How to configure NAC for custom RADIUS attributes such as RFC 3580 VLAN ID, Egress Type, Service Type, Filter-ID

Objective
  • To add custom attributes to RADIUS packets from the NAC.
  • This affects the RADIUS attributes returned from the NAC to the switch, router or wireless controller.
Environment
  • Netsight NAC
Procedure
     1. In NAC Manager click the "Switches" tab
     2. Click the switch you'd like to send the new RADIUS attribute to, and then click the "Edit" button in the lower right hand corner of the table
     3. Click the drop down for "Gateway RADIUS Attributes to send"
     4. Check pre-loaded profiles to determine if the attributes you'd like to send are already in a configured profile by pressing the "gear" icon next to the pre-loaded profiles
     5. If the desired attributes do not exist in a pre-loaded profile then you'll need to create a new profile
     6. Highlight and copy the "Preview" section of your currently used profile
     7. Click the "Add" button
     8. Give the Attribute Group a name
     9. Paste the attributes from your clipboard into the Attribute Definition window, and then use the defined Variables at the bottom of the window to add the CUSTOM1 attribute into the new attribute group
     10. In this example I added the CUSTOM1 and CUSTOM2 attributes. You can either configure the profile to have the attribute string = %VARIABLE%, or just %VARIABLE% and have this defined in the policy mappings (shown below). Be aware that the attribute string is case sensitive. If it is not an exact match, NAC will throw an error when you try to save. The attribute must match exactly and exist in the FreeRADIUS attribute dictionary.
     11. Click the "Save" button
     12. Click the "OK" button
     13. Choose the newly configured Attribute Group for the "Gateway RADIUS attributes to send" drop down
     14. Click the "OK" button
     15. Select Tools -> Management and Configuration -> Advanced Configuration
     16. Drill into "NAC Profile"
     17. Drill into Policy Mappings and click "Default"
     18. Double click the Profile you wish to modify
     19. Add the custom attribute or value in the field that was defined previously
     20. Alter the fields as needed. Popular fields for modification are VLAN ID for RFC 3580 support (must also be configured on the switch), VLAN egress as tagged or untagged, and Service Type for management login to the switch
     21. Click OK for all of the previous windows, then do an enforce for this to take effect
     22. Check End System events to make sure the criteria are being used, shown under the Authorization column, after a reauthentication or new authentication has taken place
 
Additional notes
  • The "Gateway RADIUS attributes to send" Attribute Group will determine which attributes will be sent to the switch. The Policy Mappings will determine what values to use in the variables defined in the Attribute Group when the authorization occurs. If the attribute is not defined in the "Gateway RADIUS attributes to send" section of the configuration, then the values in the policy mappings will not be used.
  • For a step-by-step walkthrough: https://www.youtube.com/watch?v=V0MWxMKmNtY
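
A pre-save check for the two rules above (exact, case-sensitive attribute names that exist in the dictionary, and policy-mapping values that are only sent when their variable appears in the Attribute Group), as an added example that is not part of the original article or the product's own code. It models the substitution in a simplified way; the dictionary entries, definition lines, mapping values and the CUSTOM3 variable are constructed for illustration.

```python
import re

# Constructed sample in FreeRADIUS dictionary syntax (numbers per RFC 2865/2868).
SAMPLE_DICTIONARY = """\
ATTRIBUTE Service-Type 6 integer
ATTRIBUTE Filter-Id 11 string
ATTRIBUTE Tunnel-Private-Group-Id 81 string has_tag
"""
# Constructed Attribute Definition and Policy Mapping values; CUSTOM3 is hypothetical.
SAMPLE_DEFINITION = "Tunnel-Private-Group-Id=%CUSTOM1%\n%CUSTOM2%\nservice-type=1\n"
SAMPLE_MAPPING = {"CUSTOM1": "120", "CUSTOM2": "Service-Type=6", "CUSTOM3": "Filter-Id=guest"}

VAR = re.compile(r"%([A-Z0-9_]+)%")

def load_names(dictionary_text):
    """Collect attribute names from ATTRIBUTE lines of a dictionary file."""
    names = set()
    for line in dictionary_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "ATTRIBUTE":
            names.add(parts[1])
    return names

def check_group(definition, mapping, names):
    """Return (attributes that would be sent, problems, mapping keys never referenced)."""
    sent, problems, used = [], [], set()
    by_lower = {n.lower(): n for n in names}
    for raw in definition.splitlines():
        if not raw.strip():
            continue
        used.update(VAR.findall(raw))
        # Fill each %VARIABLE% from the policy mapping; a missing value becomes empty.
        line = VAR.sub(lambda m: mapping.get(m.group(1), ""), raw.strip())
        name, sep, value = (p.strip() for p in line.partition("="))
        if not sep or not value:
            problems.append(f"empty after substitution: {raw.strip()}")
        elif name in names:
            sent.append(f"{name}={value}")
        elif name.lower() in by_lower:
            problems.append(f"case mismatch: {name} (dictionary has {by_lower[name.lower()]})")
        else:
            problems.append(f"not in dictionary: {name}")
    unused = sorted(k for k, v in mapping.items() if v and k not in used)
    return sent, problems, unused

if __name__ == "__main__":
    for part in check_group(SAMPLE_DEFINITION, SAMPLE_MAPPING, load_names(SAMPLE_DICTIONARY)):
        print(part)
```

To check a real profile, pass the text of the appliance's FreeRADIUS dictionary file to `load_names` and the copied "Preview" text as the definition.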
