Cisco Acs 57 User Guide
Managing Policy Elements: Managing Authorizations and Permissions (page 27)

Defining Custom Attributes

Use this tab to define custom attributes for the shell profile. This tab also displays the Common Tasks Attributes that you have chosen in the Common Tasks tab.

1. Edit the fields in the Custom Attributes tab as described in Table 75 on page 27.
2. Click:
- Submit to save your changes and return to the Shell Profiles page.
- The General tab to configure the name and description for the authorization profile; see Defining General Shell Profile Properties, page 23.
- The Common Tasks tab to configure the shell profile's privilege level and attributes for the authorization profile; see Defining Common Tasks, page 24.

Related Topics
Defining General Shell Profile Properties, page 23
Defining Common Tasks, page 24

Creating, Duplicating, and Editing Command Sets for Device Administration

Command sets provide decisions for allowed commands and arguments for device administration. You can specify command sets as results in a device configuration authorization policy. Shell profiles and command sets are combined for authorization purposes, and are enforced for the duration of a user's session.

You can duplicate a command set if you want to create a new command set that is the same as, or similar to, an existing command set. After duplication is complete, you access each command set (original and duplicated) separately to edit or delete them.

After you create command sets, you can use them in authorizations and permissions within rule tables. A rule can contain multiple command sets. See Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 22.

Note: Command sets support TACACS+ protocol attributes only.

Table 75 Shell Profile: Custom Attributes Page
Option / Description
Common Tasks Attributes: Displays the names, requirements, and values for the Common Tasks Attributes that you have defined in the Common Tasks tab.
Manually Entered: Use this section to define custom attributes to include in the authorization profile. As you define each attribute, its name, requirement, and value appear in the table. To:
- Add a custom attribute, fill in the fields below the table and click Add.
- Edit a custom attribute, select the appropriate row in the table and click Edit. The custom attribute parameters appear in the fields below the table. Edit as required, then click Replace.
Attribute: Name of the custom attribute.
Requirement: Choose whether this custom attribute is Mandatory or Optional.
Attribute Value: Choose whether the custom attribute is Static or Dynamic.
To create, duplicate, or edit a command set:

1. Choose Policy Elements > Authorization and Permissions > Device Administration > Command Sets. The Command Sets page appears.
2. Do one of the following:
- Click Create. The Command Set Properties page appears.
- Check the check box for the command set that you want to duplicate and click Duplicate. The Command Set Properties page appears.
- Click the name that you want to modify; or, check the check box for the name that you want to modify and click Edit. The Command Set Properties page appears.
- Click File Operations to perform any of the following functions:
  —Add—Choose this option to add command sets from the import file to ACS.
  —Update—Choose this option to replace the list of command sets in ACS with the list of command sets in the import file.
  —Delete—Choose this option to delete the command sets listed in the import file from ACS.
  See Performing Bulk Operations for Network Resources and Users, page 7 for a detailed description of the bulk operations.
- Click Export to export the command sets from ACS to your local hard disk. A dialog box appears, prompting you to enter an encryption password to securely export the command sets:
  a. Check the Password check box and enter the password to encrypt the file during the export process, then click Start Export.
  b. Click Start Export to export the command sets without any encryption.
3. Enter valid configuration data in the required fields. As a minimum configuration, you must enter a unique name for the command set; all other fields are optional. You can define commands and arguments; you can also add commands and arguments from other command sets. See Table 76 on page 28 for a description of the fields in the Command Set Properties page.

Table 76 Command Set Properties Page
Field / Description
Name: Name of the command set.
Description: (Optional) The description of the command set.
Permit any command that is not in the table below: Check to allow all commands that are requested, unless they are explicitly denied in the Grant table. Uncheck to allow only commands that are explicitly allowed in the Grant table.
4. Click Submit. The command set is saved. The Command Sets page appears with the command set that you created or duplicated.

Related Topics
Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 17
Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 22
Deleting an Authorizations and Permissions Policy Element, page 31

Table 76 Command Set Properties Page (continued)
Field / Description
Command Set table: Use this section to define commands to include in the authorization profile. As you define each command, its details appear in the table. To:
- Add a command, fill in the fields below the table and click Add.
- Edit a command, select the appropriate row in the table, and click Edit. The command parameters appear in the fields below the table. Edit as required, then click Replace.
The order of commands in the Command Set table is important; policy rule table processing depends on which command and argument are matched first to make a decision on the policy result. Use the control buttons at the right of the Command Set table to order your commands.
Grant: Choose the permission level of the associated command. Options are:
- Permit—The associated command and arguments are automatically granted.
- Deny—The associated command and arguments are automatically denied.
- Deny Always—The associated command and arguments are always denied.
Command: Enter the command name. This field is not case sensitive. You can use the asterisk (*) to represent zero (0) or more characters in the command name, and you can use the question mark (?) to represent a single character in a command name. Examples of valid command name entries: SHOW, sH*, sho?, Sh*?
Arguments: Enter the argument associated with the command name. This field is not case sensitive. ACS 5.7 uses standard UNIX-type regular expressions.
Select Command/Arguments from Command Set: To add a command from another command set:
1. Choose the command set.
2. Click Select to open a page that lists the available commands and arguments.
3. Choose a command and click OK.
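To show why row order, the wildcard rules and the "Permit any command that is not in the table below" check box matter, here is an added Python model of command set evaluation (it is not Cisco code and not part of this guide). The sample sets are constructed; the rule for combining several command sets attached to one rule (Deny Always from any set wins, then Permit from any set, otherwise Deny) is an assumption, since the table above defines only the three grant values.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Grant values exactly as the Command Set table names them.
PERMIT, DENY, DENY_ALWAYS = "Permit", "Deny", "Deny Always"


@dataclass
class CommandRule:
    grant: str
    command: str         # Command field: * = zero or more characters, ? = one character
    arguments: str = ""  # Arguments field: UNIX-style regex; empty matches any arguments


@dataclass
class CommandSet:
    name: str
    permit_unmatched: bool  # "Permit any command that is not in the table below"
    rules: List[CommandRule] = field(default_factory=list)


def command_pattern(field_value: str) -> re.Pattern:
    """Turn the Command field's wildcards into an anchored, case-insensitive regex."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in field_value]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def rule_matches(rule: CommandRule, command: str, arguments: str) -> bool:
    if not command_pattern(rule.command).match(command):
        return False
    # The Arguments field is a regular expression, also matched case-insensitively.
    return rule.arguments == "" or re.search(rule.arguments, arguments, re.IGNORECASE) is not None


def evaluate_set(cs: CommandSet, command: str, arguments: str) -> str:
    """Rows are tested top to bottom; the first match decides, so row order matters."""
    for rule in cs.rules:
        if rule_matches(rule, command, arguments):
            return rule.grant
    return PERMIT if cs.permit_unmatched else DENY  # no row matched: the check box decides


def authorize(command_sets: List[CommandSet], line: str) -> str:
    """Split a command line into command and arguments (as TACACS+ sends cmd and cmd-arg)
    and combine every command set attached to the rule. ASSUMPTION: Deny Always from any
    set wins, then Permit from any set, otherwise Deny."""
    command, _, arguments = line.strip().partition(" ")
    outcomes = [evaluate_set(cs, command, arguments) for cs in command_sets]
    if DENY_ALWAYS in outcomes:
        return DENY
    return PERMIT if PERMIT in outcomes else DENY


# Constructed sample: a read-only set that must never reveal the running configuration.
READ_ONLY = CommandSet("ReadOnly", permit_unmatched=False, rules=[
    CommandRule(DENY, "show", r"^running-config"),  # must sit above the broad permit row
    CommandRule(PERMIT, "sho?"),                    # sho? matches "show" (and "SHOW")
    CommandRule(DENY_ALWAYS, "conf*"),              # configure, config, ...
])
# Constructed sample: a permissive set that relies only on the check box.
FULL_ACCESS = CommandSet("FullAccess", permit_unmatched=True)

if __name__ == "__main__":
    for line in ("show ip interface brief", "SHOW running-config", "configure terminal", "ping 10.0.0.1"):
        print(f"{line!r:28} ReadOnly: {authorize([READ_ONLY], line):6}  "
              f"FullAccess+ReadOnly: {authorize([FULL_ACCESS, READ_ONLY], line)}")
```

Swapping the first two ReadOnly rows lets "show running-config" through, which is the ordering hazard the table above warns about; the combined run also shows that a plain Deny is overridden by a Permit in another set while Deny Always is not.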
Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 22

Creating, Duplicating, and Editing Downloadable ACLs

You can define downloadable ACLs for the Access-Accept message to return. Use ACLs to prevent unwanted traffic from entering the network. ACLs can filter source and destination IP addresses, transport protocols, and more by using the RADIUS protocol.

After you create downloadable ACLs as named permission objects, you can add them to authorization profiles, which you can then specify as the result of an authorization policy.

You can duplicate a downloadable ACL if you want to create a new downloadable ACL that is the same as, or similar to, an existing downloadable ACL. After duplication is complete, you access each downloadable ACL (original and duplicated) separately to edit or delete them.

To create, duplicate, or edit a downloadable ACL:

1. Choose Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs. The Downloadable ACLs page appears.
2. Do one of the following:
- Click Create. The Downloadable ACL Properties page appears.
- Check the check box for the downloadable ACL that you want to duplicate and click Duplicate. The Downloadable ACL Properties page appears.
- Click the name that you want to modify; or, check the check box for the name that you want to modify and click Edit. The Downloadable ACL Properties page appears.
- Click File Operations to perform any of the following functions:
  —Add—Choose this option to add ACLs from the import file to ACS.
  —Update—Choose this option to replace the list of ACLs in ACS with the list of ACLs in the import file.
  —Delete—Choose this option to delete the ACLs listed in the import file from ACS.
  See Performing Bulk Operations for Network Resources and Users, page 7 for a detailed description of the bulk operations.
- Click Export to export the DACLs from ACS to your local hard disk. A dialog box appears, prompting you to enter an encryption password to securely export the DACLs:
  —Check the Password check box and enter the password to encrypt the file during the export process, then click Start Export.
  —Click Start Export to export the DACLs without any encryption.
3. Enter valid configuration data in the required fields as shown in Table 77 on page 31, and define one or more ACLs by using standard ACL syntax.
4. Click Submit. The downloadable ACL is saved. The Downloadable ACLs page appears with the downloadable ACL that you created or duplicated.

Related Topics
Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 17
Configuring a Session Authorization Policy for Network Access, page 30
Deleting an Authorizations and Permissions Policy Element, page 31

Table 77 Downloadable ACL Properties Page
Option / Description
Name: Name of the DACL.
Description: Description of the DACL.
Downloadable ACL Content: Define the ACL content. Use standard ACL command syntax and semantics. The ACL definition comprises one or more ACL commands; each ACL command must occupy a separate line. For detailed ACL definition information, see the command reference section of your device configuration guide.

Deleting an Authorizations and Permissions Policy Element

To delete an authorizations and permissions policy element:

1. Choose Policy Elements > Authorization and Permissions; then, navigate to the required option. The corresponding page appears.
2. Check one or more check boxes for the items that you want to delete and click Delete. The following message appears: Are you sure you want to delete the selected item/items?
3. Click OK. The page appears without the deleted object.

Configuring Security Group Access Control Lists

Security group access control lists (SGACLs) are applied at egress, based on the source and destination SGTs. Use this page to view, create, duplicate, and edit SGACLs. When you modify the name or content of an SGACL, ACS updates its generation ID. When the generation ID of an SGACL changes, the relevant Security Group Access network devices reload the content of the SGACL. SGACLs are also called role-based ACLs (RBACLs).

1. Choose Policy Elements > Authorizations and Permissions > Named Permissions Objects > Security Group ACLs. The Security Group Access Control Lists page appears with the fields described in Table 78 on page 32.
2. Click one of the following options:
- Create to create a new SGACL.
- Duplicate to duplicate an SGACL.
- Edit to edit an SGACL.
3. Complete the fields in the Security Group Access Control Lists Properties page as described in Table 79 on page 32.
4. Click Submit.

Table 78 Security Group Access Control Lists Page
Option / Description
Name: The name of the SGACL.
Description: The description of the SGACL.

Table 79 Security Group Access Control List Properties Page
Option / Description
General
Name: Name of the SGACL. You cannot use spaces, hyphens (-), question marks (?), or exclamation marks (!) in the name. After you create an SGACL, its generation ID appears.
Generation ID: Display only. ACS updates the generation ID of the SGACL if you change the:
- Name of the SGACL.
- Content of the SGACL (the ACEs).
Changing the SGACL description does not affect the generation ID.
Description: Description of the SGACL.
Security Group ACL Content: Enter the ACL content. Ensure that the ACL definition is syntactically and semantically valid.
Managing Access Policies
Cisco Systems, Inc. www.cisco.com

In ACS 5.7, policy drives all activities. Policies consist mainly of rules that determine the action of the policy. You create access services to define authentication and authorization policies for requests. A global service selection policy contains rules that determine which access service processes an incoming request.

For a basic work flow for configuring policies and all their elements, see Flows for Configuring Services and Policies, page 18. In general, before you can configure policy rules, you must configure all the elements that you will need, such as identities, conditions, and authorizations and permissions. For information about:
- Managing identities, see Managing Users and Identity Stores, page 1.
- Configuring conditions, see Managing Policy Elements, page 1.
- Configuring authorizations and permissions, see Configuring System Operations, page 1.

This section contains the following topics:
Policy Creation Flow, page 1
Customizing a Policy, page 4
Configuring the Service Selection Policy, page 5
Configuring Access Services, page 10
Configuring Access Service Policies, page 22
Configuring Compound Conditions, page 40
Security Group Access Control Pages, page 45
Maximum User Sessions, page 50
Maximum Login Failed Attempts Policy, page 55

For information about creating Egress and NDAC policies for Cisco Security Group Access, see Configuring an NDAC Policy, page 23.

Policy Creation Flow

Policy creation depends on your network configuration and the degree of refinement that you want to bring to individual policies. The endpoint of policy creation is the access service that runs as the result of the service selection policy. Each policy is rule driven. In short, you must determine the:
- Details of your network configuration.
- Access services that implement your policies.
- Rules that define the conditions under which an access service can run.
This section contains the following topics:
Network Definition and Policy Goals, page 2
Policy Elements in the Policy Creation Flow, page 2
Access Service Policy Creation, page 4
Service Selection Policy Creation, page 4

Network Definition and Policy Goals

The first step in creating a policy is to determine the devices and users for which the policy should apply. Then you can start to configure your policy elements.

For basic policy creation, you can rely on the order of the drawers in the left navigation pane of the web interface. The order of the drawers is helpful because some policy elements are dependent on other policy elements. If you use the policy drawers in order, you initially avoid having to go backward to define elements that your current drawer requires.

For example, you might want to create a simple device administration policy from these elements in your network configuration:
- Devices—Routers and switches.
- Users—Network engineers.
- Device Groups—Group devices by location and separately by device type.
- Identity groups—Group network engineers by location and separately by access level.

The results of the policy apply to the administrative staff at each site:
- Full access to devices at their site.
- Read-only access to all other devices.
- Full access to everything for a supervisor.

The policy itself applies to network operations and the administrators who will have privileges within the device administration policy. The users (network engineers) are stored in the internal identity store. The policy results are the authorizations and permissions applied in response to the access request. These authorizations and permissions are also configured as policy elements.

Policy Creation Flow—Next Steps
Policy Elements in the Policy Creation Flow, page 2
Access Service Policy Creation, page 4
Service Selection Policy Creation, page 4

Policy Elements in the Policy Creation Flow

The web interface provides these defaults for defining device groups and identity groups:
- All Locations
- All Device Types
- All Groups

The locations, device types, and identity groups that you create are children of these defaults.

To create the building blocks for a basic device administration policy:

1. Create network resources. In the Network Resources drawer, create:
  a. Device groups for Locations, such as All Locations > East, West, HQ.
  b. Device groups for device types, such as All Device Types > Router, Switch.
  c. AAA clients (clients for AAA switches and routers, address for each, and protocol for each), such as EAST-ACCESS-SWITCH, HQ-CORE-SWITCH, or WEST-WAN-ROUTER.
2. Create users and identity stores. In the Users and Identity Stores drawer, create:
  a. Identity groups (Network Operations and Supervisor).
  b. Specific users and association to identity groups (Names, Identity Group, Password, and more).
3. Create authorizations and permissions for device administration. In the Policy Elements drawer, create:
  a. Specific privileges (in Shell Profiles), such as full access or read only.
  b. Command Sets that allow or deny access (in Command Sets).

For this policy, you now have the following building blocks:
- Network Device Groups (NDGs), such as:
  —Locations—East, HQ, West.
  —Device Types—Router, Switch.
- Identity groups, such as:
  —Network Operations Sites—East, HQ, West.
  —Access levels—Full Access.
- Devices—Routers and switches that have been assigned to network device groups.
- Users—Network engineers in the internal identity store that have been assigned to identity groups.
- Shell Profiles—Privileges that can apply to each administrator, such as:
  —Full privileges.
  —Read only privileges.
- Command Sets—Allow or deny authorization to each administrator.

Policy Creation Flow—Previous Step
Network Definition and Policy Goals, page 2

Policy Creation Flow—Next Steps
Access Service Policy Creation, page 4
Service Selection Policy Creation, page 4
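These building blocks are what the NetOps access service described under Access Service Policy Creation consumes: supervisors get full privileges on every device, each site's engineers only on that site's devices, and anything unmatched is denied. The following Python model is added here and is not part of the Cisco guide; it shows how such a first-match rule table with hierarchical device groups evaluates. The path notation (All Locations:East), the rule names, the identity group paths and the Deny Access default result are assumptions; the device names come from the list above.

```python
from dataclasses import dataclass
from typing import List, Tuple

DENY_ACCESS = "Deny Access"  # assumed name for the rule table's default result


@dataclass
class Device:
    name: str
    location: str  # location NDG, assumed path notation "All Locations:East"


@dataclass
class Request:
    protocol: str        # "TACACS+" or "RADIUS"
    user: str
    identity_group: str  # assumed path notation "All Groups:Network Operations:East"
    device: Device


@dataclass
class AuthzRule:
    name: str
    identity_group: str  # condition: this identity group or any child of it
    location: str        # condition: this location NDG or any child of it
    result: str          # result: shell profile name


def in_group(member: str, group: str) -> bool:
    """Hierarchical match: a condition on a group is satisfied by the group itself and by
    every descendant, so a condition on the root "All Locations" matches every device.
    The ":" suffix stops "All Locations:Eastern" from matching "All Locations:East"."""
    return member == group or member.startswith(group + ":")


# Constructed service selection policy: protocol -> access service, first match wins.
SERVICE_SELECTION = [("TACACS+", "NetOps")]

# Constructed NetOps authorization rule table, in the order ACS evaluates it.
NETOPS_RULES: List[AuthzRule] = [
    AuthzRule("Supervisors", "All Groups:Supervisor", "All Locations", "FullAccess"),
    AuthzRule("East-NetOps", "All Groups:Network Operations:East", "All Locations:East", "FullAccess"),
    AuthzRule("HQ-NetOps", "All Groups:Network Operations:HQ", "All Locations:HQ", "FullAccess"),
    AuthzRule("West-NetOps", "All Groups:Network Operations:West", "All Locations:West", "FullAccess"),
]


def evaluate(req: Request) -> Tuple[str, str, str]:
    """Return (access service, matched rule, result). A request that no service selection
    rule routes to NetOps, or that no NetOps rule matches, ends in Deny Access."""
    service = next((svc for proto, svc in SERVICE_SELECTION if req.protocol == proto), "none")
    if service != "NetOps":
        return service, "-", DENY_ACCESS
    for rule in NETOPS_RULES:
        if in_group(req.identity_group, rule.identity_group) and in_group(req.device.location, rule.location):
            return service, rule.name, rule.result
    return service, "Default", DENY_ACCESS  # "If no match—Deny access."


# Constructed sample devices, named as in the building-block list above.
EAST_SW = Device("EAST-ACCESS-SWITCH", "All Locations:East")
HQ_SW = Device("HQ-CORE-SWITCH", "All Locations:HQ")
WEST_RTR = Device("WEST-WAN-ROUTER", "All Locations:West")

if __name__ == "__main__":
    for req in (Request("TACACS+", "alice", "All Groups:Supervisor", WEST_RTR),
                Request("TACACS+", "bob", "All Groups:Network Operations:East", EAST_SW),
                Request("TACACS+", "bob", "All Groups:Network Operations:East", HQ_SW),
                Request("RADIUS", "bob", "All Groups:Network Operations:East", EAST_SW)):
        print(req.user, req.protocol, req.device.name, "->", evaluate(req))
```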
Access Service Policy Creation

After you create the basic elements, you can create an access policy that includes identity groups and privileges. For example, you can create an access service for device administration, called NetOps, which contains authorization and authentication policies that use this data:
- Users in the Supervisor identity group—Full privileges to all devices at all locations.
- Users in the East, HQ, West identity groups—Full privileges to devices in the corresponding East, HQ, West device groups.
- If no match—Deny access.

Policy Creation Flow—Previous Steps
Network Definition and Policy Goals, page 2
Policy Elements in the Policy Creation Flow, page 2

Policy Creation Flow—Next Step
Service Selection Policy Creation, page 4

Service Selection Policy Creation

ACS provides support for various access use cases; for example, device administration, wireless access, network access control, and so on. You can create access policies for each of these use cases. Your service selection policy determines which access policy applies to an incoming request. For example, you can create a service selection rule to apply the NetOps access service to any access request that uses the TACACS+ protocol.

Policy Creation Flow—Previous Steps
Network Definition and Policy Goals, page 2
Policy Elements in the Policy Creation Flow, page 2
Access Service Policy Creation, page 4

Customizing a Policy

ACS policy rules contain conditions and results. Before you begin to define rules for a policy, you must configure which types of conditions that policy will contain. This step is called customizing your policy. The condition types that you choose appear on the Policy page. You can apply only those types of conditions that appear on the Policy page. For information about policy conditions, see Managing Policy Conditions, page 1.

By default, a Policy page displays a single condition column for compound expressions. For information on compound conditions, see Configuring Compound Conditions, page 40.

If you have implemented Security Group Access functionality, you can also customize results for authorization policies.

Caution: If you have already defined rules, be certain that a rule is not using any condition that you remove when customizing conditions. Removing a condition column removes all configured conditions that exist for that column.

To customize a policy:

1. Open the Policy page that you want to customize. For:
- The service selection policy, choose Access Policies > Service Selection Policy.