Chapter 14 Network Admission Control
About Network Admission Control
User Guide for Cisco Secure ACS for Windows Server
6. Cisco Secure ACS sends the NAC-client computer the system posture token
and the results of each policy applied to the posture validation request, and
then ends the PEAP session.
7. Cisco Secure ACS sends the AAA client the RADIUS attributes as
configured in the mapped user group, including ACLs and attribute-value
pairs configured in the Cisco IOS/PIX RADIUS attribute cisco-av-pair.
8. Cisco Secure ACS logs the results of the posture validation request. If the
request resulted in a system posture token of Healthy, Cisco Secure ACS logs
the results in the Passed Authentications log (if it is enabled). If the
request resulted in a posture token of anything other than Healthy,
Cisco Secure ACS logs the result in the Failed Attempts log.
The NAC client handles the results of the posture validation request according to
its configuration. The AAA client enforces network access as dictated by
Cisco Secure ACS in its RADIUS response. By configuring group mapping, you
define authorizations and, therefore, network access control, based on the system
posture token determined as a result of posture validation.
Posture Tokens
Posture tokens are symbols that represent the state of a NAC-client computer or a
NAC-compliant application installed on the computer. A token associated with
the state of the computer is a system posture token (SPT). A token associated with
the state of a NAC-compliant application is an application posture token (APT).
APTs are the result of applying a policy to the credentials received in a posture
validation request. Cisco Secure ACS determines the SPT of each request by
comparing the APTs from all policies applied to the request. The worst APT
becomes the SPT.
There are five predefined, non-configurable posture tokens, used for both SPTs
and APTs. Listed in order from best to worst, they are as follows:
• Healthy
• Checkup
• Quarantine
• Infected
• Unknown
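
The following is an added example, not code from Cisco Secure ACS or from this guide. It models the two rules described above: the worst APT becomes the SPT, and the log that records the request depends on whether the SPT is Healthy. The function names, policy names and the handling of empty or unrecognized input are assumptions.

```python
# Added example: the token order and the logging rule come from the text above;
# function names and sample policy names are hypothetical.

# Predefined tokens, listed from best to worst as in the guide.
TOKEN_ORDER = ["Healthy", "Checkup", "Quarantine", "Infected", "Unknown"]
SEVERITY = {name: rank for rank, name in enumerate(TOKEN_ORDER)}


def system_posture_token(apts):
    """Return the SPT for one request: the worst APT among all applied policies.

    `apts` maps a policy name to the APT that policy produced.
    """
    if not apts:
        # Assumption: the guide does not describe a request with no policy
        # results, so this sketch refuses rather than guessing a token.
        raise ValueError("no policy results to evaluate")
    for policy, token in apts.items():
        if token not in SEVERITY:
            raise ValueError(f"policy {policy!r} returned unrecognized token {token!r}")
    return max(apts.values(), key=SEVERITY.__getitem__)


def log_destination(spt, passed_log_enabled=True):
    """Name the log that records the request (step 8), or None if not logged."""
    if spt not in SEVERITY:
        raise ValueError(f"unrecognized token {spt!r}")
    if spt == "Healthy":
        return "Passed Authentications" if passed_log_enabled else None
    return "Failed Attempts"


def evaluate(apts, passed_log_enabled=True):
    """Return (SPT, log name) for one posture validation request."""
    spt = system_posture_token(apts)
    return spt, log_destination(spt, passed_log_enabled)


if __name__ == "__main__":
    # Constructed sample: results from three hypothetical policies.
    sample = {
        "antivirus-policy": "Healthy",
        "os-patch-policy": "Quarantine",
        "firewall-policy": "Checkup",
    }
    print(evaluate(sample))
```

A single non-Healthy APT is enough to move the whole request to the Failed Attempts log, so one strict policy decides the outcome regardless of how many others return Healthy.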