Cisco Secure ACS RADIUS profile configuration

After a user successfully completes the EAP authentication exchange, whichever EAP type is in use, Cisco Secure ACS responds to the switch with a RADIUS Access-Accept packet granting that user access to the network. This is a standard RADIUS Access-Accept packet and can carry the usual RADIUS attributes that the Cisco Catalyst switch understands. Taken as a whole, the attributes in the Access-Accept packet constitute an access profile. Once the switch receives them, the attributes are processed according to the RADIUS RFCs and whatever logic the switch implements above the protocol. The switch acts on the profile only after validating the packet's Response Authenticator with the RADIUS shared secret, so that secret must be protected accordingly. The access profile generally carries user-specific authorization information, such as ACLs to apply or the VLAN ID to assign.

Configuration of the RADIUS profile is performed on the Cisco Secure ACS in either the Group Setup section or the User Setup section. Before attributes appear in the Group and User sections, they must first be enabled in the Interface Configuration section. The following attributes are required for VLAN assignment:

  • [064] Tunnel-Type
  • [081] Tunnel-Private-Group-ID

These attributes are found under the IETF RADIUS Settings heading of Interface Configuration. Checking their boxes causes the corresponding fields to appear on the Group and User pages. RFC 3580 also defines [065] Tunnel-Medium-Type = 802 as part of VLAN assignment; enable it here as well if the switch software in use expects it.

For administrative scalability, RADIUS profiles are usually configured at the group level rather than separately for each user. To assign a VLAN ID to all users in a specific group who access the network through a Cisco Catalyst 4000, 5000, or 6000 switch, navigate to that group's page in Cisco Secure ACS and locate the IETF RADIUS settings section. If the attributes have been enabled in Interface Configuration, Tunnel-Type [064] and Tunnel-Private-Group-ID [081] appear there for configuration.

To configure them, check the checkbox to the left of both attributes. For Tunnel-Type, set the first "Tag" list to "1" and the corresponding value to "VLAN"; leave the second "Tag" list at "0." For Tunnel-Private-Group-ID, again set the first "Tag" list to "1" and enter the number of the VLAN to be assigned in the corresponding value field; leave the second "Tag" list at "0." RFC 2868 tunnel attributes carry a tag octet so that one RADIUS packet can describe several tunnel profiles, which is why ACS offers two tag/value pairs per attribute; a tag of 0 marks a field as unused. When assigning VLAN IDs, a Cisco Catalyst switch ignores tunnel attributes with any tag other than "1," and only a single VLAN ID may be supplied in each RADIUS response packet to a Cisco Catalyst switch.
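The Access-Accept profile described above, as an added example that is not part of the original course material and not Cisco code: the script builds the packet an ACS would send with Tunnel-Type = VLAN and Tunnel-Private-Group-ID = 30 under tag 1, then processes it the way the switch side must: verify the Response Authenticator against the shared secret, honor only tag 1, and assign nothing when the tag or Tunnel-Type is wrong. The shared secret, RADIUS identifier and Request Authenticator are constructed placeholders; Tunnel-Medium-Type = 802 is included because RFC 3580 specifies it, even though the section above lists only the two attributes ACS requires.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute numbers (RFC 2865, RFC 2868) and the VLAN values from RFC 3580
ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_802 = 6

def tagged_int(attr, tag, value):
    """RFC 2868 tagged integer attribute: type, length=6, one tag octet, 3-byte value."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

def tagged_string(attr, tag, value):
    """RFC 2868 tagged string attribute: type, length, one tag octet (0x01-0x1F), string."""
    body = bytes([tag]) + value.encode("ascii")
    return struct.pack("!BB", attr, 2 + len(body)) + body

def build_access_accept(ident, request_authenticator, secret, attributes):
    """ACS side: assemble an Access-Accept. The Response Authenticator (RFC 2865 s.3) is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def parse_attributes(data):
    """Walk the attribute TLVs; yields (type, value) and rejects malformed lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        yield data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]

def vlan_from_access_accept(packet, request_authenticator, secret, honored_tag=1):
    """Switch side: verify the Response Authenticator with the shared secret, then take the
    VLAN from the tunnel attributes carrying honored_tag. Returns the VLAN ID string, or
    None when the packet carries no usable VLAN assignment."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch: drop the packet")
    tunnel_type = group_id = None
    for attr, value in parse_attributes(attrs):
        if attr == ATTR_TUNNEL_TYPE and len(value) == 4 and value[0] == honored_tag:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a leading octet above 0x1F is not a tag but part of the string
            tag, text = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            if tag == honored_tag:
                group_id = text.decode("ascii")
    if tunnel_type != TUNNEL_TYPE_VLAN or group_id is None:
        return None
    return group_id

# Constructed placeholders for the switch/ACS shared secret and for the Request
# Authenticator of the switch's Access-Request; not taken from any real device.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))

def accept_for_vlan(vlan, tag=1):
    """Build the profile this section configures: Tunnel-Type=VLAN, Tunnel-Medium-Type=802
    (RFC 3580), Tunnel-Private-Group-ID=<vlan>, all under the given tag."""
    return build_access_accept(0x2A, REQUEST_AUTH, SECRET, [
        tagged_int(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN),
        tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802),
        tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan)),
    ])

def assigned_vlan(vlan, tag=1):
    """What the switch assigns for a profile built with the given tag (None if ignored)."""
    return vlan_from_access_accept(accept_for_vlan(vlan, tag), REQUEST_AUTH, SECRET)

def tampering_is_detected(vlan=30):
    """Flip the last octet of the VLAN ID after the packet is built; the switch must reject it."""
    pkt = accept_for_vlan(vlan)
    forged = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    try:
        vlan_from_access_accept(forged, REQUEST_AUTH, SECRET)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print("tag 1 profile   ->", assigned_vlan(30))      # 30
    print("tag 2 profile   ->", assigned_vlan(30, 2))   # None: tags other than 1 are ignored
    print("tampered packet ->", "rejected" if tampering_is_detected() else "ACCEPTED")
```

Run it as a script to see the three cases: the tag-1 profile yields VLAN 30, the same profile under tag 2 yields no assignment (mirroring the switch behaviour described above), and a packet whose VLAN ID was altered after it was built fails the Response Authenticator check and is dropped before any VLAN is assigned.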

NOTE:

Because RADIUS VLAN ID assignment is not supported by the Cisco Catalyst 2950 and 3550 switches in the IOS releases covered here, do not attempt to assign it from Cisco Secure ACS over RADIUS to those platforms; later IOS releases added the feature, so check the switch's release notes. RADIUS VLAN ID assignment to Cisco Catalyst 6000 switches requires Cisco Catalyst Operating System (CatOS) version 7.2 or later.

Lab Activity

Lab Exercise: Configure EAP on Cisco ACS for Windows

In this lab, students will configure Extensible Authentication Protocol (EAP) with Cisco Secure ACS for Windows.