Security Solutions
Designing Access Controls
Finalize Security Policies
Next, create each policy. The exact steps vary, of course, depending on your
RADIUS server. In general, you must:
1. Set the conditions by which the RADIUS server matches an authentication
request to the policy.
The conditions supported depend on your RADIUS server, but they
commonly include group membership (in a group defined on the RADIUS
server or in a directory), time of day, and access method (such as wired,
wireless, or remote). Often, you define a condition as a required value
for an attribute in the RADIUS Access-Request. Table 3-91 lists some such
attributes; in the rightmost columns, enter the value that each of your
policies requires. Most policies use only one or two conditions.
Table 3-91. RADIUS Attributes in Access Requests

Attribute        Explanation                                                          Value for My Policy 1   Value for My Policy 2
NAS-IP-Address   IP address of the NAS (switch or AP) that sends the request
NAS-Port-Type    Protocol by which the user connects (802.3, 802.11, and so forth)
NAS-Port-ID      Port (either a physical port or a WLAN) to which the user connects
Time             Time at which the access request is received (a server-side
                 condition evaluated against the RADIUS server's clock, not an
                 attribute carried in the request)

2. Select authentication protocols.
You need to choose the protocols (such as CHAP, or EAP methods such as
PEAP, EAP-TTLS, and EAP-TLS) with which the RADIUS server authenticates
users. Users' endpoints must support the same protocol. However, many
RADIUS servers allow you to enable multiple authentication protocols, and
an endpoint can then use any one of them. Enable only the protocols your
endpoints actually need, because every protocol you enable is one the
server will accept from any endpoint. Check your server's documentation
for the protocols that it supports.
Remember that on the NAC 800, you do not configure an EAP method.
Instead, you select the EAP type on the endpoint, and during the negotiation
of the EAP method, the NAC 800 detects the EAP type. If the NAC 800
supports the EAP type, it automatically uses it.
You should have already chosen your authentication protocols and EAP
methods in earlier steps in the design process. List your selections in
Table 3-92.
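The following is an added example, not code from the original page or from the NAC 800, showing how the conditions in Table 3-91 are actually evaluated: it parses the attribute list of a RADIUS Access-Request and walks an ordered policy list, first match wins. The attribute type codes (User-Name 1, NAS-IP-Address 4, NAS-Port-Type 61, NAS-Port-Id 87) and the NAS-Port-Type values (Ethernet 15, Wireless-802.11 19, Virtual 5) come from RFC 2865 and RFC 2869; the policy dictionary format, the condition names, the user directory, the packets and the server clock are all constructed for the example. The Request Authenticator is a dummy because no NAS is involved.

```python
"""Added example: match RADIUS Access-Requests against policies built from
group, access-method, NAS-address, port and time-of-day conditions."""
import ipaddress
import struct
from datetime import datetime, time

# Attribute type codes from RFC 2865 (User-Name, NAS-IP-Address, NAS-Port-Type)
# and RFC 2869 (NAS-Port-Id).
USER_NAME, NAS_IP_ADDRESS, NAS_PORT_TYPE, NAS_PORT_ID = 1, 4, 61, 87
ACCESS_REQUEST = 1

# RFC 2865 NAS-Port-Type values mapped to the page's "access method" condition:
# Virtual (VPN/remote), Ethernet, Wireless-802.11.
ACCESS_METHOD = {5: "remote", 15: "wired", 19: "wireless"}


def build_access_request(username, nas_ip, port_type, port_id, ident=1):
    """Construct a minimal Access-Request for testing. No NAS is involved, so
    the 16-byte Request Authenticator is a fixed dummy value."""
    avps = b"".join(
        bytes([atype, 2 + len(value)]) + value
        for atype, value in (
            (USER_NAME, username.encode()),
            (NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
            (NAS_PORT_TYPE, struct.pack("!I", port_type)),
            (NAS_PORT_ID, port_id.encode()),
        )
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(avps))
    return header + b"\x00" * 16 + avps


def parse_access_request(packet):
    """Walk the type/length/value attribute list and return the attributes a
    policy can match on, rejecting malformed lengths instead of guessing."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == USER_NAME:
            attrs["User-Name"] = value.decode("utf-8", "replace")
        elif atype == NAS_IP_ADDRESS and len(value) == 4:
            attrs["NAS-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif atype == NAS_PORT_TYPE and len(value) == 4:
            attrs["NAS-Port-Type"] = struct.unpack("!I", value)[0]
        elif atype == NAS_PORT_ID:
            attrs["NAS-Port-Id"] = value.decode("utf-8", "replace")
        pos += alen
    return attrs


# Constructed directory (user -> groups); a real server would query AD/LDAP.
GROUPS = {"alice": {"staff"}, "bob": {"contractors"}}

# Constructed policies in the shape of Table 3-91. Every condition is optional;
# policies are evaluated in order and the first match wins.
POLICIES = [
    {"name": "Staff wireless", "group": "staff", "access": "wireless",
     "nas_net": "10.1.0.0/16", "hours": (time(7, 0), time(19, 0))},
    {"name": "Staff wired", "group": "staff", "access": "wired",
     "nas_net": "10.1.0.0/16"},
    {"name": "Contractor wired, guest ports only", "group": "contractors",
     "access": "wired", "port_prefix": "guest-", "hours": (time(8, 0), time(18, 0))},
]


def clock(hour, minute=0):
    """Constructed server clock; the time condition uses the server's own time."""
    return datetime(2024, 3, 4, hour, minute)


def matches(policy, attrs, now):
    """True when every condition present in the policy holds for the request."""
    user_groups = GROUPS.get(attrs.get("User-Name", ""), set())
    if "group" in policy and policy["group"] not in user_groups:
        return False
    if "access" in policy and ACCESS_METHOD.get(attrs.get("NAS-Port-Type")) != policy["access"]:
        return False
    if "nas_net" in policy:
        ip = attrs.get("NAS-IP-Address")
        if ip is None or ipaddress.IPv4Address(ip) not in ipaddress.IPv4Network(policy["nas_net"]):
            return False
    if "port_prefix" in policy and not attrs.get("NAS-Port-Id", "").startswith(policy["port_prefix"]):
        return False
    if "hours" in policy:
        start, end = policy["hours"]
        if not start <= now.time() < end:
            return False
    return True


def select_policy(packet, now, policies=POLICIES):
    """Return the name of the first matching policy, or None to reject."""
    attrs = parse_access_request(packet)
    for policy in policies:
        if matches(policy, attrs, now):
            return policy["name"]
    return None


if __name__ == "__main__":
    req = build_access_request("alice", "10.1.5.20", 19, "wlan1")
    print(parse_access_request(req))
    print(select_policy(req, clock(10, 30)), select_policy(req, clock(22, 0)))
```

Note that NAS-IP-Address, NAS-Port-Type and NAS-Port-Id are whatever the NAS writes into the request, so a condition on them trusts every NAS that holds a valid shared secret; the time condition is evaluated from the server's own clock, which is why it is not parsed from the packet. The parser rejects any attribute whose declared length runs past the packet rather than silently truncating it, which is the check most worth keeping when you adapt this to real traffic.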