-
This documentation has been moved
-
Automatic Signature Extraction
-
Configuring Lock-and-Key Security for Dynamic Access Lists
-
Access Control Lists (ACLs)
-
IP Access List Features Roadmap
-
IP Access List Overview
-
Creating an IP Access List and Applying It to an Interface
-
Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports or TTL Values
-
ACL Syslog Correlation
-
Refining an IP Access List
-
Displaying and Clearing IP Access List Data Using ACL Manageability
-
Object Groups for ACLs
-
Controlling Access to a Virtual Terminal Line
-
Access List-Based RBSCP
-
ACL IP Options Selective Drop
-
ACL Authentication of Incoming rsh and rcp Requests
-
-
Configuring IP Session Filtering of Reflexive Access Lists
-
Context-Based Access Control
-
Configuring Context-based Access Control
-
Application Firewall - Instant Message Traffic Enforcement
-
Cisco IOS Firewall MIB
-
Cisco IOS Firewall Performance Improvements
-
Cisco IOS Firewall Support for TRP
-
Cisco IOS Firewall Stateful Failover
-
Email Inspection Engine
-
ESMTP Support for Cisco IOS Firewall
-
Firewall ACL Bypass
-
Firewall N2H2 Support
-
Firewall Stateful Inspection of ICMP
-
Firewall Support for SIP
-
Firewall Support of Skinny Client Control Protocol
-
Firewall Websense URL Filtering
-
Granular Protocol Inspection
-
HTTP Inspection Engine
-
Inspection of Router-Generated Traffic
-
TCP Out-of-Order Packet Support for Cisco IOS Firewall and Cisco IOS IPS
-
Transparent Cisco IOS Firewall
-
Virtual Fragmentation Reassembly
-
VRF Aware Cisco IOS Firewall
-
-
Zone-Based Policy Firewall
-
Zone-Based Policy Firewall
-
Cisco IOS Firewall H.323 Support
-
H.323 RAS Support in Cisco IOS Firewall
-
Cisco IOS Firewall: SIP Enhancements: ALG and AIC
-
Application Inspection and Control for SMTP
-
Subscription-based Cisco IOS Content Filtering
-
Cisco IOS Firewall Support for Skinny Local Traffic and CME
-
User Based Firewall Support
-
- Cisco IOS Intrusion Prevention System (IPS)
- Flexible Packet Matching
-
Configuring IP Security Options
-
Configuring Port to Application Mapping
-
Configuring TCP Intercept and Preventing Denial-of-Service Attacks
- Unicast Reverse Path Forwarding (uRPF)
-
Tag and Template
-
Feedback
Table Of Contents
Prerequisites for Tag and Template
Requirements for Tag and Template
Information About Tag and Template
How to Configure Tag and Template
Defining a Class Map for a Specific Type and Associating Match Conditions with It
Associating the Class Map with the Policy Map and Applying Actions for Classes That Match
Associating the Service Policy with a Specific IP Admission Rule
Monitoring the Template Configuration
Verifying the Template Configuration
Configuration Examples for Tag and Template
Example: Typical Tag and Template Configuration
Feature Information for Tag and Template
Tag and Template
First Published: February 27, 2006Last Updated: July 17, 2009The Tag and Template feature allows network administrators to define enforcement policies on a local device and have a RADIUS server specify the policy selector to be enforced. This feature can be applied to a Network Admission Control (NAC) architecture.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Tag and Template" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Tag and Template
•
•
•
•
•
Prerequisites for Tag and Template
You must have a Cisco IOS image that supports the Modular Quality of Service (QoS) command-line interface (CLI).
Requirements for Tag and Template
To apply the enforcement policies, the identity policy and access groups that are associated with the identity policy have to be configured for Tag and Template.
Information About Tag and Template
Tag and Template Overview
In a typical Network Admission Control deployment, an access control server (ACS) or a RADIUS server is used for validating the user posture information and for applying the policies on the network access device (NAD). A centralized ACS can be used to support multiple NADs. This solution has inherent problems associated with it, namely:
•
•
To overcome the above problems, the Tag and Template concept has been introduced. The concept is that the ACS maps users to specific groups and associates a tag with them. For example, the Usergroup1 user group may have a tag with the name "usergroup1." When the NAD queries the ACS for the policies, the ACS can return the tag that is associated with the user group. When this tag is received at the NAD, the NAD can map the tag to a specific template that can have a set of policies that are associated with the user group. This mapping provides administrators with the flexibility to configure the template on a NAD basis, and the policies can change from NAD to NAD even though the tag is the same.
