Cisco Acs 57 User Guide
Have a look at the manual Cisco Acs 57 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
35 Managing Access Policies Configuring Access Service Policies Configuring Shell/Command Authorization Policies for Device Administration When you create an access service and select a service policy structure for Device Administration, ACS automatically creates a shell/command authorization policy. You can then create and modify policy rules. The web interface supports the creation of multiple command sets for device administration. With this capability, you can maintain a smaller number of basic command sets. You can then choose the command sets in combination as rule results, rather than maintaining all the combinations themselves in individual command sets. You can also create an authorization policy with an exception policy, which can override the standard policy results. See Configuring Authorization Exception Policies, page 36. For information about how ACS processes rules with multiple command sets, see Processing Rules with Multiple Command Sets, page 10. To configure rules, see: Creating Policy Rules, page 37 Duplicating a Rule, page 38 Table 98 Device Administration Authorization Exception Policy Page Option Description Status Rule statuses are: Enabled—The rule is active. Disabled—ACS does not apply the results of the rule. Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule. Name Name of the rule. Conditions Identity Group Name of the internal identity group to which this is matching against. NDG:nameNetwork device group. The two predefined NDGs are Location and Device Type. ConditionConditions that define the scope of the rule. To change the types of conditions that the rule uses, click the Customize button. You must have previously defined the conditions that you want to use. Results Displays the shell profile and command sets that will be applied when the corresponding rule is matched. You can customize rule results; a rule can determine the shell profile, the command sets, or both. The columns that appear reflect the customization settings. Hit Count Number of times that the rule is matched. Click the Hit Count button to refresh and reset this column. Customize button Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add. You do not need to use the same set of conditions and results as in the corresponding authorization policy. Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type. Hit Count button Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 9.
36 Managing Access Policies Configuring Access Service Policies Editing Policy Rules, page 39 Deleting Policy Rules, page 39 Configuring Authorization Exception Policies An authorization policy can include exception policies. In general, exceptions are temporary policies; for example, to grant provisional access to visitors or increase the level of access to specific users. Use exception policies to react efficiently to changing circumstances and events. The results from the exception rules always override the standard authorization policy rules. You create exception policies in a separate rule table from the main authorization policy table. You do not need to use the same policy conditions in the exception policy as you used in the corresponding standard authorization policy. To access the exception policy rules page: 1.Select Access Policies > Service Selection Policy service > authorization policy, where service is the name of the access service, and authorization policy is the session authorization or shell/command set authorization policy. 2.In the Rule-Based Policy page, click the Exception Policy link above the rules table. The Exception Policy table appears with the fields described in Table 99 on page 36: Table 99 Network Access Authorization Exception Policy Page Option Description Status Rule statuses are: Enabled—The rule is active. Disabled—ACS does not apply the results of the rule. Monitor—The rule is active, but ACS does not apply the results of the rule. Results such as hit count are written to the log, and the log entry includes an identification that the rule is monitor only. The monitor option is especially useful for watching the results of a new rule. Name Name of the rule. Conditions Identity Group Name of the internal identity group to which this is matching against. NDG:nameNetwork device group. The two predefined NDGs are Location and Device Type. Condition NameConditions that define the scope of the rule. To change the types of conditions that the rule uses, click the Customize button. You must have previously defined the conditions that you want to use. Results Displays the authorization profile that will be applied when the corresponding rule is matched. When you enable the Security Group Access feature, you can customize rule results; a rule can determine the access permission of an endpoint, the security group of that endpoint, or both. The columns that appear reflect the customization settings.
