RADIUS Authorization Components

RADIUS authorization components, or RACs, as they are more commonly referred to, are groupings of RADIUS attributes that map back to a NAC policy and are applied to a NAD during the posture-enforcement phase. These attributes apply NAC timers, assign ports to the specified VLAN, enforce policy-based ACLs, and apply URL redirect ACLs. Table 8-5 lists the NAC method along with the mandatory RADIUS attributes on the right.

Table 8-5 RADIUS Attributes Used in NAC RADIUS Authorization Components

NAC Method | RADIUS Attributes

L3-IP | [027] Session-Timeout; [26/9/1] cisco-av-pair status-query-timeout; [029] Termination-Action RADIUS-Request (1)

(method label not recovered) | [029] Termination-Action RADIUS-Request (1)

(method label not recovered) | [029] Termination-Action RADIUS-Request (1); [065] Tunnel-Medium-Type 802 (6); [081] Tunnel-Private-Group-ID

* Required only for Catalyst 6500 switches running CatOS. Used to apply policy-based ACLs.

Because you previously created NAC profiles using ACS's built-in NAC templates, the required RACs have already been created and prepopulated for you. The only thing left to do is rename and edit them to meet your needs. Additionally, you will apply a URL redirect ACL for NAC-L2-IP and NAC-L3-IP quarantined hosts. Follow these steps to accomplish this task:

NOTE For more information about using NAC templates, see the section "Create Network Access Profiles Using NAC Templates," earlier in this chapter.

Step 1 From the navigation frame on the left, select Shared Profile Components.

Step 2 The Shared Profile Components page appears. Select the RADIUS Authorization Components link to display the current RACs. Depending on the NAC profiles you created earlier, you might see L2 RACs or L3 RACs or both.

Step 3 If you see L3-RACs, continue with the next step. Otherwise, jump to step 17.

Step 4 Click the NAC-SAMPLE-HEALTHY-L3-RAC link.

Step 5 The RADIUS Authorization Components page appears. Edit the Name field to remove the word SAMPLE. Scroll down in the page to view the assigned attributes. The default for each attribute is fine; there is no need to edit them at this point.

Step 6 Select the Submit button to save the changes. You get a pop-up message indicating that the RAC might be referenced in a network access profile. Click OK to continue.

Step 7 Click the NAC-SAMPLE-QUARANTINE-L3-RAC link.

Step 8 The RADIUS Authorization Components page appears. Edit the Name field to remove the word SAMPLE.

Step 9 Scroll down to the bottom of the page. You will notice that for quarantined hosts, Session-Timeout was shortened from 10 hours (in the Healthy RAC) to just 1 hour (3600 seconds). Also, status-query-timeout (or how often CTA is polled to check for a status change) was shortened from 300 to 30 seconds.

Step 10 Specify the URL redirect ACL by adding a new Cisco av-pair. In the Add New Attribute section, select cisco-av-pair (1) from the Cisco IOS/PIX 6.0 drop-down list. Then click the Add button.

Step 11 In the Value field, type url-redirect-acl=ACL_Name_defined_on_NAD (example: url-redirect-acl=quarantine_url_redir_acl). Then click Submit.

NOTE The URL redirect ACL is defined on the router or switch and has a deny statement for your remediation server and permit tcp any any eq 80 for everything else. See Chapter 5, "Configuring Layer 3 NAC on Network Access Devices," for more information on defining the redirect ACL.

Step 12 Click the Submit button again to save the changes. You might get a pop-up message indicating that the RAC might be referenced in a network access profile. If you do, click OK to continue.

Step 13 Click the NAC-SAMPLE-TRANSITION-L3-RAC link.

Step 14 The RADIUS Authorization Components page appears. Edit the Name field to remove the word SAMPLE.

Step 15 Scroll down to the bottom of the page. You will notice that, for transition hosts, Session-Timeout (the amount of time to wait before a full revalidation takes place) is only 60 seconds. Also note that status-query-timeout is missing. This is because the session timeout is so short that there is no need to query CTA between revalidations.

Step 16 Click the Submit button to save the changes. You might get a pop-up message indicating that the RAC might be referenced in a network access profile. If you do, click OK to continue. If you are doing only NAC-L3-IP, you can jump to the end of the steps. Otherwise, continue on.

Step 17 Click the NAC-SAMPLE-HEALTHY-L2-RAC link.

Step 18 The RADIUS Authorization Components page appears. Edit the Name field to remove the word SAMPLE.

Step 19 Scroll down in the page to view the assigned attributes. Notice that the Tunnel-Private-Group-ID has a value of Healthy. This is the VLAN name used in the VLAN assignment process of NAC-L2-802.1X. (If you are using only NAC-L2-IP, you can safely ignore this attribute.) For CatOS-based 6500 administrators, pay attention to the cisco-av-pair value. sec:pg=healthy_hosts is the name of the policy-based ACL that is sent to the switch. You can edit either of these values, although it is not recommended.

Step 20 Select the Submit button to save the changes. You might get a pop-up message indicating that the RAC might be referenced in a network access profile. If you do, click OK to continue.

Step 21 Click the NAC-SAMPLE-QUARANTINE-L2-RAC link.

Step 22 The RADIUS Authorization Components page appears. Edit the Name field to remove the word SAMPLE.

Step 23 Scroll down in the page to view the assigned attributes. Again, if you are deploying NAC-L2-802.1X, pay attention to the VLAN name used (quarantine); it is case sensitive. For CatOS-based 6500 administrators, the policy-based ACL name is quarantine_hosts; this is also case sensitive.

Step 24 To allow the quarantined hosts' web browsers to be automatically redirected to a server for guided remediation, a URL redirect ACL must be defined. Specify the URL redirect ACL by adding a new Cisco av-pair. In the Add New Attribute section, select cisco-av-pair (1) from the Cisco IOS/PIX 6.0 drop-down list. Then click the Add button.

Step 25 In the Value field, type url-redirect-acl=ACL_Name_defined_on_NAD (example: url-redirect-acl=quarantine_url_redir_acl). Then click Submit. The assigned attributes should look like the ones shown in Figure 8-12.

Figure 8-12 RADIUS Authorization Components—Assigned Attributes

Assigned Attributes (Vendor / Attribute / Value):

IETF / Session-Timeout (27) / 3600
Cisco IOS/PIX 6.0 / cisco-av-pair (1) / sec:pg=quarantine_hosts
IETF / Termination-Action (29) / RADIUS-Request (1)
IETF / Tunnel-Type (64) / VLAN (13)
IETF / Tunnel-Medium-Type (65) / 802 (6)
IETF / Tunnel-Private-Group-ID (81) / Quarantine
Cisco IOS/PIX 6.0 / cisco-av-pair (1) / url-redirect-acl=quarantine_url_redir_acl

NOTE If you plan to use automatic remediation through an external remediation server (such as Altiris or PatchLink), you do not need to add a URL redirect ACL in the Quarantine RAC. For more information about remediation servers, see Chapter 12, "Remediation."

NOTE The URL redirect ACL is defined on the switch and has a deny statement for your remediation server and permit tcp any any eq 80 for everything else. See Chapter 4 for more information on defining the redirect ACL.

Step 26 Click the Submit button again to save the changes. You might get a pop-up message indicating that the RAC might be referenced in a network access profile. If you do, click OK to continue.

Step 27 Finally, with all the changes complete, you need to restart the ACS services from System Configuration > Service Control > Restart.

This completes the steps necessary to configure the RADIUS authorization components from within the shared profile components. Continue to the next section, "Network Access Profiles," to see how all these components fit together in the NAC solution.
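A RAC is only a named bundle of RADIUS attributes; what the NAD actually receives is the encoded Access-Accept. The following added example (not from the book or from ACS) encodes the Quarantine L3 RAC values from steps 7 through 11 as RADIUS attribute TLVs, including the Cisco vendor-specific cisco-av-pair (26/9/1), decodes them back, and checks the result against the mandatory L3-IP attributes from Table 8-5; the tag-less encoding and the ACL name quarantine_url_redir_acl are assumptions taken from the step text.

```python
import struct

CISCO_VENDOR_ID = 9  # IANA enterprise number carried inside Vendor-Specific (26)

def avp(attr_type, value):
    """Encode one RADIUS attribute as Type, Length, Value (RFC 2865)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def cisco_av_pair(text):
    """Vendor-Specific (26) carrying vendor 9, vendor-type 1: cisco-av-pair."""
    sub = struct.pack("!BB", 1, len(text) + 2) + text.encode()
    return avp(26, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def quarantine_l3_rac():
    """Assumed encoding of the NAC-QUARANTINE-L3-RAC values described in steps 7 to 11."""
    return b"".join([
        avp(27, struct.pack("!I", 3600)),            # [027] Session-Timeout = 1 hour
        cisco_av_pair("status-query-timeout=30"),    # [26/9/1] poll CTA every 30 seconds
        avp(29, struct.pack("!I", 1)),               # [029] Termination-Action = RADIUS-Request (1)
        cisco_av_pair("url-redirect-acl=quarantine_url_redir_acl"),  # ACL name defined on the NAD
    ])

def parse_avps(data):
    """Decode attributes; Cisco VSAs become ('cisco-av-pair', text), others (type, raw bytes)."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        t, length = data[i], data[i + 1]
        v = data[i + 2:i + length]
        if t == 26 and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID and v[4] == 1:
            out.append(("cisco-av-pair", v[6:4 + v[5]].decode()))  # v[5] is the sub-attribute length
        else:
            out.append((t, v))
        i += length
    return out

# Mandatory attributes for the L3-IP row of Table 8-5: IETF types plus the required av-pair key.
L3_IP_REQUIRED = {"ietf": {27, 29}, "av_pair": {"status-query-timeout"}}

def missing_for_l3_ip(data):
    """Return what a NAC-L3-IP Access-Accept lacks; an empty list means the RAC is complete."""
    present = parse_avps(data)
    types = {p[0] for p in present if isinstance(p[0], int)}
    keys = {p[1].split("=", 1)[0] for p in present if p[0] == "cisco-av-pair"}
    missing = ["type %d" % t for t in sorted(L3_IP_REQUIRED["ietf"] - types)]
    missing += ["cisco-av-pair %s" % k for k in sorted(L3_IP_REQUIRED["av_pair"] - keys)]
    return missing
```

Running the check against a captured Access-Accept is a quick way to confirm that a renamed RAC still carries every attribute the NAD needs before the profile goes live.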