In summary, a template must be configured on the NAD, and the template must be associated with a tag. When the ACS sends the policies back to the NAD, the template that matches the tag that was received from the ACS is used.
How to Configure Tag and Template
•
•
•
•
•
Defining a Class Map for a Specific Type and Associating Match Conditions with It
To define a class map and associate match conditions with it, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
What to Do Next
Associate the class map with the policy map and apply actions for classes that match.
Associating the Class Map with the Policy Map and Applying Actions for Classes That Match
To associate the class map with the policy map and apply actions for classes that match, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
What to Do Next
Associate the service policy with a specific IP admission table.
Associating the Service Policy with a Specific IP Admission Rule
The policy map defined above can be associated with an IP authentication proxy or IP admission rule. To associate the map with the IP authentication proxy or IP admission rule, perform the following steps.
Note
SUMMARY STEPS
1.
2.
3.
or
ip auth-proxy name auth-proxy-name {ftp | http | telnet}[inactivity-timer min] [absolute-timer min] [list {acl | acl-name}] [service-policy type tag {service-policy-name} ]
DETAILED STEPS
Monitoring the Template Configuration
To monitor the template configuration, perform the following steps.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Verifying the Template Configuration
To verify the template configuration, perform the following steps. The show commands can be used individually or together.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuration Examples for Tag and Template
•
Example: Typical Tag and Template Configuration
In the following service policy (Tag and Template) example, tags named "healthy" and "non_healthy" can be received from an AAA server, the policy map is defined on the NAD, and the tag policy type is associated with the IP admission name "greentree."
Class Map Definition for the "healthy class" Type Tag
Router (config)# class-map type tag healthy_classRouter(config-cmap)# match tag healthyRouter(config-cmap)# endClass Map Definition for the "non_healthy_class" Type Tag
Router (config)# class-map type tag non_healthy_classRouter (config-cmap)# match tag non_healthyRouter (config-cmap)# endPolicy Map Is Defined
! The following line will be associated with the IP admission name.Router (config)# policy-map type control tag global_class! The following line refers to the class map that was defined above.Router (config-pmap)# class healthy_classRouter (config-pmap-c)# identity policy healthy_policyRouter(config-pmap-c)# exitThe following line refers to the non_healthy class that was defined above.Router (config-pmap)# class non_healthy_classRouter(config-pmap-c)# identity policy non_healthy_policyRouter (config-pmap-c)# endIdentity Policy Can Be Defined As Follows
Router (config)# identity policy healthy_policy! The following line is the IP access list for healthy users.Router (config-identity-policy)# access-group healthyRouter (config-identity-policy)# endRouter (config)# identity policy non_healthy_policyRouter (config-identity-policy)# access-group non_healthyRouter (config-identity-policy)# endAccess Lists Can Be Defined As Follows
Router (config)# ip access-list extended healthy_class! The following line can be anything, but as an example, traffic is being allowed.Router (config-ext-nacl)# permit ip any anyRouter (config-ext-nac)# endRouter (config)# ip access-list extended non_healthy_class! The following line is only an example. In practical cases, you could prevent a user from accessing specific networks.Router (config-ext-nacl)# deny ip any anyRouter (config-ext-nac)# endPolicy Map That Was Defined Above Is Associated with the IP Admission Name
Router (config)# ip admission name greentree service-policy type tag global_class! In the next line, the admission name can be associated with the interface.Router (config)# interface fastethernet 1/0Router (config-if)# ip admission greentreeIn the above configuration, if the AAA server sends a tag named "healthy" or "non_healthy" for any host, the policies that are associated with the appropriate identity policy will be applied on the host.
Where to Go Next
The tag attribute must be configured in the RADIUS profile using the following Cisco attribute-value (AV) pair: tag-name={tag string}.
For information about configuring RADIUS AV pairs, see the subsection "Configuring Cisco AV Pairs" in the section "Related Documents."
Additional References
Related Documents
Cisco IOS commands
Configuring Cisco RADIUS AV pairs
The section "Configuring RADIUS" in the Cisco IOS Security Configuration Guide: Securing User Services
Standards
MIBs
RFCs
Technical Assistance
Feature Information for Tag and Template
Table 1 lists the features in this module and provides links to specific configuration information.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2007-2009 Cisco Systems, Inc. All rights reserved.
