User Guide for Cisco Security Manager 4.4, OL-28826-01, page 61-8
Chapter 61 Configuring Identity Policies
Network Admission Control on Cisco IOS Routers
Network Admission Control (NAC), an industry initiative sponsored by Cisco Systems, uses the network
infrastructure to enforce security-policy compliance on all devices seeking to access network computing
resources, thereby limiting damage from viruses and worms. By using NAC, organizations can provide
network access to endpoint devices such as PCs, PDAs, and servers that are verified to be fully compliant
with established security policy. NAC can also identify noncompliant devices and deny them access,
place them in a quarantined area, or give them restricted access to computing resources.
Network access decisions are made through a process of posture validation, which evaluates the posture
credentials presented by the endpoint device. These credentials can include such information as the
endpoint’s antivirus state, operating system version, operating system patch level, or Cisco Security
Agent version and settings.
You can use NAC to enforce security policy compliance in many types of deployments, including branch
offices, remote access, and dial-in access.
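The posture validation decision described above, as an added example that is not part of the original guide and is not Cisco Security Manager or Cisco IOS code: a small Python evaluator takes the posture credentials an endpoint reports (antivirus state, OS version and patch level, Cisco Security Agent version), compares them with a policy, and returns the compliant, restricted, quarantined or denied outcome that the NAD would enforce. The policy thresholds, credential field names, endpoint records and ACL names are constructed for the example and are not values from the product.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PERMIT = "permit"          # fully compliant: normal network access
    RESTRICT = "restrict"      # minor drift: restricted access to resources
    QUARANTINE = "quarantine"  # noncompliant: remediation network only
    DENY = "deny"              # nothing verifiable presented: no access


# Assumed names of the downloadable ACLs the NAD applies for each outcome.
ENFORCEMENT = {
    Decision.PERMIT: "nac-permit-all",
    Decision.RESTRICT: "nac-restricted",
    Decision.QUARANTINE: "nac-quarantine",
    Decision.DENY: "nac-deny-all",
}


@dataclass(frozen=True)
class Policy:
    min_os_version: str
    min_patch_level: int
    max_av_signature_age_days: int
    min_csa_version: str


def parse_version(text: str) -> tuple:
    """'10.0.19045' -> (10, 0, 19045); non-numeric pieces count as 0."""
    parts = []
    for piece in str(text).strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def validate_posture(credentials: dict, policy: Policy) -> tuple:
    """Evaluate one endpoint's posture credentials; return (Decision, reason)."""
    required = ("os_version", "os_patch_level", "av_enabled",
                "av_signature_age_days", "csa_version")
    missing = [k for k in required if k not in credentials]
    if missing:
        # No trustworthy data to validate (e.g. a host with no posture agent).
        return Decision.DENY, "missing posture credentials: " + ", ".join(missing)

    # Antivirus problems are what NAC exists to catch: quarantine for remediation.
    if not credentials["av_enabled"]:
        return Decision.QUARANTINE, "antivirus disabled"
    age = int(credentials["av_signature_age_days"])
    if age > policy.max_av_signature_age_days:
        return Decision.QUARANTINE, (
            f"antivirus signatures {age} days old "
            f"(max {policy.max_av_signature_age_days})")

    # An OS below the supported baseline cannot be patched into compliance.
    if parse_version(credentials["os_version"]) < parse_version(policy.min_os_version):
        return Decision.QUARANTINE, (
            f"OS {credentials['os_version']} below {policy.min_os_version}")

    # A lagging patch level or agent version gets restricted access, not denial.
    if int(credentials["os_patch_level"]) < policy.min_patch_level:
        return Decision.RESTRICT, (
            f"patch level {credentials['os_patch_level']} below {policy.min_patch_level}")
    if parse_version(credentials["csa_version"]) < parse_version(policy.min_csa_version):
        return Decision.RESTRICT, (
            f"CSA {credentials['csa_version']} below {policy.min_csa_version}")

    return Decision.PERMIT, "compliant"


def enforcement_for(decision: Decision) -> str:
    """Name of the ACL the NAD would apply for this decision (assumed names)."""
    return ENFORCEMENT[decision]


# Assumed policy thresholds for the example.
POLICY = Policy(min_os_version="10.0", min_patch_level=5,
                max_av_signature_age_days=7, min_csa_version="5.2")

# Constructed posture credentials as four endpoints might report them.
SAMPLE_ENDPOINTS = {
    "pc-compliant": {"os_version": "10.0.19045", "os_patch_level": 7,
                     "av_enabled": True, "av_signature_age_days": 1,
                     "csa_version": "5.2.0"},
    "pc-stale-av": {"os_version": "10.0.19045", "os_patch_level": 7,
                    "av_enabled": True, "av_signature_age_days": 30,
                    "csa_version": "5.2.0"},
    "pc-unpatched": {"os_version": "10.0.19045", "os_patch_level": 3,
                     "av_enabled": True, "av_signature_age_days": 2,
                     "csa_version": "5.2.0"},
    "printer-no-agent": {},
}

if __name__ == "__main__":
    for host, creds in SAMPLE_ENDPOINTS.items():
        decision, reason = validate_posture(creds, POLICY)
        print(f"{host:18s} {decision.value:10s} {enforcement_for(decision):16s} {reason}")
```

Running the block prints one decision line per constructed endpoint. The ordering of the checks is the design choice to notice: disabled or stale antivirus goes straight to quarantine because that is the condition the deployment exists to catch, a lagging patch level gets restricted access rather than denial, and an endpoint that presents no credentials is denied because there is nothing to validate. In a real deployment the evaluation happens on the AAA server, not on the router, since the credentials are reported by the endpoint itself.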
NAC policies in Security Manager enable a Cisco IOS router to act as a Network Access Device (NAD)
for enforcing policy compliance on devices seeking to access the network. The following topics describe
additional details about NAC:
• Understanding NAC Components, page 61-9
• Understanding NAC System Flow, page 61-9
The following topics describe the tasks you perform to create NAC policies on Cisco IOS routers:
• Defining NAC Setup Parameters, page 61-10
• Defining NAC Interface Parameters, page 61-11
• Defining NAC Identity Parameters, page 61-13
Router Platforms Supporting NAC
To configure NAC policies on a router, the router must be running a Cisco IOS Software Release 12.3(8)T
or later image with the Advanced Security feature set. Even with such an image, the following routers do
not support NAC:
• Cisco 7600 Series (7603, 7604, 7606, 7609, 7613)
• Cisco 7300 Series (7301, 7304)
• Cisco 7100 Series VPN Routers (7120, 7140, 7160)
• Cisco 3600 Series Multiservice Platforms (3620, 3631, 3661, 3662)
Table 61-1 802.1x Page (Continued)
Element: Supplicant period
Description: The number of seconds the router waits before retransmitting EAP-Request/Identity packets to the supplicant (the client PC). If the router sends an EAP-Request/Identity packet to the supplicant and the supplicant does not respond, the router sends the packet again after this interval elapses. Valid values range from 1 to 65535 seconds. The default is 30 seconds.