


9. Which Of The Following Is Used To Configure A Service Template?

Configuring Identity Service Templates


Identity service templates contain a set of policy attributes or features that can be applied to one or more subscriber sessions through a control policy, a RADIUS Change of Authorization (CoA) request, or a user profile or service profile. This module provides information about how to configure local service templates for Session Aware Networking.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Identity Service Templates

For downloadable service templates, the switch uses the default password "cisco123" when downloading the service templates from the authentication, authorization, and accounting (AAA) server, Cisco Secure Access Control Server (ACS), or Cisco Identity Services Engine (ISE). The AAA, ACS, and ISE server must include the password "cisco123" in the service template configuration.

Information About Identity Service Templates

Service Templates for Session Aware Networking

A service template contains a set of service-related attributes or features, such as access control lists (ACLs) and VLAN assignments, that can be activated on one or more subscriber sessions in response to session life-cycle events. Templates simplify the provisioning and maintenance of network session policies where policies fall into distinct groups or are role-based.

A service template is applied to sessions through its reference in a control policy, through RADIUS Change of Authorization (CoA) requests, or through a user profile or service profile. User profiles are defined per subscriber; service profiles can apply to multiple subscribers.

Session Aware Networking supports two types of service templates:

  • Downloadable Service Templates—The service template is configured centrally on an external ACS or AAA server and downloaded on demand.
  • Locally Configured Service Templates—The service template is configured locally on the device through the Cisco IOS command-line interface (CLI).

Downloadable Service Templates

Session Aware Networking can download a service template defined on an external AAA server. The template defines a collection of AAA attributes. These templates are applied to sessions through the use of vendor-specific attributes (VSAs) included in RADIUS CoA messages received from the external AAA server or ACS. The name of the template is referenced in a user profile or a control policy, which triggers a download of the service template during processing.

The downloadable template is cached on the device, and subsequent requests for a download will refer to the available cached template. The template, however, is cached only for the duration of its active usage. The downloaded template cached on the device is protected and cannot be deleted through the CLI or through other applications. This ensures that the template is deleted only when there are no active references to it.

Locally Configured Service Templates

Service templates can be configured locally through the CLI. These service templates can be applied to subscriber sessions by a reference in a control policy.

When an active local template is updated, changes to that local template will be reflected across all sessions for which the template is active. If a template is deleted, all content from that template that is applied against sessions is removed.

How to Configure Identity Service Templates

Configuring a Local Service Template

A service template defines the local policies that can be applied to a subscriber session. Activate this service template on sessions on which the local policies must be applied.

SUMMARY STEPS

    1. enable
    2. configure terminal
    3. service-template template-name
    4. absolute-timer minutes
    5. access-group access-list-name
    6. description description
    7. inactivity-timer minutes probe
    8. redirect url url
    9. tag tag-name
    10. vlan vlan-id
    11. end
    12. show service-template [template-name]

DETAILED STEPS

    Command or Action Purpose

    Step 1 enable

    Example:

    Device> enable

    Enables privileged EXEC mode.

    • Enter your password if prompted.

    Step 2 configure terminal

    Example:

    Device# configure terminal

    Enters global configuration mode.

    Step 3 service-template template-name

    Example:

    Device(config)# service-template SVC_2

    Creates a service template and enters service template configuration mode.

    Step 4 absolute-timer minutes

    Example:

    Device(config-service-template)# absolute-timer 15

    (Optional) Enables an absolute timeout for subscriber sessions.

    Step 5 access-group access-list-name

    Example:

    Device(config-service-template)# access-group ACL_2

    (Optional) Applies an access list to sessions using a service template.

    Step 6 description description

    Example:

    Device(config-service-template)# description characterization for SVC_2

    (Optional) Adds a description for a service template.

    Step 7 inactivity-timer minutes probe

    Example:

    Device(config-service-template)# inactivity-timer 15

    (Optional) Enables an inactivity timeout for subscriber sessions.

    Step 8 redirect url url

    Example:

    Device(config-service-template)# redirect url www.cisco.com

    (Optional) Redirects clients to a particular URL.

    Step 9 tag tag-name

    Example:

    Device(config-service-template)# tag TAG_2

    (Optional) Associates a user-defined tag with a service template.

    Step 10 vlan vlan-id

    Example:

    Device(config-service-template)# vlan 215

    (Optional) Applies a VLAN to sessions using a service template.

    Step 11 end

    Example:

    Device(config-service-template)# end

    Exits service template configuration mode and returns to privileged EXEC mode.

    Step 12 show service-template [template-name]

    Example:

    Device# show service-template SVC_2

    Displays information about configured service templates.

    Example: Service Template

    service-template SVC_2
     description characterization for SVC_2
     access-group ACL_2
     redirect url www.cisco.com
     vlan 215
     inactivity-timer 15
     absolute-timer 15
     tag TAG_2

    What to Do Next

    To activate a service template on a subscriber session, specify the service template in a control policy. See "Configuring a Control Policy."

    Configuration Examples for Identity Service Templates

    Example: Activating a Service Template and Replace All

    Local Service Template Configuration

    The following example shows the configuration of a service template defined locally on the device. This template contains attributes that are applied to sessions that use the control policy named POSTURE_VALIDATION, shown below:

    service-template DOT1X
     access-group SVC1_ACL
     redirect url www.cisco.com match URL_REDIRECT_ACL
     inactivity-timer 60
     absolute-timer 300
    !
    ip access-list extended URL_REDIRECT_ACL
     permit tcp any host 5.5.5.5 eq www

    Control Policy Configuration

    The following example shows a control policy that activates the service template named DOT1X with replace-all enabled. The successfully activated template will replace the existing authorization data and any service template previously applied to the session.

    policy-map type control subscriber POSTURE_VALIDATION
     event session-started match-all
      10 class always do-until-failure
       10 authenticate using dot1x priority 10
       20 authenticate using webauth priority 20
     event authentication-success match-all
      10 class DOT1X do-all
       10 terminate webauth
       20 activate service-template DOT1X replace-all

    Example: Activating a Service Template for Fallback Service

    Local Service Template Configuration

    The following example shows the configuration of a service template defined locally on the device. This template contains attributes that are applied to sessions that use the control policy named POSTURE_VALIDATION, shown below:

    service-template FALLBACK
     description fallback service
     access-group ACL_2
     redirect url www.cisco.com
     inactivity-timer 15
     absolute-timer 15
     tag TAG_2

    Control Policy Configuration

    The following example shows a control policy that runs authentication methods dot1x and MAB. If dot1x authentication fails, MAB authentication is attempted. If MAB fails, the system provides a default authorization profile using the FALLBACK template.

    policy-map type control subscriber POSTURE_VALIDATION
     event session-started match-all
      10 class always do-all
       10 authenticate using dot1x
     event authentication-failure match-all
      10 class DOT1X do-all
       10 authenticate using mab
      20 class MAB do-all
       10 activate service-template FALLBACK

    Example: Deactivating a Service Template

    Access Control List Configuration

    The following example shows the configuration of an access control list (ACL) that is used by the local service template named LOW_IMPACT_TEMPLATE, shown below.

    ip access-list extended LOW_IMPACT_ACL
     permit udp any any eq bootps
     permit tcp any any eq www
     permit tcp any any eq 443
     permit ip any 172.30.0.0 0.0.255.255

    Local Service Template Configuration

    The following example shows the configuration of the local service template that provides limited access to all hosts even when authentication fails.

    service-template LOW_IMPACT_TEMPLATE
     description Service template for Low impact mode
     access-group LOW_IMPACT_ACL
     inactivity-timer 60
     tag LOW_IMPACT_TEMPLATE

    Control Policy Configuration

    The following example shows the configuration of a control policy that uses the template named LOW_IMPACT_TEMPLATE to provide limited access to all hosts even when authentication fails. If authentication succeeds, the policy manager removes the service template and provides access based on the policies downloaded by the RADIUS server.

    class-map type control subscriber match-all DOT1X_MAB_FAILED
     no-match result-type method dot1x success
     no-match result-type method mab success
    !
    policy-map type control subscriber CONCURRENT_DOT1X_MAB_LOW_IMP_MODE
     event session-started match-all
      10 class always do-until-failure
       10 authorize
       20 activate service-template LOW_IMPACT_TEMPLATE
       30 authenticate using mab
       40 authenticate using dot1x
     event authentication-success match-all
      10 class always do-until-failure
       10 deactivate service-template LOW_IMPACT_TEMPLATE
     event authentication-failure match-first
      10 class DOT1X_MAB_FAILED do-until-failure
       10 authorize
       20 terminate dot1x
       30 terminate mab
     event agent-found match-all
      10 class always do-until-failure
       10 authenticate using dot1x
     event inactivity-timeout match-all
      10 class always do-until-failure
       10 clear-session
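
Added example, not part of the Cisco documentation: a Python audit that reads configuration text in the form used by the examples above and reports service templates that a control policy activates or deactivates without a local definition, and access lists that a template names in access-group or redirect url ... match but the configuration never defines. The function name audit_service_templates and the sample configuration are constructed for this illustration.

```python
import re

# Constructed sample: ACL_2 is undefined and GUEST has no local template block.
SAMPLE_CONFIG = """\
service-template FALLBACK
 access-group ACL_2
 redirect url www.cisco.com match URL_REDIRECT_ACL
!
ip access-list extended URL_REDIRECT_ACL
 permit tcp any host 5.5.5.5 eq www
!
policy-map type control subscriber POSTURE_VALIDATION
 event authentication-failure match-all
  20 class MAB do-all
   10 activate service-template FALLBACK
   20 activate service-template GUEST
"""

def audit_service_templates(config_text):
    """Return findings for dangling template and ACL references."""
    templates, acls, used = {}, set(), set()
    current = None                      # service-template block being read
    for line in config_text.splitlines():
        words = line.split()
        if not words or words[0] == "!":
            continue
        if not line.startswith(" "):    # a top-level command ends any block
            current = None
            if words[0] == "service-template" and len(words) > 1:
                current = words[1]
                templates[current] = set()
            elif words[:2] == ["ip", "access-list"] and len(words) > 3:
                acls.add(words[3])
        elif current and words[0] == "access-group" and len(words) > 1:
            templates[current].add(words[1])
        elif current and words[:2] == ["redirect", "url"] and "match" in words[:-1]:
            templates[current].add(words[words.index("match") + 1])
        else:                           # policy actions naming a template
            m = re.search(r"\b(?:de)?activate service-template (\S+)", line)
            if m:
                used.add(m.group(1))
    findings = [f"{t}: activated by a control policy but not defined locally"
                for t in sorted(used - set(templates))]
    findings += [f"{t}: references undefined access list {a}"
                 for t in sorted(templates) for a in sorted(templates[t] - acls)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit_service_templates(SAMPLE_CONFIG)))
```

A template reported as not defined locally may be a downloadable template held on the AAA server, so that finding marks a name to confirm rather than a certain error.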

    Additional References

    Related Documents

    Standards and RFCs

    Standard/RFC    Title
    RFC 5176        Dynamic Authorization Extensions to RADIUS

    Technical Assistance

    Description: The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

    Link: http://www.cisco.com/cisco/web/support/index.html

    Feature Information for Identity Service Templates

    The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

    Table 1 Feature Information for Identity Service Templates

    Feature Name: Downloadable Identity Service Template
    Releases: Cisco IOS XE Release 3.2SE
    Feature Information: Enables a service template to be downloaded from an ACS and its attributes applied against a session.

    Feature Name: Identity Service Template
    Releases: Cisco IOS XE Release 3.2SE
    Feature Information: Enables identity service templates to be configured locally and available at all times.

    The following commands were introduced: absolute-timer, access-group (service template), description (service template), inactivity-timer, redirect url, service-template, show service-template, tag (service template), vlan (service template).



    Source: https://www.cisco.com/en/US/docs/ios-xml/ios/san/configuration/xe-3se/3850/san-svc-temp.html

    Posted by: andersonwhishis.blogspot.com
