Chapter 9 Managing Policy Elements

Managing Authorizations and Permissions

Table 9-6    Authorization Profile: RADIUS Attributes Page (continued)

Option              Description

RADIUS Attribute    Name of the RADIUS attribute. Click Select to choose a RADIUS attribute from the
                    specified dictionary.

                    You must manually add VPN attributes to the authorization profile to authenticate
                    VPN devices in your network. ACS can work with different Layer 2 and Layer 3
                    protocols, such as:

                    • IPSec—Operates at Layer 3; no mandatory attributes need to be configured in the
                      ACS authorization profile, but you can configure optional attributes.

                    • L2TP—For L2TP tunneling, you must configure ACS with:

                      – CVPN3000/ASA/PIX7.x-Tunneling Protocols—This attribute specifies the type of
                        tunneling to be used.

                      – CVPN3000/ASA/PIX7.x-L2TP-Encryption—This attribute, when set, enables VPN3000
                        to communicate to the client the type of Microsoft Point-to-Point Encryption
                        (MPPE) key that must be used, either the MSCHAPv1 or MSCHAPv2 authentication
                        method.

                    • PPTP—For PPTP tunneling, you must configure ACS with:

                      – CVPN3000/ASA/PIX7.x-Tunneling Protocols—This attribute specifies the type of
                        tunneling to be used.

                      – CVPN3000/ASA/PIX7.x-PPTP-Encryption—This attribute, when set, enables VPN3000
                        to communicate to the client the type of Microsoft Point-to-Point Encryption
                        (MPPE) key that must be used, either the MSCHAPv1 or MSCHAPv2 authentication
                        method.

Attribute Type      Client vendor type of the attribute, from which ACS allows access requests. For a
                    description of the attribute types, refer to Cisco IOS documentation for the
                    release of Cisco IOS software that is running on your AAA clients.

Attribute Value     Value of the attribute. Click Select for a list of attribute values. For a
                    description of the attribute values, refer to Cisco IOS documentation for the
                    release of Cisco IOS software that is running on your AAA clients.

                    For tunneled protocols, ACS provides attribute values with specific tags to the
                    device within the access response, according to RFC 2868.

                    If you choose Tagged Enum or Tagged String as the RADIUS Attribute type, the Tag
                    field appears. For the tag value, enter a number that ACS will use to group
                    attributes belonging to the same tunnel.

                    For the Tagged Enum attribute type:

                    • Choose an appropriate attribute value.

                    • Enter an appropriate tag value (0–31).

                    For the Tagged String attribute type:

                    • Enter an appropriate string attribute value (up to 256 characters).

                    • Enter an appropriate tag value (0–31).
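The tag mechanism the table refers to comes from RFC 2868: a tagged attribute carries a one-octet tag before its value, and a device receiving an Access-Accept groups attributes with the same tag as belonging to one tunnel. The following Python is an added worked example, not code from the ACS documentation or from Cisco: it encodes the RFC 2868 standard attributes Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81) with a tag, parses an attribute stream back, and groups the result by tag. The attribute numbers and enum values are the standard ones from RFC 2868; the sample Access-Accept contents (two alternative tunnels and the group name `vpn-users`) are constructed for the example. It also handles the edge case the RFC defines for tagged strings: a first octet above 0x1F is not a tag but the first byte of the string. The Cisco CVPN3000/ASA/PIX7.x attributes in the table are vendor-specific attributes and are not modeled here.

```python
"""Encode, decode and group RFC 2868 tagged RADIUS tunnel attributes (added example)."""
from collections import defaultdict

# Attribute type numbers defined in RFC 2868.
TUNNEL_TYPE = 64               # tagged enum
TUNNEL_MEDIUM_TYPE = 65        # tagged enum
TUNNEL_PRIVATE_GROUP_ID = 81   # tagged string

# Tunnel-Type enum values from RFC 2868 (subset) and the IPv4 medium type.
TUNNEL_TYPE_PPTP = 1
TUNNEL_TYPE_L2TP = 3
TUNNEL_TYPE_ESP = 9
MEDIUM_IPV4 = 1

TAGGED_ENUM_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}
TAGGED_STRING_ATTRS = {TUNNEL_PRIVATE_GROUP_ID}
MAX_TAG = 0x1F   # RFC 2868: valid tags are 0x01-0x1F; 0x00 means the tag is unused


def encode_tagged_enum(attr_type, tag, value):
    """Type | Length | Tag | 3-octet big-endian value."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0-31")
    if not 0 <= value < 1 << 24:
        raise ValueError("tagged enum value must fit in 24 bits")
    payload = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(payload)]) + payload


def encode_tagged_string(attr_type, tag, value):
    """Type | Length | Tag | String. The one-octet Length caps the string at 252 bytes."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0-31")
    if len(value) > 252:
        raise ValueError("tagged string too long for a single RADIUS attribute")
    payload = bytes([tag]) + value
    return bytes([attr_type, 2 + len(payload)]) + payload


def decode_attributes(data):
    """Return a list of (attr_type, tag, value) for a RADIUS attribute stream.

    tag is None for an untagged attribute. Malformed lengths raise ValueError
    instead of being skipped, which is what a validating parser should do.
    """
    out = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        body = data[pos + 2:pos + length]
        pos += length
        if attr_type in TAGGED_ENUM_ATTRS:
            if len(body) != 4:
                raise ValueError("tagged enum must be 4 octets")
            tag = body[0] if 1 <= body[0] <= MAX_TAG else None
            out.append((attr_type, tag, int.from_bytes(body[1:], "big")))
        elif attr_type in TAGGED_STRING_ATTRS:
            if not body:
                raise ValueError("empty tagged string")
            if 1 <= body[0] <= MAX_TAG:
                out.append((attr_type, body[0], body[1:]))
            else:
                # RFC 2868: a first octet above 0x1F is part of the string, not a tag.
                out.append((attr_type, None, body))
        else:
            out.append((attr_type, None, body))
    return out


def group_by_tunnel(attrs):
    """Group tagged attributes by tag, as the receiving device does per RFC 2868."""
    groups = defaultdict(dict)
    for attr_type, tag, value in attrs:
        if tag is not None:
            groups[tag][attr_type] = value
    return dict(groups)


def build_vpn_response_attrs():
    """Constructed sample: two alternative tunnels (tags 1 and 2) in one Access-Accept."""
    return b"".join([
        encode_tagged_enum(TUNNEL_TYPE, 1, TUNNEL_TYPE_L2TP),
        encode_tagged_enum(TUNNEL_MEDIUM_TYPE, 1, MEDIUM_IPV4),
        encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, 1, b"vpn-users"),
        encode_tagged_enum(TUNNEL_TYPE, 2, TUNNEL_TYPE_PPTP),
        encode_tagged_enum(TUNNEL_MEDIUM_TYPE, 2, MEDIUM_IPV4),
    ])


if __name__ == "__main__":
    attrs = decode_attributes(build_vpn_response_attrs())
    for tag, group in sorted(group_by_tunnel(attrs).items()):
        print("tunnel tag", tag, group)
```

Running the block prints one line per tunnel tag with the attributes that belong to it. The tag range check in the encoders mirrors the 0–31 limit in the ACS tag field; the decoder's rejection of bad lengths matters because a RADIUS client that trusts the Length octet blindly can be made to read past the attribute.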

Step 3    To configure:

          • Basic information of an authorization profile; see Specifying Authorization Profiles, page 9-19.

          • Common tasks for an authorization profile; see Specifying Common Attributes in Authorization Profiles, page 9-19.

 

User Guide for Cisco Secure Access Control System 5.3    9-22    OL-24201-01