37 Managing Access Policies Configuring Access Service Policies To configure rules, see: Creating Policy Rules, page 37 Duplicating a Rule, page 38 Editing Policy Rules, page 39 Deleting Policy Rules, page 39 Related Topics Configuring a Session Authorization Policy for Network Access, page 30 Configuring Shell/Command Authorization Policies for Device Administration, page 35 Creating Policy Rules When you create rules, remember that the order of the rules is important. When ACS encounters a match as it processes the request of a client that tries to access the ACS network, all further processing stops and the associated result of that match is found. No further rules are considered after a match is found. The Default Rule provides a default policy in cases where no rules are matched or defined. You can edit the result of a default rule. Before You Begin Configure the policy conditions and results. See Managing Policy Conditions, page 1. Select the types of conditions and results that the policy rules apply. See Customizing a Policy, page 4. To create a new policy rule: 1.Select Access Policies > Service Selection Policy service > policy, where service is the name of the access service, and policy is the type of policy. If you: Previously created a rule-based policy, the Rule-Based Policy page appears, with a list of configured rules. Have not created a rule-based policy, the Simple Policy page appears. Click Rule-Based. 2.In the Rule-Based Policy page, click Create. Hit Count Number of times that the rule is matched. Click the Hit Count button to refresh and reset this column. Customize button Opens the Customize page in which you choose the types of conditions to use in policy rules. A new Conditions column appears in the Policy page for each condition that you add. You do not need to use the same set of conditions as in the corresponding authorization policy. When you enable the Security Group Access feature, you can also choose the set of rule results; only session authorization profiles, only security groups, or both. Caution: If you remove a condition type after defining rules, you will lose any conditions that you configured for that condition type. Hit Count button Opens a window that enables you to reset and refresh the Hit Count display in the Policy page. See Displaying Hit Counts, page 9. Table 99 Network Access Authorization Exception Policy Page (continued) Option Description
38 Managing Access Policies Configuring Access Service Policies The Rule page appears. 3.Define the rule. 4.Click OK The Policy page appears with the new rule. 5.Click Save Changes to save the new rule. To configure a simple policy to use the same result for all requests that an access service processes, see: Viewing Identity Policies, page 23 Configuring a Group Mapping Policy, page 27 Configuring a Session Authorization Policy for Network Access, page 30 Configuring a Session Authorization Policy for Network Access, page 30 Configuring Shell/Command Authorization Policies for Device Administration, page 35 Related Topics Duplicating a Rule, page 38 Editing Policy Rules, page 39 Deleting Policy Rules, page 39 Note: ACS 5.7 displays a detailed audit reports on ACS configuration audit reports page for creating, editing, or re-ordering access service policies from the ACS web interface. Duplicating a Rule You can duplicate a rule if you want to create a new rule that is the same, or very similar to, an existing rule. The duplicate rule name is based on the original rule with parentheses to indicate duplication; for example, Rule-1(1). After duplication is complete, you access each rule (original and duplicated) separately. Note: You cannot duplicate the Default rule. To duplicate a rule: 1.Select Access Policies > Service Selection Policy > service > policy, where service is the name of the access service, and policy is the type of policy. The Policy page appears with a list of configured rules. 2.Check the check box the rule that you want to duplicate. You cannot duplicate the Default Rule. 3.Click Duplicate. The Rule page appears. 4.Change the name of the rule and complete the other applicable field options. 5.Click OK. The Policy page appears with the new rule. 6.Click Save Changes to save the new rule.
39 Managing Access Policies Configuring Access Service Policies 7.Click Discard Changes to cancel the duplicate rule. Related Topics Creating Policy Rules, page 37 Editing Policy Rules, page 39 Deleting Policy Rules, page 39 Editing Policy Rules You can edit all values of policy rules; you can also edit the result in the Default rule. To edit a rule: 1.Select Access Policies > Service Selection Policy > service > policy, where service is the name of the access service, and policy is the type of policy. The Policy page appears, with a list of configured rules. 2.Click the rule name that you want to modify; or, check the check box for the Name and click Edit. The Rule page appears. 3.Edit the appropriate values. 4.Click OK. The Policy page appears with the edited rule. 5.Click Save Changes to save the new configuration. 6.Click Discard Changes to cancel the edited information. Related Topics Creating Policy Rules, page 37 Duplicating a Rule, page 38 Deleting Policy Rules, page 39 Deleting Policy Rules Note: You cannot delete the Default rule. To delete a policy rule: 1.Select Access Policies > Service Selection Policy > service > policy, where service is the name of the access service, and policy is the type of policy. The Policy page appears, with a list of configured rules. 2.Check one or more check boxes the rules that you want to delete. 3.Click Delete.
40 Managing Access Policies Configuring Compound Conditions The Policy page appears without the deleted rule(s). 4.Click Save Changes to save the new configuration. 5.Click Discard Changes to retain the deleted information. Related Topics Creating Policy Rules, page 37 Duplicating a Rule, page 38 Editing Policy Rules, page 39 Configuring Compound Conditions Use compound conditions to define a set of conditions based on any attributes allowed in simple policy conditions. You define compound conditions in a policy rule page; you cannot define them as separate condition objects. This section contains the following topics: Compound Condition Building Blocks, page 40 Types of Compound Conditions, page 41 Using the Compound Expression Builder, page 44 Compound Condition Building Blocks Figure 24 on page 40 shows the building blocks of a compound condition. Figure 24 Building Blocks of a Compound Condition Operands—Any attribute or condition type, such as Protocol/Request Attributes, Identity Attributes, Identity Groups, Network Device Groups (NDGs), Date/Time, and Custom or Standard Conditions. Relational Operators—Operators that specify the relation between an operand and a value; for example, equals (=), or does not match. The operators that you can use in any condition vary according to the type of operand. Binary condition—A binary condition defines the relation between a specified operand and value; for example, [username = “Smith”]. Logical Operators—The logical operators operate on or between binary conditions. The supported logical operators are AND and OR.
