Tag and Template


First Published: February 27, 2006
Last Updated: July 17, 2009

The Tag and Template feature allows network administrators to define enforcement policies on a local device and have a RADIUS server specify the policy selector to be enforced. This feature can be applied to a Network Admission Control (NAC) architecture.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Tag and Template" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for Tag and Template

Requirements for Tag and Template

Information About Tag and Template

How to Configure Tag and Template

Configuration Examples for Tag and Template

Where to Go Next

Additional References

Feature Information for Tag and Template

Prerequisites for Tag and Template

You must have a Cisco IOS image that supports the Modular Quality of Service (QoS) command-line interface (CLI).

Requirements for Tag and Template

To apply the enforcement policies, the identity policy and access groups that are associated with the identity policy have to be configured for Tag and Template.

Information About Tag and Template

Tag and Template Overview

In a typical Network Admission Control deployment, an access control server (ACS) or a RADIUS server validates the user posture information and applies the policies on the network access device (NAD). A centralized ACS can serve multiple NADs. This solution has two inherent problems:

1. Version control of policies. One NAD that is running a given Cisco IOS image may support a certain set of ACLs while another NAD supports a different version of them, and managing the different versions is difficult.

2. Users connect to the NAD on different interfaces, and the policies that can be applied to a user depend on the interface type, which only the NAD can determine. In the current architecture, the ACS sends the same set of policies to all NADs when a profile is matched, which does not give the administrator enough control to configure the policies on the basis of the NAD configuration.

To overcome the above problems, the Tag and Template concept has been introduced. The concept is that the ACS maps users to specific groups and associates a tag with them. For example, the Usergroup1 user group may have a tag with the name "usergroup1." When the NAD queries the ACS for the policies, the ACS can return the tag that is associated with the user group. When this tag is received at the NAD, the NAD can map the tag to a specific template that can have a set of policies that are associated with the user group. This mapping provides administrators with the flexibility to configure the template on a NAD basis, and the policies can change from NAD to NAD even though the tag is the same.

In summary, a template must be configured on the NAD, and the template must be associated with a tag. When the ACS sends the policies back to the NAD, the template that matches the tag that was received from the ACS is used.

How to Configure Tag and Template

Defining a Class Map for a Specific Type and Associating Match Conditions with It

Associating the Class Map with the Policy Map and Applying Actions for Classes That Match

Associating the Service Policy with a Specific IP Admission Rule

Monitoring the Template Configuration

Verifying the Template Configuration

Defining a Class Map for a Specific Type and Associating Match Conditions with It

To define a class map and associate match conditions with it, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type tag [match-all | match-any] class-map-name

4. match port-type {routed | switched}

5. match tag tag-name

DETAILED STEPS

Step 1: enable
  Example: Router> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 3: class-map type tag [match-all | match-any] class-map-name
  Example: Router(config)# class-map type tag match-all group1_class
  Purpose: Creates a class map that is used to match packets to a specified class, and enters class-map configuration mode.

Step 4: match port-type {routed | switched}
  Example: Router(config-cmap)# match port-type routed
  Purpose: Matches the access policy on the basis of the port type for a class map.

Step 5: match tag tag-name
  Example: Router(config-cmap)# match tag group1_class
  Purpose: Specifies the tag to be matched for a tag type of class map.

What to Do Next

Associate the class map with the policy map and apply actions for classes that match.

Associating the Class Map with the Policy Map and Applying Actions for Classes That Match

To associate the class map with the policy map and apply actions for classes that match, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type control tag policy-map-name

4. class type tag {class-name} [insert-before {class-name}]

5. identity policy policy-name

DETAILED STEPS

Step 1: enable
  Example: Router> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 3: policy-map type control tag policy-map-name
  Example: Router(config)# policy-map type control tag usergroup1_pmap
  Purpose: Creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy, and enters policy-map configuration mode.

Step 4: class type tag {class-name} [insert-before {class-name}]
  Example: Router(config-pmap)# class type tag usergroup1_class
  Purpose: Associates a class map with the policy map and enters policy-map class configuration mode.

Step 5: identity policy policy-name
  Example: Router(config-pmap-c)# identity policy usergroup1_iden_policy
  Purpose: Associates an identity policy with the class.

What to Do Next

Associate the service policy with a specific IP admission rule.

Associating the Service Policy with a Specific IP Admission Rule

The policy map defined above can be associated with an IP authentication proxy or IP admission rule. To associate the map with the IP authentication proxy or IP admission rule, perform the following steps.


Note There can be multiple policy maps, and each one can be associated with a different IP admission rule, but an IP admission rule can reference only one policy map.


SUMMARY STEPS

1. enable

2. configure terminal

3. ip admission name admission-name [eapoudp | proxy {ftp | http | telnet} | service-policy type tag {service-policy-name} ] [list {acl | acl-name}]

or

ip auth-proxy name auth-proxy-name {ftp | http | telnet}[inactivity-timer min] [absolute-timer min] [list {acl | acl-name}] [service-policy type tag {service-policy-name} ]

DETAILED STEPS

Step 1: enable
  Example: Router> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example: Router# configure terminal
  Purpose: Enters global configuration mode.

Step 3: ip admission name admission-name [eapoudp | proxy {ftp | http | telnet} | service-policy type tag {service-policy-name}] [list {acl | acl-name}]
  or
  ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-timer min] [absolute-timer min] [list {acl | acl-name}] [service-policy type tag {service-policy-name}]
  Example: Router(config)# ip admission name nac eapoudp service-policy type tag usergroup1_pmap
  or
  Example: Router(config)# ip auth-proxy name nac http service-policy type tag usergroup1_pmap
  Purpose: Associates the policy map with an IP network admission control rule (ip admission) or with an authentication proxy rule (ip auth-proxy). The service policy name must be the same as the policy map name (usergroup1_pmap, as defined in Step 3 of the previous task). The ip auth-proxy form takes one of ftp, http, or telnet as its protocol, not eapoudp.

Monitoring the Template Configuration

To monitor the template configuration, perform the following steps.

SUMMARY STEPS

1. enable

2. debug tag-template event

DETAILED STEPS

Step 1: enable
  Example: Router> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: debug tag-template event
  Example: Router# debug tag-template event
  Purpose: Displays the tag application on a session (an Authentication Proxy or Extensible Authentication Protocol over UDP [EAPoUDP] session).

Verifying the Template Configuration

To verify the template configuration, perform the following steps. The show commands can be used individually or together.

SUMMARY STEPS

1. enable

2. show class-map type tag class-map-name

3. show epm session {interface type number | ip {ip-address [client client-type] | all} | mac {mac-address [client client-type] | all} | summary}

4. show policy-map type control tag type-name

DETAILED STEPS

Step 1: enable
  Example: Router> enable
  Purpose: Enables privileged EXEC mode. Enter your password if prompted.

Step 2: show class-map type tag class-map-name
  Example: Router# show class-map type tag map1
  Purpose: Displays all class maps and their matching criteria.

Step 3: show epm session {interface type number | ip {ip-address [client client-type] | all} | mac {mac-address [client client-type] | all} | summary}
  Example: Router# show epm session summary
  Purpose: Displays whether tag policies or authentication, authorization, and accounting (AAA) policies are actually applied to a service policy application.

Step 4: show policy-map type control tag type-name
  Example: Router# show policy-map type control tag type1
  Purpose: Displays a template configuration when applying access policies on Layer 2 and Layer 3 interfaces.

Configuration Examples for Tag and Template

Example: Typical Tag and Template Configuration

In the following service policy (Tag and Template) example, tags named "healthy" and "non_healthy" can be received from an AAA server, the policy map is defined on the NAD, and the tag policy type is associated with the IP admission name "greentree."

Class Map Definition for the "healthy_class" Type Tag

Router(config)# class-map type tag healthy_class
Router(config-cmap)# match tag healthy
Router(config-cmap)# end

Class Map Definition for the "non_healthy_class" Type Tag

Router(config)# class-map type tag non_healthy_class
Router(config-cmap)# match tag non_healthy
Router(config-cmap)# end

Policy Map Is Defined

! The following policy map will be associated with the IP admission name.
Router(config)# policy-map type control tag global_class
! The following line refers to the healthy_class class map that was defined above.
Router(config-pmap)# class type tag healthy_class
Router(config-pmap-c)# identity policy healthy_policy
Router(config-pmap-c)# exit
! The following line refers to the non_healthy_class class map that was defined above.
Router(config-pmap)# class type tag non_healthy_class
Router(config-pmap-c)# identity policy non_healthy_policy
Router(config-pmap-c)# end

Identity Policy Can Be Defined As Follows

Router(config)# identity policy healthy_policy
! The following line names the IP access list for healthy users; the list itself is defined below.
Router(config-identity-policy)# access-group healthy
Router(config-identity-policy)# end
Router(config)# identity policy non_healthy_policy
! The following line names the IP access list for non-healthy users.
Router(config-identity-policy)# access-group non_healthy
Router(config-identity-policy)# end

Access Lists Can Be Defined As Follows

! The access list names must match the access-group names used in the identity policies.
Router(config)# ip access-list extended healthy
! The following line can be anything; as an example, all traffic is allowed.
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# end
Router(config)# ip access-list extended non_healthy
! The following line is only an example. In practical cases, you could prevent a user from accessing specific networks.
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# end

Policy Map That Was Defined Above Is Associated with the IP Admission Name

Router(config)# ip admission name greentree service-policy type tag global_class
! In the next lines, the admission name is associated with the interface.
Router(config)# interface fastethernet 1/0
Router(config-if)# ip admission greentree

In the above configuration, if the AAA server sends a tag named "healthy" or "non_healthy" for any host, the policies that are associated with the appropriate identity policy will be applied on the host.

Where to Go Next

The tag attribute must be configured in the RADIUS profile using the following Cisco attribute-value (AV) pair: tag-name={tag string}.

For information about configuring RADIUS AV pairs, see the subsection "Configuring Cisco AV Pairs" in the section "Related Documents."
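The following Python script is an added example, not part of this documentation or of Cisco IOS. It models the chain this module describes, from the tag-name AV pair that the RADIUS server returns, through the IP admission rule, policy map, class map and identity policy, down to the access list the NAD enforces, and it checks the references that most often break in practice: a service policy name that is not a policy map name, a class map or identity policy that is referenced but never defined, and an access-group that names a missing access list. It assumes a running-config rendering of the example configuration above (with the access-list names matching the access-group names) and an AV pair string of the form Cisco-AVPair = "tag-name=healthy"; the parser understands only the commands used in this module, and match port-type is not modelled.

```python
"""Offline checker for a Cisco IOS Tag and Template configuration; a hypothetical helper, not Cisco code."""
import re
from dataclasses import dataclass, field
SAMPLE_CONFIG = """
class-map type tag match-all healthy_class
 match tag healthy
class-map type tag match-all non_healthy_class
 match tag non_healthy
policy-map type control tag global_class
 class type tag healthy_class
  identity policy healthy_policy
 class type tag non_healthy_class
  identity policy non_healthy_policy
identity policy healthy_policy
 access-group healthy
identity policy non_healthy_policy
 access-group non_healthy
ip access-list extended healthy
ip access-list extended non_healthy
ip admission name greentree service-policy type tag global_class
interface FastEthernet1/0
 ip admission greentree
"""  # constructed sample: the page's example in running-config form, ACL names matching the access-groups

@dataclass
class TagTemplateConfig:
    class_maps: dict = field(default_factory=dict)         # class map -> [tags]
    policy_maps: dict = field(default_factory=dict)        # policy map -> [[class map, identity policy]]
    identity_policies: dict = field(default_factory=dict)  # identity policy -> access-group name
    acls: set = field(default_factory=set)                 # defined access-list names
    admissions: dict = field(default_factory=dict)         # ip admission name -> service-policy name
    interfaces: dict = field(default_factory=dict)         # interface -> ip admission name

def parse_config(text):
    """Unindented lines open a context; indented lines are that context's sub-commands."""
    cfg, ctx = TagTemplateConfig(), (None, None)
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("!"):
            continue
        if not line.startswith(" "):
            ctx = (None, None)
            if words[:3] == ["class-map", "type", "tag"]:  # match-all/match-any may precede the name
                ctx, cfg.class_maps[words[-1]] = ("class-map", words[-1]), []
            elif words[:4] == ["policy-map", "type", "control", "tag"]:
                ctx, cfg.policy_maps[words[4]] = ("policy-map", words[4]), []
            elif words[:2] == ["identity", "policy"]:
                ctx, cfg.identity_policies[words[2]] = ("identity", words[2]), None
            elif words[:2] == ["ip", "access-list"]:
                cfg.acls.add(words[-1])                    # ACL entries themselves are not modelled
            elif words[:3] == ["ip", "admission", "name"]:
                m = re.search(r"service-policy type tag (\S+)", line)
                cfg.admissions[words[3]] = m.group(1) if m else None
            elif words[0] == "interface":
                ctx = ("interface", words[1])
            continue
        kind, name = ctx
        if kind == "class-map" and words[:2] == ["match", "tag"]:
            cfg.class_maps[name].append(words[2])
        elif kind == "policy-map" and words[0] == "class":  # "class type tag X" or "class X"
            cfg.policy_maps[name].append([words[3] if words[1:3] == ["type", "tag"] else words[1], None])
        elif kind == "policy-map" and words[:2] == ["identity", "policy"] and cfg.policy_maps[name]:
            cfg.policy_maps[name][-1][1] = words[2]        # binds to the class most recently opened
        elif kind == "identity" and words[0] == "access-group":
            cfg.identity_policies[name] = words[1]
        elif kind == "interface" and words[:2] == ["ip", "admission"]:
            cfg.interfaces[name] = words[2]
    return cfg

def validate(cfg):
    """Return dangling references; a template that does not resolve applies no policy at all."""
    problems = []
    for pm, classes in cfg.policy_maps.items():
        for cls, ident in classes:
            if cls not in cfg.class_maps:
                problems.append(f"policy-map {pm}: class map {cls} is not defined")
            if ident not in cfg.identity_policies:
                problems.append(f"policy-map {pm}: class {cls} has no defined identity policy")
    for ident, acl in cfg.identity_policies.items():
        if acl not in cfg.acls:
            problems.append(f"identity policy {ident}: access list {acl} is not defined")
    for adm, sp in cfg.admissions.items():
        if sp not in cfg.policy_maps:
            problems.append(f"ip admission {adm}: service policy {sp} must equal a policy map name")
    return problems

def tag_from_av_pair(av_pair):
    """Extract the tag from a Cisco AV pair such as 'Cisco-AVPair = "tag-name=healthy"'."""
    m = re.search(r'tag-name=([^\s"]+)', av_pair)
    return m.group(1) if m else None

def resolve_tag(cfg, interface, tag):
    """interface -> ip admission -> policy map -> first class map matching the tag -> identity policy -> ACL; None if no template matches."""
    policy_map = cfg.admissions.get(cfg.interfaces.get(interface))
    for cls, ident in cfg.policy_maps.get(policy_map, []):
        if tag in cfg.class_maps.get(cls, []):
            return cfg.identity_policies.get(ident)
    return None
```

Run validate() before trusting resolve_tag(): resolution stops at the identity policy, so a mismatched access list name (the kind of slip that is easy to make when the tag, class map and ACL all carry similar names) still resolves cleanly while the NAD would find no list to apply. An unknown tag resolves to None, which mirrors the feature's behaviour that a tag with no matching template applies nothing.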

Additional References

Related Documents

Related Topic: Cisco IOS commands
Document Title: Cisco IOS Master Commands List, All Releases

Related Topic: Configuring Cisco RADIUS AV pairs
Document Title: The section "Configuring RADIUS" in the Cisco IOS Security Configuration Guide: Securing User Services


Standards

No new or modified standards are supported by this feature.

MIBs

No new or modified MIBs are supported by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

No new or modified RFCs are supported by this feature.

Technical Assistance

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Link: http://www.cisco.com/cisco/web/support/index.html


Feature Information for Tag and Template

Table 1 lists the features in this module and provides links to specific configuration information.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.


Table 1 Feature Information for Tag and Template

Feature Name: Tag and Template
Releases: 12.4(6)T
Feature Information: The Tag and Template feature allows network administrators to define enforcement policies on a local device and have a RADIUS server specify the policy selector to be enforced. This feature can be applied to a Network Admission Control (NAC) architecture.
The following commands were introduced or modified by this feature: class-map, class type, debug tag-template event, identity policy (policy-map), ip admission name, ip auth-proxy name, match port-type, match tag (class-map), show class-map, show epm session ip, and show policy-map type.

Feature Name: IP Admission Policy MIB
Releases: 12.2(33)SXI2
Feature Information: The IP Admission Policy MIB provides a management information base (MIB) for monitoring the Network Access Device (NAD) for the Enforcement Policy Module (EPM) system.
The following command was introduced or modified by this feature: show epm session.