Cisco Acs 57 User Guide
Have a look at the manual Cisco Acs 57 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
17 Managing Policy Elements Managing Authorizations and Permissions Authorization profiles for network access authorization (for RADIUS). Shell profiles for TACACS+ shell sessions and command sets for device administration. Downloadable ACLs. Security groups and security group ACLs for Cisco Security Group Access. See ACS and Cisco Security Group Access, page 21, for information on configuring these policy elements. These topics describe how to manage authorizations and permissions: Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 17 Creating and Editing Security Groups, page 22 Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 22 Creating, Duplicating, and Editing Command Sets for Device Administration, page 27 Creating, Duplicating, and Editing Downloadable ACLs, page 30 Deleting an Authorizations and Permissions Policy Element, page 31 Configuring Security Group Access Control Lists, page 31 Creating, Duplicating, and Editing Authorization Profiles for Network Access You create authorization profiles to define how different types of users are authorized to access the network. For example, you can define that a user attempting to access the network over a VPN connection is treated more strictly than a user attempting to access the network through a wired connection. An authorization profile defines the set of attributes and values that the Access-Accept response returns. You can specify: Common data, such as VLAN information, URL for redirect, and more. This information is automatically converted to the raw RADIUS parameter information. RADIUS authorization parameters—You can select any RADIUS attribute and specify the corresponding value to return. You can duplicate an authorization profile to create a new authorization profile that is the same, or similar to, an existing authorization profile. After duplication is complete, you access each authorization profile (original and duplicated) separately to edit or delete them. After you create authorization profiles, you can use them as results in network access session authorization policies. To create, duplicate, or edit an authorization profile: 1.Choose Policy Elements > Authorization and Permissions > Network Access > Authorization Profile. The Authorization Profiles page appears with the fields described in Table 68 on page 18:
18 Managing Policy Elements Managing Authorizations and Permissions 2.Do one of the following: Click Create. Check the check box the authorization profile that you want to duplicate and click Duplicate. Click the name that you want to modify; or, check the check box the name that you want to modify and click Edit. The Authorization Profile Properties page appears. 3.Enter valid configuration data in the required fields in each tab. See: Specifying Authorization Profiles, page 18 Specifying Common Attributes in Authorization Profiles, page 19 Specifying RADIUS Attributes in Authorization Profiles, page 20 4.Click Submit. The authorization profile is saved. The Authorization Profiles page appears with the authorization profile that you created or duplicated. Specifying Authorization Profiles Use this tab to configure the name and description for a network access authorization profile. 1.Choose Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, then click: Create to create a new network access authorization definition. Duplicate to duplicate a network access authorization definition. Edit to edit a network access authorization definition. 2.Complete the required fields of the Authorization Profile: General page as shown in Table 69 on page 18: 3.Click one of the following: Submit to save your changes and return to the Authorization Profiles page. The Common Tasks tab to configure common tasks for the authorization profile; see Specifying Common Attributes in Authorization Profiles, page 19. Table 68 Authorization Profiles Page Option Description Name List of existing network access authorization definitions. DescriptionDisplay only. The description of the network access authorization definition. Table 69 Authorization Profile: General Page Option Description Name The name of the network access authorization definition. Description The description of the network access authorization definition.
19 Managing Policy Elements Managing Authorizations and Permissions The RADIUS Attributes tab to configure RADIUS attributes for the authorization profile; see Specifying RADIUS Attributes in Authorization Profiles, page 20. Specifying Common Attributes in Authorization Profiles Use this tab to specify common RADIUS attributes to include in a network access authorization profile. ACS converts the specified values to the required RADIUS attribute-value pairs and displays them in the RADIUS attributes tab. 1.Choose Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, then click: Create to create a new network access authorization definition, then click the Common Tasks tab. Duplicate to duplicate a network access authorization definition, then click the Common Tasks tab. Edit to edit a network access authorization definition, then click the Common Tasks tab. 2.Complete the required fields of the Authorization Profile: Common Tasks page as shown in Table 70 on page 19: Table 70 Authorization Profile: Common Tasks Page Option Description ACLS Downloadable ACL Name Includes a defined downloadable ACL. See Creating, Duplicating, and Editing Downloadable ACLs, page 30 for information about defining a downloadable ACL. Filter-ID ACL Includes an ACL Filter ID. Proxy ACL Includes a proxy ACL. Voice VLAN Permission to Join Select Static. A value for this parameter is displayed. VLAN VLAN ID/Name Includes a VLAN assignment. Reauthentication Reauthentication Timer Select whether to use a session timeout value. If you select Static, you must enter a value in the Seconds field. The default value is 3600 seconds. If you select Dynamic, you must select the dynamic parameters. Maintain Connectivity during ReauthenticationClick Ye s to ensure connectivity is maintained while reauthentication is performed. By default, Ye s is selected. This field is enabled only if you define the Reauthentication Timer. QoS Input Policy Map Includes a QoS input policy map. Output Policy Map Includes a QoS output policy map. 802.1X-REV