41 Managing Access Policies Configuring Compound Conditions Precedence Control—You can alter the precedence of logical operators by using parentheses. Nested parentheses provide administrator control of precedence. The natural precedence of logical operators, that is, without parenthesis intervention, is NOT, AND, OR, where NOT has the highest precedence and OR the lowest. Table 100 on page 41 summarizes the supported dynamic attribute mapping while building Compound Conditions. Note: Dynamic attribute mapping is not applicable for ExternalGroups attribute of Type "String Enum" and "Time And Date" attribute of type "Date Time Period". For hierarchical attribute, the value is appended with attribute name so while configuring any string attribute to compare with hierarchical attribute the value of the string attribute has to start with hierarchical attribute name. For example: When you define a new string attribute named UrsAttr to compare against DeviceGroup attribute created under NDG, then the value of the UsrAttr has to be configured as follows: DeviceGroup: Value When you want to compare a string attribute with UserIdentityGroup which is a hierarchy type attribute within each internal users, then the string attribute has to be configured as follows: IdentityGroup:All Groups:”Identity Group Name” Related Topics Types of Compound Conditions, page 41 Using the Compound Expression Builder, page 44 Types of Compound Conditions You can create three types of compound conditions: Atomic Condition Consists of a single predicate and is the only entry in the list. Because all simple conditions in a rule table, except for NDGs, assume the equals (=) operation between the attribute and value, the atomic condition is used to choose an operator other than equals (=). See Figure 25 on page 42 for an example. Table 100 Supported Dynamic Attribute Mapping in Policy Compound Condition Operand1 Operand2 Example String attribute String attribute — Integer attribute Integer attribute — Enumeration attribute Enumeration attribute — Boolean attribute Boolean attribute — IP address attribute IP address attribute — Special cases Hierarchical attribute String attribute NDG:Customer vs. 'Internal Users' string attribute String attribute Hierarchical attribute —
42 Managing Access Policies Configuring Compound Conditions Figure 25 Compound Expression - Atomic Condition Single Nested Compound Condition Consists of a single operator followed by a set of predicates (>=2). The operator is applied between each of the predicates. See Figure 26 on page 42 for an example. The preview window displays parentheses [()] to indicate precedence of logical operators. Figure 26 Single Nested Compound Expression Multiple Nested Compound Condition You can extend the simple nested compound condition by replacing any predicate in the condition with another simple nested compound condition. See Figure 27 on page 43 for an example. The preview window displays parentheses [()] to indicate precedence of logical operators.
43 Managing Access Policies Configuring Compound Conditions Figure 27 Multiple Nested Compound Expression Compound Expression with Dynamic value You can select dynamic value to select another dictionary attribute to compare against the dictionary attribute selected as operand. See Figure 28 on page 44 for an example.
44 Managing Access Policies Configuring Compound Conditions Figure 28 Compound Expression Builder with Dynamic Value Related Topics Compound Condition Building Blocks, page 40 Using the Compound Expression Builder, page 44 Using the Compound Expression Builder You construct compound conditions by using the expression builder in Rule Properties pages. The expression builder contains two sections: a predicate builder to create primary conditions and controls for managing the expression. In the first section, you define the primary conditions. Choose the dictionary and attribute to define the operand, then choose the operator, and specify a value for the condition. Use the second section to organize the order of conditions and the logical operators that operate on or between binary conditions. Table 101 on page 44 describes the fields in the compound expression builder. Table 101 Expression Builder Fields Field Description ConditionUse this section to define the primary conditions. Dictionary Specifies the dictionary from which to take the operand. These available options depend on the policy that you are defining. For example, when you define a service selection policy, the Identity dictionaries are not available. Attribute Specifies the attribute that is the operand of the condition. The available attributes depend on the dictionary that you chose. Operator The relational operator content is dynamically determined according to the choice in the preceding operand field. Value The condition value. The type of this field depends on the type of condition or attribute. Select one of the following two options: Static—If selected, you have to enter or select the static value depending on attribute type. Dynamic—If selected, you can select another dictionary attribute to compare against the dictionary attribute selected as operand.