9-25
Configuration Guide for Cisco Secure ACS 4.2
OL-14390-02
Chapter 9 NAC Configuration Scenario
Step 5: Set Up Shared Profile Components
Figure 9-15 Downloadable ACL Contents List with New Content
Step 5 From the drop-down list in the Network Access Filtering column of the ACL Contents table, choose the
correct NAF for this ACL.
You can choose the default NAF (All AAA Clients), or you can specify a NAF that you have configured
to control how access is set up for different devices or groups of devices.
For example, the syntax of an ACE on routers differs from the syntax on a Project Information Exchange
(PIX) firewall. By using a NAF, you can assign the same ACL to a PIX and a router, even though the
actual ACE that is downloaded is different.
Step 6 Click Submit.
The new ACL appears on the list of downloadable ACLs.
Saving the dACL
When you finish adding ACEs to the dACL, click Submit to save the dACL and submit it.
Configure Radius Authorization Components
Shared RADIUS Authorization Components (RACs) are sets of RADIUS attributes that ACS applies to
Network Access Devices (NADs) during network authorization. Each RAC can contain one or more
vendor RADIUS attributes, including Cisco IOS.PIX 6.0, IETF, and Ascend attributes.
By setting up RACs, you can dynamically assign RADIUS attributes to user sessions based on a policy.
For example, you can create a RAC that gathers RADIUS attributes to define a VLAN. Users who access
the network through a switch; for example, are then given access to specified VLANs based on how they
are authorized and authenticated.
The sample RACs in this section provide RADIUS configurations to handle the most important services
in the NAC environment:
• EoU (NAC L2 IP)
• NAC L2 802.1x