Tag and Template


First Published: February 27, 2006
Last Updated: July 17, 2009

The Tag and Template feature allows network administrators to define enforcement policies on a local device and have a RADIUS server specify the policy selector to be enforced. This feature can be applied to a Network Admission Control (NAC) architecture.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Tag and Template" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for Tag and Template

Requirements for Tag and Template

Information About Tag and Template

How to Configure Tag and Template

Configuration Examples for Tag and Template

Where to Go Next

Additional References

Command Reference

Feature Information for Tag and Template

Prerequisites for Tag and Template

You must have a Cisco IOS image that supports the Modular Quality of Service (QoS) command-line interface (CLI).

Requirements for Tag and Template

Before Tag and Template can apply enforcement policies, the identity policies and the access groups (IP access lists) that those identity policies reference must already be configured on the device.

Information About Tag and Template

Before configuring Tag and Template, you should understand the following concepts:

Tag and Template Overview

Tag and Template Overview

In a typical Network Admission Control deployment, an access control server (ACS) or a RADIUS server is used for validating the user posture information and for applying the policies on the network access device (NAD). A centralized ACS can be used to support multiple NADs. This solution has inherent problems associated with it, namely:

Version control of policies. The ACLs and other policy elements that one NAD supports depend on the Cisco IOS image it runs, and another NAD running a different image may support a different set. A policy pushed centrally must therefore be managed per image version.

Users connect to the NAD on different interface types, and the policies that can be applied to a user depend on that interface type, which only the NAD can determine. In the current architecture, the ACS sends the same set of policies to every NAD when a profile is matched, which does not give the administrator enough control to configure policies on the basis of each NAD's own configuration.

To overcome the above problems, the Tag and Template concept has been introduced. The concept is that the ACS maps users to specific groups and associates a tag with them. For example, the Usergroup1 user group may have a tag with the name "usergroup1." When the NAD queries the ACS for the policies, the ACS can return the tag that is associated with the user group. When this tag is received at the NAD, the NAD can map the tag to a specific template that can have a set of policies that are associated with the user group. This mapping provides administrators with the flexibility to configure the template on a NAD basis, and the policies can change from NAD to NAD even though the tag is the same.

In summary, a template must be configured on the NAD, and the template must be associated with a tag. When the ACS sends the policies back to the NAD, the template that matches the tag that was received from the ACS is used.

How to Configure Tag and Template

This section includes the following procedures:

Defining a Class Map for a Specific Type and Associating Match Conditions with It

Associating the Class Map with the Policy Map and Applying Actions for Classes That Match

Associating the Service Policy with a Specific IP Admission Rule

Monitoring the Template Configuration

Verifying the Template Configuration

Defining a Class Map for a Specific Type and Associating Match Conditions with It

To define a class map and associate match conditions with it, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type tag [match-all | match-any] class-map-name

4. match port-type {routed | switched}

5. match tag tag-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

class-map type tag [match-all | match-any] class-map-name

Example:

Router(config)# class-map type tag match-all usergroup1_class

Creates a tag type class map and enters class-map configuration mode. With match-all, a session must satisfy every match condition in the class map; with match-any, any one condition is enough.

Step 4 

match port-type {routed | switched}

Example:

Router(config-cmap)# match port-type routed

Matches on the type of port (routed or switched) through which the host connects, so that the same tag can select a different template on Layer 3 and Layer 2 ports.

Step 5 

match tag tag-name

Example:

Router(config-cmap)# match tag usergroup1

Specifies the tag string, as sent by the RADIUS server, that this tag type class map matches.

What to Do Next

Associate the class map with the policy map and apply actions for classes that match.

Associating the Class Map with the Policy Map and Applying Actions for Classes That Match

To associate the class map with the policy map and apply actions for classes that match, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type control tag policy-map-name

4. class type tag {class-name} [insert-before {class-name}]

5. identity policy policy-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

policy-map type control tag policy-map-name

Example:

Router(config)# policy-map type control tag usergroup1_pmap

Creates or modifies a control tag policy map (the template) that can be attached to one or more IP admission or authentication proxy rules, and enters policy-map configuration mode.

Step 4 

class type tag {class-name} [insert-before {class-name}]

Example:

Router(config-pmap)# class type tag usergroup1_class

Associates a tag type class map with the policy map and enters policy-map class configuration mode. Classes are evaluated in the order listed; use insert-before to place a class ahead of an existing one.

Step 5 

identity policy policy-name

Example:

Router(config-pmap-c)# identity policy usergroup1_iden_policy

Associates an identity policy (and, through it, the access groups configured under that policy) with the class.

What to Do Next

Associate the service policy with a specific IP admission or authentication proxy rule.

Associating the Service Policy with a Specific IP Admission Rule

The policy map defined above can be associated with an IP authentication proxy or IP admission rule. To associate the map with the IP authentication proxy or IP admission rule, perform the following steps.


Note There can be multiple policy maps, and each can be associated with a different IP admission rule, but an IP admission rule can reference only one policy map.


SUMMARY STEPS

1. enable

2. configure terminal

3. ip admission name admission-name [eapoudp | proxy {ftp | http | telnet} | service-policy type tag {service-policy-name} ] [list {acl | acl-name}]

or

ip auth-proxy name auth-proxy-name {ftp | http | telnet}[inactivity-timer min] [absolute-timer min] [list {acl | acl-name}] [service-policy type tag {service-policy-name} ]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip admission name admission-name [eapoudp | proxy {ftp | http | telnet} | service-policy type tag {service-policy-name} ] [list {acl | acl-name}]


or


ip auth-proxy name auth-proxy-name {ftp | http | telnet}[inactivity-timer min] [absolute-timer min] [list {acl | acl-name}] [service-policy type tag {service-policy-name} ]

Example:

Router(config)# ip admission name nac eapoudp service-policy type tag usergroup1_pmap


or


Router(config)# ip auth-proxy name nac http service-policy type tag usergroup1_pmap

Associates the policy map with an IP network admission control rule.

The service-policy-name must be the name of the policy map defined in the previous procedure (usergroup1_pmap in the example), not the name of an identity policy.

or

Associates the policy map with an authentication proxy rule. The ip auth-proxy form takes a proxy protocol (ftp, http, or telnet) rather than eapoudp.

Monitoring the Template Configuration

To monitor the template configuration, perform the following steps.

SUMMARY STEPS

1. enable

2. debug tag-template event

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

debug tag-template event

Example:

Router# debug tag-template event

Displays the tag application on a session (an Authentication Proxy or Extensible Authentication Protocol over UDP [EAPoUDP] session).

Verifying the Template Configuration

To verify the template configuration, perform the following steps. The show commands can be used individually or together.

SUMMARY STEPS

1. enable

2. show class-map type tag class-map-name

3. show epm session {interface type number | ip {ip-address [client client-type] | all} | mac {mac-address [client client-type] | all} | summary}

4. show policy-map type control tag type-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

show class-map type tag class-map-name

Example:

Router# show class-map type tag map1

Displays the specified tag type class map and its match criteria.

Step 3 

show epm session {interface type number | ip {ip-address [client client-type] | all} | mac {mac-address [client client-type] | all} | summary}

Example:

Router# show epm session summary

Displays whether tag policies or authentication, authorization, and accounting (AAA) policies are actually applied to a service policy application.

Step 4 

show policy-map type control tag type-name

Example:

Router# show policy-map type control tag type1

Displays a template configuration when applying access policies on Layer 2 and Layer 3 interfaces.

Configuration Examples for Tag and Template

This section provides the following configuration example.

Typical Tag and Template Configuration: Example

Typical Tag and Template Configuration: Example

In the following service policy (Tag and Template) example, tags named "healthy" and "non_healthy" can be received from an AAA server, the policy map is defined on the NAD, and the tag policy type is associated with the IP admission name "greentree."

Class Map Definition for the "healthy_class" Type Tag

Router(config)# class-map type tag healthy_class
Router(config-cmap)# match tag healthy
Router(config-cmap)# end

Class Map Definition for the "non_healthy_class" Type Tag

Router(config)# class-map type tag non_healthy_class
Router(config-cmap)# match tag non_healthy
Router(config-cmap)# end

Policy Map Is Defined

! The following policy map will be associated with the IP admission name.
Router(config)# policy-map type control tag global_class
! The following line refers to the healthy_class class map that was defined above.
Router(config-pmap)# class type tag healthy_class
Router(config-pmap-c)# identity policy healthy_policy
Router(config-pmap-c)# exit
! The following line refers to the non_healthy_class class map that was defined above.
Router(config-pmap)# class type tag non_healthy_class
Router(config-pmap-c)# identity policy non_healthy_policy
Router(config-pmap-c)# end

Identity Policy Can Be Defined As Follows

Router(config)# identity policy healthy_policy
! The following line references the IP access list for healthy users, defined below.
Router(config-identity-policy)# access-group healthy
Router(config-identity-policy)# end
Router(config)# identity policy non_healthy_policy
Router(config-identity-policy)# access-group non_healthy
Router(config-identity-policy)# end

Access Lists Can Be Defined As Follows

! The access list names must match the access-group names used in the identity policies above.
Router(config)# ip access-list extended healthy
! The following line can be anything; as an example, all traffic is allowed.
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# end
Router(config)# ip access-list extended non_healthy
! The following line is only an example. In practical cases, you would prevent a user from
! accessing specific networks rather than denying all traffic.
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# end

Policy Map That Was Defined Above Is Associated with the IP Admission Name

Router(config)# ip admission name greentree service-policy type tag global_class
! In the next lines, the admission name is associated with the interface.
Router(config)# interface fastethernet 1/0
Router(config-if)# ip admission greentree

In the above configuration, if the AAA server sends a tag named "healthy" or "non_healthy" for any host, the policies that are associated with the appropriate identity policy will be applied on the host.

Where to Go Next

The tag attribute must be configured in the RADIUS profile using the following Cisco attribute-value (AV) pair: tag-name={tag string}.

For information about configuring RADIUS AV pairs, see the subsection "Configuring Cisco AV Pairs" in the section "Related Documents."
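The following is an added example, not Cisco IOS code or part of this guide. It shows the two halves of the mechanism described in the overview and in the AV pair requirement above: the RADIUS side, where the tag-name Cisco AV pair is carried in a Vendor-Specific attribute (RFC 2865 attribute 26, vendor ID 9, vendor type 1), and the NAD side, where the received tag is compared against tag class maps in policy-map order to select an identity policy. It goes beyond the page's example by including a match-all pair that combines match port-type with match tag, so the same tag selects a different policy on routed and switched ports. The class, policy and tag names usergroup1_routed, usergroup1_switched and their identity policies are assumptions made for this example; the attribute bytes are constructed inline.

```python
"""Added example (not Cisco's code): tag delivery in RADIUS and tag-to-template
resolution on the NAD, modelled in Python."""
import struct
from typing import List, Optional, Tuple

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # vendor type of the Cisco-AVPair sub-attribute


def encode_cisco_avpair(value: str) -> bytes:
    """Build the Vendor-Specific attribute that carries one Cisco AV pair."""
    payload = value.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("AV pair does not fit in one RADIUS attribute")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def extract_tag(attributes: bytes) -> Optional[str]:
    """Return the tag-name from the first Cisco AV pair in a RADIUS attribute list."""
    i = 0
    while i + 2 <= len(attributes):
        atype, alen = attributes[i], attributes[i + 1]
        if alen < 2 or i + alen > len(attributes):
            raise ValueError("malformed RADIUS attribute")
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor_id, = struct.unpack("!I", attributes[i + 2:i + 6])
            if vendor_id == CISCO_VENDOR_ID:
                j, end = i + 6, i + alen
                while j + 2 <= end:
                    vtype, vlen = attributes[j], attributes[j + 1]
                    if vlen < 2 or j + vlen > end:
                        raise ValueError("malformed vendor sub-attribute")
                    if vtype == CISCO_AVPAIR:
                        text = attributes[j + 2:j + vlen].decode("ascii", "replace")
                        key, sep, val = text.partition("=")
                        if sep and key.strip() == "tag-name":
                            return val.strip()
                    j += vlen
        i += alen
    return None


class TagClassMap:
    """class-map type tag [match-all | match-any] with match tag / match port-type."""

    def __init__(self, name: str, match_all: bool, conditions: List[Tuple[str, str]]):
        self.name, self.match_all, self.conditions = name, match_all, conditions

    def matches(self, tag: str, port_type: str) -> bool:
        hits = [value == (tag if kind == "tag" else port_type)
                for kind, value in self.conditions]
        return all(hits) if self.match_all else any(hits)


# Constructed NAD configuration (assumed names): the page's healthy / non_healthy
# classes plus a match-all pair that gives one tag a different policy per port type.
CLASS_MAPS = {
    "healthy_class": TagClassMap("healthy_class", True, [("tag", "healthy")]),
    "non_healthy_class": TagClassMap("non_healthy_class", True, [("tag", "non_healthy")]),
    "usergroup1_routed": TagClassMap(
        "usergroup1_routed", True, [("port-type", "routed"), ("tag", "usergroup1")]),
    "usergroup1_switched": TagClassMap(
        "usergroup1_switched", True, [("port-type", "switched"), ("tag", "usergroup1")]),
}
# policy-map type control tag: ordered (class, identity policy) pairs, first match wins
POLICY_MAP = [
    ("healthy_class", "healthy_policy"),
    ("non_healthy_class", "non_healthy_policy"),
    ("usergroup1_routed", "usergroup1_routed_policy"),
    ("usergroup1_switched", "usergroup1_switched_policy"),
]


def resolve_identity_policy(attributes: bytes, port_type: str) -> Optional[str]:
    """Map an Access-Accept attribute list to the identity policy the NAD applies."""
    tag = extract_tag(attributes)
    if tag is None:
        return None          # no tag received: no class in the template can match
    for class_name, identity_policy in POLICY_MAP:
        if CLASS_MAPS[class_name].matches(tag, port_type):
            return identity_policy
    return None              # tag received, but no class in the template matches it


if __name__ == "__main__":
    # Constructed Access-Accept body: User-Name (type 1) followed by the Cisco AV pair
    user_name = struct.pack("!BB", 1, 2 + 5) + b"alice"
    accept = user_name + encode_cisco_avpair("tag-name=usergroup1")
    print(resolve_identity_policy(accept, "routed"))    # usergroup1_routed_policy
    print(resolve_identity_policy(accept, "switched"))  # usergroup1_switched_policy
```

The two failure modes worth checking on a real NAD are visible in resolve_identity_policy: a tag the template does not know (a typo in the RADIUS profile or in match tag) matches no class and yields no identity policy, and a malformed attribute list raises rather than being silently skipped. The show epm session and debug tag-template event commands in the verification procedure are how you observe the same outcomes on the device.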

Additional References

The following sections provide references related to Tag and Template.

Related Documents

Related Topic: Cisco IOS commands
Document Title: Cisco IOS Master Commands List, All Releases

Related Topic: Configuring Cisco RADIUS AV pairs
Document Title: The section "Configuring RADIUS" in the Cisco IOS Security Configuration Guide, Release 12.4


Standards

Standard
Title

No new or modified standards are supported by this feature.


MIBs

MIB
MIBs Link

No new or modified MIBs are supported by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFC
Title

No new or modified RFCs are supported by this feature.


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Command Reference

The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Security Command Reference at http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html. For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or the Cisco IOS Master Command List, All Releases, at http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html.

class-map

class type tag

debug tag-template event

identity policy (policy-map)

ip admission name

ip auth-proxy name

match port-type

match tag (class-map)

policy-map

show class-map

show epm session

show policy-map

Feature Information for Tag and Template

Table 1 lists the release history for this feature.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.


Table 1 Feature Information for Tag and Template 

Feature Name: Tag and Template
Releases: 12.4(6)T
Feature Information: The Tag and Template feature allows network administrators to define enforcement policies on a local device and have a RADIUS server specify the policy selector to be enforced. This feature can be applied to a Network Admission Control (NAC) architecture.

The following commands were introduced or modified by this feature: class-map, class type, debug tag-template event, identity policy (policy-map), ip admission name, ip auth-proxy name, match port-type, match tag (class-map), show class-map, show epm session, and show policy-map type.

Feature Name: IP Admission Policy MIB
Releases: 12.2(33)SXI2
Feature Information: The IP Admission Policy MIB provides a management information base (MIB) for monitoring the Network Access Device (NAD) for the Enforcement Policy Module (EPM) system.

The following command was introduced or modified by this feature: show epm session.