Cisco IOS Software Release 12.4(6)T
Tag and Template
Cisco IOS Security Configuration Guide
Prerequisites for Tag and Template
• You must have a Cisco IOS image that supports the Modular Quality of Service (QoS) command-line interface (CLI).
Requirements for Tag and Template
• To apply the enforcement policies, the identity policy and the access groups that are associated with that identity policy must be configured for Tag and Template.
Information About Tag and Template
Before configuring Tag and Template, you should understand the following concepts:
• Tag and Template Overview
In a typical Network Admission Control deployment, an access control server (ACS) or a RADIUS server is used for validating the user posture information and for applying the policies on the network access device (NAD). A centralized ACS can be used to support multiple NADs. This solution has inherent problems associated with it, namely:
• Version control of policies. Typically, one NAD running a given Cisco IOS image may support a certain set of ACLs while another NAD supports a different version, and managing the different versions can be a problem.
• Users connect to the NAD on different interfaces, and the policies that can be applied to a user can change on the basis of the interface type, so the NAD is the device best placed to determine which policies to apply. In the current architecture, the ACS sends the same set of policies to all NADs when a profile is matched, which does not give the administrator enough control to configure the policies on the basis of the NAD configuration.
To overcome the above problems, the Tag and Template concept has been introduced. The concept is that the ACS maps users to specific groups and associates a tag with them. For example, the Usergroup1 user group may have a tag with the name “usergroup1.” When the NAD queries the ACS for the policies, the ACS can return the tag that is associated with the user group. When this tag is received at the NAD, the NAD can map the tag to a specific template that can have a set of policies that are associated with the user group. This mapping provides administrators with the flexibility to configure the template on a NAD basis, and the policies can change from NAD to NAD even though the tag is the same.
In summary, a template must be configured on the NAD, and the template must be associated with a tag. When the ACS sends the policies back to the NAD, the template that matches the tag that was received from the ACS is used.
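As an added example (not from the configuration guide itself), the following constructed IOS configuration shows the NAD-side half of this mapping on two different NADs: each holds an identity policy named usergroup1, so the same tag returned by the ACS selects a different access group on each device. The device names, ACL names and addresses are assumed, and the ACS-side configuration that returns the tag is outside what this page describes.

```cisco
! ---- NAD-A (branch router) ----
! Constructed example; names and addresses are assumed.
! Template for tag "usergroup1": users may reach only the branch
! file server and DNS; everything else is denied.
hostname NAD-A
!
ip access-list extended USERGROUP1-BRANCH-ACL
 remark Applied when the ACS returns tag usergroup1 on this NAD
 permit tcp any host 10.1.1.10 eq 445
 permit udp any host 10.1.1.5 eq domain
 deny   ip any any
!
! The identity policy name is the tag; the ACL is the template.
identity policy usergroup1
 access-group USERGROUP1-BRANCH-ACL
!
! ---- NAD-B (campus router) ----
! Same tag name, different template: the campus NAD grants the
! usergroup1 tag access to the whole campus data network instead.
hostname NAD-B
!
ip access-list extended USERGROUP1-CAMPUS-ACL
 remark Applied when the ACS returns tag usergroup1 on this NAD
 permit ip any 10.20.0.0 0.0.255.255
 deny   ip any any
!
identity policy usergroup1
 access-group USERGROUP1-CAMPUS-ACL
```

Because the tag is only a name, a typo in the identity policy name on one NAD means no template matches there; keep the tag string identical on the ACS and on every NAD, and vary only the access group bound to it.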