Cisco 3.3 User Manual

Appendix C RADIUS Attributes

About the cisco-av-pair RADIUS Attribute

User Guide for Cisco Secure ACS for Windows Server

78-16592-01

In IOS, support for Network Admission Control (NAC) includes the use of the
following AV pairs:

url-redirect—Enables the AAA client to intercept an HTTP request and
redirect it to a new URL. This is especially useful if the result of posture
validation indicates that the NAC-client computer requires an update or patch
that you have made available on a remediation web server. For example, a
user can be redirected to a remediation web server to download and apply a
new virus DAT file or an operating system patch. The AV pair takes this form:

url-redirect=http://10.1.1.1

posture-token—Enables Cisco Secure ACS to send a text version of a system
posture token (SPT) derived by posture validation. The SPT is always sent in
numeric format; using the posture-token AV pair makes the result of a posture
validation request easier to read on the AAA client. For example:

posture-token=Healthy

Caution

The posture-token AV pair is the only way that Cisco Secure ACS notifies the
AAA client of the SPT returned by posture validation. Because you manually
configure the posture-token AV pair, errors in configuring posture-token can
result in the incorrect system posture token being sent to the AAA client or, if the
AV pair name is mistyped, the AAA client not receiving the system posture token
at all.

For a list of valid SPTs, see Posture Tokens, page 14-4.

status-query-timeout—Overrides the status-query default value of the AAA
client with the value you specify, in seconds. For example:

status-query-timeout=150

For more information about AV pairs supported by IOS, refer to the
documentation for the releases of IOS implemented on your AAA clients.
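
The Caution above notes that a mistyped posture-token name or value reaches the AAA client wrong or not at all. The following check for NAC AV pairs is an added example, not part of the Cisco guide; the function names and the token names in ASSUMED_SPTS are assumptions, so confirm the tokens against the valid-SPT list for your release.

```python
import difflib
from urllib.parse import urlsplit

# The three names are from the page. The SPT names are an assumption:
# confirm them against the valid-SPT list for your ACS release.
NAC_NAMES = ("url-redirect", "posture-token", "status-query-timeout")
ASSUMED_SPTS = ("Healthy", "Checkup", "Quarantine", "Infected", "Unknown")

def _hint(word, choices):
    near = difflib.get_close_matches(word, choices, n=1, cutoff=0.7)
    return f"; did you mean '{near[0]}'?" if near else ""

def lint_av_pair(line):
    """Return the problems found in one 'name=value' NAC AV pair."""
    name, sep, value = line.strip().partition("=")
    if not sep:
        return ["missing '=' between name and value"]
    if name not in NAC_NAMES:
        return [f"unrecognized name '{name}'" + _hint(name.lower(), NAC_NAMES)]
    if name == "posture-token" and value not in ASSUMED_SPTS:
        return [f"unrecognized SPT '{value}'" + _hint(value.capitalize(), ASSUMED_SPTS)]
    if name == "url-redirect":
        try:
            url = urlsplit(value)
            bad = url.scheme not in ("http", "https") or not url.hostname
        except ValueError:  # for example an unbalanced '[' in the host part
            bad = True
        if bad:
            return ["url-redirect needs an http(s) URL with a host"]
    if name == "status-query-timeout" and not (value.isascii() and value.isdigit()):
        return ["status-query-timeout must be a whole number of seconds"]
    return []

def lint_config(text):
    """Map each offending line number (1-based) to its problems."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if line.strip() and (problems := lint_av_pair(line)):
            report[number] = problems
    return report

# Constructed sample: lines 1-3 are the page's examples, 4-6 are mistyped.
SAMPLE = """url-redirect=http://10.1.1.1
posture-token=Healthy
status-query-timeout=150
posture-tokn=Healthy
posture-token=Helthy
status-query-timeout=150s
"""
```

Calling lint_config(SAMPLE) reports lines 4, 5 and 6 and leaves the three examples from this page unflagged.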