20 Managing Policy Elements Managing Authorizations and Permissions Specifying RADIUS Attributes in Authorization Profiles Use this tab to configure which RADIUS attributes to include in the Access-Accept packet for an authorization profile. This tab also displays the RADIUS attribute parameters that you choose in the Common Tasks tab. 1.Choose Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles, then click: Create to create a new network access authorization definition, then click the RADIUS Attributes tab. Check the check box the authentication profile that you want to duplicate, click Duplicate, and then click the RADIUS Attributes tab. Check the check box the authentication profile that you want to duplicate, click Edit, and then click the RADIUS Attributes tab. 2.Complete the required fields of the Authorization Profile: RADIUS Attributes page as shown in Table 71 on page 20: LinkSec Security Policy If you select Static, you must select a value for the 802.1X-REV LinkSec security policy. Valid options are: must-not-secure should-secure must-secure URL Redirect When a URL is defined for Redirect an ACL must also be defined URL for Redirect Includes a URL redirect. URL Redirect ACL Includes the name of the access control list (ACL) for URL redirection. When you define a URL redirect, you must also define an ACL for the URL redirection. Table 70 Authorization Profile: Common Tasks Page (continued) Option Description Table 71 Authorization Profile: RADIUS Attributes Page Option Description Common Tasks AttributesDisplays the names, values, and types for the attributes that you defined in the Common Tasks tab. Manually EnteredUse this section to define RADIUS attributes to include in the authorization profile. As you define each attribute, its name, value, and type appear in the table. To: Add a RADIUS attribute, fill in the fields below the table and click Add. Edit a RADIUS attribute, select the appropriate row in the table and click Edit. The RADIUS parameters appear in the fields below the table. Edit as required, then click Replace. Dictionary Type Choose the dictionary that contains the RADIUS attribute you want to use.
21 Managing Policy Elements Managing Authorizations and Permissions 3.To c o n f i g u r e : Basic information of an authorization profile; see Specifying Authorization Profiles, page 18. RADIUS Attribute Name of the RADIUS attribute. Click Select to choose a RADIUS attribute from the specified dictionary. You must manually add VPN attributes to the authorization profile to authenticate VPN devices in your network. ACS can work with different Layer 2 and Layer 3 protocols, such as: IPSec—Operates at Layer 3; no mandatory attributes need to be configured in the ACS authorization profile, but you can configure optional attributes. L2TP—For L2TP tunneling, you must configure ACS with: —CVPN3000/ASA/PIX7.x-Tunneling Protocols—This attribute specifies the type of tunneling to be used. —CVPN3000/ASA/PIX7.x-L2TP-Encryption—This attribute, when set, enables VPN3000 to communicate to the client the type of Microsoft Point-to-Point Encryption (MPPE) key that must be used, either the MSCHAPv1 or MSCHAPv2 authentication method. PPTP—For PPTP tunneling, you must configure ACS with: —CVPN3000/ASA/PIX7.x-Tunneling Protocols—This attribute specifies the type of tunneling to be used. —CVPN3000/ASA/PIX7.x-PPTP-Encryption—This attribute, when set, enables VPN3000 to communicate to the client the type of Microsoft Point-to-Point Encryption (MPPE) key that must be used, either the MSCHAPv1 or MSCHAPv2 authentication method. Attribute Type Client vendor type of the attribute, from which ACS allows access requests. For a description of the attribute types, refer to Cisco IOS documentation for the release of Cisco IOS software that is running on your AAA clients. Attribute Value Value of the attribute. Click Select for a list of attribute values. For a description of the attribute values, refer to Cisco IOS documentation for the release of Cisco IOS software that is running on your AAA clients. For tunneled protocols, ACS provides for attribute values with specific tags to the device within the access response according to RFC 2868. If you choose Tagged Enum or Tagged String as the RADIUS Attribute type, the Tag field appears. For the tag value, enter a number that ACS will use to group attributes belonging to the same tunnel. For the Tagged Enum attribute type: Choose an appropriate attribute value. Enter an appropriate tag value (0–31). For the Tagged String attribute type: Enter an appropriate string attribute value (up to 256 characters). Enter an appropriate tag value (0–31). Table 71 Authorization Profile: RADIUS Attributes Page (continued) Option Description
