Cisco Systems 4.2 Server User Manual

Configuration Guide for Cisco Secure ACS 4.2, OL-14390-02, page 9-30
Chapter 9 NAC Configuration Scenario
Step 5: Set Up Shared Profile Components
Tunnel-Medium-Type (attribute 65)—Indicates which protocol to use over the tunnel. In the sample RACs, this is set to type 6, which specifies an IEEE 802 medium. In the NAC/NAP environment, this is the 802.1x protocol.

Tunnel-Private-Group-ID (attribute 81)—Indicates the group ID (the VLAN name or number) for the VLAN tunnel. In the sample RACs, this is set to Quarantine, which denotes a quarantine VLAN to which non-compliant devices are assigned. In actual practice, set this to a VLAN name or ID that is actually configured on the switch; a value the switch does not know cannot be applied to the port.
For reference, Table 9-1 lists all of the possible attributes that ACS can send. An X in the NAC-L2-802.1x, NAC-L2-IP, or NAC-L3-IP column indicates that ACS can send the specified attribute in a RADIUS Access-Accept response used with this technology.
Table 9-1 Attributes That Can Be Sent in the RADIUS Access-Accept Response

| Attribute Number | Attribute Name | Description | NAC technologies (one X per technology that can send it) |
|---|---|---|---|
| 1 | User-Name | Copied from the EAP Identity Response in the Access-Request. | X |
| 8 | Framed-IP-Address | IP address of the host. | X X |
| 26 | Vendor-Specific, Cisco (9,1), CiscoSecure-Defined-ACL | ACL name. ACS automatically sends this to the NAD as part of the RADIUS packet. | X X |
| 26 | Vendor-Specific, Cisco (9,1), sec:pg | Policy-based ACL assignment. Only applies to Catalyst 6000. Syntax: sec:pg = <group-name> | X |
| 26 | Vendor-Specific, Cisco (9,1), url-redirect | Redirection URL. Syntax: url-redirect = <URL> | X X |
| 26 | Vendor-Specific, Cisco (9,1), url-redirect-acl | Apply the named ACL for the redirect URL; the ACL must be defined locally on the NAD. Only works on switches with IOS. Syntax: url-redirect-acl = <ACL-Name> | X X |
| 26 | Vendor-Specific, Cisco (9,1), posture-token | Posture token/state name. Automatically sent by ACS. | X X X |
| 26 | Vendor-Specific, Cisco (9,1), status-query-timeout | Sets the Status Query timer. | X X |
| 26 | Vendor-Specific, Cisco (9,1), host-session-id | Session identifier used for auditing. Automatically sent by ACS. | X X |
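The attributes described above (the RFC 2868 tunnel attributes 65 and 81 that carry the VLAN assignment, and the Cisco (9,1) Vendor-Specific attribute, which is the cisco-av-pair VSA carrying text such as url-redirect = <URL> and posture-token) have a fixed wire format that is easy to check before a RAC goes into production. The following is an added example, not code from the Cisco guide or from ACS: it encodes an Access-Accept attribute set the way the quarantine RAC in the text would, decodes it as a NAD would, and then flags the configuration mistakes the text warns about (a VLAN that is not configured on the switch, a wrong tunnel medium, a non-HTTPS redirect URL). Tunnel-Type (attribute 64, value 13 = VLAN, from RFC 3580) is included because a VLAN assignment needs it, although this page does not list it; the VLAN set, the remediation URL and the sample attribute bytes are constructed placeholders.

```python
"""Encode/decode the RADIUS Access-Accept attributes used for NAC VLAN
assignment (RFC 2868) and Cisco cisco-av-pair VSAs, then sanity-check them."""
import struct

# RADIUS attribute types (RFC 2865 / RFC 2868) and the values used on this page
TUNNEL_TYPE = 64               # Tunnel-Type; 13 = VLAN (RFC 3580, not on this page)
TUNNEL_MEDIUM_TYPE = 65        # Tunnel-Medium-Type; 6 = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81   # Tunnel-Private-Group-ID; the VLAN name or number
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9            # Cisco's IANA enterprise number: "Cisco (9,1)"
CISCO_AV_PAIR = 1              # vendor type 1 = cisco-av-pair text
TUNNEL_TYPE_VLAN = 13
MEDIUM_IEEE_802 = 6


def attribute(attr_type, value):
    """Wrap a value in the RADIUS type/length/value envelope."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value is limited to 253 bytes")
    return bytes([attr_type, len(value) + 2]) + value


def tagged_integer(attr_type, number, tag=0):
    """RFC 2868 tagged integer: one tag byte plus a 3-byte big-endian value."""
    return attribute(attr_type, bytes([tag]) + number.to_bytes(3, "big"))


def tunnel_private_group_id(group_name, tag=0):
    """Attribute 81. The tag byte is only present when it is 0x01..0x1F."""
    value = group_name.encode()
    if 1 <= tag <= 0x1F:
        value = bytes([tag]) + value
    return attribute(TUNNEL_PRIVATE_GROUP_ID, value)


def cisco_av_pair(text):
    """Attribute 26 carrying Cisco (9,1): vendor-id, then vendor type/length/value."""
    value = text.encode()
    vsa = bytes([CISCO_AV_PAIR, len(value) + 2]) + value
    return attribute(VENDOR_SPECIFIC, struct.pack(">I", CISCO_VENDOR_ID) + vsa)


def parse_attributes(blob):
    """Split a run of attributes into (type, value) pairs, rejecting bad lengths."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return out


def decode_accept(blob):
    """Extract the fields a NAD acts on: tunnel type and medium, VLAN, av-pairs."""
    result = {"tunnel_type": None, "medium": None, "vlan": None, "av_pairs": []}
    cisco = struct.pack(">I", CISCO_VENDOR_ID)
    for attr_type, value in parse_attributes(blob):
        if attr_type == TUNNEL_TYPE:
            result["tunnel_type"] = int.from_bytes(value[1:4], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            result["medium"] = int.from_bytes(value[1:4], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and 1 <= value[0] <= 0x1F:
                value = value[1:]          # strip the RFC 2868 tag byte
            result["vlan"] = value.decode()
        elif attr_type == VENDOR_SPECIFIC and value[:4] == cisco:
            sub = value[4:]
            while len(sub) >= 2:
                sub_type, sub_len = sub[0], sub[1]
                if sub_len < 2 or sub_len > len(sub):
                    raise ValueError("bad VSA length")
                if sub_type == CISCO_AV_PAIR:
                    result["av_pairs"].append(sub[2:sub_len].decode())
                sub = sub[sub_len:]
    return result


def check_accept(decoded, switch_vlans):
    """Problems to fix before deploying the RAC. switch_vlans is the set of
    VLAN names/IDs actually configured on the switch (hypothetical input)."""
    problems = []
    if decoded["tunnel_type"] != TUNNEL_TYPE_VLAN:
        problems.append("Tunnel-Type is not VLAN (13)")
    if decoded["medium"] != MEDIUM_IEEE_802:
        problems.append("Tunnel-Medium-Type is not 6 (IEEE 802)")
    if decoded["vlan"] not in switch_vlans:
        problems.append(f"VLAN {decoded['vlan']!r} is not configured on the switch")
    for pair in decoded["av_pairs"]:
        key, _, val = pair.partition("=")
        if key == "url-redirect" and not val.startswith("https://"):
            problems.append(f"url-redirect is not HTTPS: {val}")
    return problems


# Constructed sample: what a quarantine RAC like the one in the text would send.
SAMPLE_ACCEPT = (
    tagged_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
    + tagged_integer(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
    + tunnel_private_group_id("Quarantine")
    + cisco_av_pair("posture-token=Quarantine")
    + cisco_av_pair("url-redirect=https://remediation.example.invalid/")
)

if __name__ == "__main__":
    decoded = decode_accept(SAMPLE_ACCEPT)
    print(decoded)
    print(check_accept(decoded, {"Healthy", "Quarantine"}))   # [] when the VLAN exists
    print(check_accept(decoded, {"Healthy"}))                 # flags the missing VLAN
```

Running the module prints the decoded fields and an empty problem list for a switch that has a Quarantine VLAN, and a single "not configured on the switch" finding for one that does not. The parser deliberately raises on malformed lengths rather than skipping bytes, which is the behaviour you want when the same code is reused to inspect captured RADIUS traffic during troubleshooting.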