Traffic Policies IN NAC

Hello friends,

For host remediation, should we allow access to a particular destination, or is it accessible by default?

OR

Are traffic policies applied after a host passes posture assessment and remediation, to limit network access?

Thanks

Re: Traffic Policies IN NAC

Estela,

Whatever hosts you allow in your "Temporary Role" are allowed while the agent is in remediation phase.

If your setup is In-Band, then whatever hosts you allow in your final role, your users will be limited to those. If it's OOB, then users would be limited only by any filtering you do on your firewall or proxy, but none by NAC.

HTH,

Faisal

Re: Traffic Policies IN NAC

Hello Faisal,

Thanks for the response.

My setup is in-band virtual mode.

From your reply, what I understand is that if the host wants to pass posture assessment, it has to be permitted access to the particular destination.

For example: if the host is not fully updated with AV, then it has to be permitted access to the AV server for the updates in the temporary role.

The access-list will be like: permit tcp any host 10.10.10.10 (AV Server) eq (port)

Correct me if I'm wrong?

2) After the host succeeds in host posture assessment, can we also limit the host to a particular destination after that?

Where is the option where we can specify such an access-list?

Thanks

Re: Traffic Policies IN NAC

Estela,

Correct on your first question. In the temporary role you will have to allow access to the remediation resources (AV servers, WU servers, etc.)

For the second question, you can apply those access lists on the end role in which the user will be placed. For example if your user ends up in the Staff role, then you can define the traffic patterns that are allowed for the staff role and the user would be allowed access only to those sites which you allow in that role.

HTH,

Faisal

Re: Traffic Policies IN NAC

Thanks Faisal,

Re: Traffic Policies IN NAC

Hi Faisal,

I need to be clear about the default host policy.

If we have an internal antivirus and patch management server, do we need to enable default host policies?

My understanding is that if the client has to go to the internet for the update, at that time we need to configure a host-based policy. Am I correct?

Please advise me.

Thank you

Re: Traffic Policies IN NAC

Laxman,

That is correct. If you know the internal server's IP addresses (which one would assume you'd know since you control them) then you can just add those entries in the IP section of the traffic policies. The host section comes in handy when you don't know what the IP address is, or if the IP address changes for the remediation servers on the internet. When you enable hosts in the hosts section, CAS is listening for the DNS traffic and it picks up the IP addresses that get returned from the DNS query and then opens traffic to them.

Makes sense?

Faisal
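The two answers above describe one evaluation model: a host sits in the temporary role until posture passes, each role's traffic policy is default-deny with static permits in the IP section, the host section opens whatever IPs the CAS sees returned in the client's DNS replies for a listed name, and in OOB mode a certified host is no longer filtered by NAC at all. The simulation below, added here as an illustration and not Cisco code or anything from the Clean Access product, replays that model end to end: the role names, addresses, hostnames and the assumption that DNS-learned IPs are tracked per client are all made up for the example.

```python
"""Simulated Cisco NAC (Clean Access) traffic-policy evaluation.

Constructed example for this thread, not Cisco code. Role names, IPs,
hostnames and the per-client DNS learning are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass
class IpRule:
    """Entry in the 'IP section' of a role's traffic policy: a static permit."""
    proto: str                  # "tcp", "udp" or "any"
    dst: str                    # destination prefix, e.g. "10.10.10.10/32"
    port: Optional[int] = None  # None = any port

    def matches(self, proto: str, dst_ip: str, port: int) -> bool:
        return (self.proto in ("any", proto)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.port in (None, port))


@dataclass
class HostRule:
    """Entry in the 'host section': permit whatever IPs DNS returns for a name."""
    hostname: str
    proto: str = "any"
    port: Optional[int] = None


@dataclass
class Role:
    name: str
    ip_rules: List[IpRule] = field(default_factory=list)
    host_rules: List[HostRule] = field(default_factory=list)


class CleanAccessServer:
    """Default-deny policy engine for one CAS in 'in-band' or 'oob' mode."""

    def __init__(self, mode: str, temporary: Role, final_roles: List[Role]):
        self.mode = mode
        self.temporary = temporary
        self.final = {r.name: r for r in final_roles}
        self.client_role: Dict[str, Role] = {}
        # DNS answers seen per client and name (assumed per-client learning).
        self.learned: Dict[str, Dict[str, Set[str]]] = {}

    def connect(self, client: str) -> None:
        """A new host lands in the temporary role until the agent passes posture."""
        self.client_role[client] = self.temporary
        self.learned[client] = {}

    def observe_dns(self, client: str, qname: str, answers: Set[str]) -> None:
        """CAS listens to the client's DNS replies; a name in a host rule opens the returned IPs."""
        role = self.client_role[client]
        qname = qname.lower()
        if any(h.hostname.lower() == qname for h in role.host_rules):
            self.learned[client].setdefault(qname, set()).update(answers)

    def posture_passed(self, client: str, role_name: str) -> None:
        """Agent reported a clean posture: move the host to its final role."""
        self.client_role[client] = self.final[role_name]

    def permits(self, client: str, proto: str, dst_ip: str, port: int) -> bool:
        role = self.client_role[client]
        if self.mode == "oob" and role is not self.temporary:
            return True  # OOB: certified hosts bypass the CAS; only firewall/proxy filter them
        if any(r.matches(proto, dst_ip, port) for r in role.ip_rules):
            return True
        for h in role.host_rules:  # only IPs actually seen in a DNS answer for that name
            if (h.proto in ("any", proto) and h.port in (None, port)
                    and dst_ip in self.learned[client].get(h.hostname.lower(), set())):
                return True
        return False  # nothing matched: blocked


def walkthrough(mode: str = "in-band") -> Dict[str, bool]:
    """Replays the thread's scenario; all addresses and names are made up."""
    temporary = Role("Temporary", ip_rules=[
        IpRule("tcp", "10.10.10.10/32", 8080),   # internal AV server (IP section)
        IpRule("tcp", "10.10.10.20/32", 80),     # internal patch server (IP section)
    ], host_rules=[HostRule("update.example.com", "tcp", 443)])  # internet source (host section)
    staff = Role("Staff", ip_rules=[IpRule("any", "10.20.0.0/16"),
                                    IpRule("tcp", "0.0.0.0/0", 443)])
    cas = CleanAccessServer(mode, temporary, [staff])
    cas.connect("pc1")
    out = {
        "tmp_av": cas.permits("pc1", "tcp", "10.10.10.10", 8080),
        "tmp_fileserver": cas.permits("pc1", "tcp", "10.20.0.5", 445),
        "tmp_internet_before_dns": cas.permits("pc1", "tcp", "203.0.113.7", 443),
    }
    cas.observe_dns("pc1", "update.example.com", {"203.0.113.7"})
    out["tmp_internet_after_dns"] = cas.permits("pc1", "tcp", "203.0.113.7", 443)
    out["tmp_other_ip_same_port"] = cas.permits("pc1", "tcp", "203.0.113.8", 443)
    cas.posture_passed("pc1", "Staff")
    out["staff_fileserver"] = cas.permits("pc1", "tcp", "10.20.0.5", 445)
    out["staff_av_port"] = cas.permits("pc1", "tcp", "10.10.10.10", 8080)
    out["staff_telnet_internet"] = cas.permits("pc1", "tcp", "203.0.113.9", 23)
    return out


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k:26} {'permit' if v else 'deny'}")
```

Running `walkthrough()` with the default in-band mode shows the behaviour the replies describe: only the internal AV and patch servers are reachable in the temporary role, the internet update host becomes reachable only after a DNS answer for exactly that name has been seen (a different IP on the same port stays blocked), and once the host moves to the Staff role its access is whatever the Staff policy permits and nothing else. Calling `walkthrough("oob")` keeps the temporary-role results identical but returns permit for every final-role check, because in OOB the CAS is no longer in the traffic path.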

Re: Traffic Policies IN NAC

Faisal,

Understood.

Thanks again.

--Laxman
