Chapter 8 Managing Users and Identity Stores

Managing External Identity Stores

Configuring Directory Attributes

When a RADIUS identity server responds to a request, RADIUS attributes are returned along with the response. You can make use of these RADIUS attributes in policy rules.

In the Directory Attributes tab, you can specify the RADIUS attributes that you use in policy rule conditions. ACS maintains a separate list of these attributes.

Step 1 Modify the fields in the Directory Attributes tab as described in Table 8-17.

Table 8-17 RADIUS Identity Servers - Directory Attributes Tab

Option: Description

Attribute List: Use this section to create the attribute list to include in policy conditions. As you include each attribute, its name, type, default value, and policy condition name appear in the table. To:

    Add a RADIUS attribute, fill in the fields below the table and click Add.

    Edit a RADIUS attribute, select the appropriate row in the table and click Edit. The RADIUS attribute parameters appear in the fields below the table. Edit as required, then click Replace.

Dictionary Type: RADIUS dictionary type. Click the drop-down list box to select a RADIUS dictionary type.

RADIUS Attribute: Name of the RADIUS attribute. Click Select to choose the RADIUS attribute. This name is composed of two parts: the attribute name and an extension to support AV-pairs if the attribute selected is a Cisco AV-Pair.

    For example, for an attribute cisco-av-pair with an AV-pair name some-avpair, ACS displays cisco-av-pair.some-avpair.

    IETF and vendor VSA attribute names contain an optional suffix, -nnn, where nnn is the ID of the attribute.

Type: RADIUS attribute type. Valid options are:

    String

    Unsigned Integer 32

    IPv4 Address

Default: (Optional) A default value that can be used if the attribute is not available in the response from the RADIUS identity server. This value must be of the specified RADIUS attribute type.

Policy Condition Name: Specify the name of the custom policy condition that uses this attribute.

Step 2 Do either of the following:

Click Submit to save your changes and return to the RADIUS Identity Servers page.

Click the Advanced tab to configure failure message handling and to enable identity caching. See Configuring Advanced Options, page 8-68 for more information.
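The naming, type and default rules from Table 8-17, sketched as an added Python example (not ACS code and not part of the original guide). It assumes the identity server's reply is already decoded into a name-to-values dict and that a Cisco AV-pair value has the form name=value; DirectoryAttribute, resolve and all sample values are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def _uint32(value):
    number = int(value)
    if not 0 <= number <= 0xFFFFFFFF:
        raise ValueError(f"{value!r} is outside the unsigned 32-bit range")
    return number

# Converters for the three attribute types listed in Table 8-17.
TYPES = {
    "String": str,
    "Unsigned Integer 32": _uint32,
    "IPv4 Address": lambda value: str(ipaddress.IPv4Address(value)),
}

@dataclass
class DirectoryAttribute:  # hypothetical model of one Attribute List row
    radius_attribute: str  # e.g. "cisco-av-pair.some-avpair"
    attr_type: str
    condition_name: str
    default: Optional[str] = None

    def __post_init__(self):
        if self.attr_type not in TYPES:
            raise ValueError(f"unsupported type {self.attr_type!r}")
        if self.default is not None:
            TYPES[self.attr_type](self.default)  # default must match the type

def resolve(rows, response):
    """response: constructed stand-in for a decoded reply, {name: [raw values]}."""
    conditions = {}
    for row in rows:
        base, _, av_name = row.radius_attribute.partition(".")
        value = row.default  # kept only if the reply lacks the attribute
        for raw in response.get(base, []):
            key, sep, av_value = raw.partition("=")  # assumed name=value form
            if not av_name or (sep and key == av_name):
                value = av_value if av_name else raw
                break
        conditions[row.condition_name] = (
            None if value is None else TYPES[row.attr_type](value))
    return conditions

if __name__ == "__main__":
    rows = [DirectoryAttribute("cisco-av-pair.some-avpair",
                               "Unsigned Integer 32", "SomeAvpair", "0")]
    print(resolve(rows, {"cisco-av-pair": ["some-avpair=15"]}))  # constructed
```

Because the default is applied whenever the reply omits the attribute, a policy condition built on it still evaluates in that case, so the default should be the least-privileged value.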

Related Topics

RADIUS Identity Stores, page 8-60

Creating, Duplicating, and Editing RADIUS Identity Servers, page 8-63

Configuring General Settings, page 8-64

User Guide for Cisco Secure Access Control System 5.3, OL-24201-01, page 8-67