Chapter 30
Configuring Tunnel Groups, Group Policies, and Users
Group Policies
The following example disables inheritance and specifies that all hosts will be subject to posture
validation:
hostname(config-group-policy)# no vpn-nac-exempt none
hostname(config-group-policy)
The following example removes all entries from the exemption list:
hostname(config-group-policy)# no vpn-nac-exempt
hostname(config-group-policy)
Enable or disable Network Admission Control by entering the following command:
Step 5
hostname(config-group-policy)# nac {enable | disable}
hostname(config-group-policy)#
To inherit the NAC setting from the default group policy, access the alternative group policy from which
to inherit it, then use the no form of this command:
hostname(config-group-policy)# no nac [enable | disable]
hostname(config-group-policy)#
By default, NAC is disabled. Enabling NAC requires posture validation for remote access. If the remote
computer passes the validation checks, the ACS server downloads the access policy for the security
appliance to enforce. NAC is disabled by default.
An Access Control Server must be present on the network.
The following example enables NAC for the group policy:
hostname(config-group-policy)# nac enable
hostname(config-group-policy)#
Configuring Address Pools
Configure a list of address pools for allocating addresses to remote clients by entering the address-pools
command in group-policy attributes configuration mode:
hostname(config-group-policy)# address-pools value address_pool1 [...address_pool6]
hostname(config-group-policy)#
The address-pools settings in this command override the local pool settings in the group. You can specify
a list of up to six local address pools to use for local address allocation.
The order in which you specify the pools is significant. The security appliance allocates addresses from
these pools in the order in which the pools appear in this command.
To remove the attribute from the group policy and enable inheritance from other sources of group policy,
use the no form of this command:
hostname(config-group-policy)# no address-pools value address_pool1 [...address_pool6]
hostname(config-group-policy)#
The command address-pools none disables this attribute from being inherited from other sources of
policy, such as the DefaultGrpPolicy:
hostname(config-group-policy)# address-pools none
hostname(config-group-policy)#
Cisco Security Appliance Command Line Configuration Guide
30-53
OL-10088-01