ACS Appliance - Advance filtering

koeppend
Level 4

Hi all

Quick question about my NAC setup on the ACS appliance.

I have created a number of Network Access Profiles from the templates that ACS provides. All is working fine, but my question is in regards to the Advanced Filtering under the NAP.

When I created a template to support L2-802.1x users it placed the following attributes into my advance filter

[026/009/001]cisco-av-pair not-exist aaa:service

[006]Service-Type != 10

And when I created a template to support mac-auth-bypass it placed these following attributes into my advance filter

[026/009/001]cisco-av-pair not-exist aaa:service

[006]Service-Type = 10

What does the following line do?

[026/009/001]cisco-av-pair not:exist aaa:service

And what do these 2 lines do exactly?

[006]Service-Type != 10

[006]Service-Type = 10

Thanks

Dale

2 Replies

darpotter
Level 5

"cisco-av-pair not:exist aaa:service"

means that, to match, the incoming request must NOT include a cisco-av-pair VSA attribute that contains the value "aaa:service=........"

remembering that the cisco-av-pair is like a container for TACACS+ style attributes of the form "protocol:attr=value", e.g. "ip:addr=1.2.3.4"

RADIUS Service-Type 10 is "Framed Routing" which has been reused for some purpose by the NAC people. Not sure what it denotes, but your filters are looking for this attribute != (not equal to) and equal to this value.
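The matching semantics darpotter describes can be made concrete with a small evaluator. The following is an added example, not code from the thread or from Cisco ACS: it parses the four advanced-filter lines quoted in the question and evaluates them against constructed Access-Requests modelled as (attribute, value) pairs, so that the multi-valued cisco-av-pair VSA can be represented. Two points from outside the thread are worth knowing when reading it: RFC 2865 assigns Service-Type value 10 to Call-Check, which Cisco switches send in MAC authentication bypass requests, so the MAB template matches Service-Type = 10 and the 802.1X template excludes it; and the example assumes (ACS behaviour not stated on the page) that a request without a Service-Type attribute satisfies "!= 10", and that NAPs are tried in order with the first match winning. The profile names, the request samples and the "aaa:service=ip_admission" value are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# A RADIUS Access-Request is modelled as a list of (attribute, value) pairs
# because one request may carry several cisco-av-pair VSAs (constructed model).
Request = List[Tuple[str, str]]

# ACS-style advanced filter line, e.g. "[006]Service-Type != 10"
FILTER_RE = re.compile(
    r"^\[(?P<num>[\d/]+)\](?P<attr>[\w-]+)\s+(?P<op>not-exist|exist|!=|=)\s*(?P<val>.*)$"
)


def parse_filter(line: str) -> Tuple[str, str, str]:
    """Split one filter line into (attribute name, operator, value)."""
    m = FILTER_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised filter line: {line!r}")
    return m.group("attr"), m.group("op"), m.group("val").strip()


def condition_matches(request: Request, attr: str, op: str, val: str) -> bool:
    """Evaluate a single filter condition against the request's attributes."""
    values = [v for (a, v) in request if a == attr]
    if op == "not-exist":
        # darpotter's reading: match only if no cisco-av-pair value starts with
        # the given prefix (here "aaa:service"), whatever follows the '='.
        return not any(v.startswith(val) for v in values)
    if op == "exist":
        return any(v.startswith(val) for v in values)
    if op == "=":
        return any(v == val for v in values)
    if op == "!=":
        # Assumption: a request that lacks the attribute entirely is "not equal".
        return not any(v == val for v in values)
    raise ValueError(f"unsupported operator {op!r}")


def profile_matches(request: Request, filter_lines: List[str]) -> bool:
    """Every line of a NAP advanced filter must hold (logical AND)."""
    return all(condition_matches(request, *parse_filter(line)) for line in filter_lines)


# The two templates quoted in the question, in evaluation order (names constructed).
PROFILES: List[Tuple[str, List[str]]] = [
    ("MAC-Auth-Bypass", [
        "[026/009/001]cisco-av-pair not-exist aaa:service",
        "[006]Service-Type = 10",
    ]),
    ("L2-802.1X", [
        "[026/009/001]cisco-av-pair not-exist aaa:service",
        "[006]Service-Type != 10",
    ]),
]


def classify(request: Request) -> Optional[str]:
    """Return the name of the first profile whose filter matches, or None."""
    for name, lines in PROFILES:
        if profile_matches(request, lines):
            return name
    return None


# Constructed sample requests (values chosen for illustration only).
DOT1X_REQUEST: Request = [("User-Name", "alice"), ("Service-Type", "2")]
MAB_REQUEST: Request = [
    ("User-Name", "00-11-22-33-44-55"),
    ("Service-Type", "10"),
    ("cisco-av-pair", "audit-session-id=0A0000010000000A00000001"),
]
NAC_REQUEST: Request = [
    ("User-Name", "bob"),
    ("Service-Type", "2"),
    ("cisco-av-pair", "aaa:service=ip_admission"),
]

if __name__ == "__main__":
    for label, req in (("802.1X", DOT1X_REQUEST), ("MAB", MAB_REQUEST), ("NAC posture", NAC_REQUEST)):
        print(f"{label:12s} -> {classify(req)}")
```

Running it shows the 802.1X and MAB samples landing in their respective profiles, while the request carrying an aaa:service AV pair matches neither, which is the effect of the shared not-exist line: both templates step aside for requests that announce a different AAA service, leaving them for a profile written for that service.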

Thanks for that,

But I'm still not sure why we would want to check that a request does not include the AV pair for aaa:service and also that there is no equal sign or value after an equal sign.

I'm also wanting to know why these are included and what purpose they serve for the templates.

Thanks for the info
