Cisco Systems CL-28826-01 Security Camera User Manual


61-15
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 61 Configuring Identity Policies
Network Admission Control Policy Page
Field Reference
Table 61-2 Network Admission Control Setup Tab

Element: AAA Server Group
Description: The AAA server group used for NAC authentication. You must select a server group consisting of Cisco Secure Access Control Server (ACS) devices running the RADIUS protocol. Enter the name of a AAA server group object, or click Select to select the object from a list or to create a new one.
Note: Each AAA server in the selected group must be configured to communicate with an interface that exists on the router; otherwise, validation fails.

Element: Backup AAA Server Group 1
Description: The backup AAA server group in case the AAA servers in the main group are down.

Element: Backup AAA Server Group 2
Description: The secondary backup AAA server group in case the AAA servers in the main group and the first backup group are down.

EAP over UDP (EoU) settings

Element: Allow IP Station ID
Description: When selected, enables an IP address to be included in the calling-station-id field of RADIUS requests sent to the ACS.
When deselected, IP addresses are not included in the calling-station-id field of RADIUS requests sent to the ACS.

Element: Allow Clientless
Description: When selected, enables devices that do not have the Cisco Trust Agent (CTA) installed to be authenticated through the use of a username and password configured on the ACS.
If you select this check box, enter the username and password (including confirmation) in the fields provided.
When deselected, NAC prevents devices lacking the CTA from accessing the network, if their traffic matches the intercept ACL (see NAC Interface Configuration Dialog Box, page 61-17).
Note: This feature is not supported on routers running Cisco IOS Software Release 12.4(6)T or later.

Element: Max Retry
Description: The maximum number of retries that all NAC interfaces on this router should make when initiating an EAP over UDP session with a connecting device.
Valid values range from 1 to 3. The default is 3.
Note: You can override this global value on a specific interface, if required. See Network Admission Control Page—Interfaces Tab, page 61-16.

Element: Rate Limit
Description: The number of EAP over UDP posture validations that the router can handle simultaneously. Additional devices cannot be validated until one or more devices drop off.
Valid values range from 1 to 200. The default is 20. If you set this value to 0, rate limiting is turned off.
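
The following is an added example, not part of the Cisco guide: a Python check that reads the global EoU settings from a router configuration and reports values that fall outside the ranges in Table 61-2, or that relax NAC enforcement. It assumes the IOS global `eou` commands (`eou allow`, `eou max-retry`, `eou rate-limit`) are the CLI counterparts of the Setup tab fields; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample. Assumption: the IOS global `eou` commands are the CLI
# counterparts of the Setup tab fields; the guide page shows only the GUI.
SAMPLE_CONFIG = """\
hostname branch-rtr-01
eou allow clientless
eou allow ip-station-id
eou max-retry 5
eou rate-limit 0
interface FastEthernet0/0
 eou max-retry 2
"""

MAX_RETRY_RANGE = (1, 3)     # Table 61-2: valid 1 to 3, default 3
RATE_LIMIT_RANGE = (1, 200)  # Table 61-2: valid 1 to 200, default 20, 0 = off


def parse_eou(config):
    """Collect global (unindented) eou settings, starting from the defaults."""
    settings = {"clientless": False, "ip_station_id": False,
                "max_retry": 3, "rate_limit": 20}
    for line in config.splitlines():
        if line[:1].isspace():  # indented: per-interface override, not global
            continue
        m = re.fullmatch(r"eou\s+(allow|max-retry|rate-limit)\s+(\S+)", line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "allow" and value in ("clientless", "ip-station-id"):
            settings[value.replace("-", "_")] = True
        elif key != "allow" and value.isdigit():
            settings[key.replace("-", "_")] = int(value)
    return settings


def audit(settings):
    """Return review findings for the parsed global EoU settings."""
    findings = []
    lo, hi = MAX_RETRY_RANGE
    if not lo <= settings["max_retry"] <= hi:
        findings.append(f"max-retry {settings['max_retry']} is outside {lo}-{hi}")
    lo, hi = RATE_LIMIT_RANGE
    if settings["rate_limit"] == 0:
        findings.append("rate-limit 0: posture-validation rate limiting is off")
    elif not lo <= settings["rate_limit"] <= hi:
        findings.append(f"rate-limit {settings['rate_limit']} is outside {lo}-{hi}")
    if settings["clientless"]:
        findings.append("clientless allowed: hosts without the CTA are "
                        "authenticated with the username/password on the ACS")
    return findings
```

Calling `audit(parse_eou(SAMPLE_CONFIG))` returns three findings for the constructed sample; a configuration with no global `eou` lines is evaluated against the table defaults and returns none.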