61-12
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 61 Configuring Identity Policies
Network Admission Control on Cisco IOS Routers
Related Topics
• Defining NAC Setup Parameters, page 61-10
• Defining NAC Identity Parameters, page 61-13
• Network Admission Control on Cisco IOS Routers, page 61-8
Step 1 Do one of the following:
• (Device view) Select Platform > Identity > Network Admission Control from the Policy selector, then click the Interfaces tab in the work area.
• (Policy view) Select Router Platform > Identity > Network Admission Control from the Policy Type selector. Select an existing policy or create a new one, and then click the Interfaces tab.
The NAC Interfaces tab is displayed. See Table 61-3 on page 61-16 for a description of the fields on this tab.
Step 2 On the NAC Interfaces tab, select an interface definition from the table, then click Edit, or click Add to create a definition. The NAC Interface Configuration dialog box appears. See Table 61-4 on page 61-17 for a description of the fields in this dialog box.
Step 3 Enter the name of the interface or interface role on which NAC is performed, or click Select to select an interface role from a list or to create a new one. For more information, see Specifying Interfaces During Policy Definition, page 6-70.
Step 4 (Optional) Enter the name of the ACL object that acts as the intercept ACL, or click Select to select it from a list or to create a new object.
The intercept ACL determines which traffic on the selected interfaces is subject to posture validation before being granted access to the network. If you do not select an ACL, all traffic on the selected interfaces is subject to posture validation.
Note If you defined an authentication proxy on the same interface as a NAC interface, you must use the same intercept ACL in both policies. Otherwise, deployment might fail. For more information about authentication proxies, see Configuring AAA Rules for IOS Devices, page 15-7.
Step 5 (Optional) To override the device-level value defined for maximum attempts to initiate an EAP over UDP session, enter a new value in the EAP over UDP Max Retries field.
Step 6 (Optional) Deselect the Enable EOU Session Revalidation check box if you do not want the NAD to periodically revalidate all EAP over UDP sessions.
Note Subinterfaces support default values only for the options described in Step 5 and Step 6.
Step 7 Click OK to save your definitions locally on the client and close the dialog box. Your interface definitions appear in the table on the NAC Interfaces tab.
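The following is an added example, not code from this guide or from Cisco Security Manager. The note in Step 4 requires an authentication proxy and a NAC policy applied to the same interface to share one intercept ACL, and Steps 5 and 6 let an interface override the device-level EAP over UDP max-retry and revalidation values. The script below checks both points against a constructed IOS-style configuration: the command syntax it parses (ip admission name ... eapoudp list, ip auth-proxy name ... http list, eou max-retry, eou revalidate, and the per-interface forms) is assumed from IOS conventions rather than taken from this page, and the configuration text, interface names and policy names are made up for the example.

```python
"""Check NAC interface settings in an IOS-style running-config.

Reports (1) interfaces where a NAC (EAPoUDP) policy and an authentication
proxy are applied with different intercept ACLs, which the guide warns can
make deployment fail, and (2) each NAC interface's effective max-retry and
revalidation settings after device-level defaults are applied.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration (not from the page or a real device).
# Assumed syntax:
#   ip admission name <policy> eapoudp [list <acl>]   NAC policy + intercept ACL
#   ip auth-proxy name <policy> http [list <acl>]     authentication proxy + ACL
#   ip admission <policy> / ip auth-proxy <policy>    applied under an interface
#   eou max-retry <n> / [no] eou revalidate           device-level or per-interface
SAMPLE_CONFIG = """\
ip admission name NAC-EOU eapoudp list NAC-INTERCEPT
ip auth-proxy name WEB-AUTH http list NAC-INTERCEPT
ip auth-proxy name OTHER-AUTH http list OTHER-ACL
eou max-retry 3
eou revalidate
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip admission NAC-EOU
 ip auth-proxy WEB-AUTH
!
interface GigabitEthernet0/1
 ip admission NAC-EOU
 ip auth-proxy OTHER-AUTH
 eou max-retry 5
!
interface GigabitEthernet0/2
 ip admission NAC-EOU
 no eou revalidate
!
"""

POLICY_RE = re.compile(r"^ip (admission|auth-proxy) name (\S+) (\S+)(?: list (\S+))?")
GLOBAL_RETRY_RE = re.compile(r"^eou max-retry (\d+)")
IFACE_RE = re.compile(r"^interface (\S+)")


@dataclass
class Iface:
    name: str
    nac_policy: Optional[str] = None
    proxy_policy: Optional[str] = None
    max_retry: Optional[int] = None      # None = no per-interface override
    revalidate: Optional[bool] = None    # None = no per-interface override


def parse_config(text):
    """Return (policies, global_max_retry, global_revalidate, interfaces).

    policies maps policy name -> (kind, intercept ACL or None for "all traffic").
    """
    policies, interfaces = {}, []
    global_retry, global_revalidate = None, True
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):                 # device-level line
            current = None
            m = POLICY_RE.match(line)
            if m:
                kind, name, method, acl = m.groups()
                if kind == "admission" and method != "eapoudp":
                    continue                         # not a NAC policy
                policies[name] = (kind, acl)
            elif GLOBAL_RETRY_RE.match(line):
                global_retry = int(GLOBAL_RETRY_RE.match(line).group(1))
            elif line == "no eou revalidate":
                global_revalidate = False
            elif IFACE_RE.match(line):
                current = Iface(IFACE_RE.match(line).group(1))
                interfaces.append(current)
            continue
        if current is None:
            continue
        line = line.strip()                          # interface-level line
        if line.startswith("ip admission "):
            current.nac_policy = line.split()[2]
        elif line.startswith("ip auth-proxy "):
            current.proxy_policy = line.split()[2]
        elif line.startswith("eou max-retry "):
            current.max_retry = int(line.split()[2])
        elif line == "no eou revalidate":
            current.revalidate = False
        elif line == "eou revalidate":
            current.revalidate = True
    return policies, global_retry, global_revalidate, interfaces


def intercept_acl_conflicts(text):
    """Interfaces whose NAC policy and authentication proxy use different intercept ACLs."""
    policies, _, _, interfaces = parse_config(text)
    conflicts = []
    for itf in interfaces:
        if itf.nac_policy in policies and itf.proxy_policy in policies:
            nac_acl = policies[itf.nac_policy][1]
            proxy_acl = policies[itf.proxy_policy][1]
            if nac_acl != proxy_acl:
                conflicts.append((itf.name, itf.nac_policy, nac_acl, itf.proxy_policy, proxy_acl))
    return conflicts


def nac_interface_settings(text):
    """Effective intercept ACL, max-retry and revalidation per NAC interface."""
    policies, global_retry, global_revalidate, interfaces = parse_config(text)
    result = {}
    for itf in interfaces:
        if itf.nac_policy not in policies:
            continue
        result[itf.name] = {
            "intercept_acl": policies[itf.nac_policy][1],
            "max_retry": itf.max_retry if itf.max_retry is not None else global_retry,
            "revalidate": itf.revalidate if itf.revalidate is not None else global_revalidate,
        }
    return result


if __name__ == "__main__":
    for c in intercept_acl_conflicts(SAMPLE_CONFIG):
        print("intercept ACL mismatch on %s: %s uses %s, %s uses %s" % c)
    for name, s in nac_interface_settings(SAMPLE_CONFIG).items():
        print(name, s)
```

Run against the sample, the check flags GigabitEthernet0/1 (NAC-INTERCEPT versus OTHER-ACL) and shows GigabitEthernet0/1 overriding max-retry to 5 while GigabitEthernet0/2 has revalidation turned off; the same functions can be pointed at a real show running-config capture once the assumed command forms are confirmed for the device's IOS release.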