9-7
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 9 Managing Policy Elements
Managing Policy Conditions
Note The filters in ACS 5.4 are similar to the NARs in ACS 4.x. In ACS 4.x, the NARs were based on either
the user or user group. In 5.4, the filters are independent conditions that you can reuse across various
rules and policies.
ACS offers three types of filters:

• End Station Filter—Filters end stations, such as a laptop or printer that initiates a connection, based on the end station’s IP address, MAC address, CLID number, or DNIS number.

  The end station identifier can be the IP address, MAC address, or any other string that uniquely identifies the end station. It is a protocol-agnostic attribute of type string that contains a copy of the end station identifier:

  – In a RADIUS request, this identifier is available in Attribute 31 (Calling-Station-Id).
  – In a TACACS request, ACS obtains this identifier from the remote address field of the start request (of every phase). It takes the remote address value before the slash (/) separator, if one is present; otherwise, it takes the entire remote address value.

  The end station IP address is either an IPv4 or IPv6 address derived from the end station identifier. The end station MAC is a normalized MAC address derived from the end station identifier.

• Device Filter—Filters a network device (AAA client) that acts as a Policy Enforcement Point (PEP) for the end station, based on the network device’s IP address or name, or the network device group (NDG) to which it belongs.

  The device identifier can be the IP address or name of the device, or it can be based on the network device group to which the device belongs.

  The IP address is a protocol-agnostic attribute of type IPv4 or IPv6 that contains a copy of the device IP address obtained from the request:

  – In a RADIUS request, if Attribute 4 (NAS-IP-Address) is present, ACS obtains the IP address from Attribute 4; otherwise, if Attribute 32 (NAS-Identifier) is present, ACS obtains the IP address from Attribute 32; otherwise, it obtains the IP address from the packet that it receives.
  – In a TACACS request, the IP address is obtained from the packet that ACS receives.

  The device name is an attribute of type string that contains a copy of the device name derived from the ACS repository.

  The device dictionary (the NDG dictionary) contains network device group attributes such as Location, Device Type, or other dynamically created attributes that represent NDGs. These attributes, in turn, contain the groups to which the current device belongs.

• Device Port Filter—Filters the physical port of the device to which the end station is connected. Filtering is based on the device’s IP address, name, the NDG it belongs to, and the port.

  The device port identifier is an attribute of type string:

  – In a RADIUS request, if Attribute 5 (NAS-Port) is present in the request, ACS obtains the value from Attribute 5; otherwise, if Attribute 87 (NAS-Port-Id) is present in the request, ACS obtains the value from Attribute 87.
  – In a TACACS request, ACS obtains this identifier from the port field of the start request (of every phase).

  The device name is an attribute of type string that contains a copy of the device name derived from the ACS repository.
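To make the precedence rules above concrete, here is an added Python example (not Cisco’s code; the decoded-request dict shape and the MAC separators it accepts are assumptions) that derives the end station, device, and device port identifiers from a constructed RADIUS request and a constructed TACACS+ start request:

```python
"""Derive the identifiers ACS filters match on from one AAA request.
Added example (not Cisco code): applies the precedence rules the guide gives
for RADIUS (Attr 31; 4 else 32 else packet source; 5 else 87) and TACACS+."""
import ipaddress
import re

# Constructed sample requests, already decoded into plain dicts (assumed
# shape: RADIUS attributes keyed by number; TACACS+ start-request fields).
RADIUS_REQ = {"attrs": {31: "00-1A-2B-3C-4D-5E", 4: "10.0.0.5", 5: 15},
              "src_ip": "192.0.2.10"}
TACACS_REQ = {"rem_addr": "10.1.1.7/async", "port": "tty3", "src_ip": "10.0.0.9"}

def normalize_mac(ident):
    """Canonical lowercase colon-separated MAC, or None if the identifier
    is not a MAC (assumed accepted separators: ':', '-', '.')."""
    digits = re.sub(r"[:\-.]", "", ident)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def end_station_ip(ident):
    """IPv4/IPv6 text form of the identifier, or None if not an address."""
    try:
        return str(ipaddress.ip_address(ident))
    except ValueError:
        return None

def _end_station(ident):
    return {"end_station": ident,
            "end_station_mac": normalize_mac(ident) if ident else None,
            "end_station_ip": end_station_ip(ident) if ident else None}

def radius_identifiers(req):
    a = req["attrs"]
    # Device IP: Attribute 4 if present, else Attribute 32, else packet source.
    device_ip = a[4] if 4 in a else a[32] if 32 in a else req["src_ip"]
    # Device port: Attribute 5 (NAS-Port) if present, else Attribute 87.
    port = a[5] if 5 in a else a.get(87)
    out = _end_station(a.get(31))
    out.update(device_ip=device_ip, device_port=None if port is None else str(port))
    return out

def tacacs_identifiers(req):
    # End station: remote address up to the first '/', else the whole value.
    out = _end_station(req["rem_addr"].split("/", 1)[0])
    out.update(device_ip=req["src_ip"], device_port=req["port"])
    return out
```

Note that the MAC identifier of the RADIUS request yields no end station IP, and the TACACS+ remote address yields no end station MAC; a filter on the missing attribute simply does not match.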