
IBM Tivoli and Cisco User Manual


Chapter 7. Network enforcement subsystem implementation


3. Click Add.

4. To create the Healthy Sales RAC, in the Name field type Healthy_Sales_RAC.

5. In the Add New Attribute section, use the drop-down menus to add the required values, which are described in Table 7-2.

Note: In the scenario detailed in this book, we have two groups defined:
sales and engineering. When creating the RACs, we define a Healthy
Sales RAC, a Quarantine Sales RAC, a Healthy Engineering RAC, and a
Quarantine Engineering RAC. We also define a Default Quarantine RAC to
address the situation where a condition may not be defined or there is no
matched condition. When a user authenticates via IEEE 802.1x, the
posture is checked and a RAC is applied. In this way, we can have
individual Quarantine VLANs for the different groups, which also allows for
different access restrictions for different Quarantine groups. This was done
to show how the solution scales. Have a clear plan for your group-to-VLAN
mappings and your VLAN structure before configuring this portion. We
used the following:

Healthy Sales - VLAN 11
Healthy Engineering - VLAN 12
Quarantine Sales - VLAN 13
Quarantine Engineering - VLAN 14
Default Quarantine - VLAN 15

Table 7-2 Healthy Sales RAC attributes

| Vendor            | Attribute                    | Value                   |
|-------------------|------------------------------|-------------------------|
| Cisco IOS/PIX 6.0 | cisco-av-pair (1)            | status-query-timeout=30 |
| Cisco IOS/PIX 6.0 | cisco-av-pair (1)            | sec:pg=healthy_hosts    |
| IETF              | Session-Timeout (27)         | 3600                    |
| IETF              | Termination-Action (29)      | RADIUS-Request(1)       |
| IETF              | Tunnel-Type (64)             | [T1] VLAN (13)          |
| IETF              | Tunnel-Medium-Type (65)      | [T1] 802 (6)            |
| IETF              | Tunnel-Private-Group-ID (81) | [T1] 11                 |
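
The note above advises fixing the group-to-VLAN plan before configuring the RACs. The following Python check is an added example, not part of the original manual or of Cisco Secure ACS: it audits the three tunnel attributes of each RAC against that plan. The dictionary layout and every RAC name except Healthy_Sales_RAC are assumptions, and the sample input is constructed.

```python
# Added example: audit RAC tunnel attributes against the group-to-VLAN plan.
# VLAN numbers are from the note; RAC names other than Healthy_Sales_RAC are assumed.
VLAN_PLAN = {"Healthy_Sales_RAC": 11, "Healthy_Engineering_RAC": 12,
             "Quarantine_Sales_RAC": 13, "Quarantine_Engineering_RAC": 14,
             "Default_Quarantine_RAC": 15}
# Fixed values Table 7-2 uses for VLAN assignment (attribute -> value).
FIXED = {"Tunnel-Type": "VLAN (13)", "Tunnel-Medium-Type": "802 (6)"}

def audit_rac(name, attrs, plan=VLAN_PLAN):
    """Return findings for one RAC; attrs maps attribute -> (tag, value)."""
    if name not in plan:
        return [f"{name}: not in the VLAN plan"]
    findings, tags = [], set()
    for attr, want in FIXED.items():
        if attr not in attrs:
            findings.append(f"{name}: missing {attr}")
        else:
            tags.add(attrs[attr][0])
            if attrs[attr][1] != want:
                findings.append(f"{name}: {attr} is {attrs[attr][1]}, expected {want}")
    if "Tunnel-Private-Group-ID" not in attrs:
        findings.append(f"{name}: missing Tunnel-Private-Group-ID")
    else:
        tag, vlan = attrs["Tunnel-Private-Group-ID"]
        tags.add(tag)
        if str(vlan) != str(plan[name]):
            findings.append(f"{name}: assigns VLAN {vlan}, plan says {plan[name]}")
    if len(tags) > 1:  # RFC 2868 uses the tag to group attributes of one tunnel
        findings.append(f"{name}: tunnel attributes use mixed tags {sorted(tags)}")
    return findings

def audit_all(racs, plan=VLAN_PLAN):
    """Audit every defined RAC and report planned RACs that are undefined."""
    findings = [f for n, a in racs.items() for f in audit_rac(n, a, plan)]
    return findings + [f"{n}: planned but not defined" for n in plan if n not in racs]

# Constructed input: the first entry mirrors Table 7-2; the second is a
# deliberately wrong quarantine RAC that would place hosts on the healthy VLAN.
SAMPLE_RACS = {
    "Healthy_Sales_RAC": {"Tunnel-Type": (1, "VLAN (13)"),
                          "Tunnel-Medium-Type": (1, "802 (6)"),
                          "Tunnel-Private-Group-ID": (1, "11")},
    "Quarantine_Sales_RAC": {"Tunnel-Type": (1, "VLAN (13)"),
                             "Tunnel-Medium-Type": (2, "802 (6)"),
                             "Tunnel-Private-Group-ID": (1, "11")},
}

if __name__ == "__main__":
    print("\n".join(audit_all(SAMPLE_RACS)))
```

An empty result from audit_all means every planned RAC is defined and assigns the VLAN the plan gives it.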