61-10
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 61 Configuring Identity Policies
Network Admission Control on Cisco IOS Routers
3. The CTA sends its posture credentials to the NAD using EAP over UDP.
4. The NAD sends these posture credentials to the ACS using RADIUS.
5. The ACS performs posture validation, which determines whether to allow the device to access the network. (If necessary, the ACS requests additional posture validation from a third-party server. For example, if the CTA forwards credentials that are specific to a particular antivirus application, the ACS forwards this information via the HCAP protocol to a vendor server for validation.) If the device is a clientless host, the ACS checks the username and password it receives against its locally stored list.
6. The ACS directs the NAD to enforce the appropriate access policy on the requesting device. Access may be granted, denied, redirected, or restricted.
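To make the decision logic in steps 3 through 6 concrete, the following Python model is an added example, not code from the Cisco Security Manager guide or from Cisco. It simulates the NAD relaying posture credentials to the ACS, the ACS delegating antivirus-specific credentials to a vendor policy server (the HCAP hop), the clientless-host username/password path, and the four enforcement outcomes. The class names, the posture-token names (healthy, checkup, quarantine, infected), the token-to-action mapping and all sample hosts are assumptions constructed for the example.

```python
# Added example: model of the NAC posture-validation flow in steps 3-6.
# Not code from the Cisco Security Manager guide; component names and the
# posture-token scheme used here are assumptions for illustration.
import hashlib
import hmac
from dataclasses import dataclass, field

# Enforcement outcomes listed in step 6 of the guide.
GRANT, DENY, REDIRECT, RESTRICT = "grant", "deny", "redirect", "restrict"

# Assumed mapping from a posture token to the access policy the NAD enforces.
TOKEN_TO_ACTION = {
    "healthy": GRANT,        # compliant: full access
    "checkup": RESTRICT,     # minor drift: limited access, revalidate later
    "quarantine": REDIRECT,  # non-compliant: redirect to remediation
    "infected": DENY,        # actively unsafe: block
}


@dataclass
class PostureRequest:
    """What the NAD relays to the ACS over RADIUS (step 4)."""
    host: str
    credentials: dict = field(default_factory=dict)  # CTA posture credentials (step 3)
    clientless: bool = False
    username: str = ""
    password: str = ""


class VendorPolicyServer:
    """Stand-in for the optional third-party server the ACS consults via HCAP."""
    def __init__(self, minimum_definitions: int):
        self.minimum_definitions = minimum_definitions

    def validate(self, antivirus: dict) -> str:
        if not antivirus.get("enabled", False):
            return "infected"
        if antivirus.get("definitions", 0) < self.minimum_definitions:
            return "quarantine"
        return "healthy"


class AccessControlServer:
    """ACS posture validation (step 5): decides the token, hands the NAD an action."""
    def __init__(self, vendor: VendorPolicyServer, local_accounts: dict, min_cta_version: int):
        self.vendor = vendor
        self.local_accounts = local_accounts  # username -> sha256 hex of password (constructed store)
        self.min_cta_version = min_cta_version

    def _clientless(self, req: PostureRequest) -> str:
        # Clientless host: no CTA, so only the locally stored username/password decides.
        stored = self.local_accounts.get(req.username)
        if stored is None:
            return DENY
        digest = hashlib.sha256(req.password.encode()).hexdigest()
        return GRANT if hmac.compare_digest(digest, stored) else DENY

    def validate(self, req: PostureRequest) -> str:
        if req.clientless:
            return self._clientless(req)
        cta = req.credentials.get("cta", {})
        if cta.get("version", 0) < self.min_cta_version:
            return TOKEN_TO_ACTION["quarantine"]  # agent too old to trust its report
        antivirus = req.credentials.get("antivirus")
        if antivirus is None:
            return TOKEN_TO_ACTION["checkup"]     # no antivirus credential: limited access
        token = self.vendor.validate(antivirus)   # the HCAP round-trip to the vendor server
        return TOKEN_TO_ACTION[token]


class NetworkAccessDevice:
    """The IOS router: forwards to the ACS (step 4) and enforces the reply (step 6)."""
    def __init__(self, acs: AccessControlServer):
        self.acs = acs
        self.enforced: dict = {}

    def admit(self, req: PostureRequest) -> str:
        action = self.acs.validate(req)
        self.enforced[req.host] = action
        return action


def simulate() -> dict:
    """Run constructed sample hosts through the flow; returns host -> enforced action."""
    vendor = VendorPolicyServer(minimum_definitions=2024)
    accounts = {"printer01": hashlib.sha256(b"correct-horse").hexdigest()}  # constructed
    nad = NetworkAccessDevice(AccessControlServer(vendor, accounts, min_cta_version=2))
    samples = [  # constructed posture reports
        PostureRequest("pc-healthy", {"cta": {"version": 2}, "antivirus": {"enabled": True, "definitions": 2030}}),
        PostureRequest("pc-stale-av", {"cta": {"version": 2}, "antivirus": {"enabled": True, "definitions": 1990}}),
        PostureRequest("pc-av-off", {"cta": {"version": 2}, "antivirus": {"enabled": False}}),
        PostureRequest("pc-no-av", {"cta": {"version": 2}}),
        PostureRequest("pc-old-cta", {"cta": {"version": 1}, "antivirus": {"enabled": True, "definitions": 2030}}),
        PostureRequest("printer01", clientless=True, username="printer01", password="correct-horse"),
        PostureRequest("rogue", clientless=True, username="printer01", password="guess"),
    ]
    for req in samples:
        nad.admit(req)
    return dict(nad.enforced)


if __name__ == "__main__":
    for host, action in simulate().items():
        print(f"{host:12s} -> {action}")
```

Running the block prints one enforcement decision per sample host. The point worth noticing is that the NAD never evaluates posture itself; every outcome, including the clientless branch, is decided by the ACS and merely enforced at the router, which is why the AAA server group selection in the setup parameters below matters for the whole flow.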
Figure 61-2 NAC System Flow
Related Topics
Understanding NAC Components, page 61-9
Network Admission Control on Cisco IOS Routers, page 61-8
Defining NAC Setup Parameters
You configure NAC setup parameters by selecting the AAA server groups that obtain and validate the posture credentials received from devices trying to connect to the network. You can configure an option that allows devices lacking the Cisco Trust Agent (CTA) to be authenticated by a predefined username and password stored on a Cisco Secure Access Control Server (ACS). Additionally, you can modify default settings for EAP over UDP. This is the protocol used for posture validation communications between the Cisco IOS router serving as the network access device (NAD) and the device trying to access your network.
Related Topics
Defining NAC Interface Parameters, page 61-11
Defining NAC Identity Parameters, page 61-13
Network Admission Control on Cisco IOS Routers, page 61-8
Step 1 Do one of the following:
(Device view) Select Platform > Identity > Network Admission Control from the Policy selector, then click the Setup tab in the work area.
(Policy view) Select Router Platform > Identity > Network Admission Control from the Policy Type selector. Select an existing policy or create a new one, and then click the Setup tab.
The NAC Setup tab is displayed. See Table 61-2 on page 61-15 for a description of the fields on this tab.
[Figure 61-2 NAC System Flow: CTA client --EAPoUDP--> Network Access Device --RADIUS--> ACS (AAA Server) --HCAP--> Vendor Policy Server (Optional)]