Cisco IOS Software Release 12.4(6)T

Tag and Template
Cisco IOS Security Configuration Guide
Configuration Examples for Tag and Template
This section provides the following configuration example.
Typical Tag and Template Configuration: Example
In the following service policy (Tag and Template) example, the tags "healthy" and "non_healthy" are received from a AAA server, the policy map is defined on the network access device (NAD), and the tag policy type is associated with the IP admission name "greentree." The ip admission command that performs that association is not shown in this example; only the class maps, policy map, identity policies, and access lists are.
Class Map Definition for the "healthy_class" Type Tag
Router(config)# class-map type tag healthy_class
Router(config-cmap)# match tag healthy
Router(config-cmap)# end
Class Map Definition for the "non_healthy_class" Type Tag
Router(config)# class-map type tag non_healthy_class
Router(config-cmap)# match tag non_healthy
Router(config-cmap)# end
Policy Map Is Defined
! The following policy map is the one that will be associated with the IP admission name.
Router(config)# policy-map type control tag global_class
! The following line refers to the healthy_class class map that was defined above.
Router(config-pmap)# class healthy_class
Router(config-pmap-c)# identity policy healthy_policy
Router(config-pmap-c)# exit
! The following line refers to the non_healthy_class class map that was defined above.
Router(config-pmap)# class non_healthy_class
Router(config-pmap-c)# identity policy non_healthy_policy
Router(config-pmap-c)# end
Identity Policy Can Be Defined As Follows
Router(config)# identity policy healthy_policy
! The following line names the IP access list applied to healthy users.
Router(config-identity-policy)# access-group healthy
Router(config-identity-policy)# end
Router(config)# identity policy non_healthy_policy
! The following line names the IP access list applied to non-healthy users.
Router(config-identity-policy)# access-group non_healthy
Router(config-identity-policy)# end
Access Lists Can Be Defined As Follows
! The access list names must match the names given in the access-group commands of the identity policies above;
! an access-group that refers to an undefined access list leaves the identity policy without a working filter.
Router(config)# ip access-list extended healthy
! The following line can be anything; as an example, all traffic from healthy hosts is allowed.
Router(config-ext-nacl)# permit ip any any
Router(config-ext-nacl)# end
Router(config)# ip access-list extended non_healthy
! The following line is only an example. In practice, a non-healthy host is usually permitted to reach
! remediation resources only and is denied access to the rest of the network.
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# end
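The example above chains four objects by name (class map, policy map class, identity policy, access list), and a typo in any one link silently breaks the enforcement path. The following Python script is an added example, not code from the Cisco guide: it parses a Tag and Template configuration in running-config form (one-space indentation for sub-commands, as `show running-config` prints it) and reports every reference that does not resolve to a definition. The sample configuration is constructed here from the guide's example, with the access lists deliberately named `healthy_class` and `non_healthy_class` while the identity policies reference `healthy` and `non_healthy`, so the checker has something to find.

```python
"""Cross-reference checker for a Cisco IOS Tag and Template configuration (added example).

It verifies that every reference resolves:
  policy-map type control tag -> class <name>          refers to a class-map type tag
  class -> identity policy <name>                      refers to an identity policy
  identity policy -> access-group <name>               refers to an ip access-list
"""

# Constructed sample (not copied from a device): the guide's example consolidated into
# running-config form. The ACL names are mismatched on purpose.
MISMATCHED_CONFIG = """\
class-map type tag healthy_class
 match tag healthy
class-map type tag non_healthy_class
 match tag non_healthy
policy-map type control tag global_class
 class healthy_class
  identity policy healthy_policy
 class non_healthy_class
  identity policy non_healthy_policy
identity policy healthy_policy
 access-group healthy
identity policy non_healthy_policy
 access-group non_healthy
ip access-list extended healthy_class
 permit ip any any
ip access-list extended non_healthy_class
 deny ip any any
"""

# Same configuration with the ACL names corrected to match the access-group commands.
FIXED_CONFIG = MISMATCHED_CONFIG.replace(
    "ip access-list extended healthy_class", "ip access-list extended healthy"
).replace(
    "ip access-list extended non_healthy_class", "ip access-list extended non_healthy"
)


def parse_config(text):
    """Collect definitions and references.

    Returns (defs, refs): defs maps a kind ("class-map", "identity", "acl") to the set of
    defined names; refs is a list of (kind, referrer, target) tuples.
    """
    defs = {"class-map": set(), "identity": set(), "acl": set()}
    refs = []
    pmap = cname = ipol = None          # current policy-map, class, identity policy context
    for raw in text.splitlines():
        if not raw.strip():
            continue
        words = raw.split()
        if not raw[0].isspace():        # top-level command starts a new context
            pmap = cname = ipol = None
            if words[:3] == ["class-map", "type", "tag"]:
                defs["class-map"].add(words[3])
            elif words[:4] == ["policy-map", "type", "control", "tag"]:
                pmap = words[4]
            elif words[:2] == ["identity", "policy"]:
                defs["identity"].add(words[2])
                ipol = words[2]
            elif words[:3] == ["ip", "access-list", "extended"]:
                defs["acl"].add(words[3])
        elif pmap and words[0] == "class":
            cname = words[1]
            refs.append(("class-map", pmap, cname))
        elif pmap and cname and words[:2] == ["identity", "policy"]:
            refs.append(("identity", f"{pmap}/{cname}", words[2]))
        elif ipol and words[0] == "access-group":
            refs.append(("acl", ipol, words[1]))
    return defs, refs


def unresolved_references(text):
    """Return the (kind, referrer, target) tuples whose target has no definition."""
    defs, refs = parse_config(text)
    return [(kind, ref, target) for kind, ref, target in refs if target not in defs[kind]]


if __name__ == "__main__":
    for label, cfg in (("mismatched", MISMATCHED_CONFIG), ("fixed", FIXED_CONFIG)):
        problems = unresolved_references(cfg)
        print(f"{label}: {len(problems)} unresolved reference(s)")
        for kind, referrer, target in problems:
            print(f"  {referrer} -> {kind} '{target}' is not defined")
```

Run it against the output of `show running-config` saved to a file; the two dangling `access-group` references in the mismatched sample are reported, and the corrected configuration reports none. The checker only validates name linkage, not whether the access lists themselves enforce the intended policy.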