22 Managing Policy Elements Managing Authorizations and Permissions Common tasks for an authorization profile; see Specifying Common Attributes in Authorization Profiles, page 19. Creating and Editing Security Groups Use this page to view names and details of security groups and security group tags (SGTs), and to open pages to create, duplicate, and edit security groups. When you create a security group, ACS generates a unique SGT. Network devices can query ACS for SGT information. The network device uses the SGT to tag, or paint, packets at ingress, so that the packets can be filtered at Egress according to the Egress policy. See Egress Policy Matrix Page, page 45, for information on configuring an Egress policy. 1.Choose Policy Elements > Authorizations and Permissions > Network Access > Security Groups. The Security Groups page appears as described in Table 72 on page 22: 2.Click: Create to create a new security group. Duplicate to duplicate a security group. Edit to edit a security group. 3.Enter the required information in the Name and Description fields, then click Submit. Related Topic Creating Security Groups, page 23 Creating, Duplicating, and Editing a Shell Profile for Device Administration You can configure Cisco IOS shell profile and command set authorization. Shell profiles and command sets are combined for authorization purposes. Shell profile authorization provides decisions for the following capabilities for the user requesting authorization and is enforced for the duration of a user’s session: Privilege level. General capabilities, such as device administration and network access. Shell profile definitions are split into two components: Common tasks Custom attributes The Common Tasks tab allows you to select and configure the frequently used attributes for the profile. The attributes that are included here are those defined by the TACACS protocol draft specification that are specifically relevant to the shell service. However, the values can be used in the authorization of requests from other services. Ta b l e 7 2 S e c u r i t y G r o u p s P a g e Option Description Name The name of the security group. SGT (Dec / Hex) Representation of the security group tag in decimal and hexadecimal format. Description The description of the security group.
23 Managing Policy Elements Managing Authorizations and Permissions The Custom Attributes tab allows you to configure additional attributes. Each definition consists of the attribute name, an indication of whether the attribute is mandatory or optional, and the value for the attribute. Custom attributes can be defined for nonshell services. For a description of the attributes that you specify in shell profiles, see Cisco IOS documentation for the specific release of Cisco IOS software that is running on your AAA clients. After you create shell profiles and command sets, you can use them in authorization and permissions within rule tables. You can duplicate a shell profile if you want to create a new shell profile that is the same, or similar to, an existing shell profile. After duplication is complete, you access each shell profile (original and duplicated) separately to edit or delete them. To create, duplicate, or edit a shell profile: 1.Choose Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles. The Shell Profiles page appears. 2.Do one of the following: Click Create. Check the check box the shell profile that you want to duplicate and click Duplicate. Click the name that you want to modify; or, check the check box the name that you want to modify and click Edit. The Shell Profile Properties page General tab appears. 3.Enter valid configuration data in the required fields in each tab. As a minimum configuration, you must enter a unique name for the shell profile; all other fields are optional. See: Defining General Shell Profile Properties, page 23 Defining Common Tasks, page 24 Defining Custom Attributes, page 27 4.Click Submit. The shell profile is saved. The Shell Profiles page appears with the shell profile that you created or duplicated. Related Topics Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 17 Creating, Duplicating, and Editing Command Sets for Device Administration, page 27 Deleting an Authorizations and Permissions Policy Element, page 31 Configuring Shell/Command Authorization Policies for Device Administration, page 35 Defining General Shell Profile Properties Use this page to define a shell profile’s general properties. 1.Choose Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, then do one of the following:
24 Managing Policy Elements Managing Authorizations and Permissions Click Create. Check the check box the shell profile that you want to duplicate and click Duplicate. Click the name that you want to modify; or, check the check box the name that you want to modify and click Edit. 2.Complete the Shell Profile: General fields as described in Table 73 on page 24: 3.Click: Submit to save your changes and return to the Shell Profiles page. The Common Tasks tab to configure privilege levels for the authorization profile; see Defining Common Tasks, page 24. The Custom Attributes tab to configure RADIUS attributes for the authorization profile; see Defining Custom Attributes, page 27. Related Topics Defining Common Tasks, page 24 Defining Custom Attributes, page 27 Defining Common Tasks Use this page to define a shell profile’s privilege level and attributes. The attributes are defined by the TACACS+ protocol. For a description of the attributes, refer to Cisco IOS documentation for the release of Cisco IOS software that is running on your AAA clients. 1.Choose Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles, then click: Create to create a new shell profile, then click Common Tasks. Duplicate to duplicate a shell profile, then click Common Tasks. Edit to edit a shell profile, then click Common Tasks. 2.Complete the Shell Profile: Common Tasks page as described in Table 74 on page 25: Table 73 Shell Profile: General Page Option Description Name The name of the shell profile. Description (Optional) The description of the shell profile.
