Cisco ACS 5.7 User Guide
Managing Access Policies: Configuring Access Service Policies

To configure a rule-based policy, see these topics:
Creating Policy Rules, page 37
Duplicating a Rule, page 38
Editing Policy Rules, page 39
Deleting Policy Rules, page 39

For information about configuring an identity policy for Host Lookup requests, see Configuring an Authorization Policy for Host Lookup Requests, page 18.

Table 89  Rule-based Identity Policy Page

Policy type
  Defines the type of policy to configure:
  Simple—Specifies the results to apply to all requests.
  Rule-based—Configure rules to apply different results depending on the request.
  Caution: If you switch between policy types, you will lose your previously saved policy configuration.

Status
  The current status of the rule:
  Enabled—The rule is active.
  Disabled—ACS does not apply the results of the rule.
  Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule before it affects live requests.

Name
  Rule name.

Conditions
  Conditions that determine the scope of the rule. This column displays all current conditions in subcolumns.

Results
  Identity source that is used for authentication when the rule matches.

Hit Count
  Number of times that the rule has matched. Click the Hit Count button to refresh and reset this column.

Default Rule
  ACS applies the Default Rule when no enabled rule matches the request, or when no other rules are defined. Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete, disable, or duplicate it.

Customize button
  Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition type that you add.
  Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button
  Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 9.
Related Topics
Configuring a Group Mapping Policy, page 27
Configuring a Session Authorization Policy for Network Access, page 30
Configuring Shell/Command Authorization Policies for Device Administration, page 35

Configuring Identity Policy Rule Properties

You can create, duplicate, or edit an identity policy rule to determine the identity databases that are used to authenticate the client and to retrieve attributes for the client.

To display this page:

1. Choose Access Policies > Access Services > service > Identity, then do one of the following:
   Click Create.
   Check a rule check box, and click Duplicate.
   Click a rule name or check a rule check box, then click Edit.
2. Complete the fields of the Identity Rule Properties page, described in Table 90.

Table 90  Identity Rule Properties Page

General

Rule Name
  Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Rule Status
  Enabled—The rule is active.
  Disabled—ACS does not apply the results of the rule.
  Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule.

Conditions

conditions
  Conditions that you can configure for the rule. By default, the compound condition appears. You can change the conditions that appear by using the Customize button in the Policy page. The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value. If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions, page 40.

Results

Identity Source
  Identity source to apply to requests. The default is Deny Access.
  For password-based authentication, choose a single identity store or an identity store sequence.
  For certificate-based authentication, choose a certificate authentication profile or an identity store sequence.
  An identity store sequence defines the sequence of stores used for authentication and attribute retrieval, and an optional sequence used to retrieve additional attributes. See Configuring Identity Store Sequences, page 90.

Advanced options
  Specifies whether to reject or drop the request, or to continue processing, for each of these outcomes:
  If authentication failed—Default is Reject.
  If user not found—Default is Reject.
  If process failed—Default is Drop.
  Owing to restrictions of the underlying protocol, ACS cannot always continue processing when Continue is chosen. ACS can continue after an authentication failure only for PAP/ASCII, EAP-TLS, or Host Lookup. For all other authentication protocols, the request is dropped even if you choose Continue.

Configuring a Group Mapping Policy

Configure a group mapping policy to map groups and attributes that are retrieved from external identity stores to ACS identity groups. When ACS processes a request for a user or host, this policy retrieves the relevant identity group, which can then be used in authorization policy rules.

If you created an access service that includes a group mapping policy, you can configure and modify this policy. You can configure a simple policy, which applies the same identity group to all requests, or a rule-based policy. In a rule-based policy, each rule contains one or more conditions and a result. The conditions can be based only on attributes or groups retrieved from external attribute stores, and the result is an identity group within the identity group hierarchy. You can create, duplicate, edit, and delete rules within the policy, and you can enable and disable them.

Caution: If you switch between the simple policy and the rule-based policy pages, you will lose your previously saved policy.

To configure a simple group mapping policy:

1. Select Access Policies > Access Services > service > Group Mapping, where service is the name of the access service. By default, the Simple Group Mapping Policy page appears. See Table 91 for its field descriptions, and Table 92 for the Rule-based Group Mapping Policy page field descriptions.
2. Select an identity group.

Table 91  Simple Group Mapping Policy Page

Policy type
  Defines the type of policy to configure:
  Simple—Specifies the results to apply to all requests.
  Rule-based—Configure rules to apply different results depending on the request.
  Caution: If you switch between policy types, you will lose your previously saved policy configuration.

Identity Group
  Identity group to which attributes and groups from all requests are mapped.

Table 92  Rule-based Group Mapping Policy Page

Policy type
  Defines the type of policy to configure:
  Simple—Specifies the results to apply to all requests.
  Rule-based—Configure rules to apply different results depending on the request.
  Caution: If you switch between policy types, you will lose your previously saved policy configuration.

Status
  Current status of the rule:
  Enabled—The rule is active.
  Disabled—ACS does not apply the results of the rule.
  Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule.

Name
  Rule name.

Conditions
  Conditions that determine the scope of the rule. This column displays all current conditions in subcolumns.

Results
  Identity group that is assigned when the rule matches.

Hit Count
  Number of times that the rule has matched. Click the Hit Count button to refresh and reset this column.

Default Rule
  ACS applies the Default Rule when no enabled rule matches the request, or when no other rules are defined. Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete, disable, or duplicate it.

Customize button
  Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition type that you add.
  Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button
  Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 9.
3. Click Save Changes to save the policy.

To configure a rule-based policy, see these topics:
Creating Policy Rules, page 37
Duplicating a Rule, page 38
Editing Policy Rules, page 39
Deleting Policy Rules, page 39

Related Topics
Viewing Identity Policies, page 23
Configuring a Session Authorization Policy for Network Access, page 30
Configuring Shell/Command Authorization Policies for Device Administration, page 35

Configuring Group Mapping Policy Rule Properties

Use this page to create, duplicate, or edit a group mapping policy rule that defines how attributes and groups retrieved from external databases are mapped to ACS identity groups.

1. Select Access Policies > Access Services > service > Group Mapping, then do one of the following:
   Click Create.
   Check a rule check box, and click Duplicate.
   Click a rule name or check a rule check box, then click Edit.
2. Complete the fields as described in Table 93.

Table 93  Group Mapping Rule Properties Page

General

Rule Name
  Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Rule Status
  Enabled—The rule is active.
  Disabled—ACS does not apply the results of the rule.
  Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule.

Conditions

conditions
  Conditions that you can configure for the rule. By default, the compound condition appears. You can change the conditions that appear by using the Customize button in the Policy page. The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value. If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions, page 40.

Results

Identity Group
  Identity group to which attributes and groups from matching requests are mapped.

Configuring a Session Authorization Policy for Network Access

When you create an access service for network access authorization, ACS creates a Session Authorization policy. You can then add and modify rules in this policy to determine the access permissions for the client session.

You can create a standalone authorization policy for an access service, which is a standard first-match rule table, or an authorization policy with an exception policy (see Configuring Authorization Exception Policies, page 36). When a request matches an exception rule, the exception rule's result is always applied, regardless of the rules in the main authorization policy.

The rules can contain any conditions and multiple results:
Authorization profile—Defines the user-defined attributes and, optionally, the downloadable ACL that the Access-Accept message should return.
Security Group Tag (SGT)—If you have installed Cisco Security Group Access, the authorization rules can define which SGT to apply to the request.

For information about how ACS processes rules with multiple authorization profiles, see Processing Rules with Multiple Authorization Profiles, page 16.

To configure an authorization policy, see these topics:
Creating Policy Rules, page 37
Duplicating a Rule, page 38
Editing Policy Rules, page 39
Deleting Policy Rules, page 39

For information about creating an authorization policy for:
Host Lookup requests, see Configuring an Authorization Policy for Host Lookup Requests, page 18.
Security Group Access support, see ACS and Cisco Security Group Access, page 21, and Creating an Endpoint Admission Control Policy, page 25.

1. Select Access Policies > Access Services > service > Authorization.
2. Complete the fields as described in Table 94.
Table 94  Network Access Authorization Policy Page

Status
  Enabled—The rule is active.
  Disabled—ACS does not apply the results of the rule.
  Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule.

Name
  Name of the rule.

Conditions

Identity Group
  Internal identity group that the rule matches against.

NDG:name
  Network device group. The two predefined NDGs are Location and Device Type.

conditions
  Conditions that define the scope of the rule. To change the types of conditions that the rule uses, click the Customize button. You must have previously defined the conditions that you want to use.

Results

Authorization Profile
  Displays the authorization profile that is applied when the corresponding rule matches. When you enable the Security Group Access feature, you can customize rule results: a rule can determine the access permission of an endpoint, the security group of that endpoint, or both. The columns that appear reflect the customization settings.

Hit Count
  Number of times that the rule has matched. Click the Hit Count button to refresh and reset this column.

Default Rule
  ACS applies the Default Rule when no enabled rule matches the request, or when no other rules are defined. Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete, disable, or duplicate it.

Customize button
  Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition type that you add. When you enable the Security Group Access feature, you can also choose the set of rule results: only session authorization profiles, only security groups, or both.
  Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button
  Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 9.

Configuring Network Access Authorization Rule Properties

Use this page to create, duplicate, and edit the rules that determine access permissions in a network access service.

1. Select Access Policies > Access Services > service > Authorization, and click Create, Edit, or Duplicate.
2. Complete the fields as described in Table 95.

Note: An internal user account can match a particular NDG:Location through its identity string attribute only if you configure the detailed (full) path of the NDG.

Table 95  Network Access Authorization Rule Properties Page

General

Name
  Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Status
  Enabled—The rule is active.
  Disabled—ACS does not apply the results of the rule.
  Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule.

Conditions

conditions
  Conditions that you can configure for the rule. By default, the compound condition appears. You can change the conditions that appear by using the Customize button in the Policy page. The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value. If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions, page 40.

Results

Authorization Profiles
  List of available and selected profiles. You can choose multiple authorization profiles to apply to a request. See Processing Rules with Multiple Authorization Profiles, page 16, for how the order of the selected profiles is used to resolve conflicting attributes.

Security Group (Security Group Access only)
  The security group to apply. When you enable Security Group Access, you can customize the results options to display only session authorization profiles, only security groups, or both.

Configuring Device Administration Authorization Policies

A device administration authorization policy determines the authorizations and permissions for network administrators. You create an authorization policy during access service creation. See Configuring General Access Service Properties, page 13, for details of the Access Service Create page.

Use this page to:
View rules.
Delete rules.
Open pages that enable you to create, duplicate, edit, and customize rules.

Select Access Policies > Access Services > service > Authorization. The Device Administration Authorization Policy page appears, as described in Table 96.

Table 96  Device Administration Authorization Policy Page

Status
  Enabled—The rule is active.
  Disabled—ACS does not apply the results of the rule.
  Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule.

Name
  Name of the rule.

Conditions
  Conditions that define the scope of the rule. To change the types of conditions that the rule uses, click the Customize button. You must have previously defined the conditions that you want to use.

Results
  Displays the shell profiles and command sets that are applied when the corresponding rule matches. You can customize rule results: a rule can apply shell profiles, command sets, or both. The columns that appear reflect the customization settings.

Hit Count
  Number of times that the rule has matched. Click the Hit Count button to refresh and reset this column.

Default Rule
  ACS applies the Default Rule when no enabled rule matches the request, or when no other rules are defined. Click the link to edit the Default Rule. You can edit only the results of the Default Rule; you cannot delete, disable, or duplicate it.

Customize button
  Opens the Customize page in which you choose the types of conditions and results to use in policy rules. The Conditions and Results columns reflect your customized settings.
  Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type.

Hit Count button
  Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 9.

Configuring Device Administration Authorization Rule Properties

Use this page to create, duplicate, and edit the rules that determine authorizations and permissions in a device administration access service.

Select Access Policies > Access Services > service > Authorization, and click Create, Edit, or Duplicate. The Device Administration Authorization Rule Properties page appears, as described in Table 97.

Table 97  Device Administration Authorization Rule Properties Page

General

Name
  Name of the rule. If you are duplicating a rule, you must enter a unique name as a minimum configuration; all other fields are optional.

Status
  Enabled—The rule is active.
  Disabled—ACS does not apply the results of the rule.
  Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The Monitor option is especially useful for watching the results of a new rule.

Conditions

conditions
  Conditions that you can configure for the rule. By default, the compound condition appears. You can change the conditions that appear by using the Customize button in the Policy page. The default value for each condition is ANY. To change the value for a condition, check the condition check box, then specify the value. If you check Compound Condition, an expression builder appears in the conditions frame. For more information, see Configuring Compound Conditions, page 40.

Results

Shell Profiles
  Shell profile to apply for the rule.

Command Sets
  List of available and selected command sets. You can choose multiple command sets to apply.

Configuring Device Administration Authorization Exception Policies

You can create a device administration authorization exception policy for a defined authorization policy. Results from the exception rules always override the authorization policy rules.

Use this page to:
View exception rules.
Delete exception rules.
Open pages that create, duplicate, edit, and customize exception rules.

Select Access Policies > Access Services > service > Authorization, and click Device Administration Authorization Exception Policy. The Device Administration Authorization Exception Policy page appears, as described in Table 98 on page 35.
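The first-match rule table described under Configuring a Session Authorization Policy for Network Access, and the exception policy described in this section, interact with the Enabled/Disabled/Monitor rule statuses in ways that are easy to get wrong when ordering rules. The following Python model is an added illustration written for this page; it is not Cisco code and does not talk to ACS. It assumes what the guide implies but does not spell out: a rule matches when all of its conditions hold (a condition left at ANY is simply omitted); a matching Monitor rule is counted and logged with a monitor-only marker but skipped, so evaluation continues to the next rule; and the exception table is consulted before the main table, because an exception match "always overrides" the authorization policy. The identity groups, NDG location names, shell profile names, and requests are constructed for the example.

```python
"""Model of ACS-style first-match rule tables with Monitor rules and an
exception policy.  Added illustration, not Cisco code (see lead-in for the
assumptions it encodes)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Request = Dict[str, str]             # e.g. {"identity_group": "NetOps", "ndg_location": "..."}
Condition = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    conditions: List[Condition]      # empty list == every condition left at ANY (assumption)
    result: str                      # shell profile / authorization profile / identity group
    status: str = "Enabled"          # Enabled | Disabled | Monitor
    hit_count: int = 0

    def matches(self, req: Request) -> bool:
        return all(cond(req) for cond in self.conditions)


@dataclass
class RuleTable:
    rules: List[Rule]
    default_result: str              # the Default Rule: only its result is editable
    exceptions: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def _first_match(self, table: List[Rule], req: Request, label: str) -> Optional[str]:
        """Standard first-match walk over one table (exception or main)."""
        for rule in table:
            if rule.status == "Disabled" or not rule.matches(req):
                continue
            rule.hit_count += 1
            if rule.status == "Monitor":
                # Counted and logged with a monitor-only marker; result not applied,
                # and (assumption) evaluation continues with the next rule.
                self.log.append(f"{label}: {rule.name} matched [monitor only], "
                                f"would have applied {rule.result}")
                continue
            self.log.append(f"{label}: {rule.name} matched -> {rule.result}")
            return rule.result
        return None

    def evaluate(self, req: Request) -> str:
        # Exception policy first (assumption): its result always wins when it matches.
        result = self._first_match(self.exceptions, req, "exception")
        if result is None:
            result = self._first_match(self.rules, req, "policy")
        if result is None:
            result = self.default_result     # no enabled rule matched
            self.log.append(f"default rule -> {result}")
        return result


def build_sample_policy() -> RuleTable:
    """Constructed device-administration authorization policy (hypothetical names)."""
    in_group = lambda g: (lambda r: r.get("identity_group") == g)
    in_dc1 = lambda r: r.get("ndg_location") == "All Locations:DC1"
    return RuleTable(
        rules=[
            # New rule being trialled in Monitor status: counted and logged, never applied.
            Rule("NetOps-DC1-priv15-trial", [in_group("NetOps"), in_dc1], "Shell:priv15", "Monitor"),
            Rule("NetOps-readonly", [in_group("NetOps")], "Shell:priv1"),
            Rule("Contractors-readonly", [in_group("Contractors")], "Shell:priv1"),
            Rule("Guests-legacy", [in_group("Guests")], "Shell:priv1", "Disabled"),
        ],
        default_result="DenyAccess",
        exceptions=[
            # Exception rule: overrides Contractors-readonly for contractors in DC1.
            Rule("Contractors-DC1-break-glass", [in_group("Contractors"), in_dc1], "Shell:priv15"),
        ],
    )


if __name__ == "__main__":
    policy = build_sample_policy()
    for req in ({"identity_group": "NetOps", "ndg_location": "All Locations:DC1"},
                {"identity_group": "Contractors", "ndg_location": "All Locations:DC1"},
                {"identity_group": "Contractors", "ndg_location": "All Locations:HQ"},
                {"identity_group": "Guests", "ndg_location": "All Locations:HQ"}):
        print(req, "->", policy.evaluate(req))
    print("\n".join(policy.log))
```

Running the model shows the three behaviours worth checking in a real deployment: the Monitor rule at the top of the table increments its hit count and leaves a monitor-only log entry, yet the NetOps request still falls through to NetOps-readonly; a contractor in DC1 receives the exception result even though an enabled main-table rule would also have matched; and a request that only matches a Disabled rule ends at the Default Rule, so an over-permissive default is reachable by any request your enabled rules do not cover.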