Cisco Support Community
Community Member

NAC 4.1 Posture Validation


Whether Cisco NAC 4.1 does system check continuously after being logged in?


Re: NAC 4.1 Posture Validation

Hi Partha,

It all depends on what you mean by "check continuously" because this is a setting which can be set. Though I doubt anyone would set it so low that it would be checking all the time. Everyday or so is usually good enough, unless you notice a higher than normal number of problems on your network.

This is taken directly from the Cisco NAC Appliance Field Q&A:

"Yes. The administrator can set the length of time after which all users on the certified devices list will need to be rescanned. Most customers require rescanning between once daily and once weekly. Administrators can also manually reset the certified devices list in the event of high worm and virus activity."

Hope this helps.


Community Member

Re: NAC 4.1 Posture Validation

Hello Paul,

Where do you configure this? (timer for the certified devices to be rescanned)

The only option I've found is in "Certified Devices / timer" and then delete the X last certified devices every Y min.

This mean these devices have to go through an authentication/posture assessment again.

What I would like is a "silent" posture assessment every X min, and when the result is negative then disconnect the device.

Because in OOB Mode after a successful authentication / posture assessment, the users have then the possibility to do something "nasty".

Many thanks.




Re: NAC 4.1 Posture Validation

Hi Rishi,

The "Silent" Posture assessment sounds like a great feature request. Unfortunately, here is what the documentation states:

"In most OOB deployments (except L2 OOB Virtual Gateway where the Default Access VLAN is the Access VLAN in Port profile), the client, after posture assessment, needs to acquire a different IP address from the Access VLAN."

I don't see anyway around having end users go through the authentication/posture assessment again.

You are correct that in OOB mode end users have the ability to do something "nasty" after they have been allowed on the network.

I suppose another layer of security is what is needed in these cases, like a Cisco Security Agent to prevent Day Zero attacks.

Hope this helps.


CreatePlease to create content