Cisco 3.3 User Manual
Page 230
Chapter 6 User Group Management
Configuration-specific User Group Settings
6-40
User Guide for Cisco Secure ACS for Windows Server
78-16592-01
Configuring Cisco IOS/PIX RADIUS Settings for a User Group
The Cisco IOS/PIX RADIUS parameters appear only when both the following are
true:
•
A AAA client has been configured to use RADIUS (Cisco IOS/PIX) in
Network Configuration.
•
Group-level RADIUS (Cisco IOS/PIX) attributes have been enabled in
Interface Configuration: RADIUS (Cisco IOS/PIX).
Cisco IOS/PIX RADIUS represents only the Cisco VSAs. You must configure
both the IETF RADIUS and Cisco IOS/PIX RADIUS attributes.
Note
To hide or display Cisco IOS/PIX RADIUS attributes, see
Configuration Options for Non-IETF RADIUS Attributes, page 3-17
. A VSA
applied as an authorization to a particular group persists, even when you remove
or replace the associated AAA client; however, if you have no AAA clients of this
(vendor) type configured, the VSA settings do not appear in the group
configuration interface.
To configure and enable Cisco IOS/PIX RADIUS attributes to be applied as an
authorization for each user in the current group, follow these steps:
Step 1
Before you configure Cisco IOS/PIX RADIUS attributes, be sure your IETF
RADIUS attributes are configured properly. For more information about setting
IETF RADIUS attributes, see
Configuring IETF RADIUS Settings for a User
Step 2
If you want to use the [009\001] cisco-av-pair attribute to specify authorizations,
select the check box next to the attribute and then type the attribute-value pairs in
the text box. Separate each attribute-value pair by pressing Enter.
For example, if the current group is used for assigning authorizations to Network
Admission Control (NAC) clients to which Cisco Secure ACS assigns a system
posture token of Infected, you could specify values for the url-redirect,
posture-token, and status-query-timeout attributes as follows:
url-redirect=http://10.1.1.1
posture-token=Infected
status-query-timeout=150