After a user successfully completes the EAP authentication process
of whatever type, the Cisco Secure ACS responds to the switch with a RADIUS
authentication-accept packet granting that user access to the network. This
packet is a fairly standard RADIUS authentication-accept packet and can carry a
variety of the usual RADIUS attributes that may be communicated and that will
be understood by the Cisco Catalyst Switch. Taken as a whole, the attributes
that compose the access-accept packet constitute an access profile. Once
received by the switch, the attributes are then processed in compliance with
the RADIUS RFC and whatever logic is implemented above the level of the
protocol. The access profile generally contains user-specific authorization
information, such as ACLs to be applied or the VLAN ID to be assigned.
Configuration of the RADIUS profile is performed on the Cisco Secure ACS
under the Group Setup section or the User Setup section. For attributes to show
up in the Group and User sections, they first have to be configured as required
in the Interface Configuration section. The following attributes are
required:
[064] Tunnel-Type
[081] Tunnel-Private-Group-ID
These attributes can be found under the IETF RADIUS Settings section of
Interface Control. Checking these boxes causes the appropriate fields to appear
on the Group and User pages.
For reasons of administrative scalability, RADIUS profiles are usually configured at the group level rather than one for each user. To configure a VLAN ID to be assigned to all users belonging to a specific group accessing the network through a Cisco Catalyst 4000, 5000, or 6000 Switch, navigate to the page for that group within Cisco Secure ACS and locate the IETF RADIUS settings section. If the attributes have been enabled in the Interface Configuration, then the attributes Tunnel-Type [# 64] and Tunnel-Private-Group-ID [# 81] will appear there for configuration.
To configure these, check the checkbox on the left of both attributes. For the "Tunnel-Type" attribute, ensure the first "Tag" list is set to "1" and the corresponding value is set to "VLAN." Make sure that the second "Tag" list is set to "0." For the "Tunnel-Private-Group-ID" attribute, again make sure the first "Tag" list value is set to "1" and then set the corresponding value field to the number of the VLAN to be assigned. Again, make sure that the second "Tag" list is set to "0." In general, RADIUS allows several sets of tunnel attributes to be carried in one packet, distinguished by their tags. When assigning VLAN IDs, a Cisco Catalyst Switch ignores any tunnel attribute whose Tag is not "1." Only a single VLAN ID may be supplied in each RADIUS response packet to a Cisco Catalyst Switch.
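The tag rules described above, as an added example that is not part of the original document: a small Python encoder and checker for the two tagged attributes (RFC 2868 wire format, where the tag is the first octet of the value and a leading octet above 0x1F in Tunnel-Private-Group-ID is string data rather than a tag). The `assigned_vlan` check is an assumed model of the switch behaviour the text describes, not Cisco's code: only Tag 1 is honoured, Tunnel-Type must be VLAN, and a response carrying more than one VLAN ID is rejected.

```python
import struct

TUNNEL_TYPE = 64               # [064] Tunnel-Type
TUNNEL_PRIVATE_GROUP_ID = 81   # [081] Tunnel-Private-Group-ID
TUNNEL_TYPE_VLAN = 13          # RFC 2868 Tunnel-Type value meaning "VLAN"
ACCEPTED_TAG = 1               # the Catalyst ignores tunnel attributes with any other tag

def encode_tunnel_attrs(vlan_id, tag=ACCEPTED_TAG):
    """Build the two tagged attributes an ACS group profile sends for VLAN assignment."""
    # Tunnel-Type: type, length, tag, 3-octet integer
    tt = struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    # Tunnel-Private-Group-ID: type, length, tag, ASCII string holding the VLAN number
    vid = str(vlan_id).encode()
    tpg = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(vid), tag) + vid
    return tt + tpg

def iter_attrs(payload):
    """Yield (type, value) pairs from a RADIUS attribute list (RFC 2865 type/length/value)."""
    i = 0
    while i < len(payload):
        if len(payload) - i < 2:
            raise ValueError("truncated attribute header at offset %d" % i)
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        yield atype, payload[i + 2:i + alen]
        i += alen

def assigned_vlan(payload):
    """Return the VLAN ID the switch would apply, or None if the profile is unusable."""
    vlan_type_ok = False
    vlan_ids = []
    for atype, value in iter_attrs(payload):
        if atype == TUNNEL_TYPE and len(value) == 4 and value[0] == ACCEPTED_TAG:
            vlan_type_ok = int.from_bytes(value[1:], "big") == TUNNEL_TYPE_VLAN
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # a leading octet above 0x1F is part of the string, i.e. the attribute is untagged
            tag, gid = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            if tag == ACCEPTED_TAG:
                vlan_ids.append(gid.decode("ascii", "replace"))
    if not vlan_type_ok or len(vlan_ids) != 1:
        return None          # wrong tag, wrong Tunnel-Type, or more than one VLAN ID
    gid = vlan_ids[0]
    return int(gid) if gid.isdigit() else None

if __name__ == "__main__":
    # constructed sample: a group profile assigning VLAN 100 with Tag 1
    print(assigned_vlan(encode_tunnel_attrs(100)))
```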
NOTE:
Because RADIUS VLAN ID assignment is not supported by Cisco Catalyst 2950 and 3550 switches, the Cisco Secure ACS should not be configured to assign a VLAN ID to them using RADIUS. RADIUS VLAN ID assignment on Cisco Catalyst 6000 switches requires Cisco Catalyst Operating System Version 7.2 or higher.