Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS 4.2 NAP - advanced filter


i must configure advanced filter in NAP setup on acs 4.2 and need grant access only user, in domain, that match the pofile.

must avoid access to external users that steel credential as "rogue users".

which is the value i must select for avoid tihs condition?

some ideas?

thx for all

best regards


Re: ACS 4.2 NAP - advanced filter

If a rogue user has access to a valid username/password its a challenge to detect this. You could use

  1. RSA tokens, probably the easiest method from ACS perspective... no passwords to steal and requires a PIN.
  2. NARs. Painful but if you knew the mac address(es) each user might use its possible to catch stolen credentials
  3. NAC, If valid users have a NAC aware client, ACS can interrogate the registry on the client to check for known keys/values

Neither 2 or 3 would handle a stolen laptop. No easy answers here Im afraid. The question is really "how would you determine if someone on the network was legit" - if you cant tell, ACS will not be able to either.

FWIW the advanced filtering on the NAP page is more intended as a method by which the desired network service can be determined, and therefore handled by the appropriate policy (WLAN, VPN, etc).

New Member

Re: ACS 4.2 NAP - advanced filter

i try to use eap-tls for certificate-authentication-machine, but i have a problem with CA(certification authority);

i must to trust the machine(computer) and no the user, becouse i need use the single computer for multi-client logging.

use certificate is only method for avoid steel credential i think

are you a case-study for example?

thx a lot

CreatePlease login to create content