
Cisco Acs 57 User Guide



    							7   
    Managing Policy Elements
    Managing Policy Conditions
    —In a TACACS request, ACS obtains this identifier from the remote address field of the start request (of every 
    phase). It takes the remote address value before the slash (/) separator, if it is present; otherwise, it takes the 
    entire remote address value.
    The end station IP address is the end station identifier when that identifier is an IPv4 or IPv6 address. The end station 
    MAC is the normalized MAC address form of the end station identifier.
    Device Filter—Filters a network device (AAA client) that acts as a Policy Enforcement Point (PEP) to the end station 
    based on the network device’s IP address or name, or the network device group that it belongs to.
    The device identifier can be the IP address or name of the device, or it can be based on the network device group 
    to which the device belongs.
    The IP address is a protocol-agnostic attribute of type IPv4 or IPv6, which contains a copy of the device IP address 
    that is obtained from the request:
    —In a RADIUS request, if Attribute 4 (NAS-IP-Address) is present, ACS obtains the IP address from Attribute 4; 
    otherwise, if Attribute 32 (NAS-Identifier) is present, ACS obtains the IP address from Attribute 32, or it obtains 
    the IP address from the packet that it receives.
    —In a TACACS request, the IP address is obtained from the packet that ACS receives.
    The device name is an attribute of type string that contains a copy of the device name derived from the ACS 
    repository.
    The device dictionary (the NDG dictionary) contains network device group attributes such as Location, Device Type, 
    or other dynamically created attributes that represent NDGs. These attributes, in turn, contain the groups that the 
    current device is related to.
    Device Port Filter—Filters the physical port of the device that the end station is connected to. Filtering is based on the 
    device’s IP address, name, NDG it belongs to, and port.
    The device port identifier is an attribute of type string:
    —In a RADIUS request, if Attribute 5 (NAS-Port) is present in the request, ACS obtains the value from Attribute 5; 
    or, if Attribute 87 (NAS-Port-Id) is present in the request, ACS obtains the value from Attribute 87.
    —In a TACACS request, ACS obtains this identifier from the port field of the start request (of every phase).
    The device name is an attribute of type string that contains a copy of the device name derived from the ACS 
    repository.
    The device dictionary (the NDG dictionary) contains network device group attributes such as Location, Device Type, 
    or other dynamically created attributes that represent NDGs. These attributes, in turn, contain the groups that the 
    current device is related to.
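    The precedence rules above, worked through as an added Python example (this is not Cisco code and not part of the guide). RadiusRequest and TacacsStartRequest are constructed stand-ins for parsed packets; the attribute numbers 4, 32, 5 and 87 are the ones named in the text. The last function classifies the end station identifier as IPv4, IPv6 or a normalized MAC, which is the form the filters described in the following sections consume.

```python
"""Derive the device and end station identifiers ACS reads from a request (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# RADIUS attribute numbers named in the guide.
NAS_IP_ADDRESS = 4
NAS_IDENTIFIER = 32
NAS_PORT = 5
NAS_PORT_ID = 87


@dataclass
class RadiusRequest:
    """A RADIUS request reduced to what the filters need (constructed stand-in)."""
    source_ip: str                      # address the packet was received from
    attributes: dict = field(default_factory=dict)   # attribute number -> value


@dataclass
class TacacsStartRequest:
    """A TACACS+ start request reduced to what the filters need (constructed stand-in)."""
    source_ip: str
    rem_addr: str                       # remote address field
    port: str                           # port field


def device_ip(req) -> str:
    """Device IP: RADIUS attr 4, else attr 32, else the packet source; TACACS always the packet source.
    Caveat: NAS-Identifier (32) is a free-form string on the wire, so the value it yields
    is only an IP address when the AAA client fills it that way."""
    if isinstance(req, RadiusRequest):
        for attr in (NAS_IP_ADDRESS, NAS_IDENTIFIER):
            if attr in req.attributes:
                return str(req.attributes[attr])
    return req.source_ip


def device_port(req) -> Optional[str]:
    """Device port: RADIUS attr 5 (NAS-Port), else attr 87 (NAS-Port-Id); TACACS port field."""
    if isinstance(req, RadiusRequest):
        for attr in (NAS_PORT, NAS_PORT_ID):
            if attr in req.attributes:
                return str(req.attributes[attr])
        return None
    return req.port


def tacacs_end_station_identifier(req: TacacsStartRequest) -> str:
    """Remote address up to the first slash, or the whole value when no slash is present."""
    return req.rem_addr.split("/", 1)[0]


def classify_end_station(identifier: str) -> tuple:
    """Return (ip_version, ip_text, normalized_mac) as the IP and MAC filters would see it."""
    try:
        addr = ipaddress.ip_address(identifier)
        return (addr.version, str(addr), None)
    except ValueError:
        pass
    digits = identifier.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) == 12 and all(c in "0123456789abcdef" for c in digits):
        return (None, None, digits)     # normalized: 12 lowercase hex digits
    return (None, None, None)           # neither an IP address nor a MAC address


if __name__ == "__main__":
    r = RadiusRequest("10.0.0.9", {NAS_IDENTIFIER: "10.1.1.1", NAS_PORT: 15})
    print(device_ip(r), device_port(r))
    t = TacacsStartRequest("10.0.0.5", rem_addr="192.0.2.10/remote", port="tty1")
    print(tacacs_end_station_identifier(t), classify_end_station("00-11-22-AA-BB-CC"))
```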
    You can create, duplicate, and edit these filters. You can also do a bulk import of the contents within a filter from a .csv 
    file and export the filters from ACS to a .csv file. See Importing Network Conditions, page 8 for more information on how 
    to do a bulk import of network conditions.
    This section contains the following topics:
    Importing Network Conditions, page 8
    Exporting Network Conditions, page 8
    Creating, Duplicating, and Editing End Station Filters, page 9
    Creating, Duplicating, and Editing Device Filters, page 11
    Creating, Duplicating, and Editing Device Port Filters, page 14 
    						
    Importing Network Conditions
    You can use the bulk import function to import the contents from the following network conditions:
    End station filters
    Device filters
    Device port filters
    For bulk import, you must download the .csv file template from ACS, add the records that you want to import to the .csv 
    file, and save it to your hard drive. Use the Download Template function to ensure that your .csv file adheres to the 
    requirements. 
    The .csv templates for end station filters, device filters, and device port filters are specific to their type; for example, you 
    cannot use a downloaded template accessed from the End Station Filters page to import device filters or device port 
    filters. Within the .csv file, you must adhere to these requirements:
    Do not alter the contents of the first record (the first line, or row, of the .csv file).
    Use only one line for each record.
    Do not embed new-line characters in any fields.
    For non-English languages, encode the .csv file in utf-8 encoding, or save it with a font that supports Unicode.
    The import process does not add filters to the existing list of filters in ACS, but instead replaces the existing list. When 
    you import records from a .csv file, the existing filter configuration in ACS is replaced with the filter configuration from 
    the .csv file.
    1.Click the Replace from File button on the End Station Filter, Device Filter, or Device Port Filter page of the web 
    interface.
    The Replace from File dialog box appears.
    2.Click Download Template to download the .csv file template if you do not have it.
    3.Click Browse to navigate to your .csv file.
    4.Click Start Replace to start the bulk import process.
    The import progress is shown on the same page. You can monitor the bulk import progress. Data transfer failures of 
    any records within your .csv file are displayed.
    5.Click Close to close the Import Progress window.
    You can submit only one .csv file to the system at one time. If an import is under way, an additional import cannot 
    succeed until the original import is complete.
    Note: Instead of downloading the template and creating an import file, you can use the export file of the particular filter, 
    update the information in that file, save it, and reuse it as your import file.
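    Because Replace from File overwrites the whole filter list and rejects files that break the rules above, a pre-check of the .csv file before uploading is worthwhile. The following Python is an added example and not Cisco code: TEMPLATE_HEADER is a hypothetical header row (the real one comes from Download Template and must be left unchanged), and GOOD_CSV and BAD_CSV are constructed sample files.

```python
"""Pre-flight checks for an ACS network-condition .csv import (added example, not Cisco code)."""
import csv
import io

# Hypothetical header row: the real one is whatever ACS wrote into the downloaded template.
TEMPLATE_HEADER = ["Name", "Description", "IPAddress", "SubnetMask"]

# Constructed sample files. GOOD_CSV follows the rules; BAD_CSV embeds a new-line inside a
# quoted field, so one record spans two lines.
GOOD_CSV = (
    b"Name,Description,IPAddress,SubnetMask\r\n"
    b"branch-a,Branch A hosts,192.0.2.0,24\r\n"
    b"lab,Lab VLAN,198.51.100.0,24\r\n"
)
BAD_CSV = (
    b"Name,Description,IPAddress,SubnetMask\r\n"
    b'branch-a,"Branch A\nhosts",192.0.2.0,24\r\n'
)


def check_import_file(data: bytes, template_header=TEMPLATE_HEADER) -> list:
    """Return the rule violations found; an empty list means the file passed every check."""
    problems = []
    try:
        text = data.decode("utf-8")             # rule: encode the file in UTF-8
    except UnicodeDecodeError as exc:
        return [f"file is not valid UTF-8: {exc}"]
    # newline="" keeps line endings intact so csv can see a quoted field that spans lines
    rows = list(csv.reader(io.StringIO(text, newline="")))
    if not rows:
        return ["file is empty: the template header row is missing"]
    if rows[0] != template_header:              # rule: do not alter the first record
        problems.append(f"header row was altered: {rows[0]} != {template_header}")
    for n, row in enumerate(rows[1:], start=2):
        if any("\n" in fld or "\r" in fld for fld in row):
            # rule: one line per record, no embedded new-line characters
            problems.append(f"record {n}: embedded new-line, record spans more than one line")
        if len(row) != len(template_header):
            problems.append(f"record {n}: {len(row)} fields, template has {len(template_header)}")
    return problems


def filters_dropped_by_replace(existing_names, data: bytes) -> list:
    """Filter names configured in ACS that are absent from the file and would vanish on import,
    since Replace from File replaces the list rather than adding to it."""
    rows = list(csv.reader(io.StringIO(data.decode("utf-8"), newline="")))
    imported = {row[0] for row in rows[1:] if row}
    return sorted(name for name in existing_names if name not in imported)


if __name__ == "__main__":
    print(check_import_file(GOOD_CSV))
    print(check_import_file(BAD_CSV))
    print(filters_dropped_by_replace(["branch-a", "lab", "guest-wifi"], GOOD_CSV))
```

    Run the check against the file you intend to upload and review the dropped-filter list before clicking Start Replace; an empty problem list and an empty dropped list mean the import will not fail on format and will not silently remove a filter you still need.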
    Exporting Network Conditions
    ACS 5.7 offers you a bulk export function to export the filter configuration data in the form of a .csv file. You can export 
    the following filter configurations:
    End Station Filters
    Device Filters 
    						
    Device Port Filters
    From the create, edit, or duplicate page of any of the filters, click Export to File to save the filter configuration as a .csv 
    file on your local hard drive.
    Creating, Duplicating, and Editing End Station Filters
    Use the End Station Filters page to create, duplicate, and edit end station filters. To do this:
    1.Choose Policy Elements > Session Conditions > Network Conditions > End Station Filters.
    The End Station Filters page appears with a list of end station filters that you have configured.
    2.Click Create. You can also:
    Check the check box next to the end station filter that you want to duplicate, then click Duplicate.
    Check the check box next to the end station filter that you want to edit, then click Edit.
    Click Export to save a list of end station filters in a .csv file. For more information, see Exporting Network Conditions, 
    page 8.
    Click Replace from File to perform a bulk import of end station filters from a .csv import file. For more information, 
    see Importing Network Conditions, page 8.
    3.Enter the values for the following fields:
    Name—Name of the end station filter.
    Description—A description of the end station filter.
    4.Edit the fields in one or more of the following tabs:
    IP Address—See Defining IP Address-Based End Station Filters, page 9 for a description of the fields in this tab.
    MAC Address—See Defining MAC Address-Based End Station Filters, page 10 for a description of the fields in this 
    tab.
    CLI/DNIS—See Defining CLI or DNIS-Based End Station Filters, page 11 for a description of the fields in this tab.
    Note: To configure a filter, at a minimum, you must enter filter criteria in at least one of the three tabs.
    5.Click Submit to save the changes.
    Related Topics
    Managing Network Conditions, page 6
    Importing Network Conditions, page 8
    Creating, Duplicating, and Editing Device Filters, page 11
    Creating, Duplicating, and Editing Device Port Filters, page 14
    Defining IP Address-Based End Station Filters
    You can create, duplicate, and edit the IP addresses of end stations that you want to permit or deny access to. To do this:
    1.From the IP Address tab, do one of the following:
    Click Create. 
    						
    Check the check box next to the IP-based end station filter that you want to duplicate, then click Duplicate.
    Check the check box next to the IP-based end station filter that you want to edit, then click Edit.
    A dialog box appears.
    2.Choose either of the following:
    Single IP Address—If you choose this option, you must enter a valid address, as follows:
    —IPv4 address in the format x.x.x.x, where x can be any number from 0 to 255.
    —IPv6 address in the format x:x:x:x:x:x:x:x, where x represents one to four hexadecimal digits of the eight 16-bit 
    pieces of the address. This can be either numbers from 0 to 9 or letters from A to F. 
    IP Range(s)—If you choose this option, you must enter a valid IPv4 address and subnet mask to filter a range of IP 
    addresses. By default, the subnet mask value for IPv4 is 32, and the IPv6 value is 128.
    Note: IPv6 ranges are not supported in ACS 5.7.
    Note: IPv6 addresses are supported only in TACACS+ protocols. 
    3.Click OK.
    Related Topics
    Managing Network Conditions, page 6
    Creating, Duplicating, and Editing End Station Filters, page 9
    Defining MAC Address-Based End Station Filters, page 10
    Defining CLI or DNIS-Based End Station Filters, page 11
    Defining MAC Address-Based End Station Filters
    You can create, duplicate, and edit the MAC addresses of end stations or destinations that you want to permit or deny 
    access to. To do this:
    1.From the MAC Address tab, do one of the following:
    Click Create.
    Check the check box next to the MAC address-based end station filter that you want to duplicate, then click Duplicate.
    Check the check box next to the MAC address-based end station filter that you want to edit, then click Edit.
    A dialog box appears.
    2.Check the End Station MAC check box to enter the MAC address of the end station. 
    You can optionally set this field to ANY to refer to any MAC address.
    3.Check the Destination MAC check box to enter the MAC address of the destination machine. 
    You can optionally set this field to ANY to refer to any MAC address.
    Note: You must enter the MAC address in one of the following formats: xxxxxxxxxxxx, xx-xx-xx-xx-xx-xx, 
    xx:xx:xx:xx:xx:xx, or xxxx.xxxx.xxxx, where x can be any number from 0 to 9 or A through F. You cannot use wildcard 
    characters for MAC address. 
    						
    4.Click OK.
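    How the IP Address and MAC Address tabs evaluate against an observed end station, as an added Python example that is not Cisco code: it applies the single-address defaults (32 for IPv4, 128 for IPv6), rejects IPv6 ranges as the notes say ACS 5.7 does, accepts the four MAC formats listed in the note above and rejects wildcards in them. The filter entries and observed values are constructed.

```python
"""End station IP and MAC filter matching (added example, not Cisco code)."""
import ipaddress

HEX = set("0123456789abcdef")


def normalize_mac(mac: str) -> str:
    """Accept xxxxxxxxxxxx, xx-xx-xx-xx-xx-xx, xx:xx:xx:xx:xx:xx or xxxx.xxxx.xxxx and
    return 12 lowercase hex digits. Wildcards (or anything else) are rejected."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or not set(digits) <= HEX:
        raise ValueError(f"not a MAC address in a supported format: {mac!r}")
    return digits


def parse_ip_entry(address: str, mask=None):
    """Single IP Address entries omit the mask (defaults: 32 for IPv4, 128 for IPv6);
    IP Range(s) entries give an IPv4 address plus mask. IPv6 ranges are not supported."""
    addr = ipaddress.ip_address(address)
    prefix = (32 if addr.version == 4 else 128) if mask is None else int(mask)
    if addr.version == 6 and prefix != 128:
        raise ValueError("IPv6 ranges are not supported; enter a single IPv6 address")
    # strict=False lets a range entry carry host bits, e.g. 192.0.2.77/24
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def entry_is_supported(address: str, mask=None) -> bool:
    """True when the entry can be stored as an IP filter entry in ACS 5.7."""
    try:
        parse_ip_entry(address, mask)
        return True
    except ValueError:
        return False


def ip_filter_matches(entries, observed_ip: str) -> bool:
    """True when the observed end station IP falls inside any (address, mask) entry.
    A mismatched IP version never matches (an IPv4 host is never inside an IPv6 entry)."""
    observed = ipaddress.ip_address(observed_ip)
    return any(observed in parse_ip_entry(address, mask) for address, mask in entries)


def mac_filter_matches(filter_value: str, observed_mac: str) -> bool:
    """Compare an End Station MAC or Destination MAC entry with an observed address; ANY matches all."""
    if filter_value.upper() == "ANY":
        return True
    return normalize_mac(filter_value) == normalize_mac(observed_mac)


if __name__ == "__main__":
    entries = [("192.0.2.0", 24), ("2001:db8::1", None)]    # constructed filter contents
    print(ip_filter_matches(entries, "192.0.2.77"), ip_filter_matches(entries, "2001:db8::2"))
    print(mac_filter_matches("00-11-22-AA-BB-CC", "0011.22aa.bbcc"))
```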
    Related Topics
    Managing Network Conditions, page 6
    Creating, Duplicating, and Editing End Station Filters, page 9
    Defining IP Address-Based End Station Filters, page 9
    Defining CLI or DNIS-Based End Station Filters, page 11
    Defining CLI or DNIS-Based End Station Filters
    You can create, duplicate, and edit the CLI and DNIS number of the end stations or destinations that you want to permit 
    or deny access to. To do this:
    1.From the CLI/DNIS tab, do one of the following:
    Click Create.
    Check the check box next to the CLI or DNIS-based end station filter that you want to duplicate, then click Duplicate.
    Check the check box next to the CLI or DNIS-based end station filter that you want to edit, then click Edit.
    A dialog box appears.
    2.Check the CLI check box to enter the CLI number of the end station. 
    You can optionally set this field to ANY to refer to any CLI number.
    3.Check the DNIS check box to enter the DNIS number of the destination machine. 
    You can optionally set this field to ANY to refer to any DNIS number.
    Note: You can use ? and * wildcard characters to refer to any single character or a series of one or more successive 
    characters respectively.
    4.Click OK.
    Related Topics
    Managing Network Conditions, page 6
    Creating, Duplicating, and Editing End Station Filters, page 9
    Defining IP Address-Based End Station Filters, page 9
    Defining MAC Address-Based End Station Filters, page 10
    Creating, Duplicating, and Editing Device Filters
    Use the Device Filters page to create, duplicate, and edit device filters. To do this:
    1.Choose Policy Elements > Session Conditions > Network Conditions > Device Filters.
    The Device Filters page appears with a list of device filters that you have configured.
    2.Click Create. You can also: 
    						
    Check the check box next to the device filter that you want to duplicate, then click Duplicate.
    Check the check box next to the device filter that you want to edit, then click Edit.
    Click Export to save a list of device filters in a .csv file. For more information, see Exporting Network Conditions, 
    page 8.
    Click Replace from File to perform a bulk import of device filters from a .csv import file. For more information, see 
    Importing Network Conditions, page 8.
    3.Enter the values for the following fields:
    Name—Name of the device filter.
    Description—A description of the device filter.
    4.Edit the fields in any or all of the following tabs:
    IP Address—See Defining IP Address-Based Device Filters, page 12 for a description of the fields in this tab.
    Device Name—See Defining Name-Based Device Filters, page 13 for a description of the fields in this tab.
    Network Device Group—See Defining NDG-Based Device Filters, page 13 for a description of the fields in this tab.
    Note: To configure a filter, at a minimum, you must enter filter criteria in at least one of the three tabs.
    5.Click Submit to save the changes.
    Related Topics
    Managing Network Conditions, page 6
    Importing Network Conditions, page 8
    Creating, Duplicating, and Editing End Station Filters, page 9
    Creating, Duplicating, and Editing Device Port Filters, page 14
    Defining IP Address-Based Device Filters
    You can create, duplicate, and edit the IP addresses of network devices that you want to permit or deny access to. To 
    do this:
    1.From the IP Address tab, do one of the following:
    Click Create.
    Check the check box next to the IP-based device filter that you want to duplicate, then click Duplicate.
    Check the check box next to the IP-based device filter that you want to edit, then click Edit.
    A dialog box appears.
    2.Choose either of the following:
    Single IP Address—If you choose this option, you must enter a valid address, as follows:
    —IPv4 address in the format x.x.x.x, where x can be any number from 0 to 255.
    —IPv6 address in the format x:x:x:x:x:x:x:x, where x represents one to four hexadecimal digits of the eight 16-bit 
    pieces of the address. This can be either numbers from 0 to 9 or letters from A to F.  
    						
    IP Range(s)—If you choose this option, you must enter a valid IPv4 or IPv6 address and subnet mask to filter a range 
    of IP addresses. By default, the subnet mask value for IPv4 is 32, and the IPv6 value is 128.
    Note: IPv6 ranges are not supported in ACS 5.7. 
    3.Click OK.
    Related Topics
    Managing Network Conditions, page 6
    Creating, Duplicating, and Editing Device Filters, page 11
    Defining Name-Based Device Filters, page 13
    Defining NDG-Based Device Filters, page 13
    Defining Name-Based Device Filters
    You can create, duplicate, and edit the name of the network device that you want to permit or deny access to. To do this:
    1.From the Device Name tab, do one of the following:
    Click Create.
    Check the check box next to the name-based device filter that you want to duplicate, then click Duplicate.
    Check the check box next to the name-based device filter that you want to edit, then click Edit.
    A dialog box appears.
    2.Click Select to choose the network device that you want to filter.
    3.Click OK.
    Related Topics
    Managing Network Conditions, page 6
    Creating, Duplicating, and Editing Device Filters, page 11
    Defining IP Address-Based Device Filters, page 12
    Defining NDG-Based Device Filters, page 13
    Defining NDG-Based Device Filters
    You can create, duplicate, and edit the name of the network device group type that you want to permit or deny access 
    to. To do this:
    1.From the Network Device Group tab, do one of the following:
    a.Click Create.
    b.Check the check box next to the NDG-based device filter that you want to duplicate, then click Duplicate.
    c.Check the check box next to the NDG-based device filter that you want to edit, then click Edit.
    A dialog box appears.
    2.Click Select to choose the network device group type that you want to filter. 
    						
    3.Click Select to choose the network device group value that you want to filter.
    4.Click OK.
    Related Topics
    Managing Network Conditions, page 6
    Creating, Duplicating, and Editing Device Filters, page 11
    Defining IP Address-Based Device Filters, page 12
    Defining Name-Based Device Filters, page 13
    Creating, Duplicating, and Editing Device Port Filters
    Use the Device Port Filters page to create, duplicate, and edit device port filters. To do this:
    1.Choose Policy Elements > Session Conditions > Network Conditions > Device Port Filters.
    The Device Port Filters page appears with a list of device port filters that you have configured.
    2.Click Create. You can also:
    Check the check box next to the device port filter that you want to duplicate, then click Duplicate.
    Check the check box next to the device port filter that you want to edit, then click Edit.
    Click Export to save a list of device port filters in a .csv file. For more information, see Exporting Network Conditions, 
    page 8.
    Click Replace from File to perform a bulk import of device port filters from a .csv import file. For more information, 
    see Importing Network Conditions, page 8.
    3.Enter the values for the following fields:
    Name—Name of the device port filter.
    Description—A description of the device port filter.
    4.Edit the fields in any or all of the following tabs:
    IP Address—See Defining IP Address-Based Device Port Filters, page 15 for a description of the fields in this tab.
    Device Name—See Defining Name-Based Device Port Filters, page 15 for a description of the fields in this tab.
    Network Device Group—See Defining NDG-Based Device Port Filters, page 16 for a description of the fields in this 
    tab.
    Note: To configure a filter, at a minimum, you must enter filter criteria in at least one of the three tabs.
    5.Click Submit to save the changes.
    Related Topics
    Managing Network Conditions, page 6
    Importing Network Conditions, page 8
    Creating, Duplicating, and Editing End Station Filters, page 9 
    						
    Creating, Duplicating, and Editing Device Filters, page 11
    Defining IP Address-Based Device Port Filters
    You can create, duplicate, and edit the IP addresses of the network device ports that you want to permit or deny access 
    to. To do this:
    1.From the IP Address tab, do one of the following:
    Click Create.
    Check the check box next to the IP-based device port filter that you want to duplicate, then click Duplicate.
    Check the check box next to the IP-based device port filter that you want to edit, then click Edit.
    A dialog box appears.
    2.Choose either of the following:
    Single IP Address—If you choose this option, you must enter a valid address, as follows:
    —IPv4 address in the format x.x.x.x, where x can be any number from 0 to 255.
    —IPv6 address in the format x:x:x:x:x:x:x:x, where x represents one to four hexadecimal digits of the eight 16-bit 
    pieces of the address. This can be either numbers from 0 to 9 or letters from A to F. 
    IP Range(s)—If you choose this option, you must enter a valid IPv4 or IPv6 address and subnet mask to filter a range 
    of IP addresses. By default, the subnet mask value for IPv4 is 32, and the IPv6 value is 128.
    Note: IPv6 ranges are not supported in ACS 5.7. 
    3.Check the Port check box and enter the port number. This field is of type string and can contain numbers or 
    characters. You can use the following wildcard characters:
    ?—match a single character
    *—match a set of characters
    For example, the string “p*1*” would match any word that starts with the letter “p” and contains the number 1, such as 
    port1, port15, and so on.
    4.Click OK.
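    The ? and * wildcards serve both the CLI/DNIS fields of an end station filter (described earlier in this section) and the Port field here, so one added Python example covers both; it is not Cisco code. The pattern is translated to an anchored regular expression with every other character escaped, so a dot or plus in a DNIS or port string is matched literally. The CLI/DNIS text describes * as one or more characters, while the example above ("p*1*" matching "port1") needs the trailing * to match nothing; the code implements zero-or-more so that the guide's own example holds. Filter entries and observed values are constructed.

```python
"""Wildcard matching for CLI/DNIS and device port filter values (added example, not Cisco code)."""
import re


def wildcard_to_regex(pattern: str):
    """? matches exactly one character, * matches a run of zero or more characters;
    everything else is literal, so '.' and '+' in a number are not regex operators."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def value_matches(filter_value: str, observed: str) -> bool:
    """Apply one filter field (CLI, DNIS or Port) to an observed value; ANY matches everything.
    fullmatch anchors both ends, so "p*1*" does not match "xport1" and "555?" does not match "55512"."""
    if filter_value.upper() == "ANY":
        return True
    return wildcard_to_regex(filter_value).fullmatch(observed) is not None


def cli_dnis_filter_matches(entry: dict, observed: dict) -> bool:
    """A CLI/DNIS entry matches when every field enabled in the dialog matches.
    A field whose check box was left unchecked is absent from the entry and adds no constraint."""
    return all(value_matches(entry[key], observed.get(key, ""))
               for key in ("cli", "dnis") if key in entry)


def device_port_filter_matches(entry: dict, observed: dict) -> bool:
    """Name-based device port entry: the device name must be the selected device exactly,
    the Port field is a wildcard pattern (constructed representation of the dialog's fields)."""
    if "device_name" in entry and entry["device_name"] != observed.get("device_name"):
        return False
    if "port" in entry and not value_matches(entry["port"], observed.get("port", "")):
        return False
    return True


if __name__ == "__main__":
    for port in ("port1", "port15", "port2"):
        print(port, value_matches("p*1*", port))
    print(cli_dnis_filter_matches({"cli": "+1555*", "dnis": "ANY"}, {"cli": "+15551234", "dnis": "800"}))
```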
    Related Topics
    Managing Network Conditions, page 6
    Creating, Duplicating, and Editing Device Port Filters, page 14
    Defining Name-Based Device Port Filters, page 15
    Defining NDG-Based Device Port Filters, page 16
    Defining Name-Based Device Port Filters
    You can create, duplicate, and edit the name of the network device and the port to which you want to permit or deny 
    access. To do this:
    1.From the Device Name tab, do one of the following:
    Click Create. 
    						
    Check the check box next to the name-based device port filter that you want to duplicate, then click Duplicate.
    Check the check box next to the name-based device port filter that you want to edit, then click Edit.
    A dialog box appears.
    2.Click Select to choose the network device that you want to filter.
    3.Check the Port check box and enter the port number.
    4.Click OK.
    Related Topics
    Managing Network Conditions, page 6
    Creating, Duplicating, and Editing Device Port Filters, page 14
    Defining IP Address-Based Device Port Filters, page 15
    Defining NDG-Based Device Port Filters, page 16
    Defining NDG-Based Device Port Filters
    You can create, duplicate, and edit the network device group type and the port to which you want to permit or deny 
    access. To do this:
    1.From the Network Device Group tab, do one of the following:
    Click Create.
    Check the check box next to the NDG-based device port filter that you want to duplicate, then click Duplicate.
    Check the check box next to the NDG-based device port filter that you want to edit, then click Edit.
    A dialog box appears.
    2.Click Select to choose the network device group type that you want to filter.
    3.Click Select to choose the network device group value that you want to filter.
    4.Check the Port check box and enter the port number.
    5.Click OK.
    Related Topics
    Managing Network Conditions, page 6
    Creating, Duplicating, and Editing Device Filters, page 11
    Defining IP Address-Based Device Filters, page 12
    Defining Name-Based Device Filters, page 13
    Managing Authorizations and Permissions
    You define authorizations and permissions to determine the results associated with a specific policy rule.
    You can define:
    						