25 Managing Policy Elements Managing Authorizations and Permissions Table 74 Shell Profile: Common Tasks Option Description Privilege Level Default Privilege (Optional) Enables the initial privilege level assignment that you allow for a client, through shell authorization. If disabled, the setting is not interpreted in authorization and permissions. The Default Privilege Level specifies the default (initial) privilege level for the shell profile. If you select Static as the Enable Default Privilege option, you can select the default privilege level; the valid options are 0 to 15. If you select Dynamic as the Enable Default Privilege option, you can select attribute from dynamic ACS dictionary, for a substitute attribute. Maximum Privilege (Optional) Enables the maximum privilege level assignment for which you allow a client after the initial shell authorization. The Maximum Privilege Level specifies the maximum privilege level for the shell profile. If you select the Enable Change of Privilege Level option, you can select the maximum privilege level; the valid options are 0 to 15. If you choose both default and privilege level assignments, the default privilege level assignment must be equal to or lower than the maximum privilege level assignment. Shell Attributes Select Not in Use for the options provided below if you do not want to enable them. If you select Dynamic, you can substitute the static value of a TACACS+ attribute with a value of another attribute from one of the listed dynamic dictionaries Access Control List (Optional) Choose Static to specify the name of the access control list to enable it. The name of the access control list can be up to 27 characters, and cannot contain the following: A hyphen (-), left bracket ([), right bracket, (]) forward slash (/), back slash (\), apostrophe (‘), left angle bracket (). Choose Dynamic to select attribute from dynamic ACS dictionary, for a substitute attribute. Auto Command (Optional) Choose Static and specify the command to enable it. Choose Dynamic to select attribute from dynamic ACS dictionary, for a substitute attribute. No Callback Verify (Optional) Choose Static to specify whether or not you want callback verification. Valid options are: True—Specifies that callback verification is not needed. False—Specifies that callback verification is needed. Choose Dynamic to select attribute from dynamic ACS dictionary, for a substitute attribute. No Escape (Optional) Choose Static to specify whether or not you want escape prevention. Valid options are: True—Specifies that escape prevention is enabled. False—Specifies that escape prevention is not enabled. Choose Dynamic to select attribute from dynamic ACS dictionary, for a substitute attribute.
26 Managing Policy Elements Managing Authorizations and Permissions 3.Click: Submit to save your changes and return to the Shell Profiles page. The General tab to configure the name and description for the authorization profile; see Defining General Shell Profile Properties, page 23. The Custom Attributes tab to configure Custom Attributes for the authorization profile; see Defining Custom Attributes, page 27. To substitute the static value of a TACACS+ attribute with a value of another attribute from one of the listed dynamic dictionaries, complete the following steps. 1.Choose System Administration > Configuration > Dictionaries > Identity > Internal Users to add attributes to the Internal Users Dictionary. 2.Choose Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles to create a Shell Profile. 3.Choose Custom Attributes tab to create a new attribute and choose Dynamic as Attribute Value and correlate it to created attribute in Internal Users Dictionary. 4.Create a new rule in Access Policies > Access Services > Default Device Admin > Authorization and choose the Results created as Shell Profile instead. After authorization you will see the response as dynamic attribute value from Internal ID Store. Related Topics Defining Custom Attributes, page 27 Configuring Shell/Command Authorization Policies for Device Administration, page 35 No Hang Up (Optional) Choose Static to specify whether or not you want any hangups. Valid options are: True—Specifies no hangups are allowed. False—Specifies that hangups are allowed. Choose Dynamic to select attribute from dynamic ACS dictionary, for a substitute attribute. Timeout (Optional) Choose Static to enable and specify, in minutes, the duration of the allowed timeout in the value field. The valid range is from 0 to 999. Choose Dynamic to select attribute from dynamic ACS dictionary, for a substitute attribute. Idle Time (Optional) Choose Static to enable and specify, in minutes, the duration of the allowed idle time in the value field. The valid range is from 0 to 999. Choose Dynamic to select attribute from dynamic ACS dictionary, for a substitute attribute. Callback Line (Optional) Choose Static to enable and specify the callback phone line in the value field. Choose Dynamic to select attribute from dynamic ACS dictionary, for a substitute attribute. Callback Rotary (Optional) Choose Static to enable and specify the callback rotary phone line in the value field. Choose Dynamic to select attribute from dynamic ACS dictionary, for a substitute attribute. Table 74 Shell Profile: Common Tasks Option Description