About NAC Credentials and Attributes – Cisco Secure ACS 3.3 User Manual


14-11

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

Chapter 14 Network Admission Control

NAC Databases

mandatory credential types. This design enables you to create a default
database so that no posture validation request is rejected due to missing
credential types.

Credential validation policies—A NAC database has one or more credential
validation policies. When Cisco Secure ACS uses a NAC database to evaluate
a posture validation request, it applies each policy associated with the NAC
database to the attributes received in the request.

About NAC Credentials and Attributes

For posture validation, credentials are the sets of attributes sent from the NAC
client to Cisco Secure ACS. Also known as inbound attributes, these attributes
contain data used during posture validation to determine the posture of the
computer. Cisco Secure ACS considers attributes from each NAC-compliant
application and from CTA to be different types of credentials.

With local policies, the rules you create use the content of inbound attributes to
determine the APT returned by applying the policy. With external policies,
Cisco Secure ACS forwards the credential types you specify to the external NAC
server. In either case, the contents of inbound attributes provide the information
used to determine posture and thus to control network admission for the computer.

Cisco Secure ACS uses NAC attributes in its response to the NAC client. These
attributes are known as outbound attributes. For example, APTs and the SPT are
sent to the NAC client in attributes.

Credential types are uniquely identified by the combination of two identifiers:
vendor ID and application ID. The vendor ID is the number assigned to the vendor
in the IANA Assigned Numbers RFC. For example, vendor ID 9 corresponds to
Cisco Systems, Inc. Vendors assign numbers to the NAC applications they
provide. For example, with Cisco Systems, Inc. applications, application ID 1
corresponds to CTA. In the HTML interface, when you specify result credential
types for a local policy, credential types are identified by the names assigned to
the vendor and application. For example, the credential type for CTA is Cisco:PA
(“PA” refers to “posture agent”, another term for CTA). In a posture validation
response, Cisco Secure ACS would use the numeric identifiers 9 and 1, which are
the identifiers for Cisco and CTA.

Attributes are uniquely identified by the combination of three identifiers: vendor
ID, application ID, and attribute ID. For each unique combination of vendor and
application, there is a set of attributes that each have numbers as well. When
