture validation and the client traffic is subject to the ACL.

To add an entry to the list of remote computer types that are exempt from NAC posture validation, enter the following command in group-policy configuration mode:

vpn-nac-exempt os "os name" [filter acl-name] [disable]

Note: This command does not overwrite the previously added entry to the exception list; enter the command once for each operating system and ACL you want to exempt.

os name is the operating system name. Use quotation marks if the name includes a space (for example, "Windows XP").

For example, enter the following command to add all hosts running Windows XP to the list of computers that are exempt from posture validation:

hostname(config-group-policy)# vpn-nac-exempt os "Windows XP"
hostname(config-group-policy)

The remaining keywords and arguments are optional:

filter to apply an ACL to filter the traffic if the computer matches the os name.

acl-name is the name of the ACL present in the security appliance configuration.

disable to disable the entry in the exemption list without removing it from the list. Not entering this keyword enables the entry.

For example, enter the following command to exempt all hosts running Windows 98 and apply the ACL acl-1 to traffic from those hosts:

hostname(config-group-policy)# vpn-nac-exempt os "Windows 98" filter acl-1
hostname(config-group-policy)

The following example shows how to add the same entry to the exemption list, but disable it:

hostname(config-group-policy)# vpn-nac-exempt os "Windows 98" filter acl-1 disable
hostname(config-group-policy)

To disable inheritance and specify that all hosts are subject to posture validation, enter the following command:

vpn-nac-exempt none

For example:

hostname(config-group-policy)# no vpn-nac-exempt none
hostname(config-group-policy)

To remove an entry from the exemption list, enter the following command, naming the operating system (and ACL) in the exemption to be removed.

no vpn-nac-exempt [os "os name"] [filter acl-name]

Cisco Security Appliance Command Line Configuration Guide, 33-4
Chapter 33 Configuring Network Admission Control, OL-10088-01
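The following Python script is an added example and is not part of the Cisco guide. It parses the vpn-nac-exempt entries documented above out of a constructed running-config excerpt (the group-policy names, the ACL contents and the "Mac OS X" entry are assumed sample values, and the ACL acl-missing is deliberately left undefined) and reports the patterns a configuration reviewer would want surfaced: an exempt operating system with no filter ACL, whose traffic is neither posture-checked nor filtered; a disabled entry that is still present in the list; and a filter ACL that is referenced but not defined in the configuration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed running-config excerpt (sample values, not from the Cisco guide).
# It exercises the forms the chapter documents: an exemption with no filter ACL,
# one with a filter ACL, a disabled entry, and the "none" form; the ACL
# "acl-missing" is deliberately never defined.
SAMPLE_CONFIG = """\
access-list acl-1 extended permit tcp any host 10.0.0.5 eq 443
access-list acl-1 extended deny ip any any
group-policy remote-users internal
group-policy remote-users attributes
 vpn-nac-exempt os "Windows XP"
 vpn-nac-exempt os "Windows 98" filter acl-1
 vpn-nac-exempt os "Mac OS X" filter acl-missing disable
group-policy contractors internal
group-policy contractors attributes
 vpn-nac-exempt none
"""

# Matches:  vpn-nac-exempt os "os name" [filter acl-name] [disable]
#      or:  vpn-nac-exempt none
EXEMPT_RE = re.compile(
    r'^vpn-nac-exempt\s+(?:(?P<none>none)'
    r'|os\s+(?:"(?P<osq>[^"]+)"|(?P<osb>\S+))'
    r'(?:\s+filter\s+(?P<acl>\S+))?(?P<disable>\s+disable)?)\s*$'
)
ACL_RE = re.compile(r'^access-list\s+(\S+)\s')
POLICY_RE = re.compile(r'^group-policy\s+(\S+)\s+attributes$')


@dataclass
class Exemption:
    policy: str
    os_name: Optional[str]   # None represents "vpn-nac-exempt none"
    acl: Optional[str]
    enabled: bool


def parse_nac_exemptions(config: str) -> Tuple[List[Exemption], Set[str]]:
    """Collect vpn-nac-exempt entries per group policy and the set of defined ACL names."""
    exemptions: List[Exemption] = []
    acls: Set[str] = set()
    policy: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls.add(m.group(1))
            continue
        m = POLICY_RE.match(line)
        if m:
            policy = m.group(1)          # subsequent exemptions belong to this policy
            continue
        m = EXEMPT_RE.match(line)
        if m and policy is not None:
            if m.group("none"):
                exemptions.append(Exemption(policy, None, None, True))
            else:
                os_name = m.group("osq") or m.group("osb")
                exemptions.append(
                    Exemption(policy, os_name, m.group("acl"), m.group("disable") is None)
                )
    return exemptions, acls


def audit_nac_exemptions(config: str) -> List[str]:
    """Return findings for exemptions that weaken or break posture enforcement."""
    exemptions, acls = parse_nac_exemptions(config)
    findings: List[str] = []
    for e in exemptions:
        if e.os_name is None:
            continue  # "none": every host is subject to posture validation
        if e.acl is not None and e.acl not in acls:
            findings.append(f"{e.policy}: {e.os_name!r} references undefined ACL {e.acl!r}")
        if not e.enabled:
            findings.append(f"{e.policy}: exemption for {e.os_name!r} is disabled but still listed")
        elif e.acl is None:
            findings.append(f"{e.policy}: {e.os_name!r} bypasses posture validation with no filter ACL")
    return findings


if __name__ == "__main__":
    for finding in audit_nac_exemptions(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show running-config to review the exemption list of every group policy at once. The no forms of the command are operations, not lines stored in the configuration, so the script does not look for them; the presence or absence of an entry in the running configuration is what it audits.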