Cisco Systems OL-24201-01 Camera Accessories User Manual


 
9-22
User Guide for Cisco Secure Access Control System 5.3
OL-24201-01
Chapter 9 Managing Policy Elements
Managing Authorizations and Permissions
Step 3 To configure:
- Basic information of an authorization profile; see Specifying Authorization Profiles, page 9-19.
- Common tasks for an authorization profile; see Specifying Common Attributes in Authorization Profiles, page 9-19.
Table 9-6 Authorization Profile: RADIUS Attributes Page (continued)

Option: RADIUS Attribute
Description: Name of the RADIUS attribute. Click Select to choose a RADIUS attribute from the specified dictionary.
You must manually add VPN attributes to the authorization profile to authenticate VPN devices in your network. ACS can work with different Layer 2 and Layer 3 protocols, such as:
- IPSec—Operates at Layer 3; no mandatory attributes need to be configured in the ACS authorization profile, but you can configure optional attributes.
- L2TP—For L2TP tunneling, you must configure ACS with:
  - CVPN3000/ASA/PIX7.x-Tunneling Protocols—This attribute specifies the type of tunneling to be used.
  - CVPN3000/ASA/PIX7.x-L2TP-Encryption—This attribute, when set, enables VPN3000 to communicate to the client the type of Microsoft Point-to-Point Encryption (MPPE) key that must be used, either the MSCHAPv1 or MSCHAPv2 authentication method.
- PPTP—For PPTP tunneling, you must configure ACS with:
  - CVPN3000/ASA/PIX7.x-Tunneling Protocols—This attribute specifies the type of tunneling to be used.
  - CVPN3000/ASA/PIX7.x-PPTP-Encryption—This attribute, when set, enables VPN3000 to communicate to the client the type of Microsoft Point-to-Point Encryption (MPPE) key that must be used, either the MSCHAPv1 or MSCHAPv2 authentication method.

Option: Attribute Type
Description: Client vendor type of the attribute, from which ACS allows access requests. For a description of the attribute types, refer to Cisco IOS documentation for the release of Cisco IOS software that is running on your AAA clients.

Option: Attribute Value
Description: Value of the attribute. Click Select for a list of attribute values. For a description of the attribute values, refer to Cisco IOS documentation for the release of Cisco IOS software that is running on your AAA clients.
For tunneled protocols, ACS provides for attribute values with specific tags to the device within the access response according to RFC 2868.
If you choose Tagged Enum or Tagged String as the RADIUS Attribute type, the Tag field appears. For the tag value, enter a number that ACS will use to group attributes belonging to the same tunnel.
For the Tagged Enum attribute type:
- Choose an appropriate attribute value.
- Enter an appropriate tag value (0–31).
For the Tagged String attribute type:
- Enter an appropriate string attribute value (up to 256 characters).
- Enter an appropriate tag value (0–31).
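
The tag grouping described for the Tagged Enum and Tagged String attribute types, shown at the wire level as an added example (it is not part of the Cisco guide and is not ACS code). It uses the RFC 2868 attributes Tunnel-Type (64), Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81); the function names, tag assignments and group names are constructed for illustration, and rejecting an enum tag above 31 is this example's own validation choice.

```python
import struct
from collections import defaultdict
# RFC 2868 attribute numbers. All sample values below are constructed.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TAGGED_ENUM = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}
TAGGED_STRING = {TUNNEL_PRIVATE_GROUP_ID}

def encode_tagged_enum(attr_type, tag, value):
    """Type, Length (always 6), Tag (1 octet), Value (3 octets, big-endian)."""
    if not 0 <= tag <= 31 or not 0 <= value < 1 << 24:
        raise ValueError("tag must be 0-31 and value must fit in 3 octets")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")

def encode_tagged_string(attr_type, tag, text):
    """Type, Length, Tag (1 octet), String; Length is one octet (max 255)."""
    data = text.encode("utf-8")
    if not 0 <= tag <= 31 or len(data) > 252:
        raise ValueError("tag must be 0-31 and string at most 252 octets")
    return struct.pack("!BBB", attr_type, 3 + len(data), tag) + data

def group_by_tag(attrs):
    """Walk the attribute list and return {tag: {attr_type: value}}."""
    tunnels, pos = defaultdict(dict), 0
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 3 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        attr_type, value = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        pos += 2 + len(value)
        if attr_type in TAGGED_ENUM:
            if len(value) != 4 or value[0] > 0x1F:
                raise ValueError("bad tagged enum, type %d" % attr_type)
            tunnels[value[0]][attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type in TAGGED_STRING:
            # A first octet above 0x1F is string data, not a tag: file under 0.
            tag, data = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            tunnels[tag][attr_type] = data.decode("utf-8")
    return dict(tunnels)

# Constructed list: tunnels tagged 1 and 2, plus one group ID sent without a tag.
SAMPLE = (
    encode_tagged_enum(TUNNEL_TYPE, 1, 1)             # tag 1: PPTP
    + encode_tagged_enum(TUNNEL_MEDIUM_TYPE, 1, 1)    # tag 1: IPv4
    + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, 1, "branch-a")
    + bytes([6, 6, 0, 0, 0, 2])                       # Service-Type, ignored
    + encode_tagged_enum(TUNNEL_TYPE, 2, 3)           # tag 2: L2TP
    + encode_tagged_enum(TUNNEL_MEDIUM_TYPE, 2, 1)    # tag 2: IPv4
    + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, 2, "branch-b")
    + bytes([TUNNEL_PRIVATE_GROUP_ID, 11]) + b"vpn-users"
)
```

Calling `group_by_tag(SAMPLE)` returns one dictionary per tag, so a mis-tagged attribute in a profile shows up as a tunnel with a missing or extra entry.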